Asteroid is a web application security scanner that combines multiple open source tools to gather URLs and detect vulnerabilities. It uses a modular structure to separate functionality for each tool.
Developed during an internship at SURF.
Disclaimer: Do not run Asteroid on a website without explicit permission of the owner.
| Module | License | Default | Comment |
|---|---|---|---|
| Katana | MIT | ✅ | Uses Katana to crawl the target domain, extracts forms to use with Nuclei |
| Feroxbuster | MIT | ✅ | Runs Feroxbuster for URL bruteforcing using raft-small-words.txt |
| Gau | MIT | ✅ | Runs Gau to collect URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl |
| Arjun | AGPL-3.0 | ❌ | Fuzzes for GET query parameters with Arjun using params wordlist from param-miner |
| Directory Listing | MIT | ✅ | Scans Feroxbuster output for open directory listings |
| Sensitive Files | MIT | ✅ | Runs Feroxbuster with a dangerous files wordlist from Bo0oM |
| Trufflehog | AGPL-3.0 | ❌ | Downloads all URLs with curl and scans them for secrets using Trufflehog |
| Extension Inspector | - | ✅ | Reports sensitive file extensions, Python implementation of a Nuclei template by ayadim |
| Vulnscan | GPL-3.0 | ✅ | Detects technologies using wappalyzer-next and scans for CVEs using search_vulns |
| RetireJS | Apache-2.0 | ✅ | Runs RetireJS to detect vulnerable JavaScript libraries, using a Python 3 adaptation from ghostlulzhacks |
| Nuclei | MIT | ✅ | Fuzzes for vulnerabilities like XSS and SQLi in URLs and forms using Nuclei DAST templates |
| File Upload | - | ✅ | Detects vulnerable file uploads. Custom tool, work in progress |
False positives and duplicate URLs are filtered using httpx (MIT) and uro (Apache-2.0).
To run the Vulnscan module, you should first generate an API key at https://search-vulns.com/api/setup and put it in config.py.
Build with docker (takes ~8 min):

```bash
docker build -t asteroid:latest .
```

Run with docker:

```bash
docker run -it -v ./asteroid_output:/asteroid/asteroid_output asteroid -h
```

for the help menu, or

```bash
docker run -it -v ./asteroid_output:/asteroid/asteroid_output asteroid http://testphp.vulnweb.com
```

to run on a target, e.g. http://testphp.vulnweb.com.
Run install.sh on a Debian testing based (e.g. Kali Linux) distribution:

```bash
bash install.sh
```

Now you can run Asteroid using uv:

```bash
uv run asteroid.py
```

Read the help menu or visit the Wiki.
```text
$ uv run asteroid.py -h
usage: asteroid [-h] [-o OUTPUT] [--modules MODULES] [--skip-modules SKIP_MODULES] [--list-modules] [--rerun] [--continue] [-v] [-rl RATE_LIMIT] [-p PROXY] [-s SIZE] [-headless] [-tl TIME_LIMIT] [-H HEADERS]
                [--dont-scan DONT_SCAN] [-w WORDLIST] [-d DEPTH] [-C C] [-x EXTENSIONS] [-aw ARJUN_WORDLIST] [-sfw SENSITIVE_FILES_WORDLIST] [--keep-downloads] [--max-download-size MAX_DOWNLOAD_SIZE]
                [target]

Runs all Asteroid Web Application Security Scanner modules.

positional arguments:
  target                The target domain to crawl, or a file containing domains

options:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        Output directory to save results
  --modules MODULES     Comma-separated list of modules to run
  --skip-modules SKIP_MODULES
                        Comma-separated list of modules to skip
  --list-modules        List all modules and exit
  --rerun               Rerun even if previous output is detected
  --continue            Continue from the last module run
  -v, --verbose         Enable verbose output
  -rl RATE_LIMIT, --rate-limit RATE_LIMIT
                        Maximum requests to send per second
  -p PROXY, --proxy PROXY
                        HTTP proxy to use for the requests, not supported by Vulnscan and RetireJS

vulnscan:
  -s SIZE, --size SIZE  Max number of outputs by search_vulns

katana:
  -headless             Run in headless mode in Katana
  -tl TIME_LIMIT, --time-limit TIME_LIMIT
                        Time limit for the Katana scan
  -H HEADERS, --headers HEADERS
                        Headers to use
  --dont-scan DONT_SCAN
                        Do not scan URLs matching this regex

feroxbuster:
  -w WORDLIST, --wordlist WORDLIST
                        Wordlist to use for feroxbuster
  -d DEPTH, --depth DEPTH
                        Recursive depth for feroxbuster
  -C C                  Filter status codes for feroxbuster
  -x EXTENSIONS, --extensions EXTENSIONS
                        Extensions to use for feroxbuster, reads values (newline-separated) from file if input starts with an @ (ex: @ext.txt)

arjun:
  -aw ARJUN_WORDLIST, --arjun-wordlist ARJUN_WORDLIST
                        Wordlist to use for parameter mining

sensitive files:
  -sfw SENSITIVE_FILES_WORDLIST, --sensitive-files-wordlist SENSITIVE_FILES_WORDLIST
                        Wordlist to use for Feroxbuster sensitive files scan

trufflehog:
  --keep-downloads      Do not cleanup the output directory
  --max-download-size MAX_DOWNLOAD_SIZE
                        Maximum file size to download, e.g. 5M
```
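The help text above describes three input conventions: `target` is either a domain or a file of domains, `-x` takes a comma-separated list or `@file` for newline-separated values, and `--modules`/`--skip-modules` select modules against the defaults in the table. The following is an added, illustrative reimplementation of those rules, not Asteroid's own code: the function names, the `#`-comment handling in list files, and the exact resolution order (`--modules` replaces the defaults, `--skip-modules` then removes from the selection) are assumptions; the module names and default states are transcribed from the README table. Rejecting unknown module names is a deliberate choice so that a typo in `--skip-modules` does not silently leave a scan running or missing.

```python
"""Illustrative helpers mirroring Asteroid's documented CLI conventions.

Assumed reimplementation for explanation only; not the project's own code.
"""
import tempfile
from pathlib import Path

# Module names and default on/off state, transcribed from the README table.
DEFAULT_MODULES = {
    "katana": True,
    "feroxbuster": True,
    "gau": True,
    "arjun": False,
    "directory_listing": True,
    "sensitive_files": True,
    "trufflehog": False,
    "extension_inspector": True,
    "vulnscan": True,
    "retirejs": True,
    "nuclei": True,
    "file_upload": True,
}


def parse_csv(value):
    """Split a comma-separated CLI value into lower-cased, non-empty names."""
    if not value:
        return []
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def resolve_modules(modules=None, skip_modules=None, defaults=DEFAULT_MODULES):
    """Decide which modules run (assumed rule: --modules replaces the
    default set, --skip-modules removes from whatever is selected).
    Unknown names raise so a typo does not silently change the scan."""
    selected = parse_csv(modules) or [m for m, on in defaults.items() if on]
    skip = parse_csv(skip_modules)
    unknown = [m for m in selected + skip if m not in defaults]
    if unknown:
        raise ValueError(f"unknown module(s): {', '.join(unknown)}")
    return [m for m in selected if m not in set(skip)]


def read_list_file(path):
    """Read newline-separated values, ignoring blank lines and # comments
    (comment handling is an assumption, not documented by Asteroid)."""
    lines = (ln.strip() for ln in Path(path).read_text().splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def resolve_extensions(value):
    """-x: comma-separated list, or @file with one extension per line."""
    if value.startswith("@"):
        return read_list_file(value[1:])
    return parse_csv(value)


def resolve_targets(target):
    """target: a single domain/URL, or a path to a file with one per line."""
    path = Path(target)
    if path.is_file():
        return read_list_file(path)
    return [target.strip()]


def demo():
    """Run the helpers on constructed inputs (temporary ext.txt and targets
    files) and return the resolved values."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_file = Path(tmp, "ext.txt")
        ext_file.write_text("php\nbak\n\n# constructed sample comment\nold\n")
        targets_file = Path(tmp, "targets.txt")
        targets_file.write_text("testphp.vulnweb.com\nexample.org\n")
        return {
            "extensions": resolve_extensions("@" + str(ext_file)),
            "targets": resolve_targets(str(targets_file)),
            "single_target": resolve_targets("http://testphp.vulnweb.com"),
            "modules": resolve_modules(skip_modules="nuclei,retirejs"),
            "explicit": resolve_modules(modules="katana,Nuclei",
                                        skip_modules="nuclei"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the resolved extension list, the targets read from the constructed file, and the module selections; `resolve_modules(skip_modules="retire-js")` raises `ValueError` rather than ignoring the misspelled name.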
Feel free to open issues or pull requests. You can even create your own modules by extending the BaseModule class, which I might add to Asteroid after review.