
TProx is a fast reverse proxy path traversal detector and directory bruteforcer.


ethicalhackingplayground/tprox



TProx

TProx is a fast reverse proxy path traversal detector and directory bruteforcer



Install Options

From Source

▶  GO111MODULE=on go get -v  github.com/ethicalhackingplayground/tprox/tprox

Docker

▶  git clone https://github.com/ethicalhackingplayground/tprox && cd tprox && docker build -t tprox .

Usage

▶ tprox -h
▶  docker run tprox -h

This will display help for the tool. Here are all the switches it supports.

👉 tprox help menu 👈
Usage of ./tprox:
  -c int
        The number of concurrent requests (default 10)
  -check
        Check if a path/folder/file is internal
  -crawl
        crawl the resolved domain while testing for proxy misconfigs
  -depth int
        The crawl depth (default 5)
  -discover
        Discover path/folder/file with already found traversal
  -o string
        Output the results to a file
  -progress
        This flag will allow you to turn on the progress bar
  -regex string
        Filter crawl with regex pattern
  -scope string
        Specify a scope to crawl with in using regexs
  -silent
        Show Silent output
  -test
        Enable/Disable test mode only
  -traverse
        This flag will allow you to turn on traversing
  -w string
        The wordlist to use against a valid endpoint to traverse

Examples

Traversal with Brute

echo "https://example.com/api/v1" | tprox -w wordlist -traverse

Traversal with Crawling & Brute

echo "https://example.com" | tprox -w wordlist -crawl -traverse

Traversal with Crawling, Regex Match & Brute

echo "https://example.com" | tprox -w wordlist -crawl -traverse -regex "/api/"

Traversal With Crawling InScope & Brute

echo "https://example.com" | tprox -w wordlist -crawl -traverse -regex "/api/" -scope ".*.\.example.com"

Traversal with Test Only

echo "https://example.com/api" | tprox -test -traverse

Check if File is Internal

echo "https://example.com/api/internalfile.html" | tprox -check

Discover Content

echo "https://example.com/api/..%2f" | tprox -discover -progress -w wordlist
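For defenders reviewing reverse proxy access logs, the following Go program flags request paths such as the `..%2f` form used above, where a dot-dot segment only appears after percent-decoding and is therefore invisible to a proxy that routes on the raw path. It is an added example, not part of TProx or its source; the names `Finding`, `Scan`, `decodeFully` and `dotDots` and the sample paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Finding (illustrative name): Raw is the path as logged, Effective is what a decoding backend resolves.
type Finding struct{ Raw, Effective string }

// decodeFully percent-decodes up to three times so double encoding (%252f) is unwrapped.
func decodeFully(p string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(p)
		if err != nil || d == p {
			break // malformed escape or nothing left to decode
		}
		p = d
	}
	return p
}

// dotDots counts path segments that are exactly "..".
func dotDots(p string) (n int) {
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			n++
		}
	}
	return n
}

// Scan flags paths that gain ".." segments only after decoding; plain "../" is left to the proxy.
func Scan(paths []string) []Finding {
	var out []Finding
	for _, raw := range paths {
		if dec := decodeFully(raw); dotDots(dec) > dotDots(raw) {
			out = append(out, Finding{raw, path.Clean(dec)})
		}
	}
	return out
}

func main() {
	// Constructed sample request paths, not taken from any real log.
	fmt.Println(Scan([]string{"/api/v1/users", "/api/..%2finternal", "/api/..%252finternal"}))
}
```

Feed `Scan` the request-path field from each access-log line; a finding whose `Effective` path falls outside the route prefix the proxy matched is worth reviewing against the proxy's normalization settings.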




Changes

  • Added some additional flags to help aid finding traversal misconfigurations
  • Optimised the crawler
  • Added a flag to disable/enable the progress bar
  • Fixed the silent flag
  • Added check, test & discover flags

Fixes

  • Fixed a crawling bug.
  • Fixed a traversal bug; it now prints only internal files & endpoints, with a very low % of false positives.
  • Made some optimization fixes.
  • Discover content fix, it was not finding content.
  • Optimisation fixes.

Known Fixes

If for some reason the program fails to install or update, run:

sudo rm -r /home/<user-name>/go/pkg/mod/github.com/ethicalhackingplayground/tprox
go clean --modcache
go clean

Then try and install it again.

License

TProx is distributed under the MIT License.
