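At the juncture of dawn, or at dusk between light and darkness, face north and observe it: faintly, as if something were there, yet no one can make out its shape. Where it touches, there is a soft whispering sound, and it passes through things without the things being harmed.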
ChYing is a comprehensive security toolbox designed to simplify various security testing tasks. It provides a range of features and tools, including directory scanning, JWT, Swagger API testing, encoding/decoding utilities, a lightweight BurpSuite alternative, and antivirus assistance. ChYing aims to assist security professionals and developers in identifying vulnerabilities and strengthening the security of their applications.
Install Wails (https://wails.io/docs/gettingstarted/installation/), then run wails build.
Scanning using dictionary rules extracted from dirsearch. Currently it scans only a single level of directories. Future considerations include traversing multiple levels of directories based on the directories it discovers.
Scanning with bbscan rules.
Unauthenticated, SSRF, and injection testing on Swagger APIs.
Automatic 403 bypass for the Swagger features.
https://github.com/devploit/dontgo403
https://infosecwriteups.com/403-bypass-lyncdiscover-microsoft-com-db2778458c33
- JWT token parsing with visual display similar to jwt.io.
- JWT key cracking.
Key vulnerability scanning based on nuclei
https://github.com/yhy0/nucleiY
Utilizing the features of the go-mitmproxy project to replicate BurpSuite functionality.
After launching, the default HTTP proxy address is set to port 9080.
For the first launch, you need to install a certificate to decrypt HTTPS traffic. The certificate will be automatically generated after the first launch command and saved in ~/.mitmproxy/mitmproxy-ca-cert.pem. The installation steps can be found in the Python mitmproxy documentation: Certificates.
- Proxy module
- Repeater module
- Intruder module
Various dictionary files are used. On the first run, the built-in dictionaries are extracted to the .config/ChYing directory in the user's folder, and they are read from there on each subsequent run.
Unicode, URL, Hex, Base64 encoding/decoding.
MD5 hashing.
https://github.com/gh0stkey/avList/blob/master/avlist.js
Lack of frontend expertise; heavily reliant on ChatGPT.
- Currently, each tab page needs to be clicked to activate it, which means BurpSuite requires clicking through each page before using it.
- Intruder module
- The Attack display cannot switch to other Intruder tab pages, otherwise the results won't be displayed. It's a frontend data binding issue. Still figuring out the best way to address it.
This code is distributed under the AGPL-3.0 license. See LICENSE in this directory.
Special thanks to JetBrains for providing a range of powerful IDEs and supporting this project.
https://github.com/lijiejie/bbscan
https://github.com/maurosoria/dirsearch
https://github.com/devploit/dontgo403
https://github.com/lqqyt2423/go-mitmproxy