A Burp extension that creates dynamic payloads to reveal injection flaws (LFI, RCE, SQLi), generates user access tables to spot authentication/authorization issues, and copies Http requests as JavaScript code.
Agartha is a penetration testing tool which creates dynamic payload lists and a user access matrix to reveal injection flaws and authentication/authorization issues. Many attack payload lists already exist, but Agartha creates run-time, systematic and vendor-neutral payloads with many different combinations and bypassing methods. It also draws attention to user session and URL relationships, which makes it easy to find user access violations. Additionally, it converts Http requests to JavaScript to help dig up XSS issues further.
In summary:
Here is a small tutorial on how to use it.
You should download the 'Jython' file and set up your environment first:
You can install Agartha through official store:
Or for manual installation:
After that, you will see the 'Agartha' tab in the main window, and it will also be registered in the right-click menu, under:
It supports both Unix and Windows file syntax. You can generate a wordlist dynamically for any path you want; you just need to supply a file path and that's all.
It creates dynamic command execution wordlists from the command you supply. It combines different separators and terminators for both Unix and Windows environments.
It generates payloads for Stacked Queries, Boolean-Based, Union-Based and Time-Based SQL Injection attacks, and you do not need to supply any inputs. You just pick which types of SQL attacks and databases you want, and it will generate a wordlist with the different combinations.
This part focuses on the relationship between user sessions and URLs to determine access violations. The tool will visit all URLs with each pre-defined user session and fill the table with all Http responses. It is a kind of access matrix and helps to find authentication/authorization issues. Afterwards you will see which users can access which page contents.
A little bit more details:
After clicking 'RUN', the tool will fill the user and URL matrix with different colors. Besides the user colors, you will see orange, yellow and red cells. These mark URLs that do not belong to the user, and if the cell color is:
You may also notice that it supports only one Http request method and one user session at a time, because it processes bulk requests and it is not possible to provide different header options for each call. But you may switch between 'GET' and 'POST' methods to see response differences.
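The matrix described above, as an added example that is not Agartha's own code: every URL is replayed under every user session and each cell is classified against the response the URL's owner gets. The server, sessions, URLs and the cell labels are constructed assumptions for this example (Agartha's own colors and rules are not reproduced).

```python
from typing import Callable, Tuple

Response = Tuple[int, str]  # (status code, body)

# Constructed sample: URL -> the user whose session it was originally recorded from ("owner").
URLS = {"/account/1001": "alice", "/account/1002": "bob", "/admin/users": "admin", "/public/help": "alice"}
# Constructed sample sessions; "anon" has no session cookie at all.
SESSIONS = {"alice": "sid-a", "bob": "sid-b", "admin": "sid-adm", "anon": ""}


def fake_server(url: str, session: str) -> Response:
    """Constructed stand-in for real HTTP calls so the example runs offline.
    It deliberately omits the ownership check on /account/1002 (an authorization gap)."""
    user = {sid: name for name, sid in SESSIONS.items()}.get(session)
    if url == "/public/help":
        return 200, "help page"  # intentionally public
    if not user or user == "anon":
        return 302, "redirect to /login"
    if url.startswith("/admin/"):
        return (200, "user list") if user == "admin" else (403, "forbidden")
    if url == "/account/1001":
        return (200, "alice's account") if user == "alice" else (403, "forbidden")
    if url == "/account/1002":
        return 200, "bob's account"  # missing ownership check: any logged-in user sees it
    return 404, "not found"


def access_matrix(urls, sessions, send: Callable[[str, str], Response]):
    """Replay each URL under each session; classify each (user, url) cell relative to the owner."""
    matrix = {}
    for url, owner in urls.items():
        owner_status, owner_body = send(url, sessions[owner])
        for user, sid in sessions.items():
            status, body = send(url, sid)
            if user == owner:
                cell = "owner"
            elif status == owner_status and body == owner_body:
                cell = "SAME_AS_OWNER"  # identical content for a non-owner: candidate access violation
            elif 200 <= status < 300:
                cell = "DIFFERENT_200"  # reachable, but content differs (e.g. personalised page)
            else:
                cell = "denied:%d" % status
            matrix[(user, url)] = cell
    return matrix


def suspicious(matrix):
    """Cells to triage: non-owners who received exactly the owner's response."""
    return sorted((user, url) for (user, url), cell in matrix.items() if cell == "SAME_AS_OWNER")
```

Intentionally public pages (like /public/help here) also show up as SAME_AS_OWNER, so the list is a triage queue, not a verdict; the real finding in this sample is /account/1002 being readable by alice and admin.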
This feature converts Http requests to JavaScript code. It can be useful for digging up further XSS issues and bypassing header restrictions.
To access it, right-click any Http request and choose 'Extensions > Agartha > Copy as JavaScript'.
It will automatically copy the result to your clipboard, with some remarks. For example:
Http request with the minimum header parameters in JavaScript:
<script>var xhr=new XMLHttpRequest();
xhr.open('GET','http://dvwa.local/vulnerabilities/xss_r/?name=XSS');
xhr.withCredentials=true;
xhr.send();
</script>
Http request with all header parameters (except cookies, tokens, etc.) in JavaScript; you may need to remove unnecessary fields:
<script>var xhr=new XMLHttpRequest();
xhr.open('GET','http://dvwa.local/vulnerabilities/xss_r/?name=XSS');
xhr.withCredentials=true;
xhr.setRequestHeader('Host',' dvwa.local');
xhr.setRequestHeader('User-Agent',' Mozilla/5.0 Gecko/20100101 Firefox/114.0');
xhr.setRequestHeader('Accept',' text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8');
xhr.setRequestHeader('Accept-Language',' en-GB,en;q=0.5');
xhr.setRequestHeader('Accept-Encoding',' gzip, deflate');
xhr.setRequestHeader('Connection',' close');
xhr.setRequestHeader('Referer',' http://dvwa.local/vulnerabilities/xss_r/');
xhr.setRequestHeader('Upgrade-Insecure-Requests',' 1');
xhr.send();
</script>
For redirection, please also add this code before the '</script>' tag (it re-sends the request to the 'Location' target once a 302 response has completed):
xhr.onreadystatechange=function(){if(this.readyState===4&&this.status===302){var location=this.getResponseHeader('Location');this.open('GET',location);this.send();}};
Please note that the JavaScript code will run within the original user's session, and browsers fill in many header fields automatically. In some cases the server may require a particular header field, and you may then need to modify the code accordingly.
Another tutorial link