Skip to content

Latest commit

 

History

History
74 lines (49 loc) · 4.57 KB

README.md

File metadata and controls

74 lines (49 loc) · 4.57 KB

Lotus Logo

Lotus: Dynamic Application Security Testing (DAST) Automation System

Lotus is an advanced automation system for Dynamic Application Security Testing (DAST). It simplifies web security scripting by offering a powerful Lua API that automates security processes in just a few lines of code. With Lotus, web security testing becomes more efficient, ensuring no critical security steps are missed.

Our mission is to streamline the security testing workflow, providing robust libraries and functions to automate web security processes with speed and precision.

Table of Contents

Why Choose Lotus?

1. Comprehensive Lua API

Lotus delivers a powerful Lua API packed with numerous functions designed to automate complex web security testing scenarios. With Lotus, automating security tasks becomes efficient, allowing you to focus on addressing vulnerabilities.

2. Optimized for Performance

Lotus is engineered for speed and accuracy, delivering top-tier performance in web security testing. This ensures faster vulnerability identification without the need for manual intervention.

3. Flexible and Customizable

Lotus offers unmatched flexibility with its customizable reporting, HTTP request handling, and input validation. Its API includes functions for regex matching and data validation, enabling precise detection of vulnerabilities.

4. Active and Ongoing Development

As an open-source project, Lotus is actively maintained and regularly updated. You can trust in continuous support and improvements to meet the evolving demands of web security testing.

5. Quick and Easy Installation

Installing Lotus is a simple process, whether you choose to compile from source or download pre-built binaries. Full documentation is provided to guide you through installation and usage.

6. Community Collaboration

We encourage community contributions! Share feedback, report issues, or suggest improvements through our GitHub Issues page, or connect with the community on our Discord server.

Features of Lotus Scripts

Lotus scripts provide a variety of powerful capabilities for web security testing, including:

  • Regex Matching: Advanced regex API with full support for all regex options.
  • String Matching: Simple and efficient string matching functions.
  • Multi-Threading: Two threading managers for optimal scanning, including race condition detection and fast parameter scanning.
  • URL Parsing: Extract parameters and set payloads for URL parsing with ease.
  • HTML Parsing/Searching: CSS selector functions and pattern generation for HTML analysis.
  • OS Utilities: Access various OS utilities like file reading, logging, path management, and thread sleeping.
  • HTTP Requests: Send HTTP requests with all methods and custom headers, including multipart requests.
  • Encoding/Decoding: Built-in functions for encoding and decoding formats such as base64 and URL encoding.

Additionally, with Lua libraries available on LuaRocks, you can further extend Lotus's capabilities for your security testing needs.

🚀 Installation Guide

Follow these steps to install Lotus from the source code:

$ apt install libssl-dev pkg-config gcc git lua53 liblua5.3-0 liblua5.3-dev -y
$ cargo install --git=https://github.com/BugBlocker/lotus/

Ensure you have the openssl-dev package installed before running the commands. If you experience any issues during compilation, please open a ticket in our GitHub repository for assistance.

Alternatively, you can download the appropriate binary from the GitHub Release page and run it directly on your system.

To get started with example scripts, download the Lua scripts from our GitHub Repository. After downloading, you can run a test scan using the following command:

$ echo http://testphp.vulnweb.com/listproducts.php?cat=1 | lotus scan lotus-scripts/active -o test_out.json -v

📖 Documentation

Detailed documentation is available in the docs/*.md folder of this repository. For a more accessible version, please visit our online documentation.