
A lightweight pentesting tool for logging and crafting HTTP requests, designed for internal deployment in Kubernetes and Openshift clusters.


AmadeusITGroup/exploit-server

Exploit Server

Usage

This is a combination of RequestBin, Burp Collaborator and the PortSwigger exploit server lab. It aims to be a lightweight application that pentesters can deploy internally.

In the /logs page you can find the logs of all the requests made to the server except those made to the /logs page and the /craft page.

The logs can also be exported in JSON format with a GET request to /api/logs.


In the /craft page you can craft responses to GET requests at a specific URL. You can even specify the Content Type of the response.

For example, with a response crafted for /test whose body is an empty JSON, a GET to /test returns that empty JSON as the response.

Build and development

You can run it locally on localhost with npm to test for functionality.

All you need to do is:

npm install
EXPLOIT_SERVER_KEY=mushokutensei npm start

EXPLOIT_SERVER_KEY is the password from which a symmetric key is generated; that key is used to encrypt the logs.
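A sketch of password-derived log encryption, added here as an example and not taken from the project's code. The README does not say which KDF or cipher the server uses, so scrypt, AES-256-GCM, the blob layout and the sample record below are all assumptions.

```javascript
// Added example: encrypt one log record under a key derived from a password.
// Assumptions (not from the project): scrypt KDF, AES-256-GCM, the blob layout,
// and the sample record, which is constructed data.
const crypto = require('node:crypto');

// Derive a 32-byte key; the random salt is stored next to the ciphertext.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

function encryptLog(password, record) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(record), 'utf8'), cipher.final()]);
  // Layout: salt(16) | iv(12) | tag(16) | ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptLog(password, blob) {
  const buf = Buffer.from(blob, 'base64');
  if (buf.length < 44) throw new Error('blob too short');
  const salt = buf.subarray(0, 16);
  const iv = buf.subarray(16, 28);
  const tag = buf.subarray(28, 44);
  const ct = buf.subarray(44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws when the password is wrong or the blob was modified
  const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample record; the fallback password is a placeholder.
const sample = { method: 'GET', path: '/test', headers: { 'user-agent': 'curl/8.0' } };
const blob = encryptLog(process.env.EXPLOIT_SERVER_KEY || 'sample-password', sample);
console.log(blob);
```

Because the key comes only from the password, the strength of the stored logs' confidentiality is bounded by the strength of the value set in EXPLOIT_SERVER_KEY.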

test/requester.sh contains a small script that assesses performance by sending a lot of requests to the exploit server locally.

Deployment

It was designed to be deployed internally in a Kubernetes or OpenShift cluster to aid internal pentest engagements.

A Docker image is available.


docker run -it -e "EXPLOIT_SERVER_KEY=mushokutensei" -p 3000:3000 h4r0r/exploit-server:1.0
