Application Automatic Attacks Simulation Tool
A web-based security testing tool with a simple GUI that enables automated simulation of OWASP Top 10 vulnerabilities.
WARNING: This tool is intended for authorized security testing only.
- Only use against systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal and may result in criminal prosecution
- The authors assume no liability for misuse of this tool
- Always obtain proper authorization before conducting security assessments
Use these intentionally vulnerable applications and platforms to safely test Attack-Sim:
| Resource | URL | Description |
|---|---|---|
| OWASP WebGoat | https://owasp.org/www-project-webgoat/ | Official OWASP training app, covers all Top 10 |
| DVWA | https://github.com/digininja/DVWA | Damn Vulnerable Web Application |
| OWASP Juice Shop | https://demo.owasp-juice.shop/ | Modern vulnerable app with 100+ challenges |
| HackTheBox | https://www.hackthebox.com | Legal CTF platform with vulnerable machines |
| TryHackMe | https://tryhackme.com | Guided hacking labs and rooms |
| PortSwigger Web Security Academy | https://portswigger.net/web-security | Free labs for all OWASP categories |
| VulnHub | https://www.vulnhub.com | Downloadable vulnerable VMs |
| CryptoHack | https://cryptohack.org | Cryptography-focused challenges |

| Attack Module | Recommended Test Target |
|---|---|
| A01: Broken Access Control | PortSwigger Access Control Labs |
| A02: Cryptographic Failures | CryptoHack, OWASP Juice Shop |
| A03: Injection | PortSwigger SQL Injection Labs |
| A04: Insecure Design | OWASP Juice Shop, WebGoat |
| A05: Security Misconfiguration | VulnHub VMs, DVWA |
| A06: Vulnerable Components | OWASP Juice Shop, WebGoat |
| A07: Authentication Failures | PortSwigger Authentication Labs |
| A08: Integrity Failures | OWASP Juice Shop (JWT challenges) |
| A09: Logging/Monitoring Failures | Local test environments, DVWA |
| A10: SSRF | PortSwigger SSRF Labs |
Run vulnerable applications locally for safe testing:

```bash
# DVWA
docker run --rm -it -p 80:80 vulnerables/web-dvwa

# OWASP Juice Shop
docker run --rm -p 3000:3000 bkimminich/juice-shop

# WebGoat
docker run -p 8080:8080 -p 9090:9090 webgoat/webgoat
```

Tip: For beginners, start with PortSwigger Web Security Academy - it offers free, isolated labs covering all OWASP Top 10 categories with no setup required.

| Feature | Description |
|---|---|
| Target Configuration | Input target URL/IP and configure connection parameters |
| Attack Selection | Choose from available OWASP Top 10 attack modules via intuitive UI |
| OWASP Top 10 Scanner | Automated detection of OWASP Top 10 (2021) vulnerabilities |
| Real-time Progress | Live display of attack progress with percentage completion |
| Severity Classification | Findings categorized by severity (Critical, High, Medium, Low, Info) |
| Report Generation | Export findings to JSON format with timestamps |
| Attack History | View and manage previous scan results |
| Job Management | Cancel running attacks, view job status |

| ID | Vulnerability | Detection Method |
|---|---|---|
| A01 | Broken Access Control | Authorization bypass attempts, IDOR testing, path traversal |
| A02 | Cryptographic Failures | TLS/SSL analysis, weak cipher detection, certificate validation |
| A03 | Injection | SQL injection, XSS, Command injection payloads |
| A04 | Insecure Design | Business logic flaw detection, rate limiting analysis |
| A05 | Security Misconfiguration | Header analysis, default credentials, debug mode detection |
| A06 | Vulnerable Components | Version fingerprinting, CVE matching, outdated library detection |
| A07 | Authentication Failures | Session analysis, weak password policy, brute force resistance |
| A08 | Integrity Failures | Deserialization tests, unsigned data detection, CI/CD analysis |
| A09 | Logging & Monitoring | Error disclosure, debug info leakage, verbose error detection |
| A10 | SSRF | Server-side request forgery testing, internal network probing |
```bash
# Clone the repository
git clone https://github.com/Anurag080102/attack-sim.git
cd attack-sim

# Install dependencies using uv
uv sync

# Run the application
uv run src/main/python/main.py

# Open browser to http://localhost:5000
```

Prerequisites:

- Python 3.11 or higher
- uv - Fast Python package manager
- Git (for cloning the repository)
```bash
# Clone the repository
git clone https://github.com/Anurag080102/attack-sim.git
cd attack-sim

# Install dependencies
uv sync

# Install with development dependencies (for testing/contributing)
uv sync --all-extras
```

```bash
# Run the application
uv run src/main/python/main.py

# You should see:
# ==================================================
# Attack-Sim - Security Testing Tool
# ==================================================
# Running on: http://127.0.0.1:5000
# Configuration: development
# ==================================================
```

- Start the application: `uv run src/main/python/main.py`
- Open your browser to http://localhost:5000
- Dashboard Overview:
  - View available OWASP Top 10 attack modules
  - See recent attack jobs and their status
  - Access reports and settings
From the dashboard, click on an attack card to configure it:
- OWASP Top 10 Scanners: A01 through A10 vulnerability scanners
Enter the required parameters:
| Field | Description | Example |
|---|---|---|
| Target URL | The base URL of the target application | http://target.example.com |
| Username | Target username (for auth attacks) | admin |
| Login URL | Full path to login endpoint | /login or /api/auth |
| Additional Options | Attack-specific parameters | Thread count, delays, etc. |
- Click "Run Attack" to start
- Monitor progress in real-time with the progress bar
- Findings appear as they are discovered
- Use "Cancel" to stop a running attack

| Option | Type | Default | Description |
|---|---|---|---|
| timeout | integer | 10 | Request timeout |
| delay | float | 0.5 | Delay between requests |
| follow_redirects | boolean | true | Follow HTTP redirects |
| max_depth | integer | 2 | Crawl depth for discovery |

| Severity | Icon | Description |
|---|---|---|
| Critical | 🔴 | Immediate exploitation possible, high impact |
| High | 🟠 | Significant vulnerability, should be fixed soon |
| Medium | 🟡 | Moderate risk, plan for remediation |
| Low | 🟢 | Minor issue, fix when convenient |
| Info | 🔵 | Informational finding, no immediate risk |
Each finding includes:
- Title: Brief description of the vulnerability
- Severity: Risk level classification
- Description: Detailed explanation
- Evidence: Proof of the vulnerability
- Remediation: Steps to fix the issue
- Metadata: Additional technical details
- After an attack completes, click "Generate Report"
- Select the format (JSON)
- Reports are saved to the `reports/` directory
- Download or view reports from the Reports page
Attack modules:

- A01 Broken Access Control: Tests for authorization bypass, IDOR, path traversal, and privilege escalation.
- A02 Cryptographic Failures: Analyzes TLS/SSL configuration, detects weak ciphers, and validates certificates.
- A03 Injection: Tests for SQL injection, XSS (reflected/stored), and OS command injection.
- A04 Insecure Design: Detects business logic flaws, missing rate limiting, and insecure workflows.
- A05 Security Misconfiguration: Checks security headers, default credentials, debug modes, and exposed files.
- A06 Vulnerable Components: Fingerprints software versions and checks for known CVEs.
- A07 Authentication Failures: Tests session management, password policies, and brute force protections.
- A08 Integrity Failures: Detects insecure deserialization and unsigned data vulnerabilities.
- A09 Logging & Monitoring Failures: Identifies error disclosure, debug information leakage, and verbose errors.
- A10 SSRF: Tests for server-side request forgery and internal network access.
API base URL: http://localhost:5000/api

| Method | Endpoint | Description |
|---|---|---|
| GET | `/attacks` | List all available attacks |
| GET | `/attacks/<attack_id>` | Get attack details and options |
| POST | `/attacks/run` | Start a new attack job |
| GET | `/attacks/jobs` | List all attack jobs |
| GET | `/attacks/status/<job_id>` | Get job status and progress |
| GET | `/attacks/results/<job_id>` | Get job findings |
| POST | `/attacks/cancel/<job_id>` | Cancel a running job |
| GET | `/attacks/owasp/categories` | List OWASP attack categories |

| Method | Endpoint | Description |
|---|---|---|
| GET | `/reports` | List all saved reports |
| GET | `/reports/<report_id>` | Get report details |
| POST | `/reports/generate` | Generate a new report |
| GET | `/reports/<report_id>/download` | Download report file |
| DELETE | `/reports/<report_id>` | Delete a report |

Request:

```bash
curl -X POST http://localhost:5000/api/attacks/run \
  -H "Content-Type: application/json" \
  -d '{
    "attack_id": "a05",
    "target": "http://target.example.com",
    "config": {
      "timeout": 10,
      "delay": 0.5
    }
  }'
```

Response:

```json
{
  "message": "Attack started",
  "job": {
    "id": "abc123-def456-...",
    "attack_id": "a05",
    "attack_name": "Security Misconfiguration Scanner",
    "target": "http://target.example.com",
    "status": "running",
    "progress": 0.0,
    "started_at": "2025-12-02T10:30:00"
  }
}
```

Request:

```bash
curl http://localhost:5000/api/attacks/status/abc123-def456-...
```

Response:

```json
{
  "id": "abc123-def456-...",
  "status": "completed",
  "progress": 100.0,
  "findings_count": 3,
  "completed_at": "2025-12-02T10:35:00"
}
```

| Variable | Default | Description |
|---|---|---|
| FLASK_CONFIG | development | Configuration mode (development/testing/production) |
| FLASK_HOST | 127.0.0.1 | Server host address |
| FLASK_PORT | 5000 | Server port |
| SECRET_KEY | (auto-generated) | Flask secret key (required in production) |

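The run-then-poll exchange shown above, as an added client example that is not part of the project: it checks the config against the option types in the configuration table, starts a job, polls `/attacks/status/<job_id>` until the job leaves the `running` state, then fetches `/attacks/results/<job_id>`. The `post(url, body)` / `get(url)` callables (expected to return parsed JSON, e.g. thin wrappers around `requests`), `FakeApi` and its replayed responses are assumptions constructed so the flow runs offline.

```python
import time

BASE_URL = "http://localhost:5000/api"
OPTION_TYPES = {"timeout": int, "delay": float, "follow_redirects": bool, "max_depth": int}  # options table

def build_run_request(attack_id, target, config):
    """Check config against the documented option types and build the /attacks/run body."""
    if not target.startswith(("http://", "https://")):
        raise ValueError("target must include http:// or https://")
    for key, value in config.items():
        expected = OPTION_TYPES.get(key)
        if expected is None:
            raise ValueError(f"unknown option: {key}")
        # bool is a subclass of int, so numeric options must reject True/False explicitly
        if (expected is bool) != isinstance(value, bool) or not isinstance(value, (int, float)):
            raise TypeError(f"{key} must be {expected.__name__}")
    return {"attack_id": attack_id, "target": target, "config": config}

def run_and_wait(post, get, attack_id, target, config, poll_seconds=1.0, max_polls=600):
    """POST /attacks/run, then poll /attacks/status/<job_id> while the job is 'running'."""
    job = post(f"{BASE_URL}/attacks/run", build_run_request(attack_id, target, config))["job"]
    status = job
    for _ in range(max_polls):
        if status["status"] != "running":
            break
        time.sleep(poll_seconds)
        status = get(f"{BASE_URL}/attacks/status/{job['id']}")
    else:
        raise TimeoutError(f"job {job['id']} still running after {max_polls} polls")
    if status["status"] == "completed":  # only a finished job has findings to fetch
        status["findings"] = get(f"{BASE_URL}/attacks/results/{job['id']}")
    return status

class FakeApi:  # constructed stand-in replaying the sample responses above; not a real server
    def __init__(self):
        self.polls = 0
    def post(self, url, body):
        return {"message": "Attack started", "job": {"id": "abc123-def456", "status": "running", **body}}
    def get(self, url):
        if url.endswith("/results/abc123-def456"):
            return [{"title": f"Finding {i}", "severity": "medium"} for i in range(1, 4)]
        self.polls += 1  # first status poll is still running, the second reports completion
        done = self.polls >= 2
        return {"id": "abc123-def456", "status": "completed" if done else "running",
                "progress": 100.0 if done else 50.0, "findings_count": 3 if done else 0}

def demo():  # the flow end to end against FakeApi, with no poll delay
    api = FakeApi()
    return run_and_wait(api.post, api.get, "a05", "http://target.example.com", {"timeout": 10}, poll_seconds=0)
```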
app/config.py contains configuration classes:

- DevelopmentConfig: Debug enabled, relaxed settings
- TestingConfig: For running tests
- ProductionConfig: Secure settings, requires SECRET_KEY
```bash
# Set required environment variables
export FLASK_CONFIG=production
export SECRET_KEY="your-secure-secret-key"
export FLASK_HOST=0.0.0.0

# Run with a production WSGI server (e.g., gunicorn)
uv add gunicorn
gunicorn -w 4 -b 0.0.0.0:5000 "app:create_app('production')"
```

```
attack-sim/
├── src/
│   ├── main/
│   │   ├── python/
│   │   │   ├── main.py                    # Application entry point
│   │   │   ├── app/                       # Flask application
│   │   │   │   ├── __init__.py            # App factory
│   │   │   │   ├── config.py              # Configuration classes
│   │   │   │   ├── errors.py              # Error handlers
│   │   │   │   ├── validation.py          # Input validation
│   │   │   │   ├── routes/
│   │   │   │   │   ├── __init__.py        # Blueprint registration
│   │   │   │   │   ├── dashboard.py       # Dashboard routes
│   │   │   │   │   ├── attacks.py         # Attack API endpoints
│   │   │   │   │   └── reports.py         # Report endpoints
│   │   │   │   ├── static/
│   │   │   │   │   ├── css/
│   │   │   │   │   │   └── style.css
│   │   │   │   │   └── js/
│   │   │   │   │       └── app.js
│   │   │   │   └── templates/
│   │   │   │       ├── base.html
│   │   │   │       ├── dashboard.html
│   │   │   │       ├── attack_config.html
│   │   │   │       ├── results.html
│   │   │   │       ├── reports.html
│   │   │   │       └── error.html
│   │   │   └── attacks/                   # Attack modules
│   │   │       ├── __init__.py            # Attack registry
│   │   │       ├── base.py                # BaseAttack, Finding, Severity
│   │   │       └── owasp/
│   │   │           ├── __init__.py        # OWASP registry
│   │   │           ├── base_owasp.py
│   │   │           ├── a01_broken_access.py
│   │   │           ├── a02_crypto_failures.py
│   │   │           ├── a03_injection.py
│   │   │           ├── a04_insecure_design.py
│   │   │           ├── a05_security_misconfig.py
│   │   │           ├── a06_outdated_components.py
│   │   │           ├── a07_auth_failures.py
│   │   │           ├── a08_integrity_failures.py
│   │   │           ├── a09_logging_monitoring.py
│   │   │           └── a10_ssrf.py
│   │   └── resources/
│   │       └── wordlists/
│   │           ├── common_passwords.txt
│   │           └── common_usernames.txt
│   └── test/
│       ├── python/
│       │   ├── __init__.py
│       │   ├── conftest.py                # Pytest fixtures
│       │   ├── test_attacks.py            # Attack module tests
│       │   ├── test_routes.py             # Route/API tests
│       │   ├── test_integration.py        # Integration tests
│       │   └── manual_api_test.py         # Manual API testing
│       └── resources/                     # Test resources
│
├── target/                                # Build outputs (gitignored)
│   └── reports/                           # Generated reports
│
├── .github/
│   └── instructions/                      # Project specifications
│
├── AGENTS.md                              # Agent workflow guide
├── pyproject.toml                         # Project configuration
├── uv.lock                                # Dependency lock file
└── README.md                              # This file
```
```bash
# Clone the repository
git clone https://github.com/Anurag080102/attack-sim.git
cd attack-sim

# Install with dev dependencies
uv sync --all-extras

# Run tests to verify setup
uv run pytest
```

```bash
# Run all tests
uv run pytest

# Run with verbose output
uv run pytest -v

# Run specific test file
uv run pytest src/tests/python/test_attacks.py

# Run specific test
uv run pytest src/tests/python/test_attacks.py::TestInjectionAttack::test_injection_payloads_exist

# Run with coverage report
uv run pytest --cov=app --cov=attacks --cov-report=html
```

| Test File | Tests | Description |
|---|---|---|
| test_attacks.py | 52 | Attack module unit tests |
| test_routes.py | 51 | API route tests |
| test_integration.py | - | End-to-end integration tests |
| conftest.py | - | Shared pytest fixtures |

```bash
# Format code with ruff
uv run ruff format

# Lint with ruff
uv run ruff check
```

To add a new attack module:

- Create a new file in `attacks/` or `attacks/owasp/`
- Inherit from `BaseAttack` or `BaseOWASPAttack`
- Implement required methods:
  - `configure(**kwargs)`: Set attack parameters
  - `run(target) -> Generator[Finding]`: Execute attack
  - `get_progress() -> float`: Return progress percentage
- Register with the appropriate registry using decorator
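Those steps carried through in an added worked example (not project code; the project's own minimal skeleton follows under Example): an A05-style check that reports missing HTTP security headers, following the configure / run-as-generator / get_progress contract and filling the Finding fields listed earlier. The `Severity`, `Finding` and `BaseAttack` stand-ins, the injected `fetcher` parameter and `SAMPLE_HEADERS` are assumptions so the module runs on its own; in the project they would come from `attacks.base` and a live HTTP response.

```python
from collections import namedtuple
from enum import Enum

# Stand-ins for attacks.base (assumed; the real classes live in src/main/python/attacks/base.py)
Severity = Enum("Severity", "CRITICAL HIGH MEDIUM LOW INFO")
Finding = namedtuple("Finding", "title severity description evidence remediation metadata", defaults=[{}])

class BaseAttack:
    name = description = ""

# Header to check -> (severity to report when it is absent, remediation to recommend)
EXPECTED_HEADERS = {
    "Strict-Transport-Security": (Severity.MEDIUM, "Send HSTS with a long max-age on HTTPS responses"),
    "Content-Security-Policy": (Severity.MEDIUM, "Define a CSP that restricts script sources"),
    "X-Content-Type-Options": (Severity.LOW, "Send X-Content-Type-Options: nosniff"),
    "X-Frame-Options": (Severity.LOW, "Send X-Frame-Options: DENY or a CSP frame-ancestors directive"),
}

class HeaderCheck(BaseAttack):
    name = "Security Header Check"
    description = "Reports missing HTTP security headers (A05 Security Misconfiguration)"

    def configure(self, **kwargs):
        # fetcher(url) -> dict of response headers; injected so the check can run on constructed data
        self._fetch = kwargs["fetcher"]
        self._progress = 0.0

    def run(self, target):
        present = {name.lower() for name in self._fetch(target)}  # header names are case-insensitive
        for i, (name, (sev, fix)) in enumerate(EXPECTED_HEADERS.items(), 1):
            if name.lower() not in present:
                yield Finding(title=f"Missing {name} header", severity=sev,
                              description=f"{target} did not return a {name} header",
                              evidence=f"Response header names: {sorted(present)}",
                              remediation=fix, metadata={"header": name})
            self._progress = 100.0 * i / len(EXPECTED_HEADERS)  # feeds the dashboard progress bar

    def get_progress(self):
        return self._progress

def scan(target, fetcher):
    # Drive the module the way the job runner would: consume the generator, then read progress
    check = HeaderCheck()
    check.configure(fetcher=fetcher)
    return list(check.run(target)), check.get_progress()

# Constructed sample response headers (not from a real host): two of the four expected ones present
SAMPLE_HEADERS = {"Content-Type": "text/html", "x-frame-options": "DENY", "X-Content-Type-Options": "nosniff"}
```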
Example:

```python
from attacks.base import BaseAttack, Finding, Severity
from attacks import AttackRegistry


@AttackRegistry.register("my_attack")
class MyAttack(BaseAttack):
    name = "My Custom Attack"
    description = "Description of what this attack does"

    def configure(self, **kwargs):
        # Store attack-specific options, falling back to defaults
        self._config = {"option": kwargs.get("option", "default")}
        self._progress = 0.0  # get_progress() reads this, so initialise it here

    def run(self, target):
        # Yield findings as they are discovered so the UI can stream them
        yield Finding(
            title="Example Finding",
            severity=Severity.MEDIUM,
            description="Found something",
            evidence="Evidence here",
            remediation="How to fix"
        )
        self._progress = 100.0

    def get_progress(self):
        return self._progress
```

Troubleshooting:

```bash
# Check Python version
python --version  # Should be 3.11+

# Verify dependencies
uv sync

# Check for port conflicts
lsof -i :5000  # or netstat -an | grep 5000
```

If the target cannot be reached:

- Check if the target is reachable
- Increase the `timeout` configuration
- Verify the target URL is correct (include `http://` or `https://`)

If an attack runs but reports nothing:

- Ensure the target has the vulnerabilities you're testing for
- Check that the login URL and form field names are correct
- Review the success/failure indicators

If dependencies are broken:

```bash
# Reinstall dependencies
uv sync --reinstall
```

If errors persist:

- Check the logs in the terminal for error messages
- Review the API response for error details
- Open an issue on GitHub with:
  - Error message
  - Steps to reproduce
  - Python version and OS
We welcome contributions! Please follow these guidelines:

- Fork the repository
- Create a feature branch: `git checkout -b feature/my-feature`
- Make your changes
- Write tests for new functionality
- Run the test suite: `uv run pytest`
- Commit using conventional format:

  ```
  feat(scope): Short description

  - Bullet point 1
  - Bullet point 2

  Refs: #feature/my-feature
  ```

- Push and create a Pull Request

Commit types:

- feat: New feature
- fix: Bug fix
- docs: Documentation changes
- test: Adding or updating tests
- refactor: Code refactoring
- style: Code style changes
- chore: Maintenance tasks
This project is for educational purposes only.
The tool is provided "as-is" without warranty. Users are solely responsible for ensuring their use of this tool complies with applicable laws and regulations.
- OWASP Top 10 for vulnerability classification
- Flask for the web framework
- Requests for HTTP functionality
Last Updated: December 2025