Metadata-Version: 2.1
Name: raider
Version: 0.2.2
Summary: Web authentication testing framework
Home-page: https://github.com/DigeeX/raider
License: GPL-3.0-or-later
Keywords: authentication,security,raider,digeex,hy
Author: Daniel Neagaru
Author-email: daniel@digeex.de
Requires-Python: >=3.8,<4.0
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)
Classifier: Natural Language :: English
Classifier: Operating System :: POSIX :: Linux
Classifier: Programming Language :: Lisp
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: Software Development :: Testing
Requires-Dist: bs4 (>=0.0.1,<0.0.2)
Requires-Dist: hy (>=0.20.0,<0.21.0)
Requires-Dist: importlib-metadata (>=4.6.1,<5.0.0)
Requires-Dist: requests (>=2.25.1,<3.0.0)
Project-URL: Documentation, https://raider.readthedocs.io/en/latest/
Project-URL: Repository, https://github.com/DigeeX/raider
Description-Content-Type: text/markdown

# What is this

This is a framework designed to test authentication for web
applications. While web proxies like
[ZAProxy](https://www.zaproxy.org/) and
[Burpsuite](https://portswigger.net/burp) allow authenticated tests,
they don't provide features to test the authentication process itself,
i.e. manipulating the relevant input fields to identify broken
authentication. Most authentication bugs in the wild have been found
by testing it manually or by writing custom scripts that replicate the
behaviour. **Raider** aims to make testing easier by providing an
interface to interact with all the important elements found in modern
authentication systems.

**Note:**

Raider is still a work in progress. Bugs and missing features are to
be expected. If you find something that doesn't work as expected, open
a GitHub issue and let us know. You can also [join the community
forum](https://community.digeex.de/) and start asking questions there.


# Features

**Raider** aims to support most modern authentication systems. Here
are some features that other tools don't offer:

* Unlimited authentication steps
* Unlimited inputs/outputs for each step
* Ability to conditionally decide the next step
* Running arbitrary operations when receiving the response
* Easy to write custom operations and plugins


# How does it work

**Raider** treats the authentication as a finite state machine. Each
authentication step is a different state, with its own inputs and
outputs. Those can be cookies, headers, CSRF tokens, or other pieces
of information.

Each application needs its own configuration file for **Raider** to
work. The configuration is written in
[Hylang](https://docs.hylang.org/). The language was chosen for
multiple reasons, mainly because it's a Lisp dialect embedded in
Python.

Using Lisp was necessary since the authentication can sometimes get
quite complex, and a static configuration file would not have been
enough to cover all the details. Lisp makes it easy to combine code
and data, which is exactly what was needed here.

Using a real programming language as the configuration file gives
**Raider** a lot of power, and with great power comes great
responsibility. Theoretically one can write entire malware inside the
application configuration file, which means you should be careful
about what's being executed, and **not use configuration files from
sources you don't trust**. **Raider** will evaluate everything inside
the .hy files, which means if you're not careful you could shoot
yourself in the foot and break something on your system.
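The state-machine model described above, as an added illustration in plain Python rather than Raider's own Hylang API: each stage has inputs built from earlier outputs, an output extractor (here a regex-based one, in the spirit of the output plugins the README mentions), and a function that decides the next stage from the response. The `fake_server`, the `Stage`/`Response` types, the token `tok123`, the cookie value and the credentials are all constructed for this example and are not part of the project.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed stand-in for an HTTP response; nothing in this example touches the network.
Response = namedtuple("Response", "status headers body")

@dataclass
class Stage:  # one state of the authentication machine
    inputs: Callable[[dict], dict]  # build request data from earlier outputs
    outputs: Callable[[Response, dict], None]  # store cookies/tokens taken from the response
    next_stage: Callable[[Response, dict], Optional[str]]  # None ends the flow

def fake_server(stage: str, data: dict) -> Response:
    # Constructed two-step login: hands out a CSRF token, then a session cookie only
    # when that token is echoed back together with the right password.
    if stage == "initialization":
        return Response(200, {}, '<input name="csrf" value="tok123">')
    if data.get("csrf") != "tok123":
        return Response(403, {}, "bad csrf")
    if data.get("password") != "hunter2":
        return Response(401, {}, "bad credentials")
    return Response(302, {"Set-Cookie": "session=s3ss10n; Path=/"}, "")

def regex_output(name: str, pattern: str, source: str) -> Callable[[Response, dict], None]:
    # Output extractor: keep the first regex group found in the body or in a named header.
    def extract(resp: Response, state: dict) -> None:
        text = resp.body if source == "body" else resp.headers.get(source, "")
        m = re.search(pattern, text)
        if m:
            state[name] = m.group(1)
    return extract

FLOW: Dict[str, Stage] = {
    "initialization": Stage(lambda s: {}, regex_output("csrf", r'name="csrf" value="([^"]+)"', "body"),
                            lambda r, s: "login" if "csrf" in s else None),
    "login": Stage(lambda s: {"user": "alice", "password": s["password"], "csrf": s.get("csrf")},
                   regex_output("session", r"session=([^;]+)", "Set-Cookie"),
                   lambda r, s: None),
}

def run_flow(stages: Dict[str, Stage], start: str, state: dict, send=fake_server) -> dict:
    # Walk the machine: each stage's outputs become part of the next stage's inputs.
    current: Optional[str] = start
    while current is not None:
        stage = stages[current]
        resp = send(current, stage.inputs(state))
        stage.outputs(resp, state)
        current = stage.next_stage(resp, state)
    return state
```

Replacing `fake_server` with a function that performs real requests is what the framework's configuration does for you; the point here is only that the stage outputs (CSRF token, session cookie) drive which stage runs next.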

# Installation

**Raider** is available on PyPI:

```
$ pip3 install --user raider
```

# Raider's philosophy

**Raider** was developed with the following goals:

* To abstract authentication concepts using Python objects.
* To support most modern web authentication features.
* To make it easy to add new features for users.


And if you're looking at the code and willing to contribute, keep
these in mind:

* The simpler and cleaner the code, the better.
* New features should be implemented as `Plugins` and
  `Operations` if possible.
* The `hyfiles` should stay as minimal as possible, while still
  allowing the user to get creative. In the future parts of this code
  could be autogenerated.
# The Documentation is available on [Read the Docs](https://raider.readthedocs.io/en/latest/).

# Come talk to us in the [community forum](https://community.digeex.de/).