reaper

module v0.1.0
Published: Oct 31, 2024 License: Apache-2.0

README

Reaper

Reaper by Ghost Security is a modern, lightweight, and extensible open-source application security testing framework built to be operated by both humans and AI Agents. It provides several capabilities that enable manual application security workflows: target reconnaissance, request proxying, request tampering/replay, live collaboration, and active test running. When combined with an AI Agent backed by an LLM, Reaper becomes a flexible engine to drive even more powerful application testing workflows.


⚠ This project is undergoing rapid development and may change significantly in the near future.

Table of Contents
  1. About
  2. Project Goals
  3. Setup
  4. Usage
  5. Contributing
  6. Acknowledgments

About

The Reaper framework was created to combine several application security workflow steps from discrete tools into one. It aims to streamline the process of discovering targets, performing reconnaissance, tampering with and replaying requests, driving workflows via API or AI automation, and more from within the same toolset.

Existing tools (e.g. Burp Suite, Zap, and subfinder / katana / nuclei) are able to perform individual steps of the testing lifecycle but require the end user to manually engage with each tool and export/import data between steps.

Reaper is designed to be orchestrated by humans and AI Agents (Agents) to enable almost any workflow you need to become a reality. Agents that are backed by an LLM can act as another helpful team member and perform in seconds tasks that would take analysts hours. For example, an Agent can assist with test parameter tuning, summarization of data/findings, data analysis, and even report generation.

Project Goals

  • A modern, lightweight, and extensible framework for application security testing
  • Usable by humans and AI Agents alike
  • A platform for running autonomous workflows
  • Easy to maintain and extend
  • Help avoid application security engineer burn-out with helpful automation

Installation

Running via Docker

If you have Docker version 19.x or above, the quickest path to getting running is to clone this repo and run:

docker compose up

Running via Binary

TODO

Usage

Scan

The first step in reconnaissance is enumerating the available targets for a given domain/subdomain and probing them for availability. Click Add Domain and enter a domain or subdomain that you are authorized to test, for example ghostbank.net or api.ghostbank.net. With the Auto-scan checkbox enabled, click Add and scan to initiate discovery of live hosts.

Explore

To capture requests made to a target system, enable the Proxy on toggle at the top of the page. From there, configure your browser or other client to route requests through the proxy at localhost:8080 for both HTTP and HTTPS.

To install the proxy's certificate and configure your tool/browser to proxy through Reaper, follow this guide.
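
One way to point a Go test client at the proxy described above while keeping TLS verification on, as an added example that is not Reaper's own code: the client trusts only the proxy's CA certificate instead of disabling certificate checks. The file name reaper-ca.pem and both function names are assumptions; localhost:8080 is the address given above.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"os"
)

// loadCAPool builds a trust pool containing only the given PEM certificates.
func loadCAPool(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("no valid CA certificate found in PEM input")
	}
	return pool, nil
}

// newProxiedClient sends every request through proxyAddr and trusts only pool
// for TLS, so certificate verification stays enabled for this client.
func newProxiedClient(proxyAddr string, pool *x509.CertPool) (*http.Client, error) {
	u, err := url.Parse("http://" + proxyAddr)
	if err != nil {
		return nil, err
	}
	return &http.Client{Transport: &http.Transport{
		Proxy:           http.ProxyURL(u),
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}, nil
}

func main() {
	pemBytes, err := os.ReadFile("reaper-ca.pem") // hypothetical export path
	if err != nil {
		fmt.Println("read CA:", err)
		return
	}
	pool, err := loadCAPool(pemBytes)
	if err != nil {
		fmt.Println("load CA:", err)
		return
	}
	client, err := newProxiedClient("localhost:8080", pool)
	fmt.Println("proxied client ready:", client != nil, err)
}
```

Scoping the proxy CA to this one client keeps it out of the system trust store, so nothing else on the machine accepts certificates it issues.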

Replay

Requests and responses that have traversed the Proxy appear in this listing. The filter narrows the listing by fuzzy match on the hostname or path. The All/APIs toggle switches between viewing all responses and only those of content-type application/json.

To replay or tamper with a request:

  1. Select the desired request.
  2. On the right pane, click Replay original to resend without modification. The Response pane will update automatically. In many cases, there will be no change in that field.
  3. To send a modified request, live-edit either the Request headers or Request Body as desired. Click Replay modified and view the response in the Response field.

Tests

This workspace drives testing workflows based on endpoints and/or requests that match desired criteria. For example, testing for Broken Object Level Access (BOLA) / Insecure Direct Object Reference (IDOR) vulnerabilities typically requires capturing and replaying a valid request to an endpoint while fuzzing certain parameters. Stay tuned as we continue to develop this capability. In the meantime, your feedback is welcomed and encouraged!
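
The capture-and-replay check described above, written as an authorization regression test; this is an added example and not part of Reaper. A constructed in-memory handler receives the same request under one identity for each object ID, first without and then with an ownership check. The handler, account IDs, user names and function names are all hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data: object ID -> owner. The bearer token is the user name.
var owners = map[string]string{"1001": "alice", "1002": "bob"}

// accountHandler serves GET /accounts/{id}. enforce=false only requires a token
// (the BOLA flaw); enforce=true also requires the caller to own the object.
func accountHandler(enforce bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		id := strings.TrimPrefix(r.URL.Path, "/accounts/")
		owner := owners[id]
		switch {
		case user == "":
			w.WriteHeader(http.StatusUnauthorized)
		case enforce && owner != user:
			w.WriteHeader(http.StatusForbidden)
		default:
			fmt.Fprintf(w, `{"id":%q,"owner":%q}`, id, owner)
		}
	})
}

// exposedIDs replays one request per ID as user; returns IDs read but not owned.
func exposedIDs(h http.Handler, user string, ids []string) []string {
	var exposed []string
	for _, id := range ids {
		req := httptest.NewRequest(http.MethodGet, "/accounts/"+id, nil)
		req.Header.Set("Authorization", "Bearer "+user)
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		if rec.Code == http.StatusOK && owners[id] != user {
			exposed = append(exposed, id)
		}
	}
	return exposed
}

func main() {
	ids := []string{"1001", "1002"}
	fmt.Println("no ownership check:", exposedIDs(accountHandler(false), "alice", ids))
	fmt.Println("ownership enforced:", exposedIDs(accountHandler(true), "alice", ids))
}
```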

AI Agent

The AI Agent capability is the basis for a natural language interaction with one or more Agents via a chat-like interface. Each session will record all messages and actions taken by the Agent and provide human-in-the-loop confirmation for important actions as needed. Stay tuned as we continue to develop this capability. In the meantime, your feedback is welcomed and encouraged!

Reports

To view reports generated and saved via the /api/reports POST endpoint, select the desired report. Stay tuned as we continue to develop this capability. In the meantime, your feedback is welcomed and encouraged!

Contributing

First, thank you for taking the time to check out Reaper! Our primary goal is to get as many folks as possible using it and to drive a roadmap based on your feedback. If you have a great idea for an enhancement or you have encountered a bug, we'd greatly appreciate a well-formed Issue in this repo so we can triage and prioritize accordingly.

Reaper is distributed under the Apache 2.0 License. All Reaper contributors and community members must adhere to the Code of Conduct.

Acknowledgments

Here is a list of projects we want to acknowledge:

  • ProjectDiscovery - produces a suite of open source tools tailored for offensive security: security engineers, bug bounty hunters, and red teamers. They are the creators of subfinder, katana, nuclei, and many other great tools.
