Mongoaudit - A powerful MongoDB auditing and pentesting tool


Mongoaudit not only detects mis-configurations, known vulnerabilities and bugs but also gives you advice on how to fix them, recommends best practices and teaches you how to DevOp like a pro! MongoDB has quite a few holes in its default configuration settings. This fact, combined with abundant lazy system administrators and developers, led to what the press has called the MongoDB apocalypse.



Related Projects

Beef - Browser Exploitation Framework

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser.

Nogotofail - Network Security Testing Tool

Nogotofail is a network security testing tool designed to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way. It includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues, and more.

Sqlmap - Automatic SQL injection and database takeover tool

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Metasploit Framework - World's most used penetration testing software

Metasploit helps verify vulnerabilities and manage security assessments. It makes it easy to automate all phases of a penetration test, from choosing the right exploits to streamlining evidence collection and reporting.

Watcher: Web security testing tool and passive vulnerability scanner

A Fiddler plugin that passively checks web applications for a variety of security issues. Watcher acts as an assistant to the web developer, tester, or security auditor, by quickly identifying real issues and hot-spots that commonly lead to security problems in web apps.

inspec - InSpec: Auditing and Testing Framework

InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements. InSpec makes it easy to run your tests wherever you need. More options are found in the InSpec CLI docs.

Hardanger - Web Application Penetration Testing Platform

Hardanger is an open source web application penetration testing platform for Microsoft Windows operating systems.

mitmproxy - Intercept HTTP traffic for penetration testing

mitmproxy is an interactive, TLS/SSL-capable intercepting HTTP proxy with a console interface, aimed at penetration testers and software developers. mitmdump is the command-line version of mitmproxy: think tcpdump for HTTP. mitmweb is a web-based interface for mitmproxy.

robomongo - Native cross-platform MongoDB management tool

Robo 3T (formerly Robomongo) is a shell-centric cross-platform MongoDB management tool. Unlike most other MongoDB admin UI tools, Robo 3T embeds the actual mongo shell in a tabbed interface with access to a shell command line as well as GUI interaction. Starting from version 1.1, Robo 3T embeds the MongoDB 3.4 shell.

ncrack - Ncrack network authentication tool

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts. Ncrack's features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated brute-forcing attacks, timing templates for ease of use, runtime interaction similar to Nmap's and many more. Protocols supported are: SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP, Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA.


PwnPi is a Linux-based penetration testing dropbox distribution for the Raspberry Pi. It currently has 200+ network security tools pre-installed to aid the penetration tester. It is built on a stripped-down version of the Debian Wheezy image from the Raspberry Pi Foundation's website and uses Openbox as the window manager. PwnPi can be easily set up to send reverse connections from inside a target network by editing a simple configuration file.

Robomongo - Shell-centric cross-platform MongoDB management tool

Robomongo is a shell-centric cross-platform open source MongoDB management tool (i.e. an admin GUI). Robomongo embeds the same JavaScript engine that powers MongoDB's mongo shell. Everything you can write in the mongo shell, you can write in Robomongo. It also provides you with syntax highlighting, autocompletion, different view modes (text, tree, custom) and more.


This is Metasploitable2 (Linux). Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques. The default login and password is msfadmin:msfadmin. Never expose this VM to an untrusted network (use NAT or Host-only mode if you have any questions about what that means). To contact the developers, please send email to

SQL Data Capture - Black Box Application Testing

A tool for capturing and analyzing data modifications; an audit trail generator with a data modifications viewer. Helps with testing, troubleshooting and exploring application functionality. ASP.NET 3.5 C#, SMO application. Audit and CRUD generators are included.

qark - Tool to look for several security related Android application vulnerabilities

Quick Android Review Kit - This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.

Galunggung - Penetration Test Studio

Galunggung is an open source project based on the .NET Framework for building security tools for penetration testing. It will consist of a collection of security tools. These tools can also be applied to penetration testing and hacking purposes at your own risk.

SecurityShepherd - Web and mobile application security training platform

The OWASP Security Shepherd Project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status.

awesome-web-security - 🐶 A curated list of Web Security materials and resources.

🐶 Curated list of Web Security materials and resources. Needless to say, most websites online suffer from various types of bugs, which might eventually lead to vulnerabilities. Why does this happen so often? Many factors can be involved, including misconfiguration, a shortage of engineers' security skills, etc. Therefore, here is the curated list of Web Security materials and resources for learning cutting-edge penetration techniques.

Audit Test Project

audit-test is a test suite designed to provide automated testing for the lightweight audit framework that first appeared in the 2.6.4 kernel. It has been used regularly since RHEL4 and has most recently been updated for RHEL6.3 and SLES11. The test suite now covers functionality beyond audit and includes the automated tests required for the BSI OSPP, including labeled security and virtualization.

x5s - test encodings and character transformations to find XSS hotspots

x5s is a Fiddler addon that aims to assist penetration testers in finding cross-site scripting (XSS) vulnerabilities. By auto-injecting special character-probes into all inputs x5s can detect where the emitted character may be ill-encoded or transformed in a vulnerable way.