"With great power comes great responsibility. Also, the IT department will probably yell at you."
A feature-packed security testing toolkit built in Python, available in two flavours: a sleek dark-themed GUI for people who like clicking things, and a terminal CLI for people who think mice are a crutch.
This tool is for authorized security testing only. That means:
- ✅ Testing your own stuff
- ✅ Testing stuff you've been explicitly given permission to test
- ❌ Testing your ex's website
- ❌ Testing your neighbor's router "just to see"
- ❌ Testing anything government-related and then claiming you "didn't know"
- ❌ Using the DoS lab against anything that isn't localhost
If you use this tool on systems you don't own or have permission to test, you will have a bad time. A legally bad time. The kind of bad time that comes with orange jumpsuits and a very disappointed lawyer.
You've been warned. We accept zero responsibility. Have fun responsibly.
SecurityTool Pro comes loaded with enough tabs to make your browser jealous:
| Module | What It Does |
|---|---|
| Port Scanner | Knock on all the doors and see who answers. Politely. |
| Vuln Scanner | Poke the web app until it cries (XSS, SQLi, LFI, SSRF, Open Redirect, CMDi, XXE, CSRF) |
| CMDi Scanner | Shove shell metacharacters at URL params until something executes |
| XXE Scanner | Feed malicious XML to endpoints that probably shouldn't be eating XML |
| CSRF Detector | Find forms that trust everyone unconditionally, like a golden retriever |
| Proxy | Sit in the middle of HTTP traffic like a very nosy tollbooth operator |
| Packet Sniffer | Watch packets fly by in real time. Nerd bliss. |
| Dir Brute-Forcer | Guess hidden paths until you find the .env file someone definitely meant to gitignore |
| Fuzzer | Throw garbage at inputs and scientifically observe what explodes |
| Header Analyzer | Check if a server remembered to wear its security headers today |
| SSL Analyzer | Verify TLS isn't held together with duct tape and expired certs |
| HTTP Repeater | Resend requests obsessively until you understand what's happening |
| Spider | Crawl a site like a caffeinated intern with infinite energy |
| DoS Lab | A localhost-only punching bag server with intentionally broken endpoints, plus a stress tester to hit it with |
For the visually inclined. Launches a dark, brooding window. Click tabs. Fill in fields. Feel like a hacker in a movie, except accurate.

```bash
python security_tool.py
```

For the terminally online. Every feature accessible via subcommands. Tab-complete not included; suffering builds character.

```bash
python tfs.py --help
```

Interactive shell mode (for those who want a REPL that judges them):

```bash
python tfs.py shell
```

Enter a host, pick a port range, crank up the threads, and watch it go. Ports will be open (exciting!), closed (boring), or filtered (a firewall is silently judging you from a distance).
GUI: Port Scanner tab → fill in host + range → Scan
CLI: python tfs.py portscan --host 127.0.0.1 --start 1 --end 1024
Paste a URL containing at least one ?param=value, check the boxes for what you want to test, and let the chaos begin. Checks are done by injecting payloads into each query parameter and looking for telltale signs in the response.
Supported checks:
| Check | What It Looks For |
|---|---|
| XSS | Reflected script tags / event handlers in response |
| SQL Injection | DB errors, syntax complaints, stack traces |
| LFI | /etc/passwd contents leaking into responses |
| SSRF | Server making requests to places it really shouldn't |
| Open Redirect | Location: headers pointing somewhere embarrassing |
| CMDi | OS command output (uid=, root:, directory listings) |
| XXE | File contents leaking through XML parsers |
| CSRF | POST forms without any token-looking inputs |
| Headers | Security headers missing their shift |
GUI: Vuln Scanner tab → URL → check boxes → Scan
CLI: python tfs.py scan --url "http://target.local/?q=1" --xss --sqli --cmdi --xxe --csrf
Injects shell metacharacters (;whoami, |id, $(whoami), backtick variants, newlines, the works) into URL query parameters. Inspects responses for OS output signatures. Finds that one developer who trusted user input.
CLI: python tfs.py cmdi --url "http://target.local/ping?host=127.0.0.1"
POSTs crafted XML payloads with external entity definitions that point at local files like /etc/passwd and /etc/hosts. If the parser is trusting and misconfigured, you'll see file contents come back. XML parsers: the golden retrievers of the web world.
CLI: python tfs.py xxe --url "http://target.local/api/parse"
Fetches a page, parses all its HTML forms, and flags any POST form that doesn't have an input that looks like a CSRF token. This is the "someone left the front door open" check. Surprisingly common.
CLI: python tfs.py csrf --url "http://target.local/account/settings"
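One way to implement that check, as an added example that is not the project's own code: it uses only the standard library's HTMLParser (the toolkit itself uses beautifulsoup4) and assumes that an input whose name contains csrf, xsrf, token, authenticity or nonce counts as a token.

```python
# Added example, not the project's own code: flag POST forms that carry no
# CSRF-token-like input, using only the standard library's HTMLParser.
from html.parser import HTMLParser

# Assumption: an input whose name contains one of these is an anti-CSRF token.
TOKEN_HINTS = ("csrf", "xsrf", "token", "authenticity", "nonce")


class FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.current = {"method": a.get("method", "get").lower(),
                            "action": a.get("action", ""), "inputs": []}
        elif tag == "input" and self.current is not None:
            self.current["inputs"].append(a.get("name", "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            self.forms.append(self.current)
            self.current = None


def has_token(form):
    return any(h in name for name in form["inputs"] for h in TOKEN_HINTS)


def find_unprotected_forms(html):
    """Return the action of every POST form that has no token-like input."""
    p = FormCollector()
    p.feed(html)
    p.close()
    if p.current is not None:           # tolerate a page with an unclosed <form>
        p.forms.append(p.current)
    return [f["action"] for f in p.forms
            if f["method"] == "post" and not has_token(f)]


# Constructed sample page: a protected POST form, a bare POST form, a GET form.
SAMPLE_HTML = """<form method="post" action="/account/settings">
  <input type="hidden" name="csrf_token" value="abc123"><input name="email">
</form>
<form method="POST" action="/account/delete"><input name="confirm"></form>
<form method="get" action="/search"><input name="q"></form>
"""
```

Calling `find_unprotected_forms(SAMPLE_HTML)` returns only `/account/delete`; the GET form is ignored because it should not change state in the first place.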
Set your browser to use 127.0.0.1 on your chosen port and watch/intercept all the HTTP traffic. Edit requests before forwarding them. Feel the power. Use the power responsibly.
GUI: Proxy tab → set port → Start
CLI: python tfs.py proxy --port 8080
Captures live network traffic with Scapy. Requires elevated privileges (root/admin) because the OS doesn't let just anyone read raw packets; it draws the line somewhere. If you're on a network you shouldn't be sniffing, please re-read the disclaimer.
GUI: Packet Sniffer tab → choose interface → Sniff
CLI: python tfs.py sniff --iface eth0
Tries a wordlist of paths against your target and reports which ones actually exist. Finds hidden endpoints like /admin, /.env, /backup_final_REAL_v3.zip. You would be genuinely amazed at what developers leave lying around in production.
GUI: Dir Brute-Forcer tab → URL + wordlist → Brute
CLI: python tfs.py dirbrute --url "http://target.local" --wordlist /path/to/list.txt
Throws a configurable list of unexpected inputs at a URL parameter and records what comes back. Crash it, confuse it, break its spirit, document the findings.
GUI: Fuzzer tab → URL → Fuzz
CLI: python tfs.py fuzz --url "http://target.local/search?q=FUZZ"
Fetches the HTTP response headers from a URL and checks for the presence of important security headers. Missing Content-Security-Policy? Missing X-Frame-Options? It will tell you. Sadly, it will not tell the developer for you.
GUI: Header Analyzer tab → URL → Analyze
CLI: python tfs.py headers --url "http://target.local"
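An added example of the header audit, not the project's code: it goes one step beyond presence and also flags a few weak values (an HSTS max-age under a year, 'unsafe-inline' or 'unsafe-eval' in the CSP, a non-standard X-Frame-Options value, a non-nosniff X-Content-Type-Options). The header list and the thresholds are assumptions; the input is the header dict any HTTP client gives you.

```python
# Added example, not the project's own code: audit a response's security
# headers for presence and for a few common weak values.

# Assumption: the headers the audit expects; the toolkit's own list may differ.
REQUIRED = ("Strict-Transport-Security", "Content-Security-Policy",
            "X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy")
ONE_YEAR = 31536000


def hsts_max_age(value):
    """Return the max-age of an HSTS header, or 0 if absent or malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def audit_headers(headers):
    """Return a list of findings for missing or weak security headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED if name.lower() not in h]
    hsts = h.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age below one year")
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy permits unsafe-inline/unsafe-eval")
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has ineffective value {xfo!r}")
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    return findings


# Constructed sample: the kind of header set a half-configured server returns.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("-", finding)
```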
Checks the TLS certificate for a host: expiry date, issuer, subject, protocol version, and cipher suite. Finds the cert that expired three months ago and nobody noticed. Classic.
GUI: SSL Analyzer tab → host → Analyze
CLI: python tfs.py ssl --host target.local
Send a raw HTTP request and see the raw response. Tweak it. Resend it. Tweak it again. Keep going until enlightenment arrives or your coffee gets cold, whichever comes first.
GUI: HTTP Repeater tab → paste request → Send
Crawls a site starting from a given URL, finds all links, follows them, maps the site. Like wget --mirror but with a GUI and more personality.
GUI: Spider tab → URL → Crawl
A deliberately vulnerable local HTTP server you spin up on your own machine to practice load testing and stress analysis. It exposes intentionally unprotected endpoints so you can observe what happens when things go wrong (safely, on localhost, like a responsible adult).
Endpoints:
| Path | Behaviour |
|---|---|
| / | Normal boring response |
| /slow | Sleeps 5 seconds before responding (no timeout protection) |
| /heavy | Returns 512 KB of garbage data |
| /cpu | Runs a CPU-intensive loop (resource exhaustion simulation) |
| /info | Returns server stats as JSON |
GUI: DoS Lab tab → set port → Start Lab Server → point Stress Tester at it
CLI (start server): python tfs.py doslab --port 9999
CLI (stress test): python tfs.py stress --url "http://127.0.0.1:9999/slow" --threads 20 --requests 200
The stress tester tracks: requests sent, successes, errors, requests/sec, average/min/max latency. Use it to understand how systems behave under load. Use it only against the lab server or systems you own and have explicitly set up for this purpose.
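A minimal reimplementation of the lab server with the five endpoints above, added here as an example and not the project's own code: it is built on the standard library's http.server and binds to 127.0.0.1 only, so nothing outside the machine can reach it. The default port 9999 mirrors the CLI example, and the small fetch() client is there for trying it out.

```python
# Added example, not the project's own code: a localhost-only lab server with
# the endpoints the README lists, built on the standard library's http.server.
import http.client, json, threading, time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

STATS = {"requests": 0, "started": time.time()}   # shared counters for /info
LOCK = threading.Lock()


class LabHandler(BaseHTTPRequestHandler):
    def _send(self, body, ctype="text/plain"):
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        with LOCK:
            STATS["requests"] += 1
        if self.path == "/slow":        # deliberately no timeout protection
            time.sleep(5)
            self._send(b"slow response\n")
        elif self.path == "/heavy":     # 512 KB of filler
            self._send(b"A" * (512 * 1024))
        elif self.path == "/cpu":       # resource-exhaustion simulation
            self._send(f"cpu done: {sum(i * i for i in range(2_000_000))}\n".encode())
        elif self.path == "/info":
            with LOCK:
                info = {**STATS, "uptime_s": round(time.time() - STATS["started"], 3)}
            self._send(json.dumps(info).encode(), "application/json")
        else:
            self._send(b"hello from the lab\n")


def start_lab(port=9999):
    """Bind to 127.0.0.1 only (never 0.0.0.0) and serve on a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", port), LabHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, path):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    srv = start_lab()
    print(f"lab server listening on http://127.0.0.1:{srv.server_address[1]}/")
    threading.Event().wait()            # keep the main thread alive
```

Passing port 0 to start_lab() picks a free ephemeral port, which is handy when you want to run it inside a test rather than on 9999.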
- Python 3.x
- tkinter: bundled with Python; proof the 90s never fully died
- requests: for everything HTTP
- beautifulsoup4: HTML parsing; finds the forms CSRF forgot to protect
- scapy: packet sniffing only; optional; requires root/admin

Install non-stdlib deps:

```bash
pip install requests beautifulsoup4 scapy
```

Note on Scapy: It requires root/admin. Not because we want to gatekeep, but because raw socket access requires it. The OS is being responsible. We appreciate that.
- security_tool.py: GUI version; one file; living dangerously
- tfs.py: CLI/terminal version; also one file; double the danger
- README.md: You are here
Found a bug? Have a feature idea? Open an issue or PR.
Please don't submit "added 500 more payloads" as your entire contribution without context. We will have questions. Many questions.
MIT License
Copyright (c) 2026 Prathyay
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
(Translation: Do whatever you want with this, but if it breaks something, that's entirely on you, champ.)
Built with Python, tkinter, mild paranoia, and a deep mistrust of unpatched web apps.