🐉 Dragon Bypass

Professional Authentication Security Testing Framework
Advanced tool for security researchers, penetration testers, and bug bounty hunters.

---

🔥 Key Features

Category	Capabilities
Authentication	Auto-detect flows (Form, Basic, OAuth, SAML, JWT, API Key)
Injection	SQLi, XSS, XXE, SSRF, Command Injection
Brute Force	JWT secret cracking, API key brute-forcing
Analysis	Security headers, cookie entropy, tech fingerprinting
Automation	Workflow chains, multi-step auth flows
OAST	DNS exfiltration, out-of-band testing

---

🚀 Quick Start

# Clone the repository
git clone https://github.com/clayhackergroup/dragon.git
cd dragon

# Install dependencies
pip install -r requirements.txt

# Basic scan
python main.py scan --url https://target.com

# Interactive mode
python main.py interactive

---

📋 Available Commands

scan         - Full vulnerability scanner
replay      - Replay captured auth flows  
test        - Run security tests on flows
record      - Record authentication flows
report      - Display scan reports
server      - Start FastAPI server
fuzz        - Parameter fuzzing
jwt         - JWT vulnerability toolkit
proxy       - Intercept proxy
export      - Export reports (HTML/CSV/JSON)
detect      - Auto-detect auth flows
audit       - Security headers audit
session     - Cookie/session analyzer
jssecrets   - Scan JavaScript for secrets
workflow   - Workflow automation
interactive - Interactive shell
intruder    - Cluster bomb/Sniper brute-forcer
inject      - SQLi/XSS/XXE/SSRF injector
brute      - JWT/API key brute-forcer
oast       - DNS exfiltration testing

---

🛠️ Usage Examples

Authentication Detection

# Auto-detect login forms and auth flows
python main.py detect --url https://app.target.com/login

# Record and replay auth flow
python main.py record --url https://app.target.com --login -u admin -p password123
python main.py replay auth_flow.json --url https://app.target.com

Vulnerability Scanning

# Full scan
python main.py scan --url https://app.target.com --test all

# SQL Injection testing
python main.py inject --url https://app.target.com/search --param q --type sql

# XSS testing
python main.py inject --url https://app.target.com/search --param q --type xss

# JWT vulnerabilities
python main.py jwt --url https://app.target.com/api --token "eyJ..."

Brute Forcing

# Intruder-style parameter brute
python main.py intruder --url https://app.target.com/login --param username --type numbers

# JWT secret cracking
python main.py brute --url https://app.target.com/api/verify --token "eyJ..." --wordlist /usr/share/wordlists/rockyou.txt

# Custom wordlist
python main.py intruder --url https://app.target.com/auth --param user --wordlist usernames.txt --type sql

Security Analysis

# Security headers audit
python main.py audit --url https://app.target.com

# Cookie & session analysis
python main.py session --url https://app.target.com/dashboard

# JavaScript secrets scanning
python main.py jssecrets --url https://app.target.com/app.js

# Technology fingerprinting
python main.py session --url https://app.target.com

Advanced

# Start intercept proxy
python main.py proxy --target https://app.target.com --port 8080

# Workflow automation
python main.py workflow login_then_access.json --url https://app.target.com --var username=admin --var password=pass123

# Export report
python main.py export results.json --format html --output report.html

---

🎯 Module Architecture

dragon-bypass/
├── core/                    # Core engine
│   ├── recorder.py         # Capture auth flows
│   ├── replayer.py         # Replay requests
│   ├── mutator.py         # Parameter mutation
│   ├── analyzer.py       # Response analysis
│   ├── fuzzer.py          # Fuzzing engine
│   ├── proxy.py          # Intercept proxy
│   ├── threading.py      # Parallel execution
│   └── workflow.py      # Automation
│
├── modules/                # Testing modules
│   ├── role_tester.py     # Privilege escalation
│   ├── otp_tester.py    # OTP vulnerabilities
│   ├── session_checker.py # Session handling
│   ├── reset_tester.py  # Password reset
│   ├── jwt_tester.py    # JWT attacks
│   ├── auth_detector.py # Auth flow detection
│   ├── security_audit.py # Headers & cookies
│   ├── http_attacks.py  # HTTP smuggling
│   ├── intruder.py      # Burp-style intruder
│   ├── injection.py    # SQLi/XSS/XXE/SSRF
│   └── oast.py          # OAST/DNS
│
└── utils/                 # Utilities
    ├── logger.py        # Colored output
    ├── parser.py        # HTTP parsing
    ├── diff_engine.py   # Response comparison
    ├── reporter.py      # Report generation
    └── interactive.py    # Interactive shell

---

🆚 Comparison with Other Tools

Feature	Dragon Bypass	Burp Suite Pro	OWASP ZAP	AuthRecon
Auth Flow Detection	✅	✅	❌	✅
SQLi Testing	✅	✅	✅	❌
XSS Testing	✅	✅	✅	❌
JWT Attacks	✅	✅	⚠️	❌
Workflow Automation	✅	✅	⚠️	❌
Cluster Bomb	✅	✅	❌	❌
Interactive Shell	✅	❌	❌	❌
JWT Brute-Force	✅	❌	❌	❌
OAST/DNS	✅	✅	⚠️	⚠️
Free/Open Source	✅	❌	✅	✅
Python-based	✅	❌	⚠️	✅

Why Dragon Bypass?

• Comprehensive: 20+ commands covering all auth testing scenarios
• Fast: Multi-threaded cluster bombing
• Modern: Python 3.8+, async support
• Free: No expensive licenses
• Extensible: Modular plugin architecture

---

📊 Security Testing Coverage

Category	Tests
Authentication Bypass	15+
SQL Injection	30+
XSS Variants	25+
XXE Injection	7+
SSRF Vectors	15+
Command Injection	12+
JWT Attacks	10+
OAuth Vulnerabilities	5+
SAML Attacks	4+

---

⚠️ Disclaimer

FOR AUTHORIZED SECURITY TESTING ONLY

This tool is designed for security professionals and researchers conducting authorized security assessments. Using this tool against systems without explicit permission is illegal and unethical.

The authors assume no liability for misuse or damage caused by this tool.

---

📝 License

MIT License - See LICENSE for details.

---

👥 Developer

Lead Developer

Role	Name	Handle
Founder / Lead	Spidey	@spideyze
Co-Founder	Dark Horizon	@mrdarkhorizon

Development Team

Role	Name	Area
Core Developer	Spidey and Dark Horizon	Core engine, CLI, Mutator
Security Researcher	Spidey and Dark Horizon	Injection modules, Attack vectors
Pentest Lead	BlackMoon and spidey	Authentication testing
Automation Dev	Divya tiwari and Spidey	Workflow, Pipeline
Research	spidey and misti	JWT/OAuth security
QA	GhostSec , spidey , Dark Horizon , Divya Tiwari , misti , aditya, radhika and sam	Testing, Documentation

Team: Clay Group

╔═══════════════════════════════════════════════════════════╗
║                   CLAY GROUP                        ║
║        Official Cybersecurity Research Team        ║
╠═══════════════════════════════════════════════════════════╣
║  Founded: 2024                                   ║
║  Focus: Web App Security, API Testing             ║
║  Mission: Professional security tools          ║
╚═══════════════════════════════════════════════════════════╝

Contact

Platform	Handle
Instagram	@h4cker.in and @exp1oit
Telegram	@spideyze and @mrdarkhorizon
Email	hidden
GitHub	@clayhackergroup

Acknowledgments

Special thanks to:

• The security research community
• Bug bounty hunters worldwide
• OWASP Foundation
• Open source contributors

---

📜 History

v1.0.0 (2024)

• Initial release
• 20 commands
• 28 modules
• SQLi/XSS/XXE/SSRF injection
• JWT/OAuth testing
• Cluster bomb intruder
• Workflow automation

---

🔧 Requirements

requests>=2.28.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
pyjwt>=2.8.0
colorama>=0.4.6
fastapi>=0.100.0
uvicorn>=0.23.0
pydantic>=2.0.0

---

_{Dragon Bypass v1.0.0 | Professional Auth Security Testing Framework}