🧟♂️ Zombie VDP – Ultimate Offensive Security Framework for VDP/Bug Bounty
Project description
🧟♂️ ZOMBIE VDP – Ultimate Offensive Security Framework
⚠️ DISCLAIMER
FOR AUTHORIZED SECURITY TESTING ONLY
This tool is designed exclusively for:
- Vulnerability Disclosure Programs (VDP)
- Authorized Bug Bounty programs
- Security researchers with explicit written permission
- Educational purposes in controlled lab environments
Unauthorized scanning of systems you do not own or have permission to test is ILLEGAL. The authors assume no liability for misuse of this software. You are solely responsible for complying with all applicable laws and regulations.
🎯 What is ZOMBIE VDP?
ZOMBIE VDP is an all-in-one offensive security automation framework that transforms your bug bounty workflow into a relentless, intelligent machine. Like the undead, it never stops hunting.
🧬 The Philosophy
Traditional scanners are noisy, linear, and predictable. ZOMBIE breaks that mold:
| Traditional Scanners | 🧟 ZOMBIE VDP |
|---|---|
| Sequential scanning | 🔀 Concurrent multi-vector attacks |
| Static payloads | 🧬 DNA Cloning — mutating payloads |
| Easy to fingerprint | 👻 Ghost Mode — invisible to WAF |
| Single perspective | 🪞 Mirror Mode — multi-identity rotation |
| Manual recon chain | ⛓️ Automated end-to-end kill chain |
| Basic crawling | 🕸️ Deep JavaScript endpoint extraction |
🩸 Core Architecture
🚀 Features
🔍 Reconnaissance (OSINT + Passive)
- ✅ Google/Bing/DDG Dorking — Automated dork generation from templates
- ✅ Wayback Machine — Historical endpoint discovery via CDX API
- ✅ CommonCrawl — Massive-scale URL indexing (billions of pages)
- ✅ crt.sh Integration — SSL certificate transparency log mining
- ✅ AlienVault OTX — Threat intelligence passive DNS/subdomain
- ✅ URLScan.io — Domain scan history & screenshot analysis
- ✅ WHOIS Lookup — Domain registration intelligence
🕷️ Advanced Crawler
- ✅ JavaScript-aware crawling — Executes JS, extracts dynamic content
- ✅ SPA Support — Single Page Application endpoint discovery
- ✅ Sourcemap Parser — Extract hidden paths from
.js.mapfiles - ✅ JS Endpoint Extractor — Find API endpoints in minified JavaScript
- ✅ Robots.txt respect — Ethical crawling with configurable bypass
- ✅ Configurable depth & delay — Stealthy or aggressive modes
💉 Vulnerability Detection
| Module | Description | CVEs Detected |
|---|---|---|
| IDOR | Insecure Direct Object Reference | Parameter manipulation, UUID prediction |
| XXE | XML External Entity Injection | Blind & error-based, SSRF chaining |
| JWT Attack | JSON Web Token exploitation | None algo, weak secrets, KID injection |
| GraphQL | Introspection & injection | Batching attacks, field suggestion abuse |
| WebSocket | WS message tampering | CSWSH, connection hijacking |
| Prototype Pollution | JS object prototype injection | Server-side & client-side vectors |
| SQL Injection | Time-based, boolean, error-based | MySQL, PostgreSQL, MSSQL, Oracle |
| XSS | Reflected, Stored, DOM-based | WAF bypass payloads included |
| SSRF | Server-Side Request Forgery | AWS metadata, GCP, internal services |
| LFI/RFI | Local/Remote File Inclusion | Log poisoning, PHP wrappers |
| CSRF | Cross-Site Request Forgery | Token validation, same-site bypass |
| Open Redirect | URL redirection | Header-based, meta-refresh, JS redirect |
👻 Ghost/Mirror — Advanced Evasion
🛡️ Stealth & Anonymity
- ✅ Anonymous Mode — Tor/SOCKS5 proxy chaining
- ✅ Proxy Validation — Auto-test proxy health before use
- ✅ SSL Verification Toggle — Accept self-signed certs when needed
- ✅ Rate Limiting — Adaptive request throttling
- ✅ Random Delays — Human-like timing patterns
- ✅ Filter System —
ninja,samurai,ghostpresets
📦 Installation
Prerequisites
- Python 3.9 or higher
- pip (latest version recommended)
- git
Quick Install
# Clone the repository
git clone https://github.com/pormes-90/ZOMBIE.git
cd ZOMBIE
# Basic installation
pip install .
# Full installation with all features
pip install ".[all]"
# Development installation
pip install -e ".[dev,ghost]"
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file zombie_vdp-1.0.8.tar.gz.
File metadata
- Download URL: zombie_vdp-1.0.8.tar.gz
- Upload date:
- Size: 61.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1362466ccba28ac33662955fadf2772db7596fada170dc8620ea8ebf699d5067
|
|
| MD5 |
23aee4a4dc4b7f3af37fc6c08f02a75c
|
|
| BLAKE2b-256 |
f0e3e0d1c8aad31bfaf683b087973a13e6bc24c3fe67d236fafd5976c7b27da4
|
File details
Details for the file zombie_vdp-1.0.8-py3-none-any.whl.
File metadata
- Download URL: zombie_vdp-1.0.8-py3-none-any.whl
- Upload date:
- Size: 58.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
23e40f7b5b89f4b5430c779e063e76b4c2826077e1bfd88a3938ae60afd3a9e2
|
|
| MD5 |
c8af8840f1adca63ce2a8ef8717b31b7
|
|
| BLAKE2b-256 |
c38ee63f1975b72d94bfbd251f186d2c71d92edee44e4137ebaca10e133044af
|