Skip to main content

🧟‍♂️ Zombie VDP – Ultimate Offensive Security Framework for VDP/Bug Bounty

Project description

🧟‍♂️ ZOMBIE VDP – Ultimate Offensive Security Framework


⚠️ DISCLAIMER

FOR AUTHORIZED SECURITY TESTING ONLY

This tool is designed exclusively for:

  • Vulnerability Disclosure Programs (VDP)
  • Authorized Bug Bounty programs
  • Security researchers with explicit written permission
  • Educational purposes in controlled lab environments

Unauthorized scanning of systems you do not own or have permission to test is ILLEGAL. The authors assume no liability for misuse of this software. You are solely responsible for complying with all applicable laws and regulations.


🎯 What is ZOMBIE VDP?

ZOMBIE VDP is an all-in-one offensive security automation framework that transforms your bug bounty workflow into a relentless, intelligent machine. Like the undead, it never stops hunting.

🧬 The Philosophy

Traditional scanners are noisy, linear, and predictable. ZOMBIE breaks that mold:

Traditional Scanners 🧟 ZOMBIE VDP
Sequential scanning 🔀 Concurrent multi-vector attacks
Static payloads 🧬 DNA Cloning — mutating payloads
Easy to fingerprint 👻 Ghost Mode — invisible to WAF
Single perspective 🪞 Mirror Mode — multi-identity rotation
Manual recon chain ⛓️ Automated end-to-end kill chain
Basic crawling 🕸️ Deep JavaScript endpoint extraction

🩸 Core Architecture


🚀 Features

🔍 Reconnaissance (OSINT + Passive)

  • Google/Bing/DDG Dorking — Automated dork generation from templates
  • Wayback Machine — Historical endpoint discovery via CDX API
  • CommonCrawl — Massive-scale URL indexing (billions of pages)
  • crt.sh Integration — SSL certificate transparency log mining
  • AlienVault OTX — Threat intelligence passive DNS/subdomain
  • URLScan.io — Domain scan history & screenshot analysis
  • WHOIS Lookup — Domain registration intelligence

🕷️ Advanced Crawler

  • JavaScript-aware crawling — Executes JS, extracts dynamic content
  • SPA Support — Single Page Application endpoint discovery
  • Sourcemap Parser — Extract hidden paths from .js.map files
  • JS Endpoint Extractor — Find API endpoints in minified JavaScript
  • Robots.txt respect — Ethical crawling with configurable bypass
  • Configurable depth & delay — Stealthy or aggressive modes

💉 Vulnerability Detection

Module Description CVEs Detected
IDOR Insecure Direct Object Reference Parameter manipulation, UUID prediction
XXE XML External Entity Injection Blind & error-based, SSRF chaining
JWT Attack JSON Web Token exploitation None algo, weak secrets, KID injection
GraphQL Introspection & injection Batching attacks, field suggestion abuse
WebSocket WS message tampering CSWSH, connection hijacking
Prototype Pollution JS object prototype injection Server-side & client-side vectors
SQL Injection Time-based, boolean, error-based MySQL, PostgreSQL, MSSQL, Oracle
XSS Reflected, Stored, DOM-based WAF bypass payloads included
SSRF Server-Side Request Forgery AWS metadata, GCP, internal services
LFI/RFI Local/Remote File Inclusion Log poisoning, PHP wrappers
CSRF Cross-Site Request Forgery Token validation, same-site bypass
Open Redirect URL redirection Header-based, meta-refresh, JS redirect

👻 Ghost/Mirror — Advanced Evasion

🛡️ Stealth & Anonymity

  • Anonymous Mode — Tor/SOCKS5 proxy chaining
  • Proxy Validation — Auto-test proxy health before use
  • SSL Verification Toggle — Accept self-signed certs when needed
  • Rate Limiting — Adaptive request throttling
  • Random Delays — Human-like timing patterns
  • Filter Systemninja, samurai, ghost presets

📦 Installation

Prerequisites

  • Python 3.9 or higher
  • pip (latest version recommended)
  • git

Quick Install

# Clone the repository
git clone https://github.com/pormes-90/ZOMBIE.git
cd ZOMBIE

# Basic installation
pip install .

# Full installation with all features
pip install ".[all]"

# Development installation
pip install -e ".[dev,ghost]"

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

zombie_vdp-1.0.8.tar.gz (61.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

zombie_vdp-1.0.8-py3-none-any.whl (58.2 kB view details)

Uploaded Python 3

File details

Details for the file zombie_vdp-1.0.8.tar.gz.

File metadata

  • Download URL: zombie_vdp-1.0.8.tar.gz
  • Upload date:
  • Size: 61.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for zombie_vdp-1.0.8.tar.gz
Algorithm Hash digest
SHA256 1362466ccba28ac33662955fadf2772db7596fada170dc8620ea8ebf699d5067
MD5 23aee4a4dc4b7f3af37fc6c08f02a75c
BLAKE2b-256 f0e3e0d1c8aad31bfaf683b087973a13e6bc24c3fe67d236fafd5976c7b27da4

See more details on using hashes here.

File details

Details for the file zombie_vdp-1.0.8-py3-none-any.whl.

File metadata

  • Download URL: zombie_vdp-1.0.8-py3-none-any.whl
  • Upload date:
  • Size: 58.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for zombie_vdp-1.0.8-py3-none-any.whl
Algorithm Hash digest
SHA256 23e40f7b5b89f4b5430c779e063e76b4c2826077e1bfd88a3938ae60afd3a9e2
MD5 c8af8840f1adca63ce2a8ef8717b31b7
BLAKE2b-256 c38ee63f1975b72d94bfbd251f186d2c71d92edee44e4137ebaca10e133044af

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page