Aria Pentest Automation

This repository contains the core components for the Aria Pentest Automation system. This system aims to automate various aspects of web application penetration testing, leveraging AI and integration with tools like Burp Suite.

Project Structure

• aria_operator.py: The main orchestration script that drives the automated pentest process.
• AriaConnector.py: A Burp Suite extension (Jython script) responsible for logging HTTP/S traffic and providing an API for external tools to interact with Burp Repeater.
• AriaConnectorClient.py: A Python client library that simplifies communication with the AriaConnector Burp extension's API.
• attack_executor.py: Executes defined attack plans, coordinating browser actions and Burp traffic capture.
• browser_manager.py: Manages browser instances (using Playwright) for automated navigation and interaction with web applications.
• config.py: Centralized configuration file for various settings, including Burp API URL, browser settings, etc.
• llm_service.py: Handles interactions with Large Language Models (LLMs) for AI-driven tasks such as generating attack plans or analyzing results.
• prompts.py: Stores predefined prompts and templates used for interacting with LLMs.
• utils.py: Contains various utility functions used across the project.
• attack_patterns.json: A JSON file defining various attack patterns or templates that the system can utilize.
• pentest_url.json: A JSON file to configure the target URLs for pentesting.
• test_execute_plan.py: Unit tests for the attack_executor.py module.

Features

• Automated Web Traffic Logging: Seamlessly captures and logs HTTP/S traffic via a custom Burp Suite extension.
• AI-Driven Attack Plan Generation: Leverages Large Language Models to generate intelligent and context-aware attack plans.
• Browser Automation: Utilizes Playwright for robust and reliable automated interaction with web applications.
• Burp Repeater Integration: Allows programmatic sending and modification of requests to Burp Repeater for advanced testing scenarios.
• Modular Design: Clear separation of concerns for easy maintenance and extensibility.

Installation

Follow these steps to set up the Aria Pentest Automation system.

1. Clone the Repository

First, clone the project repository to your local machine:

git clone https://github.com/your-username/aria_pentest.git
cd aria_pentest

(Replace your-username with the actual GitHub username or organization if this is a public repository.)

2. Set Up Python Environment

It is highly recommended to use a Python virtual environment to manage dependencies.

# Create a virtual environment
python3 -m venv venv

# Activate the virtual environment
source venv/bin/activate  # On Linux/macOS
# venv\Scripts\activate   # On Windows

3. Install Python Dependencies

Install all required Python libraries. Create a requirements.txt file in the root of your project with the following content:

httpx
playwright
python-dotenv
requests

Then, install them using pip:

pip install -r requirements.txt

4. Install Playwright Browsers

Aria Pentest Automation uses Playwright for browser automation. You need to install the necessary browser binaries:

playwright install

This command will install Chromium, Firefox, and WebKit browsers.

5. Burp Suite Setup

The AriaConnector.py script functions as a Burp Suite extension.

1. Open Burp Suite.
2. Navigate to the Extender tab.
3. Go to the Extensions sub-tab.
4. Click the Add button.
5. In the "Add extension" dialog:
   • Set "Extension type" to Python.
   • Click "Select file..." and browse to the AriaConnector.py file in your cloned repository (/path/to/aria_pentest/AriaConnector.py).
   • Ensure "Output file" and "Error file" are set to locations where Burp can write logs (e.g., temporary files or specific log files).
6. Click Next.
7. Verify that the extension loads successfully. You should see messages in the "Output" tab of the extension indicating that the API server has started (e.g., "API server started on http://127.0.0.1:1337").

Important: Ensure Burp Suite is running and the AriaConnector extension is active whenever you run the Aria Pentest Automation scripts, as they communicate via this API.

Configuration

config.py

Review and adjust settings in config.py as needed. Key settings include:

• BURP_API_URL: The URL where the AriaConnector Burp extension's API is listening (default: http://127.0.0.1:1337).
• Other browser-related or LLM-related configurations.

pentest_url.json

This file defines the target URLs for your pentesting operations. It should be a JSON array of objects, where each object represents a target.

Example pentest_url.json:

[
  "https://0ad10018039c1567d976c27d00fa004d.web-security-academy.net/post?postId=8"
]

Ensure this file is correctly formatted JSON.

Usage

To run the automated pentest process, execute the aria_operator.py script.

python3 aria_operator.py

The script will then orchestrate the process, including:

1. Initializing browser instances.
2. Communicating with the Burp extension to set attack IDs and retrieve traffic.
3. Executing attack plans based on the attack_patterns.json and LLM interactions.
4. Logging outcomes and captured HTTP traffic.

Monitor the console output for progress and any warnings or errors.

Contributing

Contributions are welcome! Please feel free to open issues or submit pull requests.

License

(Add your project's license information here, e.g., MIT, Apache 2.0, etc.)