C A S C A V E L .

v3.0.1 — Red Team Intelligence Engine

Quantum-grade offensive security framework for demanding Red Teams. Modular, extensible and brutally efficient. Zero tracking. Zero telemetry. Fully auditable code.

85Security Plugins

14Attack Categories

30+Recon Tools

4Report Formats

211Tests Passing

cascavel — v3.0.1 — zsh

# Full target scan
❯ python3 cascavel.py -t target.com
# List all 85 plugins
❯ python3 cascavel.py --list-plugins
# Check external tools
❯ python3 cascavel.py --check-tools
# CI/CD silent mode with JSON output
❯ python3 cascavel.py -t target.com --quiet --json

⚡ View on GitHub 📖 Plugin Docs

Arsenal

Elite capabilities for reconnaissance, exploitation and automated reporting.

🔌

85 Security Plugins

14 attack categories covering injection, server-side, auth bypass, protocol-level, API, infrastructure and more. Standardized run(target, ip, ports, banners) interface.

🛰️

30+ Recon Tools

Native integration with Nmap, Subfinder, Amass, Katana, Nuclei, Shodan, Nikto, WHOIS/RDAP, Traceroute and the entire modern OSINT ecosystem.

🖥️

Cinematic Terminal UX

Cinematic boot sequence with ASCII art fade-in, typewriter effects, Rich progress bars, Live interactive panel and Security Intel tips during scans.

📊

Multi-Format Reports

Automatic reports in PDF (ReportLab), Markdown and JSON with findings categorized by severity — CRITICAL, HIGH, MEDIUM, LOW, INFO.

🔒

CI/CD Hardened

Armored pipeline: Bandit SAST, CodeQL, Ruff, pip-audit, Semgrep, OpenSSF Scorecard, pre-commit hooks. Pinned dependencies and token permissions.

🧠

Intelligence Engine

ANSI escape sanitizer against terminal injection, graceful shutdown (SIGINT/SIGTERM/SIGPIPE), findings correlation and smart deduplication.

Plugin Categories

85 security plugins organized across 14 specialized attack categories.

💉 Injection & Code Execution 7

Plugin	File	Techniques
XSS Scanner	`xss_scanner.py`	Polyglot payloads, DOM-based, mutation XSS, WAF bypass, event handlers
SQLi Scanner	`sqli_scanner.py`	Time-based, error-based, union-based, boolean blind, DBMS fingerprint
SSTI Scanner	`ssti_scanner.py`	Jinja2, Twig, Mako, Freemarker, multi-engine polyglot payloads
RCE Scanner	`rce_scanner.py`	Command injection, OS detection, chained commands, encoding bypass
Blind RCE	`blind_rce.py`	Time-based OOB detection, sleep injection, DNS callback
NoSQL Scanner	`nosql_scanner.py`	MongoDB injection ($gt, $ne, $regex), JSON body injection
Log4Shell Scanner	`cve_2021_44228_scanner.py`	12 headers, 5 WAF bypass payloads, Java fingerprint, OOB tokens

🌐 Server-Side Attacks 4

Plugin	File	Techniques
SSRF Scanner	`ssrf_scanner.py`	IMDSv2, DNS rebinding, gopher://, redirect chain, cloud metadata
XXE Scanner	`xxe_scanner.py`	XML entity injection, OOB exfiltration, parameter entities
LFI Scanner	`lfi_scanner.py`	Path traversal, null byte, double encoding, wrapper protocols
Path Traversal	`path_traversal.py`	Directory traversal, encoding bypass, OS-specific paths

🔐 Authentication & Authorization 6

Plugin	File	Techniques
JWT Analyzer	`jwt_analyzer.py`	None algorithm, key confusion (RS→HS), JWKS poisoning, claim analysis
OAuth Scanner	`oauth_scanner.py`	PKCE enforcement, state validation, token leakage, redirect URI
CSRF Detector	`csrf_detector.py`	Token validation, SameSite, origin header check
IDOR Scanner	`idor_scanner.py`	Sequential ID enumeration, UUID prediction, access control bypass
Session Fixation	`session_fixation.py`	Cookie flags, session regeneration, pre-auth token analysis
Password Policy	`password_policy.py`	Policy strength analysis, common password testing, lockout detection

🔄 Protocol-Level Attacks 4

Plugin	File	Techniques
HTTP Smuggling	`http_smuggling.py`	CL-TE, TE-CL, TE-TE, H2.O desync, chunked mutation
HTTP/2 Smuggle	`http2_smuggle.py`	HTTP/2 downgrade, continuation flood, HPACK injection
WebSocket Scanner	`websocket_scanner.py`	CSWSH, origin bypass, message injection, upgrade detection
gRPC Scanner	`grpc_scanner.py`	Reflection enabled, insecure channel, service enumeration

🛡️ Defense Analysis & Bypass 7

Plugin	File	Techniques
CORS Checker	`cors_checker.py`	Wildcard origin, null origin, subdomain trust, credential exposure
CSP Bypass	`csp_bypass.py`	Unsafe-inline, unsafe-eval, data: URI, base-uri, *.cdn bypass
Clickjacking	`clickjacking_check.py`	X-Frame-Options, CSP frame-ancestors, transparent overlay
Host Header Injection	`host_header_injection.py`	Password reset poisoning, cache deception, SSRF via Host
Cache Poisoning	`web_cache_poison.py`	Unkeyed headers, cache key normalization, fat GET
Rate Limit Check	`rate_limit_check.py`	Brute force feasibility, IP rotation bypass, header spoofing
WAF Bypass	`waf_bypass.py`	Encoding mutation, chunked TE, case alternation, comment injection

🎯 API Security 4

Plugin	File	Techniques
GraphQL Probe	`graphql_probe.py`	Introspection enabled, field suggestion, type enumeration
GraphQL Injection	`graphql_injection.py`	Batch query, alias overload, nested depth, SQL in fields
API Enum	`api_enum.py`	Endpoint discovery, version detection, documentation exposure
API Versioning	`api_versioning.py`	Deprecated version detection, v1 vs v2 comparison, OpenAPI exposure

💣 Advanced Web Attacks 6

Plugin	File	Techniques
Mass Assignment	`mass_assignment.py`	Hidden field injection, role escalation, isAdmin bypass
Race Condition	`race_condition.py`	TOCTOU, parallel request race, last-write-wins detection
Prototype Pollution	`prototype_pollution.py`	`__proto__`, constructor pollution, JSON merge injection
Deserialization	`deserialization_scan.py`	Java/PHP/Python/Ruby serialized objects, magic bytes
Open Redirect	`open_redirect.py`	URL parameter manipulation, encoding bypass, scheme tricks
CRLF Injection	`crlf_scanner.py`	Header injection, response splitting, log injection

🏗️ Infrastructure Exposure 8

Plugin	File	Techniques
Docker Exposure	`docker_exposure.py`	Remote API (2375/2376), registry leak, socket exposure
K8s Exposure	`k8s_exposure.py`	API server, etcd, kubelet, dashboard, service accounts
Redis Unauth	`redis_unauth.py`	Unauthenticated access, INFO dump, config get
MongoDB Unauth	`mongodb_unauth.py`	No-auth access, database listing, collection dump
Elastic Exposure	`elastic_exposure.py`	Cluster health, index listing, Kibana dashboard
CI/CD Exposure	`cicd_exposure.py`	Jenkins, GitLab CI, GitHub Actions, artifact exposure
Cloud Metadata	`cloud_metadata.py`	AWS IMDS, GCP metadata, Azure IMDS, link-local bypass
Cloud Enum	`cloud_enum.py`	S3/GCS/Azure blob enumeration, DNS CNAME analysis

🔍 Reconnaissance & OSINT 11

Plugin	File	Techniques
Subdomain Hunter	`subdomain_hunter.py`	Certificate Transparency, DNS brute, zone transfer
Subdomain Takeover	`subdomain_takeou.py`	CNAME dangling, fingerprint matching, service detection
DNS Deep	`dns_deep.py`	All record types (A/AAAA/MX/TXT/NS/SOA/SRV/CAA/DMARC)
DNS Rebinding	`dns_rebinding.py`	TTL manipulation, private IP rebind, bypass detection
Network Mapper	`network_mapper.py`	Live host detection, service enumeration, port profiling
Email Harvester	`email_harvester.py`	Web scraping, SMTP VRFY, pattern generation
Email Spoof Check	`email_spoof_check.py`	SPF, DKIM, DMARC validation, spoofability scoring
Shodan Recon	`shodan_recon.py`	API-based reconnaissance, service fingerprint, CVE mapping
Wayback Enum	`wayback_enum.py`	Wayback Machine URL extraction, parameter discovery
WHOIS Recon	`whois_recon.py`	WHOIS/RDAP, domain age, registrar risk, privacy, DNSSEC, expiry
Traceroute Mapper	`traceroute_mapper.py`	Hop analysis, latency profiling, CDN/ISP detection, firewall filter

🕵️ Information Gathering 7

Plugin	File	Techniques
Tech Fingerprint	`tech_fingerprint.py`	Wappalyzer-style detection, header/meta/script analysis
JS Analyzer	`js_analyzer.py`	API key extraction, endpoint discovery, source map detection
Param Miner	`param_miner.py`	Hidden parameter brute force, reflected parameter discovery
Info Disclosure	`info_disclosure.py`	.env, .git, backup files, debug endpoints, error messages
Secrets Scraper	`secrets_scraper.py`	AWS/GCP/Azure keys, JWT, API tokens, passwords (regex-based)
Git Dumper	`git_dumper.py`	.git directory enumeration, HEAD/config/refs extraction
Admin Finder	`admin_finder.py`	Common admin paths, CMS-specific panels, status code analysis

🌐 Web Scanning 7

Plugin	File	Techniques
Dir Bruteforce	`dir_bruteforce.py`	Path enumeration, wordlist-based, status filtering
Nikto Scanner	`nikto_scanner.py`	Nikto integration (requires nikto binary)
Katana Crawler	`katana_crawler.py`	Katana integration (automated deep crawling)
HTTP Methods	`http_methods.py`	OPTIONS, TRACE, PUT, DELETE, PATCH method testing
WPS Scanmini	`wps_scanmini.py`	WordPress-specific: themes, plugins, user enum
Nuclei Scanner	`nuclei_scanner.py`	Nuclei integration (template-based vulnerability scanning)
Upload Detection	`fast_webshell.py`	PUT/PATCH method detection, WebDAV, extension acceptance (passive)

☁️ Cloud & Storage 2

Plugin	File	Techniques
S3 Bucket	`s3_bucket.py`	Public bucket detection, ACL misconfiguration, listing
SAML Scanner	`saml_scanner.py`	Signature wrapping, assertion injection, XML canonicalization

📊 Analysis & Profiling 6

Plugin	File	Techniques
SSL Check	`ssl_check.py`	Certificate validation, TLS version, cipher strength, HSTS
Security Headers	`security_headers.py`	Header analysis, CSP parsing, Information Disclosure detection
WAF Detection	`waf_detec.py`	WAF fingerprint (30+ products), bypass recommendations
Profiler	`profiler_bundpent.py`	Target profiling, technology stack, risk scoring
Nmap Advanced	`nmap_advanc.py`	Service version detection, script scanning, OS fingerprint
Auto Exploit	`auto_exploit.py`	CVE matching, exploit suggestion based on detected versions

🔐 Brute Force & Auth Testing 6

Plugin	File	Techniques
SSH Brute	`ssh_brute.py`	Paramiko-based auth testing, key auth detection
FTP Brute	`ftp_brute.py`	Anonymous login, credential testing, directory listing
SMB/AD	`smb_ad.py`	SMB share enumeration, null session, AD recon
SMTP Enum	`smpt_enum.py`	VRFY/EXPN user enumeration, open relay detection
Heartbleed	`heartbleed_scanner.py`	CVE-2014-0160, TLS heartbeat memory leak detection
Domain Transfer	`domain_transf.py`	DNS zone transfer (AXFR) testing

Architecture

Designed with defensive security principles at every layer.

🧬

ANSI Sanitizer

Anti-terminal injection: strips OSC/DCS/cursor sequences, preserves SGR colors

⚡

Signal Handling

Graceful shutdown SIGINT/SIGTERM/SIGPIPE with async-signal-safe os.write()

🔌

Plugin API

Standard run(target, ip, ports, banners) → dict interface with validated schema

🎬

Cinematic Boot

Fade-in logo with 256-color ramp, TTY detection, pipe/CI fallback

📦

Dep Bootstrap

Auto lib check on import, friendly error messages, zero crash

🔐

Supply Chain

Version-pinned deps, pip-audit CI, pre-commit hooks, Scorecard 10/10

📊

Severity Engine

5 levels — CRITICAL 💀 HIGH 🔴 MEDIUM 🟡 LOW 🔵 INFO ⚪ with visual icons

🧪

Security Intel

40+ threat intelligence tips and facts shown during scan waits

Integrations

External tools with native integration for maximum attack surface coverage.

🔍 Nmap🌐 Subfinder🗺️ Amass🕷️ Katana⚡ Nuclei📡 Shodan🔒 Nikto📋 WHOIS/RDAP🛤️ Traceroute⏪ Wayback Machine🛡️ Bandit SAST🔬 CodeQL🧠 Semgrep✨ Ruff🔎 pip-audit📄 ReportLab PDF🎨 Rich Terminal🔤 pyfiglet🪝 pre-commit🏆 OpenSSF Scorecard

Security Intel

Integrated intelligence engine — 40+ tips and facts displayed during scans in real time.

💀 FACTHackers compromise 93% of corporate networks in 2 days. Average data breach cost is $4.88M (2024).

🔐 TIPAlways validate JWT with a fixed algorithm — never trust the 'alg' header. None algorithm = total auth bypass.

⚡ FACTLog4Shell (CVE-2021-44228) saw 10M+ exploit attempts per hour. 86% of attacks exploit vulns with available patches.

🛡️ TIPRedis without auth = RCE via CONFIG SET + crontab/SSH key injection. IMDSv2 on AWS prevents SSRF credential theft.

🧬 TIPRace conditions: use single-packet attack to bypass rate limiting. Prototype Pollution in Node.js escalates to RCE via gadget chains.

📡 FACTShodan indexes 7+ billion devices. 95% of cloud security incidents are caused by misconfiguration.

💣 TIPGraphQL batching enables brute force of authenticated queries. Docker --privileged + docker.sock = trivial container escape.

🕷️ FACTSolarWinds hack compromised 18,000 organizations via supply chain. iOS zero-days are worth up to $2M on the market.

Quick Install

Setup in 60 seconds. Requires Python 3.10+. Compatible with Linux, macOS and WSL.


# Clone and configure

git clone https://github.com/glferreira-devsecops/Cascavel.git

cd Cascavel

python3 -m venv venv && source venv/bin/activate

pip install -r requirements.txt


# Run

python3 cascavel.py --help

python3 cascavel.py -t target.com

Automated installer available: bash install.sh — 15+ environment checks including Python version, venv, external tools, connectivity.
Zero tracking. Zero data collection. Zero telemetry. 100% auditable code. MIT License.

Roadmap

Technical direction — open to contributions and community feedback.

v3.0.1 — STABLE

✅ Current

85+ plugins with 2026-grade intelligence
JSON, Markdown, PDF + SARIF v2.1.0 reports
Plugin API v2 — CVSS v4.0 scoring
211 tests — plugin, schema, silent failure coverage
Docker multi-stage image (Go + system tools)
YAML scan profiles (web, api, cloud, network, full)
Silent failure hardening — SILENT_ERROR reporting
Manual dependency control — no automated bots
Cinematic UX with TTY detection
OpenSSF Best Practices Badge

v3.1.0 — Q3 2026

🚀 Next

Async plugin engine (3-5x speed)
API mode --serve (REST/SOAR)
AI-assisted triage with LLM severity
SBOM generation (CycloneDX)
Compliance mapping OWASP/NIST/PCI-DSS

v4.0.0 — 2027

🧠 Future

Distributed multi-node scanning
GitHub App (PR one-click audit)
Community plugin marketplace
Native man page
Full compliance automation engine

Governance & Community

Open-source project with transparent governance, full compliance and community-driven development.

📋 Contributing 🔒 Security Policy 🤝 Code of Conduct 🏛️ Governance 📝 Changelog 🗺️ Roadmap 💬 Support 📖 Citation 👥 Authors ⚖️ MIT License 🔌 Plugin Docs