Do NOT set websites that you do not own as "Parent Server". Do NOT attack any unrelated hosts.
Do NOT report any vulnerabilities of this software to IPA, JPCERT/CC, etc. You should accept all vulnerabilities (WHETHER INTENDED OR NOT).
This is not open source software. I cannot show you such dirty spaghetti code, sorry...
THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Recommended: Use it in a virtual machine or in a sandbox.
Which vulnerabilities are supported?
Cross Site Scripting (parameters, 501 error page, 404 error page)
SQL Injection (string, numeric)
OS Command Injection (with cmd.exe, with busybox-w32)
Path Traversal / Directory Traversal
Cross-Site Request Forgery (CSRF)
Use of Insufficiently Random Values (Simplify SessionId Cookie Values)
Cookie without HttpOnly Attribute
Cookie in HTTPS Session without Secure Attribute
HTTP TRACE/TRACK Method Enabled
HTTP PUT/DELETE Method Enabled
Clickjacking (X-Frame-Options Header Missing)
X-Content-Type-Options Header Missing
Strict-Transport-Security Header Missing
Information Exposure Through Directory Listing
XML External Entity (XXE) (Windows, Unix, URL/SSRF) *New in ver0.2