This project is intended strictly for use in controlled environments such as penetration testing labs, Capture The Flag (CTF) platforms, or legally authorized security research.
Do not use this software against any system or target without proper authorization.
The authors and contributors are not responsible for any misuse or damage caused by this tool. Use of this project is entirely at your own risk.
By using this tool, you agree to comply with all applicable laws and ethical guidelines in your jurisdiction.
Based on HPTSA: https://arxiv.org/pdf/2406.01637
A hierarchical, multi-agent autonomous system for web vulnerability reconnaissance and exploitation. It consists of:
- A hierarchical planner for environment exploration and task planning
- A team manager for orchestrating task-specific agents
- A set of expert agents (SQLi, XSS, CSRF, SSTI, ZAP, Generic) for exploiting specific web vulnerabilities
- planner/ — Hierarchical planner logic
- manager/ — Team manager for agents
- agents/ — Task-specific expert agents
- tools/ — Wrappers for Playwright, terminal, file management, ZAP, sqlmap
- utils/ — HTML simplification and shared utilities
- main.py — Entry point
- Install dependencies (in a virtual environment):
  pip install -r requirements.txt
  playwright install
- Set up your API keys for OpenAI and Fireworks in a .env file:
  OPENAI_API_KEY=your-key
  FIREWORKS_API_KEY=your-key
- Run the system:
python main.py
- zap.sh and sqlmap must be installed and available in your PATH for the agents that wrap them (the ZAP and sqlmap tool wrappers)
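The setup steps above have several points that fail silently at runtime (a tool missing from PATH, a placeholder API key left in .env, a world-readable key file). The preflight script below is an added example, not part of the project, that checks them before main.py is started. It assumes the .env file sits in the current directory (override with ENV_FILE), uses the two key names and the tool names exactly as given above, and assumes the interpreter is invoked as python as in the run step. It never prints key values.

```shell
#!/bin/sh
# Preflight checks for the setup steps in this README (added example, not project code).
# Assumptions: .env in the current directory unless ENV_FILE is set; key names
# OPENAI_API_KEY / FIREWORKS_API_KEY and tool names python, playwright, zap.sh, sqlmap
# are taken from the README.

# check_tool NAME: succeed if NAME resolves on PATH.
check_tool() {
    command -v "$1" >/dev/null 2>&1
}

# env_key_set FILE KEY: succeed if FILE has a line KEY=<value> whose value is
# non-empty and is not the README's placeholder "your-key". The value is never echoed.
env_key_set() {
    _file="$1"; _key="$2"
    _val=$(grep -E "^${_key}=" "$_file" 2>/dev/null | head -n 1 | cut -d= -f2-)
    [ -n "$_val" ] && [ "$_val" != "your-key" ]
}

# check_env_file FILE: succeed when both API keys are present and not placeholders.
check_env_file() {
    env_key_set "$1" OPENAI_API_KEY && env_key_set "$1" FIREWORKS_API_KEY
}

# env_file_private FILE: succeed if the file has no group/other permission bits,
# i.e. the mode string from ls -l ends in "------" (works on GNU and BSD ls).
env_file_private() {
    _mode=$(ls -l "$1" 2>/dev/null | cut -c5-10)
    [ "$_mode" = "------" ]
}

# preflight [ENV_FILE]: run every check, print one status line each, and return
# the number of failed checks (0 means the system is ready to start).
preflight() {
    _env="${1:-.env}"
    _fails=0
    for _tool in python playwright zap.sh sqlmap; do
        if check_tool "$_tool"; then
            echo "ok      $_tool found on PATH"
        else
            echo "MISSING $_tool not found on PATH"
            _fails=$((_fails + 1))
        fi
    done
    if check_env_file "$_env"; then
        echo "ok      $_env has both API keys set"
    else
        echo "MISSING $_env lacks OPENAI_API_KEY or FIREWORKS_API_KEY (or still holds your-key)"
        _fails=$((_fails + 1))
    fi
    if env_file_private "$_env"; then
        echo "ok      $_env is readable only by its owner"
    else
        echo "WARN    $_env is readable by group/other; run: chmod 600 $_env"
        _fails=$((_fails + 1))
    fi
    return "$_fails"
}

# Entry point: report readiness; the exit status of preflight is the failure count,
# so this line can also gate a CI job.
preflight "${ENV_FILE:-.env}" && echo "preflight: ready to run python main.py" \
    || echo "preflight: fix the items marked MISSING/WARN before starting"
```

Run it from the project root after the install steps; also add .env to .gitignore so the keys it checks never reach a commit.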