SanguineRose

Python ★ 18 updated 21d ago

Uncovering authentication flaws through automated account generation

A Python command-line tool for authorized security testing of website registration endpoints. It sends batches of fake signups and classifies the responses to reveal missing rate limiting, CAPTCHA, or WAF protections.

Python · httpx · setup: easy · complexity 2/5

SanguineRose is a Python-based security testing tool for checking whether a website's account registration system has weak protections. The idea is that a registration endpoint with no rate limiting, no CAPTCHA, or no duplicate detection can be abused to create large numbers of fake accounts. This tool lets a security researcher or bug bounty hunter test for those weaknesses in a controlled, authorized way. The README is explicit that you should only run it against systems you own or have written permission to test.

The tool generates fake account details (email addresses, usernames, passwords) automatically and sends many signup requests to a target URL at a configurable rate. For each response it gets back, it classifies the outcome into one of several categories: the account was created, it was rejected as a duplicate, a CAPTCHA appeared, a web application firewall blocked the request, the server responded with an error, and so on. This classification is what tells you which defenses are present and which are missing.

At the end of a test run, the tool prints a plain-language report summarizing what it found and saves a full log to a JSON file with per-request detail. There is also a dry-run mode that shows exactly what would be sent without actually sending anything, and a flag that stops the test the moment any protection layer engages.

Configuration is flexible. You can set the number of attempts, how many run in parallel, the delay between requests, custom field names for the signup form, and whether to send data as a form or as JSON. An interactive mode walks you through the settings step by step if you do not want to use command-line flags.

The only dependency beyond Python 3.8 is the httpx library for making HTTP requests.

Where it fits