Sandeep Wawdane
Penetration tester. Web, mobile, API, thick-client, and network engagements.
I open-source the tools I end up writing during audits, mostly to cut down the setup time on the next one. Long-form writeups on Medium.
---
Browser-based auditor suite
Static and live security analysis that runs entirely in the browser. No upload, no server, no installer.
| Tool | Purpose |
|---|---|
| IPA Auditor · ipaauditor.com | iOS .ipa static analysis. Mach-O internals, entitlements, ATS, provisioning, entropy-gated secret detection. |
| APK Auditor · apkauditor.com | Android .apk static analysis. DEX bytecode parse, binary AXML decode, signing certificate, tracker SDK detection, 80+ rules tagged with CWE / OWASP MASVS. |
| ADB Auditor · adbauditor.com | Live Android audit over WebUSB and the ADB protocol. App inventory, file browser with root, shell, screen capture, MASTG-aligned security tests. |
On-device runtime auditors
The dynamic-analysis siblings of the static suite. These install on the device and serve an HTTPS dashboard from the phone itself; you drive it from any browser on the same network. Browse any installed app's private storage, query its databases, tail logs, drop to a root shell.
| Tool | Purpose |
|---|---|
| IOSspect · jailbroken iOS | On-device runtime audit. App bundle + data-container browser, SQLite SELECT, framework Mach-O probe, process / network tables, launchd log tail, root shell, .ipa repackage. |
| AndroidSpect · rooted Android | On-device runtime audit. /data/data browser, SQLite + SharedPreferences reader, manifest / component decode, native-lib scan, live logcat, process / socket tables, root shell. |
Selected projects
| Project | Description |
|---|---|
| GraphQL Grip | Burp Suite extension for auditing GraphQL endpoints (introspection, batching, depth/complexity, mutation safety). |
| BXEditor | VS Code extension that scaffolds, builds, and reloads Burp Suite extensions in-place. |
| frida-script-gen | Generator for Frida scripts covering common Android bypasses (root, SSL pinning, debugger). |
| Frida-Launcher | Android companion app that starts, stops, and monitors the on-device Frida server. |
| apk-components-inspector | Python CLI that enumerates exported components from an APK and emits ready-to-run am commands for each. |
| MobApp-Storage Inspector | Cross-platform GUI for inspecting iOS / Android app storage during a live engagement. |
| MobApp-DataExtractor | Extracts application data from iOS and Android devices for offline analysis. |
| Vuln-Down-Checker | PHP-based out-of-band interaction target for OOB / blind injection testing. |
| Cosmic Snapshot | C# thick-client walkthrough demonstrating SSL pinning bypass against a real API. |
More tooling, vulnerability demos, and research notes across the repositories above.
If any of this saves you time in an engagement, a star is appreciated.
Repositories
| Repository | Description | Language | Stars | Updated |
|---|---|---|---|---|
| frida-script-gen | Generate Frida bypass scripts for Android APK root and SSL checks. | Python | 211 | 1y ago |
| Frida-Launcher | An Android app to easily manage Frida server on your device or emulator. | Kotlin | 126 | 5mo ago |
| apk-components-inspector | A lightweight Python-based tool to extract and enumerate Android components and automatically generate practical ADB commands. | Python | 114 | 1y ago |
| adbauditor | Browser-based Android security auditing tool. | JavaScript | 76 | 1mo ago |
| ipaauditor | Browser-based iOS IPA security analyzer. | JavaScript | 73 | 20d ago |
| graphql-grip | A Burp Suite extension for GraphQL security testing. | Java | 64 | 2mo ago |
| apkauditor | Android APK security analysis tool. Decompiles DEX, scans for vulns, parses manifests and certs. Runs in your browser. | JavaScript | 63 | 1mo ago |
| mobapp-storage-inspector | A tool for inspecting and analyzing mobile application storage files. | Java | 51 | 19d ago |
| MobApp-DataExtractor | A tool for listing and extracting installed Android APKs and decrypted iOS IPAs (plus app storage) from rooted or jailbroken devices. | Python | 40 | 19d ago |
| androidspect | Live runtime audit for installed Android apps. Runs on the rooted phone, serves a browser dashboard. | Kotlin | 24 | 27d ago |
| bxeditor | A comprehensive VS Code extension for developing Burp Suite extensions. | TypeScript | 14 | 11mo ago |
| iosspect | Live iOS runtime auditor for jailbroken devices. HTTPS dashboard served from the phone. | Swift | 13 | 19d ago |
| frida-android-safetynet-playprotect-bypass | No description. | JavaScript | 8 | 11mo ago |
| NFC_Infiltrator | No description. | Java | 6 | 1y ago |
| app-to-ipa_abb-to-apk | No description. | | 2 | 10mo ago |
| external-pentest-suggester | External penetration testing suggestion tool for CTF and security research purposes. | Python | 2 | 1y ago |
| nosqlprobe | No description. | Python | 1 | 1y ago |
| vulnerable-website-down-checker | No description. | PHP | 1 | 1y ago |
| Buggy-Bird-Game | No description. | Python | 1 | 1y ago |
| thecybersandeep | No description. | | 0 | 19d ago |
| inbrowserauditor | No description. | HTML | 0 | 2mo ago |
| Wnmap | Browser-based port timing scanner. | JavaScript | 0 | 5mo ago |
| Cosmic-Snapshot-Java-Edition | A JavaFX application that displays NASA's Astronomy Picture of the Day (APOD). | Shell | 0 | 1y ago |
| Cosmic-Snapshot | No description. | C# | 0 | 1y ago |