gitmyhub

yakit

TypeScript ★ 7.4k updated 8h ago

Cyber Security ALL-IN-ONE Platform

An all-in-one desktop security testing toolkit for web apps and networks, with an intercepting proxy, web fuzzer, and reverse connection handler, powered by the custom Yaklang scripting language.

TypeScript · Yaklang · gRPC · setup: moderate · complexity 3/5

Yakit is a desktop security testing platform built for professionals who test web applications and network systems for vulnerabilities. It provides a graphical interface on top of a purpose-built security language called Yaklang, which the same team developed. Think of it as an all-in-one toolkit that bundles the most common security testing tasks into a single application, rather than requiring users to stitch together separate tools.

The platform includes an intercepting proxy, which works similarly to the popular Burp Suite tool. When you route your browser traffic through it, Yakit captures each HTTP request and response so you can inspect, modify, or replay them. This is useful for finding weaknesses in how a web application handles data. The Web Fuzzer module lets users send custom HTTP requests with automatically generated variations, which is how testers discover input-handling flaws. A built-in tag system called Fuzztag handles common patterns like generating numeric ranges or loading wordlists from files, which reduces manual setup compared to similar tools.

The reverse connection module lets a tester set up a listener on a single port that can handle multiple different protocols at once. This matters for exploit testing scenarios where an attacker-controlled server needs to receive callbacks from a target machine. Yakit's implementation identifies the incoming protocol automatically and responds accordingly, so fewer ports and external services are needed. The reverse shell feature provides a terminal experience closer to a native SSH session than older approaches.

Yakit runs on a gRPC server architecture, meaning the backend engine and the graphical frontend communicate through a well-defined protocol. Users can run the backend remotely and connect the desktop client over a network, or run everything locally. The platform also supports plugins, so teams can extend it with custom Yaklang scripts at any point during a testing workflow.

The project is primarily documented in Chinese. It is licensed for authorized security testing and personal learning only. Commercial use requires obtaining official permission from the Yaklang.io team.

Where it fits