PHToolBox is an advanced penetration testing toolbox powered by Node.js. It offers a powerful web-based interface for running vulnerability assessments, subdomain and content discovery, security header checks, and proxying traffic via Tor.
✅ Developed for bug bounty hunters, red teamers, and security researchers.
- 🔸 HTTP Verb Scanner – Detect supported HTTP methods.
- 🔸 Security Headers Checker – Identify missing security headers.
- 🔸 Weak SSL Scanner – Analyze weak SSL configurations.
- 🔸 Server Header Analyzer – Reveal server fingerprinting headers.
- 🔸 Host Header Injection Test – Check for host header vulnerabilities.
- 🔸 Content Discovery – Perform brute-force endpoint discovery with custom wordlists.
- 🔸 Subdomain Discovery – Discover subdomains via VirusTotal, Wayback Machine, and brute-force.
- 🔸 Checklist Viewer – Load and view pre-built application checklists.
- 🔸 AI Integration (Gemini) – De-obfuscate JS code or generate text via Google Gemini API.
- 🔸 Tor Proxy Integration – Route traffic through Tor and rotate IPs.
- 🔸 System Proxy Toggle – Set/unset system-wide proxy settings via the web UI.
- 🔸 Wordlist Upload Support – Upload and manage
.txtwordlists directly.
Runs locally on:
http://localhost:9999
git clone https://github.com/yourusername/PHToolBox.git
cd PHToolBox
npm installCreate a keys.js file in the root with your API keys:
module.exports = {
GEMINI_API_KEY: 'your-google-gemini-api-key',
VIRUSTOTAL_API_KEY: 'your-virustotal-api-key'
};
⚠️ Run as Administrator/root
node run.jsThen open your browser to:
http://localhost:9999
| Method | Endpoint | Description |
|---|---|---|
| POST | /API/testAllMethods |
Test HTTP methods |
| POST | /API/checkSecurityHeaders |
Check security headers |
| POST | /API/checkWeakSSL |
Analyze SSL security |
| GET | /api/getServerHeader?url= |
Fetch server headers |
| GET | /api/host-header-injection?url= |
Host header injection test |
| GET | /getDomainIP?domain= |
Get IP of domain |
| GET | /waybackurls?domain= |
Extract archived URLs |
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/upload-wordlist |
Upload wordlist |
| GET | /api/wordlists |
List uploaded wordlists |
| GET | /api/wordlist-count?path= |
Count wordlist entries |
| POST | /api/subdomain-upload-wordlist |
Upload subdomain wordlist |
| GET | /api/subdomain-wordlists |
List subdomain wordlists |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/discovery-stream |
Stream endpoint discovery |
| GET | /api/subdomain-discovery-stream |
Stream subdomain brute force |
| GET | /api/subdomains-online?domain= |
Get known subdomains |
| Method | Endpoint | Description |
|---|---|---|
| POST | /gemini-AI-generate |
Process prompt using Gemini |
| Method | Endpoint | Description |
|---|---|---|
| GET | /start-tor |
Start Tor process |
| POST | /tor-rotate |
Rotate Tor IP |
| GET | /tor-ip |
Get current Tor IP |
| GET | /stop-tor |
Stop Tor & disable proxy |
| GET | /set-system-proxy |
Enable system proxy |
| GET | /unset-system-proxy |
Disable system proxy |
| GET | /proxy-status |
Check proxy status |
PHToolBox/
├── API/
│ ├── getVerbRequest.js
│ ├── getMissingSecurityHeader.js
│ ├── getWeakSSL.js
│ ├── getServerHeader.js
│ └── getHostHeaderInjection.js
├── Json/
│ └── static_web_application_checklist.json
├── public/
│ ├── index.html
│ ├── Checklist/
│ └── WaybackUrlView.html
├── wordlists/
├── subdomain_wordlists/
├── tor.exe
├── run.js
└── keys.js
This tool is for educational and authorized testing purposes only. Use responsibly. The author is not liable for misuse.
Created by kr rathod Website: https://pentesterhelper.in
If you like this project, give it a ⭐ on GitHub!