Releases: Su1ph3r/indago
v1.1.0 - Interactive TUI, Checkpointing, Credential Storage
What's New in v1.1.0
Major Features
- Interactive TUI Mode: Real-time progress display, findings list with keyboard navigation, and interactive triage (--interactive or indago interactive)
- Scan Checkpointing: Save and resume interrupted scans (--checkpoint, --resume)
- Secure Credential Storage: Platform keychain integration (macOS Keychain, Linux Secret Service) with encrypted file fallback (indago credentials)
- Dry Run Mode: Preview requests without sending them (--dry-run)
- Request Logging: Log all HTTP traffic to file (--log-requests)
- Finding Verification: Re-test findings with payload variations (--verify)
Configuration Profiles
Pre-built configs in configs/ directory:
- idor-focus.yaml - IDOR/BOLA focused scanning
- injection-focus.yaml - Injection attacks focus
- ci-quick.yaml - Fast CI pipeline scans (SARIF output)
- thorough.yaml - Comprehensive security audit
Backend Improvements
- False positive filtering with confidence scoring
- Request caching and deduplication
- LLM rate limiting with exponential backoff
- Plugin system for custom payloads and matchers
- Comprehensive test suite
New CLI Flags
--interactive, --dry-run, --log-requests, --verify, --resume, --checkpoint, --checkpoint-interval, --validate-config
Installation
macOS (Apple Silicon)
```bash
curl -L https://github.com/Su1ph3r/indago/releases/download/v1.1.0/indago-v1.1.0-darwin-arm64.tar.gz | tar xz
sudo mv indago-darwin-arm64 /usr/local/bin/indago
```
macOS (Intel)
```bash
curl -L https://github.com/Su1ph3r/indago/releases/download/v1.1.0/indago-v1.1.0-darwin-amd64.tar.gz | tar xz
sudo mv indago-darwin-amd64 /usr/local/bin/indago
```
Linux (amd64)
```bash
curl -L https://github.com/Su1ph3r/indago/releases/download/v1.1.0/indago-v1.1.0-linux-amd64.tar.gz | tar xz
sudo mv indago-linux-amd64 /usr/local/bin/indago
```
See CHANGELOG.md for full details.
v1.0.3 - Burp Suite Extension
What's New in v1.0.3
This release adds a Burp Suite Professional extension for seamless integration with Indago.
Burp Suite Extension
A Java-based extension using the Montoya API that brings Indago's AI-powered API security testing directly into Burp Suite:
- Context Menu Integration - Right-click on any request to send it to Indago or start an immediate scan
- Export Queue - Batch multiple requests for scanning
- Direct Scan Launch - Execute Indago scans from Burp with live output streaming
- Finding Import - Indago findings automatically appear as Burp audit issues
- Custom Tab UI - Manage exports, monitor scans, view findings, configure settings
- Severity Color Coding - Findings displayed with visual severity indicators
Installation
- Download indago-burp-extension-1.0.0.jar
- In Burp Suite: Extensions > Installed > Add
- Select the JAR file
- Configure the Indago path in the Indago > Settings tab
Requirements
- Burp Suite Professional 2023.1+
- Java 17+
- Indago CLI installed
See extensions/burp/README.md for full documentation.
Full Changelog: v1.0.2...v1.0.3
v1.0.2 - Advanced Security Testing Features
What's New in v1.0.2
This release adds powerful advanced security testing capabilities:
GraphQL Support
- Introspection-based scanning
- Depth attacks, batch attacks, alias attacks
- New attack types: graphql_depth, graphql_batch, graphql_introspection, graphql_alias
Multi-Auth Differential Analysis
- Compare responses across authentication contexts
- Detect BOLA/IDOR vulnerabilities automatically
- Configurable auth contexts with priority levels
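The comparison behind this feature, as an added Go example that is not indago's own code: the same object-level request is replayed under several authentication contexts, and a lower-priority context that receives the owner's successful response is reported as a BOLA/IDOR candidate. The type and function names (AuthContext, DifferentialCheck) and the sample replies are assumptions constructed for the example.

```go
package main

import "fmt"

// AuthContext is one identity the same request is replayed under. The names
// and shapes below are assumptions for this example, not indago's own types.
type AuthContext struct {
	Name     string
	Priority int // higher means more privileged: owner > other user > anonymous
}

// Response is the reduced view of an HTTP reply the comparison needs.
type Response struct {
	Status int
	Body   string
}

func success(r Response) bool { return r.Status >= 200 && r.Status < 300 }

// DifferentialCheck reports a BOLA/IDOR candidate when a context with lower
// priority than the owner gets a successful reply whose body equals the owner's.
// Exact body equality is a conservative baseline: a redacted or partial view
// differs and is not reported, so the check under-reports rather than alarming.
func DifferentialCheck(owner AuthContext, ownerResp Response, others map[AuthContext]Response) (bool, string) {
	if !success(ownerResp) {
		return false, "owner request did not succeed; nothing to compare"
	}
	for ctx, resp := range others {
		if ctx.Priority >= owner.Priority {
			continue // equal or higher privilege cannot demonstrate broken authorization
		}
		if success(resp) && resp.Body == ownerResp.Body {
			return true, fmt.Sprintf("%s (priority %d) received the owner's object", ctx.Name, ctx.Priority)
		}
	}
	return false, "lower-privilege contexts were denied or saw different data"
}

func main() {
	// Constructed sample replies for one GET of an order resource, not real traffic.
	owner := AuthContext{"alice", 2}
	ownerResp := Response{200, `{"id":1001,"owner":"alice"}`}
	others := map[AuthContext]Response{
		{"bob", 1}:       {200, `{"id":1001,"owner":"alice"}`}, // other tenant sees it: finding
		{"anonymous", 0}: {401, `{"error":"unauthorized"}`},
	}
	found, why := DifferentialCheck(owner, ownerResp, others)
	fmt.Printf("finding=%v reason=%s\n", found, why)
}
```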
Stateful Session Tracking
- Extract tokens/IDs from responses
- Inject values into subsequent requests
- Custom extraction rules via YAML
Attack Chains
- Multi-step attack sequences
- Privilege escalation and data leakage chains
WAF Detection & Bypass
- Automatic WAF detection
- Bypass techniques (encoding, case manipulation)
Out-of-Band (OOB) Detection
- Built-in callback server
- Blind SSRF, XXE, command injection detection
Schema Inference
- Generate OpenAPI specs from traffic
Business Rules Engine
- Custom validation rules for API behavior
Security Fixes
- Auth tokens excluded from JSON reports
See CHANGELOG.md for full details.
Installation
macOS (Apple Silicon)
```bash
curl -L https://github.com/Su1ph3r/indago/releases/download/v1.0.2/indago-darwin-arm64.tar.gz | tar xz
sudo mv indago /usr/local/bin/
```
macOS (Intel)
```bash
curl -L https://github.com/Su1ph3r/indago/releases/download/v1.0.2/indago-darwin-amd64.tar.gz | tar xz
sudo mv indago /usr/local/bin/
```
Linux (amd64)
```bash
curl -L https://github.com/Su1ph3r/indago/releases/download/v1.0.2/indago-linux-amd64.tar.gz | tar xz
sudo mv indago /usr/local/bin/
```
Linux (arm64)
```bash
curl -L https://github.com/Su1ph3r/indago/releases/download/v1.0.2/indago-linux-arm64.tar.gz | tar xz
sudo mv indago /usr/local/bin/
```
Windows
Download indago-windows-amd64.zip and extract to your PATH.
v1.0.1 - Context-Aware LLM Payload Generation
What's New
Context-Aware Payload Generation
Indago now uses LLM-suggested payloads from endpoint analysis, making attacks more targeted and relevant to the API's business logic.
Dynamic LLM Payload Generation
New --use-llm-payloads flag enables on-the-fly payload generation using LLM analysis of each endpoint's parameters and context.
Parallel LLM Processing
New --llm-concurrency flag (default: 8) allows concurrent LLM calls for faster payload generation on powerful hardware.
Improved LLM Response Handling
Added FlexibleString and FlexibleStringSlice types to robustly handle variable LLM output formats.
Bug Fixes
- Fixed issue where AI analysis failure would cause endpoint loss (now gracefully falls back to static analysis)
Usage Example
```bash
# Full AI-powered scan with parallel LLM payload generation
indago scan --spec api.yaml \
  --provider lmstudio --llm-url http://localhost:1234/v1 \
  --use-llm-payloads --llm-concurrency 20 \
  -f text
```
Demo
Updated demo GIFs showing a scan against OWASP Juice Shop:
- 12 endpoints analyzed
- 942 context-aware payloads generated
- 469 vulnerabilities discovered (177 High, 155 Medium, 137 Low)
Full Changelog: v1.0.0...v1.0.1
v1.0.0 - Initial Release
Indago v1.0.0 - Initial Release
AI-Powered API Security Fuzzer that uses LLMs to understand API business context and generate intelligent attack payloads.
Features
- LLM Providers: OpenAI, Anthropic Claude, Ollama, LM Studio
- Input Formats: OpenAPI/Swagger, Postman, HAR, Burp Suite exports, raw URLs
- Attack Types: IDOR, SQLi, NoSQLi, XSS, Command Injection, Auth Bypass, SSRF, Path Traversal, and more
- Output Formats: JSON, HTML, Markdown, SARIF (for CI/CD)
Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | indago-linux-amd64.tar.gz |
| Linux | arm64 | indago-linux-arm64.tar.gz |
| macOS | Intel | indago-darwin-amd64.tar.gz |
| macOS | Apple Silicon | indago-darwin-arm64.tar.gz |
| Windows | amd64 | indago-windows-amd64.zip |
Installation
```bash
# Linux/macOS
tar xzf indago-<platform>-<arch>.tar.gz
sudo mv indago /usr/local/bin/
# Windows
# Extract indago.exe and add to PATH
```
Quick Start
```bash
export ANTHROPIC_API_KEY=your-key
indago scan --spec api.yaml --provider anthropic
```