Tishna Automated pentest framework for Servers, Application Layer to Web Security - 7 min read

Tishna is a complete Automated pentest framework for Servers, Application Layer to Web Security. The software has 62 Options full automation and can be used for web security swiss knife.

Tishna Automated pentest framework

A Brief Introduction

Tishna is Web Server Security Penetration Software for Ultimate Security Analysis
Tishna is useful in Banks, Private Organisations and Ethical hacker personnel for legal auditing.
It serves as a defense method to find as much information possible for gaining unauthorized access and intrusion.
With the emergence of more advanced technology, cybercriminals have also found more ways to get into the system of many organizations.
Tishna software can audit, servers and web-behavior.
Tishna can perform Scanning & Enumeration as much as possible of the target.
It’s the first step to stop cybercriminals by securing your Servers and Web Application Security.
Tishna is false positive free when there is something it will show no matter what, if it is not, it will give blank results rather error.

The developer of this tool (Haroon Awan) has made these 62 options:

[1] Audit HTTP Methods
[2] Extract Response Header
[3] Extr Images
[4] Extract URLs
[5] Identify Form
[6] Find XSS in Forms Advanced Attack
[7] Find XSS in Forms Simple Attack
[8] Web Server Mount Response Splitting Attack
[9] Header Inject Poison
[10] Cache Poison Defacer
[11] CRLF Response Splitting Attack & Fuzzer
[12] HTTP Response Smuggling Fuzzing
[13] Web Cache Deception Attack Check
[14] HTTP Methods Information
[15] Custom CSRF Injection Request
[16] Load CSRF HTML Templates
[17] Shell Shock
[18] Cross-Site Request Forgery Audit Toolkit
[19] Find Available HTTP Methods
[20] XSS in Parameters using Screaming Cobra
[21] Find Missing HTTPS Methods
[22] Server Side Request Forgery
[23] Find Available HTTPS Methods
[24] Audit XML RPC Methods, Extract All Information
[25] Cookie Stealer XSS Localhost Server
[26] Command Injections Exploits
[27] Show JSON Endpoint List
[28] Perform Blind, Encoded, Responsive XXE Injection
[29] File Upload Injections
[30] Perform Side Side Template Injection
[31] JSON Web Token Injection
[32] Perform Web Socket Injection
[33] Perform Amazon Bucket Injection 101 aws amazon|
[34] Extract Cnames Records for Hijacking
[35] Insecure Direct Object Reference – BURP
[36] Perform CSV Injection
[37] Perform XPATH Injection
[39] Find XPath and SQL Parameter Injection
[40] Show TWO-Factor Authentication Payloads
[41] Mutated XSS payloads
[42] Stored XSS payloads
[43] Reflected XSS payloads
[44] Waf Bypass payloads
[45] Find XSS Using Response Splitting
[46] Extract Links – Advanced
[47] Download Images – Exif Data
[48] Simple Response Splitting Attack
[49] Double Response Splitting Attack
[50] HTTP Cache Poison Attack
[51] * HTTP Cache Inject Poison
[52] HTTP Fuzzer
[53] IP Obfuscating
[54] RFI
[55] LFI
[56] Binary Buffer Overflow Finder
[57] Stored and Reflected XSS Angular JS Payloads
[58] Phantom JS XSS Payload Helper
[59] Agular JS Client-Side Automatic XSS Finder
[60] Session Hijacking Burp Method
[61] OAUTH Injections
[62] Bypass Firewall using DNS History
[0] Exit

Tishna is a complete Automated pentest framework for Servers, Application Layer to Web Security. The software has 62 Options full automation and can be used for web security swiss knife.

Some options highlighted

10 Cache Poison Defacer:

Cache poisoning is a type of attack in which corrupt data is inserted into the cache database of the Domain Name System (DNS) name server. DNS cache poisoning attacks are often used to spread computer worms and other malware.

14 HTTP Methods Information:

HTTP “Hypertext Transfer Protocol” defines a set of request methods to indicate the desired action to be performed for a given resource. Although they can also be nouns, these request methods are sometimes referred to as HTTP verbs.

17 Shell Shock:

Shellshock is a bug that uses a vulnerability in the common Unix command execution shell bash (Bourne-Again SHell) to potentially enable hackers to take control of the machine and remotely execute arbitrary code directly into the system.

26 Command Injections Exploits:

Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. 
* Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

31 Perform JSON Web Token Injection:

JWT stands for JSON Web Token. It’s a JSON-based text format for exchanging information between parties. JWT is an open standard specified under RFC 7519. The information contained in the JWT is called claims and the JWT is usually digitally signed (i.e. JSON Web Signature) so that the information can be verified and trusted.

36 Perform CSV Injection:

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. … Most importantly Maliciously crafted formulas can be used for three key attacks: Hijacking the user’s computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.

41 Mutated XSS payloads:

Mutation XSS vulnerabilities are caused by differences in how browsers interpret the HTML standard. Due to browser differences, it is very difficult to sanitize user input on the server.

53 IP Obfuscating:

Obfuscation is a programming technique in which code is intentionally obscured to prevent reverse engineering and deliver unclear code to anyone other than the programmer. Obfuscation is also applied to programs to ensure intellectual property (IP) protection through reverse engineering prevention.

55 LFI:

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the webserver. Therefore an LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input.

61 OAuth Injections:

Credential injection means an attacker somehow obtained a valid OAuth credential (code or token) and is able to utilize this for impersonation of the legitimate Resource Owner or to cause a victim to access resources under the attacker’s control (XSRF).


  • Cyber Space (Computer Security)
  • Terror Security (Computer Security)
  • National Cyber Security Services

Video How to install and use Tishna

Installing Tishna

Tishna has been tested on Kali Linux, Parrot OS, Black Arch, Termux and Android Led TV

Kali Installation

git clone https://github.com/haroonawanofficial/Tishna.git
cd Tishna
sudo chmod u+x *.sh

sudo reboot

Parrot Security Installation

git clone https://github.com/haroonawanofficial/Tishna.git
cd Tishna
sudo chmod u+x *.sh

sudo reboot

I assume for the installation on BlackArch, Termux and Android Led TV use the same commands. (I didn’t test it on these three.)


Make sure you are root if you use Tishna.
Tishna will integrate as system software.
Dependencies will be handled automatically
Third-party software(s)/dependencies/modules will be handled automatically

Importantly, after the installation is successful and you have done a reboot, use the following command:

sudo tishna

GitHub page:
Developer: Haroon Awan


  • This article was written for educational purposes and pentest only.
  • The author can not be held responsible for damages caused by the use of these resources.
  • You will not misuse the information to gain unauthorized access.
  • The information shall only be used to expand knowledge and not for causing malicious or damaging attacks.
  • Just remember, Performing any hacks without written permission is illegal ..!

Read also the Disclaimer


If you have any questions about this article, any feedback, suggestions if you want to share your thoughts, please feel free to do it using the below comment form.

Written by

21   Posts

My name is Jolanda de Koff and on the internet, I'm also known as Bulls Eye. Ethical Hacker, Penetration tester, Researcher, Programmer, Self Learner and forever n00b. Not necessarily in that order. Like to make my own hacking tools and I sometimes share them with you. "You can create art & beauty with a computer and Hacking is not a hobby but a way of life ..." I ♥ open source"
View All Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Do NOT follow this link or you will be banned from the site!