DOCUMENTATION
Complete technical reference for the ZION OFFSEC arsenal. Every tool, every API, every exploit — documented with precision.
Getting Started
ZION OFFSEC provides a comprehensive suite of offensive security tools accessible via web interface, REST API, and live terminal. All tools are designed for professional red team operators, penetration testers, and security researchers.
Authentication
Most API endpoints require authentication via session cookies (web) or API tokens (automation). Register an account and navigate to API Access to generate your token.
```bash
curl -H "Authorization: Bearer YOUR_API_TOKEN" \
     "http://localhost/zion-offsec/zion-offsec/api/terminal.php" \
     -d '{"tool":"whois","target":"example.com"}'
```
API Reference
Base URL
http://localhost/zion-offsec/zion-offsec/api/
Available Endpoints
| Endpoint | Method | Description | Auth |
|---|---|---|---|
| /api/terminal.php | POST | Execute server-side hacking tools | Required |
| /api/challenges.php | GET | List available CTF challenges | Optional |
| /api/tracker.php | GET | Generate & track trap links | Required |
| /api/contact.php | POST | Submit contact form | None |
| /api/cart.php | GET/POST | Shopping cart operations | Required |
| /api/search.php | GET | Search products & tools | None |
| /api/download.php | GET | Download purchased products | Required |
| /api/licenses.php | GET | Manage product licenses | Required |
Terminal Tools
The Terminal API provides access to 40+ server-side hacking tools with whitelist-based security, rate limiting, and execution timeouts.
Available Tools
| Tool | Description | Example |
|---|---|---|
| whois | Domain WHOIS lookup | `whois target.com` |
| nmap | Network scanner (connect scan only) | `nmap -sT target.com` |
| nslookup | DNS resolution | `nslookup target.com` |
| host | DNS lookup utility | `host target.com` |
| traceroute | Network path tracing | `traceroute target.com` |
| curl | HTTP client | `curl -I https://target.com` |
| hashid | Hash type identifier | `hashid $2y$10$...` |
| cve | CVE database lookup | `cve CVE-2024-1234` |
Security Model
- Input Validation: All user input is validated and sanitized before processing.
- Rate Limiting: API endpoints enforce per-IP rate limits (configurable via admin panel).
- Execution Timeouts: Terminal commands are capped at 30 seconds to prevent resource exhaustion.
- Tool Whitelist: Only explicitly allowed binaries can be executed via the terminal API.
- CSRF Protection: All state-changing operations require valid CSRF tokens.
- Session Security: HTTP-only, SameSite=Lax cookies with strict session management.
- PGP Signing: All official communications are signed. Verify before trusting.
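A whitelist-and-template dispatcher of the kind the Terminal Tools and Security Model sections describe, added here as an example; it is not the project's own api/terminal.php. It assumes PHP 7.4+ (array-form proc_open, arrow functions), GNU coreutils `timeout`, the binary paths shown, and that authentication, CSRF and rate limiting have already run before this handler. The caveat it makes concrete: whitelisting the binary is not enough, the argument list must be fixed as well, so the target is the only user-controlled value.

```php
<?php
// Added example, not the project's own api/terminal.php. Whitelisting the
// binary alone is not enough: user-supplied flags to nmap or curl could change
// the scan type or write files, so every tool has a fixed argv template and
// the only user-controlled value is the target.
const TOOL_TEMPLATES = [
    'whois'      => ['/usr/bin/whois', '{target}'],
    'nmap'       => ['/usr/bin/nmap', '-sT', '{target}'],    // connect scan only
    'nslookup'   => ['/usr/bin/nslookup', '{target}'],
    'host'       => ['/usr/bin/host', '{target}'],
    'traceroute' => ['/usr/bin/traceroute', '{target}'],
    'curl'       => ['/usr/bin/curl', '-I', '--max-time', '10', 'https://{target}'],
];
const EXEC_TIMEOUT_SECONDS = 30; // the documented per-command cap

// Accept only an RFC 1123 hostname or a dotted IPv4 address. Loopback and
// private ranges are not excluded here; a deployment that exposes curl should
// add that check so the tool cannot be pointed at internal services.
function isValidTarget(string $target): bool {
    $hostRe = '/^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i';
    return (strlen($target) <= 253 && preg_match($hostRe, $target) === 1)
        || filter_var($target, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Returns the argv array to run, or null when the tool or target is rejected.
function buildCommand(string $tool, string $target): ?array {
    if (!array_key_exists($tool, TOOL_TEMPLATES) || !isValidTarget($target)) {
        return null;
    }
    return array_map(fn(string $a) => str_replace('{target}', $target, $a), TOOL_TEMPLATES[$tool]);
}

// Array-form proc_open (PHP 7.4+) execs directly with no shell, so nothing is
// quoted or interpolated; GNU timeout ends the child at the cap (KILL 5s later).
function runTool(array $command): array {
    $full = array_merge(['/usr/bin/timeout', '-k', '5', (string) EXEC_TIMEOUT_SECONDS], $command);
    $spec = [1 => ['pipe', 'w'], 2 => ['redirect', 1]]; // merge stderr into stdout
    $proc = proc_open($full, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['exit' => -1, 'output' => 'failed to start tool'];
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'output' => $output];
}
$req = json_decode((string) file_get_contents('php://input'), true);
$req = is_array($req) ? $req : [];
$cmd = buildCommand((string) ($req['tool'] ?? ''), (string) ($req['target'] ?? ''));
header('Content-Type: application/json');
echo json_encode($cmd === null ? ['error' => 'tool or target rejected'] : runTool($cmd));
```

A request such as `{"tool":"nmap","target":"example.com; id"}` is rejected before anything runs, because the target fails the hostname check rather than because of escaping.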