DOCUMENTATION

Complete technical reference for the ZION OFFSEC arsenal. Every tool, every API, every exploit — documented with precision.

Getting Started

ZION OFFSEC provides a comprehensive suite of offensive security tools accessible via web interface, REST API, and live terminal. All tools are designed for professional red team operators, penetration testers, and security researchers.

Authentication

Most API endpoints require authentication via session cookies (web) or API tokens (automation). Register an account and navigate to API Access to generate your token.

curl -X POST \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"tool":"whois","target":"example.com"}' \
  "http://localhost/zion-offsec/zion-offsec/api/terminal.php"
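For automation it is easier to wrap the call above in a small client. The following is an added example, not part of the ZION OFFSEC project; it assumes the endpoint accepts the JSON body shown in the curl example, returns JSON, answers 401 for a bad token and 429 when the per-IP rate limit is hit (the Retry-After header is an assumption). The environment variable names ZION_API_TOKEN and ZION_BASE_URL are chosen for this example.

```python
"""Small client for the terminal endpoint (added illustration, not the project's
own client). Assumes a JSON request body as in the curl example, a JSON reply,
401 for a rejected token and 429 when the per-IP rate limit is hit."""
import json
import os
import time
import urllib.error
import urllib.request

BASE_URL = os.environ.get("ZION_BASE_URL", "http://localhost/zion-offsec/zion-offsec/api/")
# Keep the token out of scripts and shell history: read it from the environment.
TOKEN = os.environ.get("ZION_API_TOKEN", "")


def build_request(tool, target, token=None, base_url=None):
    """POST terminal.php with a bearer token and an explicit JSON content type."""
    token = TOKEN if token is None else token
    base_url = BASE_URL if base_url is None else base_url
    body = json.dumps({"tool": tool, "target": target}).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + "/terminal.php",
        data=body,
        method="POST",
        headers={
            "Authorization": "Bearer " + token,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def run_tool(tool, target, retries=3, timeout=40):
    """Send the request; back off on 429, fail immediately on 401.

    The socket timeout is longer than the server's 30 s execution cap so a slow
    but legitimate run is not cut off on the client side first."""
    req = build_request(tool, target)
    for attempt in range(retries):
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return json.loads(resp.read().decode("utf-8"))
        except urllib.error.HTTPError as e:
            if e.code == 401:
                raise RuntimeError("API token missing, expired or revoked") from e
            if e.code == 429 and attempt < retries - 1:
                # Honour a numeric Retry-After if present (assumed), else back off exponentially.
                delay = e.headers.get("Retry-After")
                time.sleep(float(delay) if delay and delay.isdigit() else 2 ** attempt)
                continue
            raise
    raise RuntimeError("gave up after %d attempts" % retries)


if __name__ == "__main__":
    print(json.dumps(run_tool("whois", "example.com"), indent=2))
```

Run it with ZION_API_TOKEN exported; the token never appears on the command line, so it does not end up in process listings or shell history.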

API Reference

Base URL

http://localhost/zion-offsec/zion-offsec/api/

Available Endpoints

Endpoint             Method    Description                         Auth
/api/terminal.php    POST      Execute server-side hacking tools   Required
/api/challenges.php  GET       List available CTF challenges       Optional
/api/tracker.php     GET       Generate & track trap links         Required
/api/contact.php     POST      Submit contact form                 None
/api/cart.php        GET/POST  Shopping cart operations            Required
/api/search.php      GET       Search products & tools             None
/api/download.php    GET       Download purchased products         Required
/api/licenses.php    GET       Manage product licenses             Required

Terminal Tools

The Terminal API exposes 40+ server-side tools. Every request is checked against a whitelist of permitted binaries, counted against the per-IP rate limit, and killed if it exceeds the execution timeout. The table below lists a representative subset of the tools.

Available Tools

Tool        Description                          Example
whois       Domain WHOIS lookup                  whois target.com
nmap        Network scanner (connect scan only)  nmap -sT target.com
nslookup    DNS resolution                       nslookup target.com
host        DNS lookup utility                   host target.com
traceroute  Network path tracing                 traceroute target.com
curl        HTTP client                          curl -I https://target.com
hashid      Hash type identifier                 hashid $2y$10$...
cve         CVE database lookup                  cve CVE-2024-1234

Security Model

  • Input Validation: Every request field is checked against an expected format before it reaches a tool. For the terminal this covers the flags and the target, not only the binary name: a permitted tool can still be misused through its arguments (for example curl -o or nmap -oN, which write to the server's filesystem), so argument validation is part of the check.
  • Rate Limiting: API endpoints enforce per-IP rate limits; the thresholds are configurable via the admin panel.
  • Execution Timeouts: Terminal commands are capped at 30 seconds; a tool that runs longer is killed so a single request cannot exhaust server resources.
  • Tool Whitelist: Only explicitly allowed binaries can be executed via the terminal API; anything not on the list is refused before a process is started.
  • CSRF Protection: All state-changing operations require a valid CSRF token.
  • Session Security: Session cookies are set HttpOnly with SameSite=Lax, and sessions are managed strictly.
  • PGP Signing: All official communications are signed. Verify the signature before trusting a message.
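To make the terminal safeguards concrete (whitelist, argument validation, timeout, rate limit), here is a reference model written for this page. It is an added example in Python, not the project's PHP implementation, and it covers only a subset of the tool list; the flag sets, the regexes and the names validate, is_allowed, RateLimiter and execute are all choices made for the illustration.

```python
"""Reference model of the terminal API's safeguards: tool whitelist, per-tool
flag whitelist, target validation, no shell, 30-second timeout, per-IP rate limit.
Added illustration only; the project's endpoints are PHP and this is not their code."""
import re
import shlex
import subprocess
import time
from collections import defaultdict, deque

EXEC_TIMEOUT = 30  # seconds, the cap the documentation states

# Whitelist: binary -> flags it may be called with. Anything that writes files,
# loads scripts or changes the scan type is deliberately absent, so "nmap -sS",
# "nmap --script", "curl -o" and "curl -K" all fail closed. (Subset of the tool list.)
TOOL_FLAGS = {
    "whois": set(),
    "nmap": {"-sT", "-Pn", "-p"},   # connect scan only
    "nslookup": set(),
    "host": set(),
    "traceroute": set(),
    "curl": {"-I", "-s", "-L"},
}
FLAGS_WITH_VALUE = {"-p"}           # value validated separately below

# Targets: a hostname or IPv4 literal; curl gets an http(s) URL. Nothing a shell
# or the tool could reinterpret (spaces, ;, |, $, @, leading dash) can match.
# Blocking private/loopback ranges after DNS resolution is a further step not shown.
HOST_RE = re.compile(r"^(?:(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}|(?:\d{1,3}\.){3}\d{1,3})$", re.I)
URL_RE = re.compile(r"^https?://(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}(?::\d{1,5})?(?:/[\w./%-]*)?$", re.I)
PORT_RE = re.compile(r"^\d{1,5}(?:-\d{1,5})?(?:,\d{1,5}(?:-\d{1,5})?)*$")


class RejectedCommand(ValueError):
    """Raised when any token of the submitted command fails the whitelist."""


def validate(command):
    """Parse a submitted command line; return argv only if every token is permitted."""
    try:
        argv = shlex.split(command)
    except ValueError as e:
        raise RejectedCommand("unbalanced quoting") from e
    if not argv:
        raise RejectedCommand("empty command")
    tool, args = argv[0], argv[1:]
    if tool not in TOOL_FLAGS:
        raise RejectedCommand("tool not whitelisted: " + tool)
    targets = 0
    i = 0
    while i < len(args):
        a = args[i]
        if a.startswith("-"):
            if a not in TOOL_FLAGS[tool]:
                raise RejectedCommand("flag not permitted: " + a)
            if a in FLAGS_WITH_VALUE:
                i += 1
                if i >= len(args) or not PORT_RE.match(args[i]):
                    raise RejectedCommand("bad value for " + a)
        else:
            pattern = URL_RE if tool == "curl" else HOST_RE
            if not pattern.match(a):
                raise RejectedCommand("target rejected: " + a)
            targets += 1
        i += 1
    if targets != 1:
        raise RejectedCommand("exactly one target required")
    return argv


def is_allowed(command):
    """Boolean view of validate(), handy for tests and for logging denials."""
    try:
        validate(command)
        return True
    except RejectedCommand:
        return False


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client IP."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[ip]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def execute(command, client_ip, limiter):
    """Full request path: rate limit, validate, run argv directly (never shell=True), cap runtime."""
    if not limiter.allow(client_ip):
        return {"error": "rate limited"}
    try:
        argv = validate(command)
    except RejectedCommand as e:
        return {"error": str(e)}
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=EXEC_TIMEOUT)
    except FileNotFoundError:
        return {"error": "tool not installed on this host"}
    except subprocess.TimeoutExpired:
        return {"error": "killed after %d s" % EXEC_TIMEOUT}
    # Truncate output so a chatty tool cannot blow up the response or server memory.
    return {"rc": proc.returncode, "stdout": proc.stdout[-65536:], "stderr": proc.stderr[-4096:]}


if __name__ == "__main__":
    for cmd in ("nmap -sT -p 80,443 example.com", "nmap -sS example.com",
                "curl -o /tmp/x https://example.com", "whois 'example.com; id'"):
        print("%-45s %s" % (cmd, "allowed" if is_allowed(cmd) else "rejected"))
```

The important design point is that the list is applied to every argv token, not just argv[0]: the same binary that is safe with "-sT" is not safe with "--script", and the target regex is what keeps shell metacharacters out even though no shell is ever invoked.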