explaingit

otsolain/sanguinerose

17 · Python · Audience · developer · Complexity · 2/5 · Setup · easy

TLDR

A Python command-line tool for authorized security testing of website registration endpoints: it sends batches of fake signups and classifies the responses to reveal missing rate limiting, CAPTCHA, or WAF protections.

Mindmap

mindmap
  root((SanguineRose))
    What It Does
      Fake signup requests
      Response classification
      Protection detection
    Tech Stack
      Python 3.8+
      httpx
    Use Cases
      Rate limit testing
      CAPTCHA detection
      Bug bounty audits
    Outputs
      Plain-text report
      JSON log file


Things people build with this

USE CASE 1

Test your own web app's registration endpoint to confirm rate limiting blocks repeated fake signups

USE CASE 2

Identify missing CAPTCHA or WAF protections during an authorized penetration test or bug bounty engagement

USE CASE 3

Generate a detailed JSON log of signup attempt outcomes to include as evidence in a security audit report

Tech stack

Python, httpx

Getting it running

Difficulty · easy · Time to first run · 5 min

Only requires Python 3.8+ and the httpx library; it must only be used against systems you own or have written permission to test.

No license information is stated in the repository.

In plain English

SanguineRose is a Python-based security testing tool for checking whether a website's account registration system has weak protections. The idea is that a registration endpoint with no rate limiting, no CAPTCHA, or no duplicate detection can be abused to create large numbers of fake accounts. This tool lets a security researcher or bug bounty hunter test for those weaknesses in a controlled, authorized way. The README is explicit that you should only run it against systems you own or have written permission to test.

The tool generates fake account details (email addresses, usernames, passwords) automatically and sends many signup requests to a target URL at a configurable speed. For each response it gets back, it classifies the outcome into one of several categories: the account was created, it was rejected as a duplicate, a CAPTCHA appeared, a web application firewall blocked the request, the server responded with an error, and so on. This classification is what tells you which defenses are present and which are not.

At the end of a test run, the tool prints a plain-language report summarizing what it found and saves a full log to a JSON file with per-request detail. There is also a dry-run mode that shows exactly what would be sent without actually sending anything, and a flag that stops the test the moment any protection layer engages.

Configuration is flexible. You can set the number of attempts, how many run in parallel, the delay between requests, custom field names for the signup form, and whether to send data as a form or as JSON. An interactive mode walks you through the settings step by step if you do not want to use command-line flags. The only dependency beyond Python 3.8 is the httpx library for making HTTP requests.
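As an added example (not code from the SanguineRose repository), the response-classification step described above can be written as a small function that maps each signup response to one outcome category, plus a summary that records which protection layers were observed at all. The status-code and body-text markers used here are assumptions for illustration; real sites and the project's own heuristics will differ.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Marker patterns are assumptions for this example, not the project's own.
CAPTCHA_RE = re.compile(r"captcha|hcaptcha|turnstile", re.I)
DUPLICATE_RE = re.compile(r"already (exists|registered|taken)|in use", re.I)
WAF_RE = re.compile(r"access denied|request blocked|cloudflare", re.I)


@dataclass
class SignupResponse:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def classify(resp: SignupResponse) -> str:
    """Map one signup response to an outcome category.

    Checks are ordered so an active protection layer wins over a generic
    status: rate limit, then CAPTCHA, then WAF, then server error, then
    duplicate, and only then a plain success.
    """
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status == 429 or "retry-after" in hdrs:
        return "rate_limited"
    if CAPTCHA_RE.search(resp.body):
        return "captcha"
    if resp.status == 403 or WAF_RE.search(resp.body):
        return "waf_blocked"
    if resp.status >= 500:
        return "server_error"
    if resp.status == 409 or DUPLICATE_RE.search(resp.body):
        return "duplicate"
    if resp.status in (200, 201, 302):
        return "created"
    return "unknown"


def summarize(responses) -> dict:
    """Count outcomes and flag which protection layers appeared in the run."""
    counts = Counter(classify(r) for r in responses)
    seen = {k: counts[k] > 0 for k in ("rate_limited", "captcha", "waf_blocked")}
    return {"counts": dict(counts), "protections_seen": seen}


# Constructed sample responses, standing in for what a test run might see.
SAMPLE = [
    SignupResponse(201, '{"id": 17}'),
    SignupResponse(400, '{"error": "email already registered"}'),
    SignupResponse(200, '<div class="g-recaptcha"></div>'),
    SignupResponse(429, "slow down", {"Retry-After": "30"}),
    SignupResponse(403, "Access denied by Cloudflare"),
    SignupResponse(502, "Bad Gateway"),
]
```

A defender can feed recorded responses from their own endpoint through `summarize` to confirm that each protection layer actually shows up in what the client sees.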

Copy-paste prompts

Prompt 1
Using SanguineRose, test my own /api/register endpoint with 50 parallel fake signup attempts and report which protections, rate limiting, CAPTCHA, or WAF, trigger first
Prompt 2
Run SanguineRose in dry-run mode against a signup form with custom field names 'user_email' and 'user_pass' and show exactly what requests it would send
Prompt 3
Write a Python script using httpx that replicates SanguineRose's response-classification logic, categorizing responses as created, duplicate, captcha, or blocked
Prompt 4
Parse a SanguineRose JSON output log and summarize how many requests succeeded, hit rate limiting, triggered CAPTCHA, and were blocked by a WAF


Verify against the repo before relying on details.