No system is really safe.
CLI tool for stress-testing web targets using k6.
Internal security research tool. Only use against targets you have authorization to test.
npm i -g @lazuardytech/ouraAfter linking, the oura command is available globally.
Launch a stress test against a target:
# Basic bombard with 100 VUs for 30 seconds
oura attack -t https://example.com
# Custom VUs, duration, and scenario
oura attack -t https://example.com -u 500 -d 1m -s ramping
# POST request with JSON payload and custom headers
oura attack -t https://api.example.com/endpoint \
-m POST \
-u 200 \
-d 45s \
-w '{"key":"value"}' \
-H '{"Content-Type":"application/json"}'
# Ramping scenario with custom stages
oura attack -t https://example.com -s ramping \
-r "0:10s,50:30s,100:60s,50:30s,0:10s"
# Soak test (long duration) and save report
oura attack -t https://example.com -s soak -u 200 -d 10m -o result.json
# Stealth mode with rotating headers and random delays
oura attack -t https://example.com -s stealth -u 50 -d 1m
# Stealth flag on any scenario
oura attack -t https://example.com -s bombard --stealth
# Form flood β auto-detect and fill form fields
oura attack -t https://example.com/submit -s form-flood -u 100 -d 30s
# Form flood with separate scan URL
oura attack -t https://example.com/submit -s form-flood \
--scan-url https://example.com/form-page
# Proxy support
oura attack -t https://example.com --proxy http://proxy:8080
oura attack -t https://example.com --proxy-file proxies.txt
# CDN bypass via origin IP
oura attack -t https://example.com --origin 1.2.3.4
# Custom thresholds
oura attack -t https://example.com \
--threshold 'http_req_duration:p(95)<500' \
--threshold 'http_req_failed:rate<0.1'
# Fixed iterations instead of duration
oura attack -t https://example.com --iterations 1000
# Rate limiting per VU
oura attack -t https://example.com --rps 50| Flag | Description | Default |
|---|---|---|
-t, --target |
Target URL (required) | β |
-m, --method |
HTTP method (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS) | GET |
-u, --vus |
Number of virtual users | 100 |
-d, --duration |
Test duration (30s, 1m, 5m) |
30s |
-r, --ramp-up |
Custom ramp-up stages | β |
-w, --payload |
Request body (JSON string) | β |
-H, --headers |
Custom headers (JSON string) | β |
-s, --scenario |
Attack scenario | bombard |
-o, --output |
Output path for k6 summary JSON | β |
--threshold |
Pass/fail thresholds (repeatable) | β |
--iterations |
Iterations per VU (overrides duration for bombard) | β |
--no-check |
Disable default response checks | false |
--stealth |
Enable stealth mode (rotating headers, random delays) | false |
--proxy |
Proxy URL (HTTP/HTTPS/SOCKS5) | β |
--proxy-file |
Path to proxy list file (one per line) | β |
--origin |
Origin server IP to bypass CDN | β |
--rps |
Requests per second per VU | 1000 |
--scan-url |
URL to scan for form fields (form-flood scenario) | β |
- bombard β Constant load with fixed VUs for the entire duration
- ramping β Gradually increases and decreases load (default stages if
--ramp-upnot provided) - soak β Prolonged test with progressive load increase to find breaking points
- stealth β Rotating User-Agents, headers, spoofed IPs, and random delays to mimic real traffic
- form-flood β Auto-detect HTML form fields and flood with realistic data
Scan a frontend URL for API endpoints, WebSockets, webhooks, SSE, and GraphQL:
oura scan -t https://example.com
oura scan -t https://example.com -k # skip SSL verification| Flag | Description | Default |
|---|---|---|
-t, --target |
Target URL (required) | β |
-k, --insecure |
Skip SSL certificate validation | false |
View results from a previous test run:
oura report -f result.json
oura report -f result.json --detail| Flag | Description |
|---|---|
-f, --file |
Path to k6 summary JSON (required) |
--detail |
Show detailed metrics per endpoint |
Manage oura configuration:
oura config show
oura config set defaultVus 200
oura config set defaultDuration 1m
oura config set defaultScenario stealth
oura config set defaultRpsPerVu 50
oura config reset| Key | Type | Default |
|---|---|---|
k6Path |
string | "k6" |
defaultVus |
number | 100 |
defaultDuration |
string | "30s" |
defaultScenario |
string | "bombard" |
defaultRpsPerVu |
number | 1000 |
lastTarget |
string | "" |
src/
βββ index.ts # CLI entry point
βββ commands/
β βββ attack.ts # Attack command
β βββ report.ts # Report command
β βββ config.ts # Config management
β βββ scan.ts # Frontend API scanner
βββ k6/
β βββ runner.ts # k6 script compilation & execution
β βββ templates/
β βββ bombard.ts # Constant-load template
β βββ ramping.ts # Progressive-ramp template
β βββ soak.ts # Long-duration soak template
β βββ stealth.ts # Stealth mode template
β βββ form-flood.ts # Form auto-detection & flood template
β βββ utils/
β βββ stealth.ts # Stealth helpers (User-Agents, headers, IP spoofing)
β βββ form-scanner.ts # Form field detection from HTML
βββ utils/
βββ logger.ts # Colored console output
βββ validator.ts # Input validation
βββ sanitizer.ts # Script injection sanitization
βββ fetcher.ts # Node.js HTTP/HTTPS fetcher
npm install
npm run build
npm link
npm run dev # Watch mode build
npm run typecheck # Type checking
npm run lint # Lint
npm run format # FormatMIT