The Basics

Cohesion comes with several commands and options to help you automate various types of web application security tests.


The Scanner is a fully automated web security assessment tool. When configured, the tool will automatically discover web resources by spidering the application and bruteforcing common files and folders. Discovered resources are automatically tested for a wide range of vulnerabilities such as SQL Injection, Cross-Site Scripting, Code Execution, File Include vulnerabilities and much more.

To start a scan simply type:

$ cohesion scanner http://target

The target can also be a file containing an HTTP request.

The Scanner will automatically add the target URL to the current scope, set up all rules and security tests and start the testing process.


The Spider is the automatic resource identification and information gathering process used by the Scanner. You can use the spider to footprint the application and identify hidden files and folders.

Like the Scanner, it is easy to get started:

$ cohesion spider http://target


Use the Fuzzer to identify vulnerabilities within specific requests with great precision. This tool is most useful when testing API endpoints or re-testing previously reported issues identified by the Scanner.

Use the following command to get started:

$ cohesion fuzzer http://target/?param=a

The Fuzzer works best when provided with a request from a file rather than one specified on the command line. File requests help you customise the method, headers and the request body, which is particularly important when testing web services.


The Cohesion Proxy is capable of testing every request captured in transit, so it can be used with other tools that are part of the testing pipeline, such as unit and integration tests. With the Proxy you can achieve the same level of security and resilience coverage as you get from your tests.

Use the following command to start the proxy:

$ cohesion proxy http://target/

By default, the proxy runs on localhost port 9090. You can change the address via the '--proxy' command line flag. Once running, you need to configure your existing tooling to use the proxy when performing tests. Please consult the proxy setup manual specific to your development environment.

As a general rule of thumb, proxy configuration can be passed with the "http_proxy" and "https_proxy" environment variables. Assuming that Cohesion Proxy runs on localhost port 9090, this is how existing tools can be configured:

$ export http_proxy=http://localhost:9090
$ export https_proxy=http://localhost:9090
$ ./
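
A wrapper for the environment-variable setup above, as an added example that is not part of the Cohesion documentation: it scopes the proxy variables to one test command and warns when an existing no_proxy entry would let that command's requests skip the proxy, which would leave them untested. The names COHESION_PROXY_ADDR, no_proxy_matches and run_via_proxy are hypothetical; only the localhost:9090 default comes from the text above.

```sh
#!/bin/sh
# Added example (not Cohesion's own code). Assumption: the proxy listens on the
# default address from the text; override with COHESION_PROXY_ADDR (hypothetical name).
COHESION_PROXY_ADDR="${COHESION_PROXY_ADDR:-localhost:9090}"

# no_proxy_matches HOST LIST
# Succeeds when the comma-separated LIST would exclude HOST from proxying.
# Simplified matching (exact name, domain suffix, or "*"); real clients differ in details.
# The body runs in a subshell so the IFS and noglob changes stay local.
no_proxy_matches() (
    host="$1"
    set -f
    IFS=','
    for entry in $2; do
        entry="${entry# }"      # drop one leading space
        entry="${entry#.}"      # ".example.test" and "example.test" are treated alike
        [ -n "$entry" ] || continue
        [ "$entry" = '*' ] && exit 0
        case "$host" in
            "$entry"|*".$entry") exit 0 ;;
        esac
    done
    exit 1
)

# run_via_proxy TARGET_HOST COMMAND [ARGS...]
# Runs COMMAND with the proxy variables set for that process only, so the
# rest of the shell session is unaffected. Both lower- and upper-case names
# are set because tools differ in which spelling they read.
run_via_proxy() {
    target_host="$1"
    shift
    if no_proxy_matches "$target_host" "${no_proxy:-${NO_PROXY:-}}"; then
        echo "warning: no_proxy excludes $target_host; clearing it for this run" >&2
    fi
    # Some HTTP clients skip the proxy for loopback targets regardless of these
    # variables (Go's net/http does), so check that requests actually arrive.
    env http_proxy="http://$COHESION_PROXY_ADDR" \
        https_proxy="http://$COHESION_PROXY_ADDR" \
        HTTP_PROXY="http://$COHESION_PROXY_ADDR" \
        HTTPS_PROXY="http://$COHESION_PROXY_ADDR" \
        no_proxy= NO_PROXY= \
        "$@"
}
```

Call it with the host your tests talk to followed by your usual test command, for example `run_via_proxy target <your test command>`.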


With the "show" command you can explore various Cohesion aspects such as the list of vulnerabilities, the list of vulnerability checks, severity levels and more.

For example, execute the following command to show the list of severity levels and their corresponding values. This is useful to configure various aspects of other tools.

$ cohesion show levels


This documentation is also available in Cohesion itself. To access the docs use the "docs" command.

$ cohesion docs

The docs view is fully interactive. You can access various topics using the built-in interactive menu.


Cohesion is a commercial software product. Use the license command to preview your current license.

$ cohesion license