vigolium module ls for the up-to-date enabled list (the registry can grow between releases without a docs refresh).
Active modules send modified requests to detect vulnerabilities; passive modules analyze existing request/response pairs without generating traffic. Recent additions include the GraphQL security suite, the Adobe Experience Manager (AEM) family, the SaaS data-exposure family (Salesforce / ServiceNow / Power Pages), the Model Context Protocol (MCP) suite, the expanded IIS family, the dependency-confusion and js-beautify passives, and the v0.2.1 batch (out-of-band SQLi, XPath injection, unauthenticated infra-service exposure, TLS protocol/cipher audit, session fixation, and the LLM-endpoint / payment-integration / DOM-clobbering / CSS-injection / cross-origin-isolation / reverse-tabnabbing passives) — see vigolium module ls --tag graphql, --tag aem, --tag salesforce, --tag servicenow, --tag powerpages, --tag mcp, and --tag iis to view them.
Severity Scale
critical > high > medium > low > suspect > info
Confidence Scale
- certain - Definitively confirmed (payload executed, error matched)
- firm - Likely confirmed by behavioral analysis
- tentative - Possible but unconfirmed (heuristic-based)
Active Modules (198)
Active modules send modified requests to detect vulnerabilities via fuzzing, injection, and behavioral analysis. The list below is a curated highlight, runvigolium module ls --type active for the full list.
XSS
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-xss-light-url-params | XSS Light - URL Parameters | Reflected XSS in URL parameters with POST→GET conversion | High | Firm | xss, injection |
active-xss-light-path | XSS Light - Path Injection | Reflected XSS via path manipulation (recursive, cut, append) | High | Firm | xss, injection |
active-xss-light-param-discovery | XSS Light - Parameter Discovery | Reflected XSS via echo parameter discovery | High | Firm | xss, injection |
SQL Injection
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-sqli-error-based | SQLi Error Based | Error-based SQLi via database error messages (MySQL, PostgreSQL, MSSQL, Oracle, SQLite) | Critical | Certain | sqli, injection |
active-sqli-boolean-blind | Blind SQL Injection (Boolean-Based) | Boolean-based blind SQLi using a randomized boundary matrix with difflib-style page-similarity comparison, a multi-round/multi-factor logic battery (AND/OR oracle, alternating comparison operators, invalid-syntax probe), and WAF-adaptive payload mutation. Only reports 200-vs-200 differentials with a large body-size delta (rejects status-flip false positives) | High | Certain | sqli, injection, heavy |
sqli-out-of-band | SQL Injection (Out-of-Band) | Blind SQLi confirmed via out-of-band DBMS callbacks (LOAD_FILE / xp_dirtree / UTL_HTTP) to a per-payload OAST subdomain — an unforgeable hit proves execution | Critical | Certain | sqli, injection, oast |
NoSQL Injection
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-nosqli-error-based | NoSQLi Error Based | NoSQL injection via error messages (MongoDB, CouchDB, Cassandra) | Critical | Certain | nosqli, injection |
active-nosqli-operator-injection | NoSQL Operator Injection | MongoDB operator injection ($ne, $gt, $regex, $where) for auth bypass | High | Firm | nosqli, injection |
Template Injection
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-reflected-ssti | Reflected SSTI | SSTI via math expression evaluation (e.g., {{7*7}}=49) | High | Certain | ssti, injection |
active-ssti-detection | SSTI Detection | Diff-based SSTI via Boolean Error-Based Blind technique | High | Certain | ssti, injection |
active-csti-detection | Client-Side Template Injection | CSTI in AngularJS/Vue.js applications via literal reflection | High | Firm | ssti, injection |
File Inclusion
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-lfi-generic | LFI Generic | LFI via path traversal payloads; matches known OS file signatures | Critical | Certain | lfi, injection |
active-lfi-path-traversal | LFI Path Traversal | Advanced LFI with null bytes, double encoding, Unicode bypass | High | Firm | lfi, injection |
Code Execution & Injection
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-code-exec | Code Execution (RCE) | OS command injection via time-based blind (sleep/delay measurement) | Critical | Certain | rce, injection |
command-injection-echo | OS Command Injection (Results-Based) | In-band OS command injection confirmed by reflecting a unique arithmetic marker, baseline-compared over multiple rounds to suppress false positives | Critical | Certain | rce, command-injection, injection |
command-injection-oast | OS Command Injection (Out-of-Band) | Blind OS command injection via DNS/HTTP OAST callbacks (classified distinctly from SSRF/XXE) | Critical | Certain | rce, command-injection, oast |
command-injection-timing | OS Command Injection (Time-Based) | Time-based blind OS command injection with delay-scaling confirmation across rounds | Critical | Tentative | rce, command-injection, injection, heavy |
active-crlf-injection | CRLF Injection | CRLF injection in HTTP headers via CR/LF character sequences | Medium | Firm | injection |
active-xxe-generic | XXE Generic | XML external entity injection in generic XML endpoints; includes blind / out-of-band detection via external- and parameter-entity DTDs referencing a unique OAST URL | Critical | Certain | xxe, injection |
xpath-injection | XPath Injection | XPath/XQuery injection detected via engine error signatures and a boolean oracle (e.g. ' or '1'='1) | High | Firm | xpath, injection |
active-insecure-deserialization | Insecure Deserialization | Error-based detection for Java, PHP, Python, Ruby, and .NET deserialization | High | Firm | injection |
active-input-behavior-probe | Input Behavior Probe | Behavior change detection via header, path, debug param, and char probing | Suspect | Tentative | injection |
SSRF & Out-of-Band (OAST)
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-ssrf-detection | SSRF Detection | SSRF via in-band probes (internal IPs, cloud metadata) with response differential | High | Firm | ssrf, injection |
active-oast-probe | OAST Probe | Blind vulnerabilities (blind SSRF, blind XXE, blind RCE) via DNS/HTTP callbacks, plus “Collaborator Everywhere” OAST headers | High | Certain | ssrf, injection |
active-proxy-pingback | Proxy Pingback | Open proxy/callback endpoints via OAST URL injection | High | Certain | ssrf, injection |
ssrf-filter-bypass | SSRF Filter Bypass (URL Parser Confusion) | SSRF that defeats URL allow/deny filters via parser confusion (@, #, backslash, embedded credentials) | High | Firm | ssrf, injection, heavy |
ssrf-protocol-smuggling | SSRF Protocol Smuggling (CRLF in URL) | SSRF via CRLF-in-URL protocol smuggling against fetchers that don’t sanitize the target URL | High | Firm | ssrf, injection, heavy |
routing-ssrf | Routing-Based SSRF (Request-Line) | Routing-based SSRF from PortSwigger’s “Cracking the Lens” — absolute-URI / @ / /// request-line targets with OAST + internal-marker confirmation | High | Firm | ssrf, proxy, routing, oast, heavy |
upgrade-routing-ssrf | WebSocket-Upgrade SSRF Filter Bypass | Routing SSRF that bypasses filters via a WebSocket Upgrade, confirmed by a with-vs-without differential | High | Firm | ssrf, proxy, websocket, heavy |
Misconfiguration
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-cors-misconfiguration | CORS Misconfiguration | Permissive CORS policies (reflected origins, null origin, wildcard+credentials) | Medium | Firm | misconfiguration |
active-spring-actuator-misconfig | Spring Actuator Misconfiguration | Exposed Spring Boot actuator endpoints leaking env vars, health, config | High | Firm | misconfiguration |
active-host-header-injection | Host Header Injection | Host header injection via value reflection (password reset/cache poisoning) | Medium | Firm | misconfiguration |
active-web-cache-poisoning | Web Cache Poisoning | Cache poisoning via unkeyed header injection (X-Forwarded-Host, X-Forwarded-Scheme) | High | Firm | misconfiguration |
cache-poisoned-dos | Cache-Poisoned Denial of Service (CPDoS) | CPDoS via header-only HMO/HHO variants that make a shared cache store and replay an origin error; safe unique-buster oracle, never affects shared keys | Medium | Firm | cache-poisoning, cpdos, dos |
unauth-service-exposure | Unauthenticated Infrastructure Service Exposure | Unauthenticated Docker / Kubernetes / datastore APIs exposed over HTTP, confirmed by a service-specific structural signature and re-verified | Critical | Certain | exposure, infrastructure, misconfiguration |
tls-protocol-cipher-audit | TLS Protocol & Cipher Audit | Grades a host’s TLS by directly negotiating deprecated protocols and weak cipher suites | Medium | Certain | tls, crypto, transport, misconfiguration |
Access Control
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-forbidden-bypass | 403/401 Forbidden Bypass | Bypass via path manipulation, header injection, method tampering | Medium | Firm | auth-bypass |
active-http-method-tampering | HTTP Method Tampering | Unexpectedly enabled HTTP methods (PUT, DELETE, PATCH) and overrides | Medium | Firm | auth-bypass |
active-csrf-verify | CSRF Token Verification | Verifies CSRF token enforcement by removing, emptying, or randomizing tokens | High | Firm | auth-bypass |
active-idor-detection | IDOR Detection | Missing authorization on object ID parameters via neighbor ID probing | High | Tentative | auth-bypass |
active-mass-assignment | Mass Assignment | Mass assignment via injecting privilege keys into JSON APIs | High | Firm | auth-bypass |
active-open-redirect | Open Redirect | Open redirect via injected external URL in Location/meta refresh | Medium | Firm | auth-bypass |
open-redirect-confusion | Open Redirect via URL Parser Confusion | Open redirect reached through URL-parser-confusion payloads (@, backslash, embedded host) that slip past naive redirect validation | High | Firm | open-redirect, ssrf, moderate |
session-fixation | Session Fixation | Permissive session mechanism that adopts an attacker-supplied session ID across authentication | Medium | Firm | session, auth, session-fixation |
Path Analysis
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-path-normalization | Path Normalization | Path normalization vulnerabilities via traversal payloads against middleware/reverse proxy | High | Firm | misconfiguration |
active-nginx-off-by-slash | Nginx Off-by-Slash | Nginx alias traversal via missing trailing slash | High | Tentative | misconfiguration |
active-nginx-path-escape | Nginx Path Escape Detection | Diff-based detection for alias traversal, URL encoding bypass, semicolon injection | High | Firm | misconfiguration |
reverse-proxy-path-confusion | Reverse Proxy Path Confusion | Reaches access-controlled backend paths the reverse proxy and origin normalize differently (encoded slashes, dot-segments, semicolons) | High | Firm | proxy, access-control, heavy |
Differential & Behavior Detection
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-smart-behavior-detection | Smart Behavior Detection | Diff-based injection detection via true/false behavioral payload pairs | Suspect | Firm | detection |
active-suspect-transform | Suspect Transform Detection | Expression evaluation, quote consumption, and unicode normalizations | Suspect | Firm | detection |
active-backslash-transformation | Backslash Transformation | Escape sequence interpretation, backslash consumption, character handling | Suspect | Firm | detection |
Prototype Pollution
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-prototype-pollution | Prototype Pollution | Server-side prototype pollution via __proto__ and constructor.prototype JSON injection | High | Firm | javascript, injection |
active-client-prototype-pollution | Client-Side Prototype Pollution | Client-side prototype pollution via JavaScript static analysis (source + gadget patterns) | High | Firm | javascript, injection |
Race Conditions
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-race-interference | Race Interference Detection | Race conditions via parallel request analysis (input storage, cross-contamination, TOCTOU) | High | Firm | injection |
XML, JWT & HTTP Protocol
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-xml-saml-security | XML SAML Security | XXE and DTD injection in SAML XML processing | High | Firm | injection |
active-jwt-vulnerability | JWT Vulnerability | JWT algorithm confusion (none algorithm, empty signature, RS256→HS256) | Critical | Certain | injection |
active-http-request-smuggling | HTTP Request Smuggling | CL.TE and TE.CL desync via conflicting Content-Length and Transfer-Encoding | High | Firm | injection |
API & Endpoint Security
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-graphql-scan | GraphQL Security Scanner | Runs only against a confirmed GraphQL endpoint: introspection & schema exercise, exposed IDE/console (GraphiQL/Playground/Altair), error- and boolean-based SQLi, field-level authorization (IDOR/BOLA), reflected XSS in errors, uncapped query batching, and DoS via deeply-nested/aliased/circular queries | Medium | Certain | graphql, injection, idor, bola, xss, dos, batching, console |
active-file-upload-scan | File Upload Scanner | File upload bypass (extension, null byte, magic bytes, SVG XXE, HTML XSS) | High | Certain | injection |
active-default-credentials | Default Credentials | Login endpoints tested with common credential pairs; CAPTCHA/lockout aware | High | Certain | auth-bypass |
active-sensitive-file-discovery | Sensitive File Discovery | ~25 marker-based sensitive files and ~1,350 generic paths (.env, .git, logs) | Medium | Firm | info-disclosure |
active-jsonp-callback | JSONP Callback Injection | JSONP endpoints via callback injection enabling cross-origin data theft | Medium | Firm | injection |
Proxy & Utility
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-proxy | Proxy | Replay all requests through configured proxy | Info | Firm | utility, light |
active-proxy-header-trust | Proxy Header Trust | Cross-framework proxy header trust issues via X-Forwarded-* manipulation | High | Firm | misconfiguration, moderate |
active-api-rate-limit-bypass | API Rate Limit Bypass | Rate limiting bypass via IP spoofing headers | Medium | Firm | auth-bypass, moderate |
active-websocket-security | WebSocket Security | Insecure WebSocket upgrade policies and missing origin validation | High | Firm | misconfiguration, light |
active-swagger-disclose | Swagger Disclosure | Exposed Swagger/OpenAPI documentation | Medium | Firm | api, info-disclosure, light |
active-backup-file-discovery | Backup File Discovery | Exposed backup archives derived from hostname and year variants | High | Firm | sensitive-file, moderate |
active-angular-template-injection | Angular Template Injection | Angular template injection via expression evaluation | High | Firm | angular, injection, ssti |
SQL Injection (Time-Based)
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-sqli-time-based-header | SQLi Time Based - Header | Time-based SQL injection in HTTP headers | Critical | Certain | injection, sqli, heavy |
active-sqli-time-based-params | SQLi Time Based - Params | Time-based SQL injection in parameters | Critical | Certain | injection, sqli, heavy |
active-sqli-time-blind | Blind SQL Injection (Time-Based) | Time-based blind SQLi with a per-target statistical delay threshold and multi-round confirmation that the delay scales with the injected sleep value (rejects fixed/jitter delays); prioritizes payloads by any DBMS identified for the host | High | Firm | injection, sqli, heavy |
SSRF & SSTI (Blind)
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-ssrf-blind | Blind SSRF Detection | Blind SSRF via OAST callbacks | High | Firm | ssrf, injection, heavy |
active-ssti-blind | Blind SSTI | Blind SSTI via OAST callbacks and time-delay payloads | Critical | Firm | injection, ssti, heavy |
Framework Security
Next.js
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-nextjs-data-leakage | Next.js Data Route Leakage | Unauthorized access to /_next/data/<buildId>/<path>.json | High | Firm | nextjs, javascript |
active-nextjs-middleware-bypass | Next.js Middleware Bypass | CVE-2025-29927 and path normalization bypasses | Critical | Firm | nextjs, javascript |
active-nextjs-image-ssrf | Next.js Image Optimizer SSRF | SSRF via /_next/image with OAST and in-band probes | High | Firm | nextjs, javascript |
active-nextjs-draft-mode-exposure | Next.js Draft Mode Exposure | Insecure or unprotected Draft/Preview Mode endpoints | High | Firm | nextjs, javascript |
nextjs-version-audit | Next.js Version Audit | Fingerprints Next.js version and maps to known CVE advisories | High | Firm | nextjs, javascript, fingerprint |
active-js-devserver-exposure | JS Dev Server Exposure | Exposed webpack HMR, Vite, Nuxt, Remix dev server endpoints | Medium | Firm | javascript |
Spring / Java
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-spring-actuator-misconfig | Spring Actuator Misconfiguration | Exposed Spring Boot actuator endpoints | High | Firm | spring, java |
active-spring-boot-admin-exposure | Spring Boot Admin Exposure | Exposed Spring Boot Admin dashboards | High | Firm | spring, java |
active-spring-cloud-config-exposure | Spring Cloud Config Exposure | Exposed Config Server endpoints leaking secrets | Critical | Firm | spring, java |
active-spring-data-rest-exposure | Spring Data REST Exposure | Auto-exposed repository endpoints with HAL/HATEOAS | Medium | Firm | spring, java |
active-spring-debug-exposure | Spring Debug Exposure | Debug endpoints, Whitelabel errors, stack traces | Medium | Firm | spring, java |
active-spring-gateway-exposure | Spring Gateway Exposure | Exposed Cloud Gateway actuator revealing routes | High | Firm | spring, java |
active-spring-h2-console-exposure | Spring H2 Console Exposure | Exposed H2 database web consoles | Critical | Firm | spring, java, rce |
active-spring-jolokia-exposure | Spring Jolokia Exposure | Exposed Jolokia JMX endpoints | High | Firm | spring, java |
active-java-appserver-console | Java App Server Console | Exposed admin consoles (WildFly, WebLogic, GlassFish) | High | Firm | java, tomcat |
active-java-sensitive-files | Java Sensitive Files | Java config files, WEB-INF, META-INF, build artifacts | High | Firm | java, sensitive-file |
active-tomcat-manager-exposure | Tomcat Manager Exposure | Exposed Tomcat Manager and Host Manager interfaces | High | Firm | tomcat, java |
Django / Flask / FastAPI (Python)
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
django-admin-exposure | Django Admin Exposure | Exposed Django admin panel and login page | Medium | Firm | django, python |
django-browsable-api-exposure | Django Browsable API Exposure | DRF browsable API detected via Accept header | Low | Firm | django, python |
django-debug-exposure | Django Debug Exposure | Django DEBUG=True information disclosure | High | Firm | django, python |
django-debug-toolbar-exposure | Django Debug Toolbar Exposure | Exposed django-debug-toolbar panels | High | Firm | django, python |
flask-werkzeug-debugger | Flask Werkzeug Debugger | Exposed Werkzeug interactive debugger (RCE) | Critical | Certain | flask, python, rce |
fastapi-docs-exposure | FastAPI Docs Exposure | Exposed FastAPI interactive API documentation | Low | Firm | fastapi, python |
fastapi-auth-inconsistency | FastAPI Auth Inconsistency | Unprotected operations found via OpenAPI schema | Medium | Firm | fastapi, python |
Laravel / Symfony / PHP
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-laravel-admin-exposure | Laravel Admin Exposure | Exposed admin panels, API docs, GraphQL endpoints | High | Firm | laravel, php |
active-laravel-devtool-exposure | Laravel Developer Tool Exposure | Exposed Web Tinker, Clockwork, Pulse, Log Viewer | High | Firm | laravel, php |
active-laravel-ignition-rce | Laravel Ignition RCE | CVE-2021-3129 RCE via exposed Ignition endpoints | Critical | Firm | laravel, php, rce |
active-laravel-misconfig | Laravel Misconfiguration | Debug mode, exposed debugbar, application logs | High | Firm | laravel, php |
active-laravel-sensitive-files | Laravel Sensitive Files | PHPUnit config, SQLite DB, storage internals | High | Firm | laravel, php |
active-symfony-misconfig | Symfony Misconfiguration | Exposed profiler, debug toolbar, dev front controller | High | Firm | symfony, php |
active-php-composer-exposure | PHP Composer Exposure | Exposed Composer manifests, vendor directory | High | Firm | php |
active-php-debug-exposure | PHP Debug Exposure | Exposed phpinfo, PHP-FPM status, phpMyAdmin | Medium | Firm | php |
active-php-framework-debug | PHP Framework Debug Exposure | Debug endpoints for Yii, CodeIgniter, CakePHP | Medium | Firm | php |
active-php-path-info-misconfig | PHP PATH_INFO Misconfiguration | cgi.fix_pathinfo routing ambiguity | Medium | Firm | php |
active-php-source-disclosure | PHP Source Disclosure | PHP source code via .phps handlers | High | Firm | php |
Rails (Ruby)
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-rails-info-exposure | Rails Info Exposure | Exposed Rails dev/debug endpoints in production | High | Firm | rails, ruby |
active-rails-admin-dashboard | Rails Admin Dashboard | Exposed Rails ecosystem admin panels | High | Firm | rails, ruby |
active-rails-sensitive-files | Rails Sensitive Files | Exposed Rails config, credentials, artifacts | Critical | Firm | rails, ruby |
active-rails-action-mailbox-probe | Rails Action Mailbox Probe | Exposed Action Mailbox ingress endpoints | Medium | Firm | rails, ruby |
active-rails-active-storage-probe | Rails Active Storage Probe | Exposed Active Storage direct upload endpoints | Medium | Firm | rails, ruby |
Express (Node.js)
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-express-debug-probe | Express Debug Probe | Stack trace and debug info leakage | Low | Firm | express, javascript |
active-express-directory-listing | Express Directory Listing | Directory listing via serve-index middleware | Low | Firm | express, javascript |
active-express-trust-proxy-misconfig | Express Trust Proxy Misconfiguration | Trust proxy misconfiguration via X-Forwarded-* | Medium | Firm | express, javascript |
ASP.NET / IIS
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-aspnet-blazor-exposure | ASP.NET Blazor Exposure | Exposed Blazor WebAssembly assemblies and Server endpoints | Medium | Firm | aspnet |
active-aspnet-health-exposure | ASP.NET Health Endpoint Exposure | Exposed health checks, monitoring dashboards, metrics | Medium | Firm | aspnet |
active-aspnet-identity-probe | ASP.NET Identity Probe | Exposed Identity endpoints and IdentityServer | Medium | Firm | aspnet |
active-aspnet-misconfig | ASP.NET Misconfiguration | Exposed diagnostics, debug endpoints, verbose errors | High | Firm | aspnet |
active-aspnet-sensitive-files | ASP.NET Sensitive Files | Exposed config files, backups, sensitive directories | High | Firm | aspnet |
active-aspnet-service-exposure | ASP.NET Service Exposure | Exposed ASMX, WCF, OData, legacy service paths | Medium | Firm | aspnet |
active-aspnet-viewstate-scan | ASP.NET ViewState Scan | ViewState MAC disabled, event validation bypass | High | Firm | aspnet |
active-iis-shortname-discovery | IIS Short Filename Discovery | IIS 8.3 short-filename enumeration via a tilde-based oracle, resolving names to feed content discovery | Medium | Certain | iis, aspnet, info-disclosure, heavy |
active-iis-cookieless-source-disclosure | IIS Cookieless Source/Config Disclosure | Downloads protected ASP.NET config/source via cookieless (S(X)) path-confusion | High | Firm | iis, aspnet, info-disclosure, heavy |
active-iis-extension-confusion-bypass | IIS Extension Confusion Bypass | NTFS ::$DATA source disclosure and trailing-dot / ::$INDEX_ALLOCATION access-control bypass | High | Firm | iis, aspnet, access-control, info-disclosure, heavy |
Firebase
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-firebase-auth-misconfig | Firebase Auth Misconfiguration | Firebase Authentication misconfigurations | Medium | Firm | firebase |
active-firebase-functions-exposure | Firebase Functions Exposure | Unauthenticated Cloud Functions | High | Firm | firebase |
active-firebase-misconfig | Firebase Misconfiguration | Exposed Firebase config, security rules, credentials | High | Firm | firebase |
active-firebase-rtdb-exposure | Firebase RTDB Exposure | Publicly readable Realtime Database | Critical | Certain | firebase |
active-firebase-storage-exposure | Firebase Storage Exposure | Publicly accessible Cloud Storage buckets | High | Certain | firebase, cloud |
Cloud Infrastructure
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-cloud-bucket-takeover | Cloud Bucket Takeover | Dangling cloud storage buckets vulnerable to takeover | High | Firm | cloud |
active-cloud-origin-bypass | Cloud Origin Bypass | Direct access to origins bypassing CDN security | Medium | Firm | cloud |
active-cloud-public-read | Cloud Public Read | Publicly readable sensitive paths on cloud storage | High | Firm | cloud |
active-cloud-storage-listing | Cloud Storage Listing | Publicly listable S3 buckets and Azure containers | High | Certain | cloud |
CMS (WordPress, Drupal, Joomla, Magento)
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-wp-misconfig | WordPress Misconfiguration | Exposed config files, debug logs, dangerous endpoints | High | Firm | wordpress, php |
active-wp-user-enum | WordPress User Enumeration | User enumeration via author archives and REST API | Medium | Certain | wordpress, php |
active-wp-xmlrpc | WordPress XML-RPC Abuse | XML-RPC multicall brute-force and pingback abuse | Medium | Firm | wordpress, php |
active-wp-ajax-exposure | WordPress AJAX Action Exposure | Publicly accessible AJAX actions from plugins | High | Firm | wordpress, php |
active-drupal-misconfig | Drupal Misconfiguration | Exposed config files, update scripts, installer | High | Firm | drupal, php |
active-drupal-user-enum | Drupal User Enumeration | User enumeration via user profiles and JSON:API | Medium | Certain | drupal, php |
active-joomla-misconfig | Joomla Misconfiguration | Exposed config backups, log/temp dirs, debug settings | High | Firm | joomla, php |
active-joomla-user-enum | Joomla User Enumeration | User enumeration via registration, API, admin login | Medium | Firm | joomla, php |
active-magento-misconfig | Magento Misconfiguration | Exposed setup wizard, downloader, version files | High | Firm | magento, php |
active-cms-installer-exposure | CMS Installer Exposure | Exposed WordPress, Drupal, and Joomla install wizards | Critical | Firm | wordpress, drupal, joomla |
Adobe Experience Manager (AEM)
Every module gates on a confirmed AEM instance (passive-aem-fingerprint), is detection-only, and confirms across multiple rounds.
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-aem-dispatcher-bypass | AEM Dispatcher ACL Bypass | Differential confirmation: a protected servlet blocked on the direct path but reachable through a path-normalization trick | High | Certain | aem, adobe, dispatcher, cms |
active-aem-sensitive-servlet | AEM Sensitive Servlet Disclosure | Info disclosure via AEM servlets (QueryBuilder password-hash leak, GQL/DefaultGetServlet dumps, userinfo, loginstatus, truststore), incl. dispatcher-bypass reachability | High | Firm | aem, adobe, info-disclosure, cms |
active-aem-console-exposure | AEM Console & Admin Panel Exposure | Internet-reachable AEM developer/admin consoles (CRXDE Lite, CRX Package Manager, CRX Explorer, admin dashboards) and ACL bypasses to them | High | Firm | aem, adobe, misconfiguration, cms |
active-aem-content-discovery | AEM Repository Content Discovery | Routing-aware JCR enumeration via Sling selectors (.1.json) and QueryBuilder predicates, harvesting config secrets, user accounts, and writable nodes (rep:password → Critical) | High | Firm | aem, adobe, info-disclosure, jcr, cms |
active-aem-default-credentials | AEM Default Credentials | AEM default and demo-account credentials on the Granite login and Felix Web Console | High | Certain | aem, adobe, default-credentials, cms |
active-aem-cloudsettings-injection | AEM Cloud Settings Node Write / EL Injection | BulkImportConfigServlet pre-auth node write (CVE-2025-54246) and the EL injection it enables (CVE-2025-54247/54248), proven with a benign marker / 7*7 read-back | Critical | Firm | aem, adobe, el-injection, rce, cms |
active-aem-xss | AEM Reflected XSS | Reflected XSS in AEM-specific sinks (childlist selector, CRXDE setPreferences, DAM merge-metadata, WCM contentfinder) with headless popup confirmation | High | Firm | aem, adobe, xss, cms |
active-aem-ssrf | AEM SSRF-Capable Proxy Servlet Exposure | Reachable AEM proxy/fetch servlets known for SSRF (ContentInsight proxy, opensocial/shindig, SalesforceSecretServlet, accesstoken/verify) — surface detection, no OAST fired | Medium | Tentative | aem, adobe, ssrf, cms |
active-aem-oob-injection | AEM Blind SSRF / XXE (Out-of-Band) | Out-of-band probes for the AccessTokenServlet full-read SSRF (CVE-2025-54249) and CRX Package Manager blind XXE (CVE-2025-54251), confirmed by collaborator callback | High | Firm | aem, adobe, ssrf, xxe, oob, cms |
active-aem-xxe | AEM Adaptive Forms XXE | XML external-entity processing in Adaptive Forms guideContainer internalsubmit (CVE-2019-8086) via an exploit-free internal-entity expansion proof | High | Firm | aem, adobe, xxe, cms |
active-aem-rce-surface | AEM RCE-Capable Surface Exposure | Exposed AEM code-execution surfaces (Groovy Console, ACS Fiddle, Forms GetDocumentServlet, WebDAV PUT) — detection only, no exec/write payload sent | Critical | Firm | aem, adobe, rce, cms |
SaaS Platforms (Salesforce / ServiceNow / Power Pages)
Each family gates on a live per-vendor fingerprint, pairs a catch-all negative control with the positive, and confirms across multiple rounds.| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-salesforce-aura-object-exposure | Salesforce Aura Guest Object Enumeration | An Experience Cloud Guest user can invoke the Aura getConfigData action and enumerate accessible SObjects (incl. custom __c) — an over-permissive Guest profile | Medium | Firm | salesforce, aura, lightning, info-disclosure |
active-salesforce-aura-record-exposure | Salesforce Aura Guest Record Exposure | Unauthenticated read of SObject records (User, Contact, Case, Lead, custom __c) through the Aura getItems action | High | Certain | salesforce, aura, lightning, idor, info-disclosure |
active-salesforce-aura-apex-execution | Salesforce Aura Guest Apex Execution | An unauthenticated Guest user can invoke @AuraEnabled Apex via ApexActionController.execute — the pivot for guest-driven SSRF, DML, and exfiltration | High | Firm | salesforce, aura, lightning, apex, ssrf |
active-salesforce-lightning-debug-mode | Salesforce Lightning Debug Mode Enabled | A Lightning/Experience Cloud site served in an Aura debug mode (PRODDEBUG/DEV/JSTESTDEBUG) leaking un-minified code and backend stacktraces | Medium | Firm | salesforce, aura, lightning, debug, info-disclosure |
active-servicenow-widget-data-exposure | ServiceNow Public Widget Data Exposure | Unauthenticated read of arbitrary ServiceNow tables (sys_user, incident, cmdb_ci, attachments, OAuth) via the public Simple/Unordered List widgets | High | Certain | servicenow, idor, info-disclosure, api |
active-servicenow-kb-widget-exposure | ServiceNow Knowledge Base Widget Exposure | Unauthenticated read of KB article contents via the public KB Article Page widget (not covered by the 2023 ACL hardening — KB access is gated by User Criteria, not ACLs) | High | Certain | servicenow, idor, info-disclosure, api |
active-powerpages-dataverse-exposure | Power Pages Dataverse Web API Data Exposure | Unauthenticated read of Microsoft Dataverse tables (contacts, accounts, leads, cases, custom) via a Power Pages portal’s /_api/ Web API | High | Certain | powerpages, dataverse, idor, info-disclosure, api |
Model Context Protocol (MCP)
Audited against OWASP; every active probe gates on a reachable MCP endpoint (passive-mcp-endpoint-detect).
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
active-mcp-server-probe | MCP Server Probe | Probes for exposed MCP servers, enumerates tools, and attempts unauthenticated invocation | High | Firm | mcp, api-security, misconfiguration |
active-mcp-tool-fuzz | MCP Tool Argument Fuzzer | Fuzzes every enumerable MCP tool’s arguments for OS command injection, LFI, SSRF (OAST), and prompt injection | High | Firm | mcp, rce, lfi, ssrf, injection |
active-mcp-resource-fuzz | MCP Resource URI Fuzzer | Probes resources/read with file://, cloud-metadata, path-traversal, and OAST SSRF payloads | High | Firm | mcp, lfi, ssrf, path-traversal |
active-mcp-prompt-fuzz | MCP Prompt Argument Fuzzer | Fuzzes prompts/get arguments for SSTI, command injection, and reflective prompt injection | High | Firm | mcp, ssti, rce, prompt-injection |
active-mcp-completion-enum | MCP Completion Enumeration | Uses completion/complete to leak valid resource URIs and prompt argument values | Medium | Firm | mcp, info-disclosure, enumeration |
active-mcp-method-enum | MCP JSON-RPC Method Enumeration | Wordlist enumeration of undocumented JSON-RPC methods on MCP servers | Medium | Firm | mcp, enumeration, info-disclosure |
active-mcp-session-checks | MCP Session Hardening Checks | Tests Mcp-Session-Id entropy, attacker-supplied SID acceptance (fixation), and post-handshake reuse | Medium | Firm | mcp, session, auth-bypass |
active-mcp-batch-abuse | MCP JSON-RPC Batch Abuse | Tests JSON-RPC batch handling: a smuggled tools/call inside an initialize batch | High | Firm | mcp, auth-bypass |
active-mcp-origin-rebinding | MCP Origin / DNS-Rebinding Check | Verifies an MCP server enforces Origin validation on streamable HTTP transports | High | Firm | mcp, dns-rebinding, origin |
active-mcp-tool-definition-drift | MCP Tool Definition Drift | Detects MCP servers serving mutating, non-deterministic tool definitions (rug-pull risk) | Medium | Tentative | mcp, rug-pull, integrity |
active-mcp-dos-amplification | MCP DoS Amplification | An unbounded oversized ping batch processed with no size or rate limit | Medium | Firm | mcp, dos, rate-limit |
Passive Modules (115)
Passive modules analyze existing request/response pairs without sending new traffic.XSS
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-dom-xss-detect | DOM XSS Detect | DOM XSS source-to-sink data flows (location.hash, innerHTML, eval, document.write) | Medium | Firm | xss |
css-injection-detect | CSS Injection | Request values reflected into a <style> block or style= attribute | Info | Tentative | client-side, css-injection, reflection |
dom-clobbering | DOM Clobbering Gadget | JavaScript that feeds a named-property global (window.x / id-addressed element) into a dangerous sink | Info | Tentative | client-side, dom-clobbering, javascript |
Authentication & Session
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-auth-headers-detect | Auth Headers Detect | Authorization headers (Bearer tokens, API keys) in requests | High | Firm | session, auth |
passive-jwt-weak-secret | JWT Weak Secret Detection | Offline brute-force of JWT HMAC secrets against ~104K wordlist | High | Firm | session, auth |
passive-cookie-security-detect | Cookie Security Detect | Insecure cookie attributes (missing Secure, HttpOnly, SameSite) | Low | Certain | session, auth |
passive-cacheable-https-detect | Cacheable HTTPS Response | Sensitive HTTPS responses without proper Cache-Control | Low | Firm | session, auth |
passive-password-autocomplete-detect | Password Autocomplete | Password fields without autocomplete="off" | Info | Certain | session, auth |
Injection Signals
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-sql-syntax-detect | SQL Syntax in Request | SQL statements/keywords in HTTP request parameter values | Info | Firm | injection |
passive-serialized-object-detect | Serialized Object Detection | Serialized Java/PHP/.NET/Python objects in request parameters | Medium | Firm | injection |
passive-input-reflection-detect | Input Reflection Detect | Request parameter values reflected verbatim in response bodies | Info | Tentative | injection |
passive-base64-data-detect | Base64 Data Detect | Interesting base64 data (JSON, PHP objects, URLs, Java objects) in requests/responses | Info | Tentative | injection |
Information Disclosure
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-secret-detect | Secret Detection | Leaked secrets, API keys, and credentials via Kingfisher engine | High | Firm | info-disclosure |
passive-info-disclosure-detect | Info Disclosure Detect | Server versions, internal IPs, stack traces, debug information | Low | Firm | info-disclosure |
passive-error-message-detect | Error Message Detect | Error messages from debug pages, Apache, ASP.NET, Java, PHP, Ruby, Node.js, SQL | Info | Firm | info-disclosure |
passive-sourcemap-detect | Sourcemap Exposure | Exposed JavaScript sourcemaps via SourceMappingURL references | Low | Firm | info-disclosure |
passive-sensitive-url-params | Sensitive URL Params | Passwords, tokens, API keys passed in URL query parameters | Medium | Firm | info-disclosure |
passive-content-type-mismatch | Content Type Mismatch | Content-Type/body mismatches enabling MIME confusion attacks | Low | Firm | info-disclosure |
Source & Supply-Chain Analysis
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-js-beautify | JavaScript Beautifier | Unminifies and unpacks bundled first-party JS into readable, module-annotated source (embedded jsscan/webcrack, no eval); rewrites the stored JS record so downstream analysis reads clean source | Info | Certain | javascript, beautify, deobfuscation, source-analysis |
passive-dependency-confusion | Dependency Confusion Candidate | Flags scoped npm package names referenced in first-party JS that are left unclaimed (404) on the public registry | Suspect | Tentative | dependency-confusion, supply-chain, source-analysis, npm |
Security Headers & Configuration
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-security-headers-missing | Security Headers Missing | Missing X-Content-Type-Options, X-Frame-Options, HSTS, CSP, Permissions-Policy | Info | Certain | header-security |
passive-mixed-content-detect | Mixed Content Detect | HTTP resources loaded on HTTPS pages (src, href, action attributes) | Low | Certain | header-security |
CORS & Redirect
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-cors-headers-detect | CORS Headers Detect | Permissive CORS headers (wildcard origin, credentials enabled) | Low | Firm | cors |
passive-openredirect-params | Open Redirect Params | URL parameter names associated with open redirects (redirect, url, next, goto) | Info | Tentative | cors |
passive-oauth-facebook-detect | Facebook OAuth Detect | Facebook OAuth redirect parameters for OAuth flow analysis | Medium | Firm | cors |
reverse-tabnabbing-detect | Reverse Tabnabbing | target=_blank links to cross-origin URLs missing rel=noopener | Low | Firm | client-side, tabnabbing, html |
Access Control
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-csrf-detect | CSRF Detection | State-changing requests (POST/PUT/DELETE/PATCH) missing anti-CSRF protections | Medium | Tentative | auth-bypass |
passive-idor-params-detect | IDOR Parameter Detection | Parameters referencing object identifiers for IDOR/BOLA triage | Info | Tentative | auth-bypass |
payment-integration-audit | Payment Integration Risk Surface | Flags client-controlled amounts / trusted payment-status params on payment-gateway checkout pages (Stripe, PayPal, Braintree, Square, Adyen, Razorpay, Checkout.com) | Info | Tentative | payment, business-logic, recon |
Cryptography
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-crypto-weakness-detect | Cryptographic Weakness | PHP magic hashes, weak MD5/SHA1, padding oracle errors, unprotected encrypted cookies | Medium | Tentative | crypto |
Anomaly Detection
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-anomaly-ranking | Anomaly Ranking | Statistical anomaly detection across per-host response batches; updates risk_score | Suspect | Tentative | detection |
JS Framework Security (Runtime Analysis)
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-js-framework-fingerprint | JS Framework Fingerprint | Identifies Next.js, Nuxt, Angular, React, Remix, SvelteKit, Gatsby; extracts buildId | Info | Certain | javascript |
passive-ssr-data-exposure | SSR Data Exposure | Sensitive data in SSR state blobs (__NEXT_DATA__, __NUXT__, __INITIAL_STATE__) | Medium | Firm | javascript |
passive-cache-auth-misconfiguration | Cache-Auth Misconfiguration | Cacheable responses with user-specific data missing Vary headers | Medium | Firm | javascript |
passive-server-action-auth | Server Action Auth Check | Next.js Server Actions with mutation operations but no authorization | High | Tentative | javascript |
passive-nextjs-config-audit | Next.js Config Audit | Insecure Next.js config (dangerouslyAllowSVG, wildcard image domains, prod sourcemaps) | Medium | Firm | javascript |
passive-client-auth-guard | Client Auth Guard Check | Client-only auth guards (useEffect redirects) without server-side enforcement | High | Tentative | javascript |
passive-cache-data-leak | Cache Data Leak | getStaticProps/force-static with auth, unstable_cache without user-scoped keys | Medium | Tentative | javascript |
JS Framework Security (Source Analysis)
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-unsafe-html-sink | Unsafe HTML Sink | Raw HTML injection sinks: dangerouslySetInnerHTML, v-html, {@html}, innerHTML | High | Firm | javascript |
passive-insecure-token-storage | Insecure Token Storage | Auth tokens stored in localStorage/sessionStorage | Medium | Firm | javascript |
passive-env-secret-exposure | Environment Secret Exposure | Secrets in NEXT_PUBLIC_, VITE_, REACT_APP_ public env vars; served .env files | High | Firm | javascript |
passive-build-misconfig-detect | Build Misconfiguration | Prod sourcemaps, dev mode in production, SVG XSS risk, broad image remotePatterns | High | Firm | javascript |
Framework Fingerprinting
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-aspnet-fingerprint | ASP.NET Fingerprint | Fingerprints ASP.NET version and configuration | Info | Firm | aspnet, fingerprint |
passive-aspnet-viewstate-detect | ASP.NET ViewState Detect | Analyzes ViewState fields for security issues | Medium | Firm | aspnet |
passive-django-fingerprint | Django Fingerprint | Fingerprints Django framework indicators | Info | Firm | django, python, fingerprint |
passive-express-fingerprint | Express Fingerprint | Fingerprints Express.js indicators | Info | Firm | express, fingerprint |
passive-fastapi-fingerprint | FastAPI Fingerprint | Fingerprints FastAPI framework indicators | Info | Firm | fastapi, python, fingerprint |
passive-firebase-fingerprint | Firebase Fingerprint | Fingerprints Firebase SDK usage and config | Info | Firm | firebase, fingerprint |
passive-flask-fingerprint | Flask Fingerprint | Fingerprints Flask framework indicators | Info | Firm | flask, python, fingerprint |
passive-laravel-fingerprint | Laravel Fingerprint | Fingerprints Laravel framework indicators | Info | Firm | laravel, php, fingerprint |
passive-rails-fingerprint | Rails Fingerprint | Fingerprints Rails framework indicators | Info | Firm | rails, ruby, fingerprint |
passive-spring-fingerprint | Spring Fingerprint | Fingerprints Spring Boot indicators | Info | Firm | spring, java, fingerprint |
passive-drupal-fingerprint | Drupal Fingerprint | Fingerprints Drupal CMS indicators | Info | Firm | drupal, php, fingerprint |
passive-joomla-fingerprint | Joomla Fingerprint | Fingerprints Joomla CMS indicators | Info | Firm | joomla, php, fingerprint |
passive-wp-fingerprint | WordPress Fingerprint | Fingerprints WordPress CMS indicators | Info | Firm | wordpress, php, fingerprint |
passive-aem-fingerprint | AEM Fingerprint | Identifies Adobe Experience Manager (Sling/CRX/Granite) from headers, cookies, and body markers, and gates the aem-* active family | Info | Certain | aem, adobe, cms, fingerprint |
passive-salesforce-fingerprint | Salesforce Experience Cloud Detection | Identifies Salesforce Experience Cloud / Lightning (Aura) sites and gates the salesforce-* active family | Info | Certain | salesforce, aura, lightning, fingerprint |
passive-servicenow-fingerprint | ServiceNow Detection | Identifies ServiceNow instances (glide_* cookies, g_ck / window.NOW markers) and gates the servicenow-* active family | Info | Certain | servicenow, fingerprint |
passive-powerpages-fingerprint | Microsoft Power Pages Detection | Identifies Microsoft Power Pages / Power Apps portals (Dataverse-backed) and gates the powerpages-* active family | Info | Certain | powerpages, dataverse, microsoft, fingerprint |
API & Protocol Analysis
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-api-version-detect | API Version Detection | Detects API versioning patterns in URLs and headers | Info | Firm | api |
passive-graphql-introspection-detect | GraphQL Introspection Detect | Detects enabled GraphQL introspection | Medium | Certain | api, graphql |
passive-grpc-web-detect | gRPC-Web Detect | Detects gRPC-Web traffic patterns | Info | Firm | api |
passive-endpoint-classifier | Endpoint Classifier | Classifies endpoint types (API, auth, admin, static) | Info | Tentative | api |
passive-mcp-endpoint-detect | MCP Endpoint Detect | Detects Model Context Protocol (MCP) server endpoints from HTTP responses (gates the mcp-* active family) | Medium | Firm | mcp, api-security |
passive-mcp-description-injection | MCP Tool/Prompt Description Injection | Prompt-injection imperatives, bidi/zero-width unicode, and base64 payloads inside MCP tool/prompt descriptions | High | Firm | mcp, prompt-injection, supply-chain |
passive-mcp-dangerous-tool-exposure | MCP Dangerous Tool Exposure | Inventories MCP tools whose names expose high-impact capabilities (code exec, file write/delete, outbound fetch, raw SQL, secret access) | Low | Firm | mcp, excessive-permissions, api-security |
llm-endpoint-fingerprint | LLM Endpoint Fingerprint | Identifies application-level LLM chat/completion API endpoints (backed by the infra/llmsig signature catalog) | Info | Firm | llm, ai, fingerprint |
Security Headers & Policy
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-csp-weakness-audit | CSP Weakness Audit | Content-Security-Policy weaknesses and bypasses | Medium | Firm | header-security |
passive-permissions-policy-detect | Permissions-Policy Detect | Missing or weak Permissions-Policy/Feature-Policy | Info | Certain | header-security |
passive-hsts-preload-audit | HSTS Preload Audit | HSTS header configuration and preload readiness | Info | Firm | header-security |
passive-referrer-policy-detect | Referrer-Policy Detect | Missing or weak Referrer-Policy | Info | Firm | header-security |
passive-subresource-integrity-detect | Subresource Integrity Detect | Scripts/styles loaded without SRI attributes | Low | Firm | header-security |
passive-cors-vary-origin-missing | CORS Vary: Origin Missing | CORS responses without Vary: Origin header | Low | Firm | cors, header-security |
cross-origin-isolation-audit | Cross-Origin Isolation Headers Missing | Authenticated responses missing COOP / COEP / CORP cross-origin isolation headers (XS-Leaks exposure) | Info | Firm | client-side, xs-leaks, headers |
Cloud & Firebase
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-cloud-storage-fingerprint | Cloud Storage Fingerprint | Identifies cloud storage provider from URLs/headers | Info | Firm | cloud, fingerprint |
passive-cloud-storage-error-info | Cloud Storage Error Info | Cloud storage error messages revealing bucket names | Low | Firm | cloud, info-disclosure |
passive-cloud-signed-url-leak | Cloud Signed URL Leak | Cloud signed URLs with excessive permissions or long expiry | Medium | Firm | cloud, info-disclosure |
CMS Detection
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-drupal-api-detect | Drupal API Detect | Detects Drupal JSON:API and REST endpoints | Info | Firm | drupal, api |
passive-joomla-api-detect | Joomla API Detect | Detects Joomla API endpoints and versions | Info | Firm | joomla, api |
passive-wp-rest-api-detect | WordPress REST API Detect | Detects WordPress REST API endpoints | Info | Firm | wordpress, api |
Advanced JS Framework Analysis
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-nextjs-dynamic-param-audit | Next.js Dynamic Param Audit | Audits Next.js dynamic route parameters for injection | Medium | Tentative | nextjs, javascript |
passive-nextauth-config-audit | NextAuth.js Config Audit | Audits NextAuth.js configuration for security issues | Medium | Firm | nextjs, javascript |
passive-nuxt-config-audit | Nuxt Config Audit | Audits Nuxt.js configuration for security issues | Medium | Firm | nuxt, javascript |
passive-remix-loader-exposure | Remix Loader Exposure | Detects exposed Remix loader data | Medium | Firm | remix, javascript |
passive-ssr-hydration-xss | SSR Hydration XSS | Detects XSS via SSR hydration mismatches | High | Firm | javascript, xss |
passive-server-action-bind-audit | Server Action Bind Audit | Audits Next.js Server Action .bind() usage for security | Medium | Tentative | nextjs, javascript |
passive-server-action-input-audit | Server Action Input Audit | Audits Next.js Server Action input validation | Medium | Tentative | nextjs, javascript |
passive-server-only-boundary-audit | Server-Only Boundary Audit | Audits server-only module boundary enforcement | Medium | Tentative | nextjs, javascript |
passive-javascript-uri-sink | JavaScript URI Sink | Detects javascript: URI usage in links and event handlers | High | Firm | javascript, xss |
passive-wasm-module-detect | WebAssembly Module Detect | Detects WebAssembly module loading | Info | Firm | javascript |
Session & Authentication (Passive)
| Module ID | Name | Description | Severity | Confidence | Tags |
|---|---|---|---|---|---|
passive-express-session-audit | Express Session Audit | Audits Express session cookie configuration | Medium | Firm | express, session |
passive-jwt-claims-detect | JWT Claims Detect | Analyzes JWT payload claims for security issues | Info | Firm | auth, session |
passive-jackson-deserialize-detect | Jackson Deserialization Detect | Detects Jackson default typing indicators | Medium | Firm | java, injection |
passive-python-debug-detect | Python Debug Detect | Detects Python debug/traceback indicators | Low | Firm | python |
passive-rails-debug-detect | Rails Debug Detect | Detects Rails debug page indicators | Medium | Firm | rails, ruby |
passive-rails-action-cable-detect | Rails Action Cable Detect | Detects Rails Action Cable WebSocket endpoints | Info | Firm | rails, ruby |
passive-rails-active-storage-detect | Rails Active Storage Detect | Detects Active Storage blob URLs and signed tokens | Info | Firm | rails, ruby |
passive-sensitive-api-fields-detect | Sensitive API Fields Detect | Detects sensitive field names in API responses | Medium | Tentative | api, info-disclosure |
