CommonHuman-Lab/gloomproxy
GloomProxy

Your entire web attack surface, in one place.

GloomProxy is an open-source DAST platform built around a full MITM proxy. Browse a target normally and watch the attack surface graph build itself — endpoints, parameters, auth sessions, findings — all correlated in real time. Then hit it with distributed scanner plugins, replay and fuzz interesting requests, and manage auth across the whole engagement from a single UI.

Built for pentesters who are tired of juggling a proxy, a scanner, a note-taking tool, and a spreadsheet.


Quick start

git clone https://github.com/CommonHuman-Lab/gloomproxy
cd gloomproxy
./gloomproxy.sh

# Default Login
# Email: admin@gloomproxy.local
# Pass: changeme

# UI:    http://localhost:3000
# API:   http://localhost:3000/api
# Proxy: 127.0.0.1:8080

gloomproxy.sh builds the images and starts the stack. Point your browser (or Burp upstream) at 127.0.0.1:8080 and start browsing — the graph builds itself.

./gloomproxy.sh --cluster               # cluster mode (Redis + 2 workers)
./gloomproxy.sh --cluster --workers 4   # 4 workers
./gloomproxy.sh --lab-net               # connect to OctoRig lab networks
./gloomproxy.sh restart                 # stop and restart without rebuilding
./gloomproxy.sh down                    # stop everything
./gloomproxy.sh status                  # show running services
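Because the MITM proxy records every credential and session token that passes through it, the listener on 127.0.0.1:8080 should stay on loopback once the stack is up. The pre-flight check below is an added example, not part of the gloomproxy project; it assumes the quick-start defaults (proxy on 8080, UI on 3000) and runs against a constructed sample of `ss -ltn` output rather than a live stack.

```shell
#!/bin/sh
# Added pre-flight check (hypothetical helper, not shipped with gloomproxy).
# Assumes the quick-start defaults: proxy on 127.0.0.1:8080, UI on :3000.
# A proxy bound to 0.0.0.0 or [::] is reachable from the whole LAN, which
# exposes intercepted traffic history; loopback is the expected binding.

# Constructed sample of `ss -ltn` output (not captured from a real deployment).
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:8080     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:3000       0.0.0.0:*
LISTEN 0      4096   [::]:6379          [::]:*'

# check_listener LISTENERS PORT
# Prints "loopback", "exposed" or "absent" for PORT and returns 0 only for
# a loopback binding (1 = exposed, 2 = not listening at all).
check_listener() {
    listeners="$1"
    port="$2"
    # Extract the local address for the first LISTEN socket on this port.
    # The trailing ":PORT" is stripped so IPv6 forms like [::]:6379 work too.
    addr=$(printf '%s\n' "$listeners" | awk -v p="$port" '
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            a = $4; sub(/:[0-9]+$/, "", a); print a; exit
        }')
    case "$addr" in
        "")              echo absent;   return 2 ;;
        127.*|"[::1]")   echo loopback; return 0 ;;
        *)               echo exposed;  return 1 ;;
    esac
}

# Demo against the constructed sample: 8080 is fine, 3000 is LAN-reachable.
for p in 8080 3000; do
    printf 'port %s -> %s\n' "$p" "$(check_listener "$SAMPLE_LISTENERS" "$p")"
done
```

Replace `SAMPLE_LISTENERS` with `$(ss -ltn)` on the host running the stack to check the real bindings.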

What it does

  • Intercept & inspect — MITM proxy with full traffic history, request/response editor, and intercept queue
  • Attack surface graph — every endpoint, parameter, redirect, and auth flow mapped automatically as you browse
  • Distributed scanning — scanner plugins run locally or fan out across a Redis-backed worker cluster
  • Secure plugin execution — plugins run in isolated asyncio tasks, child processes, or ephemeral containers with enforced resource limits, health gating, and a finding validation gateway
  • Auth orchestration — cookie jars, bearer tokens, JWT, API keys, and multi-step login flows — sessions stay live, CSRF tokens update automatically, workers get auth injected at job time
  • Replay & fuzz — clone any request from history or findings, replay with modifications, compare responses
  • Workflow automation — event-driven chains that wire scanners, replay sessions, auth flows, and graph queries into full attack workflows
  • Correlation engine — automatic deduplication, near-duplicate grouping, attack chain inference, endpoint clustering, and replay lineage tracking across all findings
  • Projects & engagements — organize work into named projects; track pentest engagements with scope, type (pentest, bug bounty, red team, internal review), status, and timeline
  • Team IAM — role-based access control (read_only → analyst → security_lead → org_admin → platform_admin), permission-gated UI, multi-user finding assignment and commenting
  • Audit log — immutable record of every platform action with actor, resource, and timestamp; queryable by resource type and action
  • Observability — distributed tracing across every work unit (scan jobs, replays, workflow runs) with waterfall timelines, span lineage, and subsystem metrics
  • Traffic tagging — tag flows and findings with custom or auto-applied labels, filter across the whole history
  • Command palette — Ctrl+K from anywhere to navigate, launch scans, or control the dashboard
  • Real-time everything — WebSocket event bus feeds the UI live; no polling

Scanner Plugins

Plugin        What it scans
BreachSQL     SQL injection — detect, exploit, and dump in one pass
StingXSS      Reflected, DOM, stored, and browser-confirmed XSS
PhaseAccess   IDOR / BOLA — dual-session object-level access control
VaultRip      Post-exploitation credential harvesting

All are pre-installed when you run ./gloomproxy.sh — they appear in the workspace UI out of the box.


Documentation

  • Distributed Mode — single-node vs cluster, scaling workers
  • Plugin System — writing scanners, BaseScanner interface, Finding schema, SDK
  • Plugin Security — trust tiers, isolation modes, sandbox enforcement, health & audit API
  • Correlation Engine — deduplication, attack chains, endpoint clusters, replay lineage
  • Workflow Automation — triggers, steps, template substitution, built-in examples
  • Observability — distributed tracing, span model, subsystems, redaction, performance
  • Internal Contracts — EventEnvelope, schema validation, backward compatibility
  • API Reference — full REST + WebSocket endpoint list
  • Configuration — all environment variables (orchestrator, worker, frontend)
  • Development — running backend/frontend locally, Docker builds

Legal & Ethical Use

Only run GloomProxy against applications you own or have explicit written authorization to test. Authorized use includes penetration testing engagements, bug bounty programs within defined scope, CTF competitions, and security research in controlled lab environments.

The MITM proxy intercepts and records all traffic passing through it — including credentials, session tokens, and personal data. You are responsible for ensuring this is permitted by your engagement scope and applicable law, and for securing any data captured during testing.

Auth profiles store credentials encrypted at rest. Do not commit .env files or database files containing real credentials to version control.

Scanner plugins send active probes to target systems. Confirm you have authorization before running any scan — passive browsing and active scanning carry different legal weight in most jurisdictions.

The authors accept no liability for unauthorized or illegal use.


License

Copyright (c) 2026 CommonHuman-Lab

This project is dual-licensed.

Community License (AGPL-3.0)

You may use, modify, and distribute this software under the terms of the GNU Affero General Public License v3.0 (AGPL-3.0).

If you distribute this software or make it available as a network service, you must comply with the requirements of the AGPL, including providing access to the corresponding source code.

Commercial License

A separate commercial license is available for organizations that wish to use this software without the obligations of the AGPL, including proprietary products, closed-source services, OEM integrations, white-label solutions, or commercial redistribution.

For commercial licensing inquiries, contact the author.
