Web CTF Orchestrator — Automates Recon → Fuzzing → Parameter Discovery → Vulnerability Probing → AI Analysis
This tool is intended for authorized security testing and CTF challenges only. Unauthorized scanning of systems you do not own or have explicit permission to test is illegal. You are solely responsible for ensuring proper authorization before running any scans.
The Bridge automates the manual reconnaissance and initial vulnerability assessment workflow:
```
Target URL/IP
      │
      ▼
[1] RECON       — nmap port scan, HTTP fingerprinting, tech stack detection
      │
      ▼
[2] FUZZING     — ffuf directory fuzzing, in-process crawler, JS endpoint extraction
      │
      ▼
[3] PARAMETERS  — static parameter mining from forms, endpoints, JS assets
      │
      ▼
[4] PROBING     — error-based SQLi, LFI traversal + PHP wrappers, reflected XSS detection
      │
      ▼
[5] AI ANALYSIS — Groq LLM analyzes state and suggests prioritized attack vectors
      │
      ▼
report.md / state.json (saved in workspaces/<id>/)
```
All scan data is saved in workspaces/<uuid>/ — never committed to git.
| Tool | Required | Purpose |
|---|---|---|
| Node.js | ✅ ≥20 | Runtime |
| nmap | ✅ | Port scanning |
| ffuf | ✅ | Directory fuzzing |
| nuclei | ⬜ | Vulnerability templates |
| httpx | ⬜ | HTTP probing |
| gau | ⬜ | URL collection |
Check availability with: `bridge doctor`
```bash
git clone https://github.com/your-username/the-bridge
cd the-bridge
npm install
npm run build
npm link   # adds 'bridge' to PATH
```

Or run directly:

```bash
npx tsx src/cli/index.ts --help
```

On first launch, bridge prompts for your Groq API key (free at console.groq.com):

```
╔══════════════════════════════════════════════╗
║        The Bridge — First Run Setup          ║
╚══════════════════════════════════════════════╝
Select LLM provider:
  [1] groq
  [2] anthropic
Paste your groq API key: ***************
Testing key... OK
Saved to ~/.bridge/config.json
```
```bash
# Full pipeline
bridge run http://target.local

# With scope file (one host per line)
bridge run http://target.local --scope scope.txt

# Disable AI analysis
bridge run http://target.local --no-ai

# Check available tools
bridge doctor

# List workspaces
bridge workspaces

# Resume a stopped scan
bridge resume <workspaceId>

# Generate report
bridge report <workspaceId>
bridge report <workspaceId> --format json

# Run only AI analysis on existing state
bridge analyze <workspaceId>

# List registered plugins
bridge plugins

# Manage LLM config
bridge config show
bridge config set-key
bridge config reset
```

All output uses a fixed-width, no-color-by-default format for easy piping:

```
[HH:MM:SS] [module    ] [info ] Scanning 10.10.10.5 (tcp/1-1000)
[HH:MM:SS] [recon     ] [ok   ] Found 3 open ports
[HH:MM:SS] [probe.sqli] [warn ] Potential SQLi on /login.php?user=...
```

Enable color with `NO_COLOR=0 bridge run ...` or `--color`.
Every module is a BridgePlugin. You can register third-party plugins:
```typescript
import type { BridgePlugin, PluginContext, PluginResult } from 'the-bridge';

export class MyPlugin implements BridgePlugin {
  readonly name = 'custom.myprobe';
  readonly stage = 'probing';
  readonly priority = 50;

  async run(ctx: PluginContext): Promise<PluginResult> {
    // ctx.state — access/mutate scan state
    // ctx.logger — structured logger
    // ctx.scopeGuard — check target in scope
    // ctx.rateLimiter — rate limiting
    return { status: 'ok' };
  }
}
```

```
src/
├── cli/      — Commander CLI + commands + first-run wizard
├── core/     — Orchestrator, StateManager, Logger, SubprocessRunner
├── modules/  — Recon, Fuzzing, Parameters, VulnProbe, AI Agent
├── plugins/  — BridgePlugin interface + PluginRegistry
├── parsers/  — nmap XML, ffuf JSON, header parsers
├── schemas/  — TargetState TypeScript types
└── utils/    — Validators, hash, redactor, pathUtils
```
See docs/ARCHITECTURE.md for full details.
- Scan data never leaves your machine (no telemetry)
- API keys stored in `~/.bridge/config.json` (chmod 0600)
- All state written through redactor — tokens/cookies auto-stripped
- Probe payloads stored by category only, raw payloads go to gitignored `workspaces/`
- `--safe-mode` (default ON) limits to low-impact probes
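A sketch of what "state written through redactor" can look like in practice, since saved state is also what the AI analysis stage reads. This is an added example, not The Bridge's own code: the names `redact` and `redactString`, the key list and the patterns are assumptions, and the sample state is constructed.

```typescript
// Added example: a hypothetical redactor, not The Bridge's own implementation.
const MASK = '[REDACTED]';
// Object keys whose values are always secret (header and field names).
const SENSITIVE_KEYS =
  /^(authorization|proxy-authorization|cookie|set-cookie|x-api-key|api[_-]?key|token|access_token|password|secret)$/i;
// Credentials that show up inside free-form strings.
const AUTH_SCHEME = /\b(Bearer|Basic)\s+[A-Za-z0-9._~+\/=-]+/gi;
const JWT = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;
const QUERY_SECRET =
  /([?&;](?:token|access_token|api[_-]?key|password|secret|session(?:id)?)=)[^&#;\s]*/gi;

// Scrub secrets embedded in a string (URLs, echoed headers, response snippets).
function redactString(s: string): string {
  return s
    .replace(AUTH_SCHEME, (_m, scheme: string) => `${scheme} ${MASK}`)
    .replace(JWT, MASK)
    .replace(QUERY_SECRET, `$1${MASK}`);
}

// Return a redacted deep copy; the input object is never mutated.
function redact(value: unknown): unknown {
  if (typeof value === 'string') return redactString(value);
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map((v) => redact(v));
  const src = value as Record<string, unknown>;
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(src)) {
    out[key] = SENSITIVE_KEYS.test(key) ? MASK : redact(src[key]);
  }
  return out;
}

// Constructed sample shaped like a saved scan state (not real tool output).
const sampleState = {
  target: 'http://target.local',
  requests: [
    {
      url: 'http://target.local/api/items?id=7&token=abc123def456',
      headers: { 'User-Agent': 'bridge', Cookie: 'PHPSESSID=deadbeefcafe' },
      note: 'error page echoed "Authorization: Bearer s3cr3t-value"',
    },
  ],
};

console.log(JSON.stringify(redact(sampleState), null, 2));
```

Key-based masking catches structured headers, while the string patterns catch secrets that a server reflects into URLs or response bodies; both are needed because captured responses rarely keep credentials in tidy fields.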
To report a vulnerability in this tool: see SECURITY.md.
MIT — see LICENSE