Web application security scanner
Branch: master
Clone or download
Latest commit dd62acd Feb 14, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
Doc Update Http and Web Form bruteforcing.md Jan 5, 2019
Misc Added taipan images Feb 21, 2018
.gitignore modified .gitignore Nov 28, 2018
LICENSE.md Update LICENSE.md Feb 14, 2019
RELEASE_NOTES.md release commit Jan 5, 2019


Taipan - Web Application Security Scanner

Release Build Software License

Taipan is a an automated web application scanner that allows to identify web vulnerabilities in an automatic fashion. This project is the core engine of a broader project which includes other components, like a web dashboard where you can manage your scans, download a PDF report and a scanner agent to run on specific host. Below are some screenshots of the Taipan dashboard:

If you are interested in trying the full product, you can visit the dedicated web site: https://taipansec.com/index.html.


Chat Room

We have a chat room in case you feel like chatting a bit.

Chat Room

Build Release

If you want to try the dev version of Taipan without to wait for an official release, you can download the build version. This version is built every time that a commit is done and the build process is not broken.

You can download it from the Artifacts Directory.

Using Taipan

Taipan can run on both Windows (natively) and Linux (with mono). To run it in Linux you have to install mono in version >= 4.8.0. You can track the implementation of the new features in the related Kanban board.

Scan Profile

Taipan allow to scan the given web site by specify different kind of profiles. Each profile enable or disable a specific scan feature, to show all the available profile just run Taipan with the --show-profiles_ option.

Pause/Stop/Resume a scan

During a scan you can interact with it by set the scan in Pause or Stop it if necessary. In order to do so you have to press:

  • P: pause the scan
  • S: stop the scan
  • R: resume a paused scan

The change is not immediate and you have to wait until all threads have reached the desider state.

Launch a Full scan

To launch a new scan you have to provide the url and the profile which must be used. It is not necessary to specify the full profile name, a prefix is enough.

Taipan.exe -p Full -u

Below an example of execution:

Using Docker

berez23 created a docker image for the CI release. For more information take a look at his project.

Build Taipan

Taipan is currently developed with using VisualStudio 2017 Community Edition and uses paket as packet manager. To build the source code you have to:

  • clone the repository
  • run paket.exe install
  • open the solution in VisualStudio and compile it

Taipan Components

Taipan is composed of four main components:

Web Application fingerprinter

it inspects the given application in order to identify if it is a COTS application. If so, it extracts the identified version. This components is very important since it allows to identify vulnerable web applications.

Hidden Resource Discovery

this component scans the application in order to identify resources that are not directly navigable or that shouldn't be accessed, like secret pages or test pages.


This component navigates the web site in order to provide to the other components a list of pages to analyze. It allows to mutate the request in order to find not so common pathes.

Vulnerability Scanner

this component probes the web application and tries to identify possible vulnerabilities. It is composed of various AddOn in order to easily expand its Knowledge Base. It is also in charge for the identification of know vulnerabilities which are defined by the user.


We use SemVer for versioning. For the versions available, see the tags on this repository.


  • Antonio Parata - Core Developer - s4tan
  • Andrea Gulino - Front End Developer - andreagulino

See also the list of contributors who participated in this project.


Taipan is licensed under the Creative Commons.