v3.1.0

@hahwul released this 14 Jun 14:45 · 11 commits to main since this release · 7ffbbd2

3.1.0

A feature release: out-of-band (blind) XSS detection, external- and modern-DOM-sink analysis, CSP / Trusted Types awareness, filter-aware payload synthesis, HAR input, a global rate limiter, and broad WAF-bypass and server/MCP hardening.

Added

  • Blind / out-of-band XSS (--blind-oob): OAST detection via an interactsh server, catching execution in stored, async, and other non-reflecting sinks. CLI-only for now.
  • External JavaScript analysis (--analyze-external-js): Fetches a target's same-origin <script src> bundles (16 files / 512 KiB cap) and runs them through AST DOM-XSS analysis. Fixes #1094.
  • Wider DOM-XSS coverage: Models Document.parseHTMLUnsafe() and window.open() as sinks (#1127) and extends the recognized JS sink-name set (#1139).
  • Outdated JS library detection (--detect-outdated-libs): Flags known-vulnerable front-end library versions as informational findings. Opt-in. Fixes #1074.
  • CSP & Trusted Types awareness: Emits strict-dynamic / nonce gadget payloads and adapts to Trusted Types when a policy is present. Fixes #1097.
  • Filter-aware payload synthesis: Computes exact JS breakout sequences from the observed script prefix, including escaped-quote and nested-context cases. Fixes #1075, #1072, #1073.
  • Attribute-decode WAF-bypass mutations: Four mutations (KeywordEntityEncode, SchemeBreak, EntityScheme, MultiSlash) that exploit the HTML tokenizer's attribute-value entity decoding — a layer literal-string WAF regexes don't model.
  • Size-limited WAF inspection-window bypass: Detects WAFs that inspect only the first N bytes of a request and positions payloads past the window. Part of #1106.
  • HAR input (--input-type har): Accepts a HAR / proxy export (Burp, Caido, ZAP, DevTools, mitmproxy) as a scan source, one target per request. Restores a Go v2.x capability. Fixes #1095.
  • Global rate limiting (--rate-limit / -r / --rl): A requests-per-second token bucket shared across all workers and targets (0 = unlimited), bounding the aggregate outbound rate that --delay can't. Fixes #1096.
  • Transient retry policy (--retries / --retry-delay): Optional exponential-backoff retries for HTTP 5xx and transient transport errors (off by default; HTTP 429 is always retried).
  • --insecure TLS flag: Makes TLS certificate validation configurable for scan / server / mcp (validation stays on by default; --insecure=false enforces it explicitly). Fixes #1111.
  • Whole-scan timeout for server & MCP (scan_timeout): Bounds total scan duration for concurrent REST / MCP jobs. Part of #1103.
  • Structured output metadata (SARIF / Markdown / TOML): The scan meta envelope (version, targets, duration, request/finding counts, per-target WAF info) now appears in all three formats for parity with JSON. Fixes #1093.
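To make the --rate-limit and --retries semantics above concrete, here is an added Python example (not dalfox's own code, whose implementation the release notes do not show): a requests-per-second token bucket shared by all workers, with 0 meaning unlimited, and a retry policy that backs off exponentially on 5xx / transport errors only when retries are enabled while always retrying HTTP 429. The class and parameter names, the per-429 retry cap and the simulated clock are assumptions made for this illustration.

```python
"""Added example, not dalfox's own code. TokenBucket, send_with_retries,
the max_429_retries cap and FakeClock are assumptions for illustration."""
import threading
import time


class TokenBucket:
    """Global token bucket: one instance is shared across all workers and
    targets, so it bounds the aggregate outbound rate (which a per-request
    delay cannot). rate is requests per second; 0 disables limiting."""

    def __init__(self, rate, clock=time.monotonic, sleep=time.sleep):
        self.rate = float(rate)
        self.capacity = max(self.rate, 1.0)   # burst: one second's worth, at least 1
        self.tokens = self.capacity
        self.clock, self.sleep = clock, sleep
        self.last = clock()
        self.lock = threading.Lock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def acquire(self):
        """Take one token, sleeping outside the lock until one is available.
        Returns the seconds waited (0.0 when unlimited or a token was free)."""
        if self.rate <= 0:
            return 0.0
        waited = 0.0
        while True:
            with self.lock:
                self._refill()
                if self.tokens >= 1.0:
                    self.tokens -= 1.0
                    return waited
                need = (1.0 - self.tokens) / self.rate
            self.sleep(need)
            waited += need


class TransientError(Exception):
    """Transport-level failure (timeout, reset) that the policy may retry."""


def send_with_retries(send, retries=0, retry_delay=0.5, max_429_retries=3,
                      sleep=time.sleep):
    """send() returns an HTTP status code or raises TransientError.
    5xx and TransientError are retried up to `retries` times (0 = off);
    429 is retried up to max_429_retries times even when retries == 0.
    The n-th retry overall sleeps retry_delay * 2**n (exponential backoff).
    Returns (final_status, delays_slept)."""
    n = 0        # retries performed so far; drives the backoff exponent
    n429 = 0     # of which, retries triggered by HTTP 429
    delays = []
    while True:
        try:
            status = send()
        except TransientError:
            status = None                      # handled like a 5xx below
        if status == 429 and n429 < max_429_retries:
            n429 += 1
        elif (status is None or 500 <= status < 600) and (n - n429) < retries:
            pass                               # retry budget left
        else:
            if status is None:
                raise TransientError(f"gave up after {n} retries")
            return status, delays
        delay = retry_delay * (2 ** n)
        n += 1
        delays.append(delay)
        sleep(delay)


class FakeClock:
    """Simulated clock so the limiter can be exercised without real sleeps."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def scripted_sender(script):
    """Stand-in for send(): yields the next constructed status code, or raises
    the next item if it is an exception instance. No real traffic is sent."""
    it = iter(script)

    def send():
        item = next(it)
        if isinstance(item, Exception):
            raise item
        return item
    return send


if __name__ == "__main__":
    clk = FakeClock()
    bucket = TokenBucket(2, clock=clk.now, sleep=clk.sleep)      # 2 req/s
    print([bucket.acquire() for _ in range(4)])                  # [0.0, 0.0, 0.5, 0.5]
    print(send_with_retries(scripted_sender([503, 503, 200]), retries=2,
                            sleep=lambda s: None))               # (200, [0.5, 1.0])
```

The sleep happens outside the lock so a slow worker never blocks the others from taking tokens that have already accrued; with `retries=0` a 503 is returned as-is while a 429 still gets a backed-off retry.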

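The HAR input mode above takes a proxy export and derives one target per recorded request. As an added Python example (not dalfox's own code), this is the shape of that conversion: the target dictionary layout and the scheme filter are assumptions, and SAMPLE_HAR is a constructed capture, not real traffic.

```python
"""Added example, not dalfox's own code: one scan target per HAR request.
har_targets and the target keys are assumptions; SAMPLE_HAR is constructed."""
import json
from urllib.parse import urlsplit

# Constructed HAR 1.2 capture with two HTTP requests and one non-HTTP entry.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://example.test/search?q=term",
                 "headers": [{"name": "Cookie", "value": "session=abc"}],
                 "queryString": [{"name": "q", "value": "term"}]}},
    {"request": {"method": "POST", "url": "https://example.test/comment",
                 "headers": [{"name": "Content-Type",
                              "value": "application/x-www-form-urlencoded"}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "body=hello"}}},
    {"request": {"method": "GET", "url": "data:text/plain,inline"}},
]}})


def har_targets(har_text, schemes=("http", "https")):
    """Return one target dict per HAR entry whose URL uses an allowed scheme.
    Method, URL, request headers, query parameters and the POST body are kept
    so the request can be replayed the way the proxy saw it."""
    entries = json.loads(har_text).get("log", {}).get("entries", [])
    targets = []
    for entry in entries:
        req = entry.get("request") or {}
        url = req.get("url", "")
        if urlsplit(url).scheme not in schemes:
            continue                 # data:, chrome-extension:, blob: are not scannable
        headers = {h["name"]: h["value"] for h in req.get("headers", [])
                   if "name" in h and "value" in h}
        params = {p["name"]: p["value"] for p in req.get("queryString", [])
                  if "name" in p and "value" in p}
        post = req.get("postData") or {}
        targets.append({
            "method": req.get("method", "GET").upper(),
            "url": url,
            "headers": headers,
            "params": params,
            "body": post.get("text"),
            "content_type": post.get("mimeType") or headers.get("Content-Type"),
        })
    return targets


if __name__ == "__main__":
    for t in har_targets(SAMPLE_HAR):
        print(t["method"], t["url"], t["params"], t["body"])
```

Session cookies and other headers captured by the proxy travel with each target, which is what makes authenticated pages reachable from a HAR without re-entering credentials; the scheme filter drops entries a browser export typically contains that no HTTP scanner can act on.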
Changed

  • Adaptive WAF evasion (--waf-evasion): Replaced the blunt workers=1 / delay=3000ms preset with randomized inter-request jitter and an escalating cooldown on clusters of blocked responses. Part of #1096.
  • HTTP server internals: Refactored the REST server into a dedicated subsystem with an extracted job domain.

Fixed

  • Cut reflected-XSS false positives and corrected path special-character probing — higher recall with ~31% fewer requests. Fixes #1117.
  • Require a payload's handler/sink to survive on the marker element before verifying [V], removing truncated-reflection false positives. Fixes #1118.
  • Demoted inert encoded-echo reflections for non-tag payloads. Fixes #1133.
  • Clear DOM taint on clean / sanitized reassignment, removing a class of DOM-XSS false positives. Fixes #1087.
  • --encoders now accepts htmlpad, unicode, and zwsp. Fixes #1076.
  • Closed xssmaze WAF-facade detection gaps. Fixes #1104.
  • Parse-DoS hardening against deeply nested hostile JS, plus assorted false-negative and WAF / lifecycle fixes. Fixes #1115.
  • --blind-oob no longer swallows the target URL. Fixes #1132.
  • Closed 10 latent bugs from a source audit (#1107) and a batch of low-severity fixes (#1116).

Security & Reliability

  • Hardened the scanner / server / MCP against hostile responses — capped body reads and reflection-scan work to prevent OOM and hangs (#1119, #1129).
  • REST responses now set an explicit Content-Type with nosniff, and the server warns on non-loopback binds without auth. Fixes #1122.
  • Fixed a per-job scope leak and added rate-limit / concurrency caps for server and MCP scans (#1105, #1090).
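The three hardening items above (capped body reads, explicit Content-Type with nosniff, and a warning on non-loopback binds without auth) map onto small, testable checks. Here is an added Python example of that kind of logic (not dalfox's own code); the cap value, function names and warning text are assumptions for illustration.

```python
"""Added example, not dalfox's own code. MAX_BODY_BYTES, read_body_capped,
json_response_headers and bind_warning are assumptions for illustration."""
import io
import ipaddress

MAX_BODY_BYTES = 1 << 20   # 1 MiB cap (assumed value)


class BodyTooLarge(ValueError):
    """Raised once a body crosses the cap; the caller stops reading."""


def read_body_capped(stream, limit=MAX_BODY_BYTES, chunk=64 * 1024):
    """Read at most `limit` bytes from a response stream. Reading in chunks
    and aborting as soon as the cap is crossed means an endless or multi-GB
    body from a hostile server can neither exhaust memory nor hang the job."""
    buf = bytearray()
    while True:
        piece = stream.read(min(chunk, limit - len(buf) + 1))
        if not piece:
            return bytes(buf)
        buf += piece
        if len(buf) > limit:
            raise BodyTooLarge(f"body exceeds {limit} bytes")


def read_capped_bytes(data, limit=MAX_BODY_BYTES):
    """Convenience wrapper over read_body_capped for an in-memory body."""
    return read_body_capped(io.BytesIO(data), limit=limit)


def json_response_headers():
    """Explicit Content-Type plus nosniff: a browser must not content-sniff an
    API response (which may echo attacker-controlled text) into HTML."""
    return {"Content-Type": "application/json; charset=utf-8",
            "X-Content-Type-Options": "nosniff"}


def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False     # other hostnames and "" (all interfaces) are not loopback


def bind_warning(host, auth_enabled):
    """Return a warning when the server would listen on a non-loopback address
    without authentication, else None."""
    if auth_enabled or is_loopback(host):
        return None
    return (f"listening on {host or '0.0.0.0'} without authentication: "
            "anyone who can reach this address can submit scans")


if __name__ == "__main__":
    print(len(read_capped_bytes(b"x" * 100, limit=1000)))   # 100
    try:
        read_capped_bytes(b"x" * 2000, limit=1000)
    except BodyTooLarge as e:
        print(e)                                            # body exceeds 1000 bytes
    print(json_response_headers())
    print(bind_warning("0.0.0.0", auth_enabled=False))
```

The read loop asks for `limit - len(buf) + 1` bytes at most, so it can tell "exactly at the cap" from "over the cap" without buffering anything beyond one extra byte; the bind check treats an empty host (bind to all interfaces) as non-loopback, which is the case the warning exists for.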

Full Changelog: v3.0.2...v3.1.0