3.1.1
A maintenance release: reflected-XSS recall and false-positive fixes, url/file/pipe subcommand parity, request-fan-out bounding, and unified logging.
Changed
- Unified scan target parameter: Server and MCP now take
target; REST keepsurlas a backward-compatible alias. Fixes #1152. - Unified debug logging: Routed all debug output through a single stderr
dbg_log!macro and structured server/MCP loggers, and aligned OOB / blind output with the standard log format (#1145, #1147, #1144).
Fixed
- Restored reflected-XSS recall in raw-JS-expression and regex-literal contexts. Fixes #1161.
- Demoted inert URL-scheme and
javascript:self-link reflections, clearing the residual false positive from #1153 (#1154, #1160). - Front-loaded the protocol-scheme payload family so the per-param cap can no longer evict it. Fixes #1159.
url/file/pipesubcommands now apply config files, global flags, and--include-all(#1151) and respect an explicit-i/--input-type(#1149).--outputwrite failures are now reported via stderr and a non-zero exit code. Fixes #1150.- Scoped
--scan-timeoutcancellation to the timed-out target so it no longer aborts other targets, plus assorted OOB and retry edge-case fixes. - Fixed the Nix build by dropping removed
darwin.apple_sdkframework inputs. Fixes #1158.
Performance & Reliability
- Per-parameter payload safety cap and recall-preserving DOM-phase early-exit to bound request fan-out (#1155, #1156).
- Bounded unbounded task spawning in parameter mining and cut server / hot-path lock-hold and allocations.
- Capped the HPP reflection body read to bound scanner memory. Fixes #1148.
Full Changelog: v3.1.0...v3.1.1