v0.2.0 - From Beta to Stable
v0.2.0 - From Beta to Stable, with 29 New Detectors
The first stable (non-beta) release. This message summarizes everything landed since v0.1.43-beta: a major detection-coverage expansion (six new module families), deeper discovery and data-portability tooling, and a broad false-positive-hardening and severity-calibration sweep across the existing detectors.
Cumulative range: v0.1.44-beta -> v0.1.45-beta -> v0.1.46-beta -> v0.1.47-beta -> v0.2.0.
Highlights
- Six new module families: GraphQL security testing, Adobe Experience Manager (AEM), SaaS data-exposure (Salesforce / ServiceNow / Power Pages), Internet Information Services (IIS), an enlarged Model Context Protocol (MCP) suite, plus standalone dependency-confusion and JavaScript-beautification passives.
- 29 new registered modules (22 active + 7 passive), bringing the registry to 193 active + 109 passive. Every new active family is tech-gated, fail-closed, and multi-round-confirmed to keep the false-positive floor low.
- Version dropped its
-betaprerelease label and jumped to a minor release, reflecting the size of the coverage expansion.
New Module Families and Detection Coverage
- GraphQL security scanning (OWASP WSTG) — the
graphql_scanmodule gains a full phase suite backed by a newpkg/graphqlxlibrary: operation-name expansion, introspection/console exposure, query batching, field-level authorization (IDOR), reflected-XSS-in-errors, boolean-based SQL injection, and denial-of-service (deeply-nested / aliased / circular queries). Every phase runs only against an endpoint confirmed to speak GraphQL (a{ __typename }probe returning a spec-shaped envelope) and confirms findings across multiple rounds. - Adobe Experience Manager (AEM) — 11 active + 1 passive
aem_*modules over a shared, fail-closedinfra/aemgate (ConfirmAEM): dispatcher-bypass (differential), sensitive-servlet and console exposure, QueryBuilder content discovery (surfacingrep:passwordas Critical), default credentials, CloudSettings injection, reflected XSS (headless-confirmed), SSRF, out-of-band injection, XXE (CVE-2019-8086 entity-expansion proof), and RCE, alongside a passiveaem-fingerprint. Detection-only; every active probe is gated to a genuine AEM instance. - SaaS data-exposure (Salesforce / ServiceNow / Power Pages) — 7 active + 3 passive modules over a shared
infra/saasprobegate: Salesforce Aura object/record exposure (getConfigData/getItems), Salesforce Aura guest Apex execution (ApexActionController.execute), Salesforce Lightning debug-mode exposure (PRODDEBUG/DEV/JSTESTDEBUG), ServiceNow widget and KB-article data exposure (g_ck+ cookie, treating a401as not a finding), and Power Pages Dataverse/_apiexposure, each paired with a per-vendor passive fingerprint. Every active probe gates on a live Aura gateway, pairs a catch-all negative control with the positive, and confirms across multiple independent rounds. - IIS —
iis-shortname-discoverygains true 8.3 short-name resolution (a Go port of the gen8dot3/checksum technique that feeds deparos content-discovery with embedded wordlists), joined by two new active modules:iis-cookieless-source-disclosureandiis-extension-confusion-bypass(::$DATA/ trailing-dot). All IIS/ASPX-gated and multi-round-confirmed. - MCP suite expansion — two new active modules (
mcp-tool-definition-drift,mcp-dos-amplification) and a new passivemcp-dangerous-tool-exposureextend the Model Context Protocol family audited against OWASP. dependency-confusionpassive — extracts scoped npm import specifiers from first-party JS responses only and flags any package left unclaimed (404) onregistry.npmjs.org. Suspect/Tentative severity, batched registry lookup via a flusher, with over-query guards (public-scope skiplist + statement-boundary regex) and fail-closed handling of any indeterminate lookup.js-beautifypassive — unminifies and unpacks minified or bundled first-party scripts (React/Next/Vue SPA output) into readable source via the embedded jsscan tool over webcrack (static unpacking, noeval-based deobfuscation). Runs as a boundedbunsubprocess (capped atGOMAXPROCS-2, max 4). For JS responses the stored record body is rewritten in place with the beautified document and taggedjs-beautified, so linkfinder, observed-word harvesting, and manual review all read clean source; inline<script>code in HTML is beautified into finding evidence only. A cheap Go-side pre-gate avoids spawning a subprocess for tiny or already-readable scripts, results are deduped per host+path, and known third-party assets are skipped unless the scan is targeting that vendor. Informational severity; cleanly no-ops when the embedded binary is unavailable.
Added
- Spider response-aware form filling (v0.1.47-beta) — the crawler derives form values from the target and the response instead of always using fixed placeholders: it recalls a value entered earlier in the same crawl (so a registered identity is reused at login), falls back to target-derived values, then to an on-page example, then to smart/fixed defaults. Passwords are never taken from the page. Default-on and non-destructive.
- Common-credential login spray on confirmed login forms (v0.1.47-beta) — at
balancedintensity the spider tries a minimal list (admin:admin,admin:123456) and atdeepthe full documented short list (never a wordlist), but only after confirming a genuine local login form and that a bogus control pair is rejected first. On success the session cookies persist and the crawl continues authenticated. Off atquick/lite. vigolium importmerges vigolium SQLite databases (v0.1.47-beta) —importaccepts another vigolium result database as its source (auto-detected by SQLite magic header) and folds it into the destination--db. A lossless, idempotent SQLite->SQLite merge of HTTP records, findings, scans, agentic scans, and OAST interactions, deduped on natural keys, each row keeping its originalproject_uuid. The natural companion toscan -S --format sqlite.agent audit --output-dir <dir>(v0.1.47-beta, stateless-only) — bundles a-Srun's HTML report and a copy of each driver's rawvigolium-results/tree into one folder.vigolium server --passive-only(v0.1.47-beta) — with-S/--scan-on-receive, restricts scanning to passive modules only (no active scan traffic; secret detection still runs) on every ingested request.vigolium replaybulk mode (v0.1.46-beta) — passing--all(or any of--host/--method/--status/--path/--source/--search/--body) replays every matching stored record instead of a single source. Any--mutateis applied per record; without one, records are re-sent verbatim. Results stream as JSONL, throttled with-c/--concurrencyand capped with-n/--limit.replay -S/--stateless --db <file>(v0.1.46-beta) — replay can read baselines from a standalone.sqliteor.jsonlexport with project scoping off, matching the read semantics oftraffic/finding.- Secret findings labelled by credential family (v0.1.45-beta) —
secret-detecttags each finding with a short classification (JWT,Google API key,reCAPTCHA site key,Google OAuth client ID, or the Kingfisher rule name), rendered as a leading[JWT]bracket and carried in the jsonl/DBmeta.patternfield.
Changed
- Version dropped its
-betalabel and jumped to a minor release (v0.2.0) — v0.2.0 is the first stable release. - MCP false-positive hardening (v0.2.0) across the existing family — method-enum negative control, batch singleton baseline, session-fixation gate, origin locality, server-probe
isError/skip handling, and resource-fuzz OAST/metadata checks, plus expandedmcp-description-injectioncoverage. - Example blocks refreshed (v0.1.47-beta) —
replay,update,agent triage, andextensions examplecarry inline--helpexamples; theimportexamples document the new SQLite-merge source. replayno longer prints the banner (v0.1.46-beta) — added to the banner-suppression list alongsidescan/run/traffic, keeping JSONL output clean for piping.traffic --replayexamples refreshed (v0.1.46-beta) — document stateless-export replay, method/host filtering, and--all --with-browser.
Fixed (False-Positive Hardening and Severity Calibration)
- Markup-reflection oracles ignore JSON/XML-echoed payloads (v0.1.45-beta) — a new
modkit.IsNonHTMLReflectionContexttreats an HTML/template marker echoed inside a non-HTML response (the canonical FastAPI/Pydantic422 application/jsonvalidation-error echo) as a data value, not rendered markup. Applied tocsti-detection,pdf-generation-injection, andws-injection; evaluated-result oracles left alone. - Error-signature detectors bound their match span (v0.1.45-beta) — a loosely-anchored
X.*?Ypattern could bridge two coincidental words across a large body (Oracle.*?Driverspanning 60 KB of a Salesforce Aura shell). The sharedmodkit.MatchWithinSpan/MaxErrorSignatureSpan(512 B) gate requires a compact span. Applied tosqli-error-based,insecure-deserialization, and siblings. - IDOR detectors no longer flag bare sequential integers (v0.1.45-beta) —
authzutil.ClassifyParamdrops the value signal for a plain sequential integer lacking both an identifier-shaped name and a resource-noun path context, so telemetry/pagination/status params (page_number=5,responseStatus=200) stop being misreported. Wired intoidor-guidandidor-params-detect. - Passive server-side detectors skip client build bundles (v0.1.45-beta) —
jsframework.IsClientBuildArtifactskips immutable framework output (/_next/static/,/_nuxt/), so a shared vendor chunk no longer yields one false positive per host. Applied across the Next.js/Nuxt/server-action detectors andcache-data-leak. - Differential detectors confirm against non-determinism (v0.1.45-beta) —
http-method-tamperingandrace-interferenceadd determinism controls so a per-request token/nonce or SSR variance between legs isn't mistaken for a method-override or race divergence. - Discovery extension-fuzz gating (v0.1.45-beta) — deparos trusts a start URL's
.aspx/.php/.jspsuffix as a stack signal only when the URL was actually served as that extension (2xx/401/403, not a 3xx/404/5xx recon seed), plus a per-extension catch-all guard so an SPA/CDN that 200s any path isn't fingerprinted into a wrong-stack wordlist fuzz. - Lower-signal passive findings recalibrated (v0.1.45-beta) —
oauth-facebook-detectandgraphql-introspection-detect-> Info;serialized-object-detect,jackson-deserialize-detect,sensitive-api-fields-detect,api-pagination-leak,auth-headers-detect-> Low;jwt-claims-detectnow grades per-issue (hygiene -> Low,alg=none-> High);postmessage-handler-detect,javascript-uri-sink,openredirect-params,input-reflection-detect, andunsafe-html-sinkgained value-shape/context gates. - Path-probe exposure modules ignore their own reflected slug (v0.1.44-beta) — a marker that is just the probe's last path segment (
filamentfor/filament,redoc,healthchecks-ui) self-matched when a content/SEO route echoed the requested slug. A new slug-reflection control probes a nonexistent sibling carrying a canary and drops the finding only when the route reflects it into a 200. Applied tolaravel-admin-exposure,swagger-exposure, andaspnet-health-exposure. struts-ognl-injectionconfirms the addHeader variant via a real response header (v0.1.44-beta) — detection now keys onX-Struts-Testbeing a genuinely parsed response header, and confirmation re-injects a fresh random marker and requires it back as a real header each round, closing a forged-marker FP where a gateway echoes the injectedContent-Typeinto the error body.- Injection detectors strip the reflected payload before matching (v0.1.44-beta) — a new
modkit.StripReflectedremoves the injected payload from the response before signature matching, so an endpoint that merely rejects and quotes the input back can't self-trigger. Fixesinsecure-deserializationandxxe-generic;nosqli-error-baseduses the shared helper, and thestruts-ognl-injectionarithmetic variant strips as defense in depth. secret-detectdowngrades documentation-page demo credentials (v0.1.44-beta) — a secret-shaped string served as rendered page content from a docs/reference/manual/CLI/tutorial route (Supabase demo JWTs, local-devpostgresql://postgres:postgres@...URLs, placeholder connection strings) drops to Low/Tentative. Gated on both the route and an HTML/RSC content type; a validated live secret always outranks this to Critical.
Internal
- New shared libraries:
pkg/graphqlx(GraphQL detection, introspection, schema, operation building) and theinfra/aem/infra/saasprobegate packages backing the AEM and SaaS families. (v0.2.0) - Tech-fingerprint tags added for the new gating (
aem/adobe,salesforce/lightning/aura,servicenow,powerpages/dataverse) intech_tags.go, published by the respective*_fingerprintpassives. The jsscanwebpackExtractorwas extended to recover per-module source paths forjs-beautify. (v0.2.0) - New
form.FillContext(per-crawl identity memory) threads response-aware values through form filling;DetectedInputgainsDefaultValue/DatalistOptions. Login spray lives incrawler/login_creds.go(single-flight per host, negative-control gated). SQLite file detection centralized inpkg/database/detect.go. (v0.1.47-beta) - The single-source and bulk replay paths share one call shape via a new
replayRunstruct; client construction, cookie-jar save, header-overlay parsing, and output-writer setup extracted into reusable helpers; bulk selection maps ontodatabase.QueryFiltersviabuildReplayBulkFilters. (v0.1.46-beta) - New shared helpers
modkit.IsNonHTMLReflectionContext,modkit.MatchWithinSpan+modkit.MaxErrorSignatureSpan,jsframework.IsClientBuildArtifact, theauthzutil.ClassifyParamsequential-int gate, andsecret_detect.PatternLabel;format_screen.gorenders any finding'sMetadata["pattern"]as a leading bracket. (v0.1.45-beta) - New shared path-decomposition and slug-reflection helpers in
modkit/pathprobe.go;modkit.StripReflectedas the request-body analogue ofStripReflectedProbePath;secret-detectgainsIsDocDemoSecretContext. (v0.1.44-beta) - Regression and unit coverage added throughout alongside each new module and hardened detector.