GitHub: londonmax12/HyperZ-Scanner
# 🚀 HyperZ
**A modern web vulnerability scanner, written in Go.**
`security-headers` · `tls-audit` · `sqli` · `xss` · `ssrf` · `xxe` · `graphql-audit` · `jwt-vulns` · `request-smuggling` · `race-condition` · …
## ✨ Why HyperZ?
- **Tiered, predictable surface.** Three scan levels (`passive` / `default` /
`aggressive`) form a strict superset, so an aggressive scan never silently
drops a cheap observation. Pick the level, get every check at or below it.
- **Out-of-band first-class.** Built-in `--oob` HTTP listener threads canary
URLs into blind SSRF / XXE / SSTI / command-injection probes - findings
fire when a target *actually* calls back, not on flaky timing heuristics.
- **Real browser when you need one.** `--js` spins up a headless
Chrome/Chromium pool for DOM-based checks (`dom-xss`). Off by default;
costs nothing when you don't need it.
- **CI-friendly diffs.** `--baseline` annotates every finding `new` /
`persisting` / `resolved`, and `--fail-on` gates only on *new* issues -
drop it into a pipeline without re-flagging known debt.
- **Doesn't blow up your target.** Per-host rate limits, a scan-wide RPS
ceiling, request budget, retry-with-`Retry-After`, and a session sentinel
that halts on session loss. Proxy pool with epsilon-greedy ranking on
per-proxy success rate, plus optional auto-scraping.
- **Lua-defined checks.** Detection logic lives in `internal/checks/*.lua`,
one file per check, executed by an embedded Lua VM against typed Go
bridges for HTTP, cookies, OOB, browser, scope, and the rest. Editing a
finding's prose, severity, or dedupe shape doesn't require rebuilding Go.
- **Seven report formats.** Text, JSON, JSONL, CSV, SARIF, Markdown, PDF.
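The out-of-band correlation described above, as an added example that is not part of HyperZ's code base: a listener-side registry that ties an unguessable canary token to the probe that planted it, so a finding is raised only when the target actually calls back, never on a timeout. The `Probe`/`Registry` names, the `/c/<token>` path layout and the `scanner.example.com:7777` listener address are assumptions made for this illustration; the callback at the end of `main` is simulated in-process.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
	"sync"
)

// Probe records which target, check and parameter a canary URL was planted in.
// The type and field names are assumptions for this example, not HyperZ's own.
type Probe struct {
	Target string
	Check  string
	Param  string
}

// Callback is a finding raised only because the target really contacted us.
type Callback struct {
	Probe      Probe
	RemoteAddr string
	Hits       int
}

// Registry maps unpredictable canary tokens to the probe that planted them,
// so a callback can be attributed without any timing heuristics.
type Registry struct {
	mu     sync.Mutex
	base   string // public listener URL, e.g. http://scanner.example.com:7777 (assumed)
	probes map[string]Probe
	hits   map[string]*Callback
}

func NewRegistry(base string) *Registry {
	return &Registry{
		base:   strings.TrimRight(base, "/"),
		probes: make(map[string]Probe),
		hits:   make(map[string]*Callback),
	}
}

// newToken returns 16 hex chars from crypto/rand. Tokens must be unguessable,
// otherwise unrelated traffic could be mistaken for a genuine callback.
func newToken() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue mints a canary URL for p and remembers the token -> probe mapping.
func (r *Registry) Issue(p Probe) string {
	r.mu.Lock()
	defer r.mu.Unlock()
	tok := newToken()
	r.probes[tok] = p
	return r.base + "/c/" + tok
}

// tokenFromPath extracts the token from "/c/<token>[/...]"; ok is false otherwise.
func tokenFromPath(path string) (string, bool) {
	if !strings.HasPrefix(path, "/c/") {
		return "", false
	}
	rest := strings.TrimPrefix(path, "/c/")
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		rest = rest[:i]
	}
	return rest, rest != ""
}

// Record attributes an incoming request to its probe. It returns false for
// unknown tokens (internet background noise, typos) so they never become findings.
func (r *Registry) Record(path, remoteAddr string) bool {
	tok, ok := tokenFromPath(path)
	if !ok {
		return false
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	p, known := r.probes[tok]
	if !known {
		return false
	}
	cb := r.hits[tok]
	if cb == nil {
		cb = &Callback{Probe: p, RemoteAddr: remoteAddr}
		r.hits[tok] = cb
	}
	cb.Hits++
	return true
}

// Findings returns one entry per probe that produced at least one callback.
func (r *Registry) Findings() []Callback {
	r.mu.Lock()
	defer r.mu.Unlock()
	out := make([]Callback, 0, len(r.hits))
	for _, cb := range r.hits {
		out = append(out, *cb)
	}
	return out
}

// ServeHTTP is the listener side: record the hit, answer 204 to everything.
func (r *Registry) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	r.Record(req.URL.Path, req.RemoteAddr)
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	reg := NewRegistry("http://scanner.example.com:7777")
	u := reg.Issue(Probe{Target: "https://target.example/fetch", Check: "ssrf", Param: "url"})
	fmt.Println("planted canary:", u)
	// Constructed callback: simulate the target fetching the canary, no real network.
	reg.Record(strings.TrimPrefix(u, "http://scanner.example.com:7777"), "192.0.2.10:51234")
	for _, f := range reg.Findings() {
		fmt.Printf("%s via %s on %s (%d hit[s]) from %s\n",
			f.Probe.Check, f.Probe.Param, f.Probe.Target, f.Hits, f.RemoteAddr)
	}
	// To serve real callbacks: http.ListenAndServe(":7777", reg)
}
```

Two design points worth noting: the token, not the request's origin or timing, is the only thing that links a hit to a probe, and tokens the registry never issued are dropped before they can be counted, so a noisy listener port does not inflate results.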
## 🚀 Quick start
```shell
# build
go build ./cmd/hyperz

# fastest path - passive observations against a single target
./hyperz scan --url https://example.com

# active probes + crawler, structured output
./hyperz scan \
  --url https://example.com \
  --crawl --scope-max-depth 3 \
  --mode default \
  --format sarif -o report.sarif

# blind-vuln callbacks via the built-in OOB listener
./hyperz scan \
  --url https://example.com \
  --mode default \
  --oob --oob-host scanner.example.com:7777

# CI: diff against last run, fail only on NEW high-or-above findings
./hyperz scan \
  --url https://example.com \
  --mode default \
  --baseline last-scan.json \
  --fail-on high \
  --format json -o this-scan.json
```
Inspect the catalog any time:
```shell
hyperz checks list   # name + level for every built-in check
hyperz formats       # supported output formats
hyperz version       # build info
```
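How the `--baseline` / `--fail-on` gate from the CI command above can be implemented, as an added illustration rather than HyperZ's own code: findings are keyed on their stable fields, annotated `new` / `persisting` / `resolved` against the previous report, and the exit gate considers only `new` ones at or above the threshold. The `Finding` JSON field names, the severity ladder and the two sample reports are assumptions constructed for this example; HyperZ's real report schema is not shown on this page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Finding is a deliberately minimal shape for this example; the real HyperZ
// JSON schema is not shown on the page, so these field names are assumptions.
type Finding struct {
	Check    string `json:"check"`
	URL      string `json:"url"`
	Param    string `json:"param,omitempty"`
	Severity string `json:"severity"`
	Evidence string `json:"evidence,omitempty"`
	Status   string `json:"status,omitempty"` // new | persisting | resolved
}

// Assumed severity ladder; "high" means high or critical.
var severityRank = map[string]int{"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

// Key derives the dedupe identity from stable fields only. Evidence text and
// timestamps are excluded on purpose: if they were part of the key, a known
// issue would be re-flagged as "new" on every run.
func (f Finding) Key() string {
	h := sha256.Sum256([]byte(strings.Join([]string{f.Check, f.URL, f.Param}, "\x00")))
	return hex.EncodeToString(h[:8])
}

// Diff annotates every finding: current ones as new or persisting, and
// baseline entries absent from the current run as resolved.
func Diff(baseline, current []Finding) []Finding {
	inBaseline := make(map[string]bool, len(baseline))
	for _, b := range baseline {
		inBaseline[b.Key()] = true
	}
	inCurrent := make(map[string]bool, len(current))
	out := make([]Finding, 0, len(baseline)+len(current))
	for _, f := range current {
		k := f.Key()
		inCurrent[k] = true
		if inBaseline[k] {
			f.Status = "persisting"
		} else {
			f.Status = "new"
		}
		out = append(out, f)
	}
	for _, b := range baseline {
		if !inCurrent[b.Key()] {
			b.Status = "resolved"
			out = append(out, b)
		}
	}
	return out
}

// ShouldFail reports whether any NEW finding reaches the threshold. Persisting
// debt never trips the gate, which is what lets a pipeline adopt the scanner
// without first fixing everything it already knows about.
func ShouldFail(annotated []Finding, threshold string) (bool, error) {
	floor, ok := severityRank[strings.ToLower(threshold)]
	if !ok {
		return false, fmt.Errorf("unknown severity %q", threshold)
	}
	for _, f := range annotated {
		if f.Status != "new" {
			continue
		}
		if rank, ok := severityRank[strings.ToLower(f.Severity)]; ok && rank >= floor {
			return true, nil
		}
	}
	return false, nil
}

// LoadFindings parses a JSON array in the assumed shape above.
func LoadFindings(data []byte) ([]Finding, error) {
	var fs []Finding
	if err := json.Unmarshal(data, &fs); err != nil {
		return nil, err
	}
	return fs, nil
}

// Constructed sample reports for the example, not output of a real scan.
const baselineJSON = `[
  {"check":"sqli","url":"https://app.example/login","param":"user","severity":"high","evidence":"error-based, run 1"},
  {"check":"security-headers","url":"https://app.example/","severity":"low"}
]`

const currentJSON = `[
  {"check":"sqli","url":"https://app.example/login","param":"user","severity":"high","evidence":"error-based, run 2"},
  {"check":"xss","url":"https://app.example/search","param":"q","severity":"medium"}
]`

func main() {
	base, _ := LoadFindings([]byte(baselineJSON))
	cur, _ := LoadFindings([]byte(currentJSON))
	annotated := Diff(base, cur)
	for _, f := range annotated {
		fmt.Printf("%-10s %-8s %-17s %s\n", f.Status, f.Severity, f.Check, f.URL)
	}
	fail, _ := ShouldFail(annotated, "high")
	fmt.Println("fail-on high:", fail) // false: the only new finding is medium
}
```

With the constructed reports the persisting `sqli` (high) does not fail the build at `--fail-on high`, the new `xss` (medium) would fail it at `--fail-on medium`, and the missing `security-headers` entry is reported as resolved. The choice of which fields enter `Key()` is the whole game: too many and known issues churn as "new", too few and distinct issues collapse into one.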
## 📚 Table of contents
- [Checks](#-checks)
- [Scan modes](#scan-modes)
- [Authentication & cookies](#authentication--cookies)
- [Session sentinel & CSRF](#session-sentinel--csrf)
- [Proxies](#proxies)
- [Scope](#scope)
- [Crawling & API discovery](#crawling--api-discovery)
- [Out-of-band callbacks (`--oob`)](#out-of-band-callbacks---oob)
- [Headless browser (`--js`)](#headless-browser---js)
- [State-mutating checks (`--pollute`)](#state-mutating--disruptive-checks---pollute)
- [Concurrency & rate limiting](#concurrency-rate-limiting--request-budget)
- [Logging](#logging)
- [Baseline diff & fail-on](#baseline-diff--fail-on)
- [Project layout](#project-layout)
- [Adding a check](#adding-a-check)
## 🔍 Checks
`hyperz checks list` prints the live registry at runtime. The grouping below
mirrors `--mode`: each level is a superset of the cheaper ones.