
A fast, Rust-based web vulnerability scanner for finding OWASP Top 10 issues in web applications.
# Interactive mode
cargo run
# Quick scan (no crawling)
cargo run -- --scanner cors --target https://example.com --no-crawl
# Specify scanner
cargo run -- --scanner sql --target https://example.com
| Option | Description |
|---|---|
--target |
Single target URL |
--target-list |
File with URLs (one per line) |
--scanner |
Scanner type (see below) |
--no-crawl |
Skip crawling, scan target URL directly |
--max-depth |
Maximum crawl depth (default: 2) |
--max-urls |
Maximum URLs to crawl (default: 50) |
| Scanner | Flag |
|---|---|
| XSS | xss |
| SQL Injection | sql |
| CSRF | csrf |
| File Inclusion | file |
| Auth Bypass | auth |
| Access Control | bac |
| 403/401 Bypass | bypass |
| Directory | dir |
| CORS | cors |
| SSRF | ssrf |
| Exposed Files | exposed |
cargo build --release
./target/release/webhunter --scanner xss --target https://example.com
cargo test
cargo clippy -- -D warnings
cargo fmt -- --check
Customize wordlists in wordlists/:
xss/payloads.txt - XSS polyglotssql_injection/ - Boolean, error, time-based payloadsssrf/payloads.txt - localhost, cloud metadata, internal IPsexposed_files/ - Source maps and debug endpointsReports go to directories named after targets (dots converted to underscores):
example_com_443/
├── XSS-output.md
├── SQL-Injection-output.md
└── ...
Only scan targets you own or have permission to test. Unauthorized scanning is illegal.
Apache-2.0
$ claude mcp add Project-WebHunter \
-- python -m otcore.mcp_server <graph>