Proxy-driven, template-based DAST engine (active + passive scanning, stateful flows)

[xhzeem]

Summary

I’d like to propose (and implement) an experimental proxy-driven DAST engine that combines:

• intercepted traffic (proxy mode)
• template-based active scanning (Nuclei-style DSL)
• stateful sessions & login flows

This is intentionally closer to Burp Suite Scanner + BApp logic / bugbountypro workflows, but designed to remain:

• open-source
• deterministic
• automatable
• compatible with ProjectDiscovery’s ecosystem

The goal is to support two modes:

1. Target mode – provide a base URL and scan automatically
2. Proxy mode – act as an intercepting proxy and scan live traffic streams

---

Motivation / problem

Current PD tools are excellent for known-request scanning, but real-world testing (especially bug bounty and enterprise apps) often requires:

• discovering POST bodies and complex request shapes
• understanding state (auth, CSRF, tokens, roles)
• scanning what the app actually does, not just what crawling finds
• applying professional-grade DAST logic over real traffic

Today, users bridge this gap by:

• using Burp/ZAP as a proxy
• exporting traffic
• feeding it into Nuclei manually

This breaks automation and creates friction.

---

Proposed concept

1) Proxy-first request capture

Run as an HTTP(S) proxy that:

• observes real user/browser/API traffic
• captures requests + responses
• normalizes them into a canonical Request Model
• tracks session context (cookies, tokens, CSRF)

This enables:

• automatic POST/JSON/form discovery
• SPA + SSO compatibility
• realistic request replay

---

2) Template-based scanning engine

Templates define how to attack, not just what to match:

• injection points (query / form / JSON / headers / cookies)
• mutation strategies (replace, append, prefix, type-aware)
• baseline → mutate → confirm flows
• extractors (regex / JSONPath / headers / cookies)
• matchers (reflection, diff, timing, errors)

Conceptually similar to:

• Burp Scanner logic
• BApp / extension scanners
• bug bounty “attack playbooks”

…but declarative and reusable.

---

3) Dual operating modes

A) Target mode (hands-off)

tool scan https://target.com

• optional browser-assisted login
• auto-discovery (crawl + proxy capture)
• active scanning using templates
• similar UX to classic DAST

B) Proxy mode (hands-on)

tool proxy --scan

• user browses app normally

• scanner passively observes traffic

• templates run:

  • passively (analysis)
  • actively (replay + mutation)

• findings generated from real flows

This mirrors how many security researchers actually work.

---

4) Stateful session handling

Sessions are explicit:

• cookie jars
• token stores
• refresh hooks
• role separation (user/admin)

Templates can declare:

auth:
  required: true
  role: admin

---

Relationship to existing PD tools

This is not a replacement for Nuclei.

Instead, it could be:

• a separate experimental repo, or

• a new engine that reuses:

  • Nuclei templates / DSL concepts
  • Katana (optional discovery)
  • Proxify (traffic capture inspiration)

Nuclei remains:

• fast
• stateless
• CI-first

This engine targets:

• realistic app behavior
• deep DAST
• bug bounty & enterprise workflows

---

Non-goals (explicit)

• No browser-based automatic fuzzing
• No uncontrolled brute-force payload spraying
• No attempt to fully replicate Burp UI
• No breaking changes to existing tools

---

Why this might be valuable for ProjectDiscovery

• Fills a clear ecosystem gap
• Matches real-world usage patterns
• Attracts advanced users and researchers
• Creates a professional-grade, open DAST alternative
• Still aligns with modular, composable tooling philosophy

---

Next steps / request for feedback

Before building this fully, I’d appreciate guidance on:

1. Should this live as:

   • a separate experimental repo, or
   • a companion to Nuclei / Proxify?

2. Which parts would be considered in-scope for PD?

3. Would reusing Nuclei’s template DSL be desirable, or should this evolve independently?

I’m happy to prototype this and iterate based on maintainer feedback.