loading
loading
Scanners
The Swiss Army knife for automated Web Application Testing.
overview
jaeles tests web applications against a library of signatures, each a small rule that describes one request to send and one condition that marks a finding. Because the logic lives in signatures rather than code, you can select, exclude, or write rules per engagement and run the same engine across a wide scope without rebuilding it each time.
It accepts a single URL, a file of URLs, or a raw request exported from Burp, which lets it replay real authenticated traffic against your signature set. Concurrency, thread, delay, and timeout controls keep wide runs in check, and chunk mode splits very large inputs so a big URL list does not overwhelm a single pass.
On Trickest, jaeles is a Scanners node that takes targets and writes a folder of results. Store output as JSON, generate an HTML report, and chain it after a prober so it only tests hosts that already answered. Feed it the live URLs from httpx or a crawler to keep signature runs focused on real surface.
use cases
Select a signature set with the --signs selector and scan a URL or URL file so each rule sends its request and reports the matches as findings.
Feed a raw request exported from Burp with --raw so jaeles tests real, authenticated traffic against your signatures instead of an unauthenticated guess.
Enable chunk mode on a big URL list so jaeles splits the input with --chunk and runs signatures in batches without overloading one pass.
Store output as JSON and generate an HTML report so findings land in a shareable artifact alongside the rest of the workflow results.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | URL of the target to scan. |
| urls | FILE | --urls | File of target URLs for bulk scanning. |
| raw | FILE | --raw | Raw request exported from Burp, used as the origin request. |
| signatures | STRING | --signs | Signature selector for the rules to run. Multiple selectors are accepted. |
| exclude | STRING | --exclude | Exclude a signature selector. Multiple flags are accepted. |
| level | STRING | --level | Filter signatures by level so only rules at or above the threshold run (default 1). |
| json | BOOLEAN | --json | Store output as JSON. |
| html | BOOLEAN | --html | Generate an HTML report after the scan finishes. |
Showing key inputs. jaeles exposes 50 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| raw | FILE | --raw | Raw request from Burp for origin |
| url | STRING | --url | URL of target |
| html | BOOLEAN | --html | Generate an HTML report after the scan finishes |
| json | BOOLEAN | --json | Store output as JSON |
| urls | FILE | --urls | URLs file of target |
| chunk | BOOLEAN | --chunk | Enable chunk running against big input |
| debug | BOOLEAN | --debug | Enable debug output |
| delay | STRING | --delay | Delay time between requests |
| found | STRING | --found | Run a host OS command when a vulnerability is found |
| level | STRING | --level | Filter signature by level (default 1) |
| local | BOOLEAN | --local | Enable local analyze (accept input as a local path) |
| no-db | BOOLEAN | --no-db | Disable the database |
| proxy | STRING | --proxy | HTTP proxy to route requests through |
| quiet | BOOLEAN | --quiet | Quiet output |
| retry | STRING | --retry | HTTP retry count |
| title | STRING | --title | Report title name |
| config | FILE | --config | Config file (default is $HOME/.jaeles/config.yaml) |
| inline | STRING | --inline | Inline detections |
| params | STRING | --params | Custom params -p='foo=bar' (multiple -p flags are accepted) |
| report | STRING | --report | Report name |
| scanID | STRING | --scanID | Scan ID |
| single | BOOLEAN | --single | Disable parallel mode (use this when a signature needs single-threaded logic) |
| exclude | STRING | --exclude | Exclude signature selector (multiple flags are accepted) |
| headers | STRING | --headers | Custom headers (e.g: -H 'Referer: {{.BaseURL}}') (multiple flags are accepted) |
| passive | BOOLEAN | --passive | Turn on passive detections |
| refresh | STRING | --refresh | Refresh time for background task (default 10) |
| rootDir | FOLDER | --rootDir | Root project (default "~/.jaeles/") |
| signDir | FOLDER | --signDir | Folder containing default signatures (default "~/.jaeles/base-signatures/") |
| threads | STRING | --threads | Set the concurrency level inside a single signature (default 10) |
| timeout | STRING | --timeout | HTTP timeout (default 20) |
| verbose | BOOLEAN | --verbose | Verbose output |
| base-url | BOOLEAN | --ba | Shortcut to take raw input as {{.BaseURL}} |
| save-raw | BOOLEAN | --save-raw | Save the raw request |
| chunk-dir | STRING | --chunk-dir | Temp directory to store the chunk directory |
| no-output | BOOLEAN | --no-output | Do not store output |
| chunk-size | STRING | --chunk-size | Chunk size (default 20000) |
| signatures | STRING | --signs | Signature selector (multiple -s flags are accepted) |
| always-true | BOOLEAN | --at | Enable Always True detection to observe the response |
| chunk-limit | STRING | --chunk-limit | Limit size to trigger a chunk run (default 200000) |
| concurrency | STRING | --concurrency | Set the concurrency level (default 20) |
| local-proxy | BOOLEAN | --lc | Shortcut for '--proxy http://127.0.0.1:8080' |
| quietFormat | STRING | --quietFormat | Format for quiet output (default "{{.VulnURL}}") |
| format-input | BOOLEAN | --format-input | Enable special input format |
| selectorFile | FILE | --selectorFile | Signature selector from a file |
| chunk-threads | STRING | --chunk-threads | Number of chunk threads (default 2) |
| no-background | BOOLEAN | --no-background | Do not run background task (default true) |
| store-verbose | BOOLEAN | --sverbose | Store verbose info in the summary file |
| filtering-mode | BOOLEAN | --fi | Enable filtering mode (to use Diff() detection) |
| passive-selector | STRING | --sp | Selector for passive detections (default "*") |
| disable-replicate-request | BOOLEAN | --dr | Shortcut to disable replicate request (avoid sending many requests to timeout) |
example
# run custom signatures against live URLs, store JSON and an HTML reportjaeles scan --urls live-urls.txt --signs 'common/.*' --level 2 --json --html[*] Loaded 1042 signatures[*] Start scanning 37 URLs from live-urls.txt[High][GET] Spring Boot Actuator env exposure - https://api.example.com/actuator/env[Medium][GET] Open Redirect - https://app.example.com/out?url=//198.51.100.24[Low][GET] Exposed .git directory - https://staging.example.com/.git/config[*] Done. 3 findings written to jaeles-report/[*] HTML report: jaeles-report/index.htmlguidance
Use jaeles when you want to test live hosts against a curated set of custom signatures, especially with raw Burp requests for authenticated flows. It tests, it does not discover, so feed it httpx or crawler output. For a larger community template ecosystem, nuclei is the broader sibling.
Template-driven scanner with a huge community ecosystem. jaeles leans on custom signatures and raw Burp replay.
Classic web server scanner. jaeles is signature-driven and easier to extend per engagement.
Black-box web app scanner that crawls and injects. jaeles focuses on running your own detection rules.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
A URL list is probed by httpx, then jaeles runs its signatures against the live hosts and writes the findings folder for triage.
Facts on this page come from the live Trickest tool library.