loading
loading
Cloud Storage
Scans URLs with multiple HTTP methods and basic exploit modules to surface easy bugs.
overview
ScanT3r reads a list of URLs and probes each one with multiple HTTP methods, testing URL parameters and request headers for common web vulnerabilities. Its module system covers XSS, SSRF, SQLi, RCE, SSTI, reflected parameters, and header injection, so a single run sweeps a captured URL set for the parameter-driven bugs that slower manual testing tends to leave for last.
It is built to chain. Point it at the output of a URL harvester like waybackurls or gau so your manual hours go to logic and business functions while the scanner clears the obvious cases. A worker count controls concurrency, custom headers carry session cookies into authenticated endpoints, and an external host plus an XSS Hunter host record out-of-band hits such as blind SSRF and blind XSS.
On Trickest, ScanT3r takes a URL list and writes a file and a folder of findings. Run it right after URL harvesting so a large captured surface gets a fast first pass before you commit to deeper, tool-specific scanners.
use cases
Feed the output of waybackurls or gau and let ScanT3r test each URL's parameters and methods for common vulnerabilities in one pass.
Select a module such as xss, ssrf, sqli, ssti, or rce with -m to focus the run on one vulnerability type instead of the full set.
Set an external host with -x and an XSS Hunter host with -b so blind SSRF and blind XSS callbacks are captured during the scan.
Add custom headers and cookies with -H so authenticated endpoints are tested as a logged-in user rather than as an anonymous visitor.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url-list | FILE | · | URL list file to scan, passed on stdin (for example the output of gau). |
| module | STRING | -m | Run one module: lorsrf, ssrf, paths, xss, sqli, rce, finder, xss_param, ssti, injheaders, reflect. |
| header | STRING | -H | Add a custom header, such as a session cookie (Cookie: test=1). |
| methods | STRING | -y | HTTP methods allowed against the target (for example GET,POST). |
| workers | STRING | -w | Number of concurrent workers. Default: 50. |
| external-host | STRING | -x | Your out-of-band host for callbacks (Burp Collaborator, interactsh, etc.). |
| xss-hunter-host | STRING | -b | Your XSS Hunter host, or any blind-XSS callback host. |
| proxy | STRING | -p | Forward all requests through a proxy (host:port). |
Showing key inputs. scant3r exposes 14 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| api | BOOLEAN | -a | Start the ScanT3r API server instead of running a direct scan. |
| proxy | STRING | -p | Forward all requests through a proxy (host:port). |
| header | STRING | -H | Add a custom header, such as a session cookie (Cookie: test=1). |
| module | STRING | -m | Run one module: lorsrf, ssrf, paths, xss, sqli, rce, finder, xss_param, ssti, injheaders, or reflect. |
| silent | BOOLEAN | -n | Silent mode: suppress the banner and progress noise. |
| methods | STRING | -y | HTTP methods allowed against the target (for example GET,POST). |
| timeout | STRING | -t | Connection timeout in seconds. Default: 10. |
| workers | STRING | -w | Number of concurrent workers. Default: 50. |
| url-list | FILE | · | URL list file to scan, passed on stdin (for example the output of gau). |
| external-host | STRING | -x | Your out-of-band host for callbacks (Burp Collaborator, interactsh, etc.). |
| debugging-mode | BOOLEAN | -d | Debugging mode: print the raw requests and responses. |
| xss-hunter-host | STRING | -b | Your XSS Hunter host, or any blind-XSS callback host. |
| random-parameters | BOOLEAN | -g | Generate common parameter names when a URL has none of its own. |
| random-user-agent | BOOLEAN | -R | Rotate a random User-Agent on each request. |
example
# scan a harvested URL list for reflected and blind XSScat urls.txt | scant3r -m xss -H "Cookie: session=t0ken" -w 50 -b xss.example.com[*] scant3r modules: xss workers: 50[*] 218 URLs queued from urls.txt[xss] reflected parameter 'q' GET https://example.com/search?q=FUZZ[xss] reflected parameter 'return' GET https://app.example.com/login?return=FUZZ[xss] reflected header 'Referer' GET https://example.com/account[xss] blind payload fired callback at xss.example.com (GET /profile)[-] no reflection https://static.example.com/ (no parameters)[*] done 4 findings written to scant3r-out/guidance
Use ScanT3r as a fast first pass over a large harvested URL list for parameter-driven bugs. For deeper template-based scanning use nuclei; for focused XSS or SQLi hunting, dalfox and sqlmap go further. Chain it after gau or waybackurls.
Template-driven scanner with far broader, community-maintained vulnerability coverage.
Specialized XSS scanner with deeper parameter analysis than a general sweep.
Harvests URLs from archives, the upstream that feeds ScanT3r's URL list.
faq
A seed feeds gau to harvest URLs, which ScanT3r then probes for parameter-driven bugs before the findings land as a queryable output.
Facts on this page come from the live Trickest tool library.