Share
## https://sploitus.com/exploit?id=BFA85ECC-D927-5C97-A786-EB1A6E10520B
โ๏ธ TSURUGI v3.0
Offensive Web Security Framework
Detect. Verify. Exploit.
---
## What is Tsurugi?
**Tsurugi** (ๅฃ - Japanese for "sword") is a modular offensive security framework for Bug Bounty hunters and penetration testers. Unlike basic scanners, Tsurugi **confirms vulnerabilities** before reporting them.
### Key Differentiators
| Feature | Basic Scanners | Tsurugi v3.0 |
|---------|---------------|--------------|
| XSS Detection | Pattern matching | โ
**Browser-confirmed** (zero false positives,flagged for manual analysis) |
| Secret Detection | Regex only | โ
**API-verified** (tests if keys work) |
| DOM XSS | โ Not supported | โ
**Static JS analysis** |
| CVE Scanning | Limited | โ
**6000+ Nuclei templates** |
| Hidden Params | โ Not supported | โ
**100+ param fuzzing** |
---
## Features
### Vulnerability Scanners
- **SQLi** โ Error-based + Time-based blind with dynamic threshold
- **XSS** โ Reflected + Blind (OOB) + **Headless Confirmation**
- **LFI** โ Path traversal with encoding bypass
- **SSTI** โ Jinja2, Twig, Freemarker, Velocity, Smarty, Mako
- **Secrets** โ 30+ patterns (AWS, Stripe, GitHub, JWT...) with **active verification**
### v3.0 New Modules
- **DOM XSS** โ Static JavaScript analysis (sinks/sources)
- **Params** โ Hidden parameter discovery
- **Nuclei** โ Integration with 6000+ vulnerability templates
### Recon & Automation
- **Crawler** โ Discovers endpoints, forms, JS routes
- **Hunter** โ Automated subfinder โ nuclei pipeline
- **Mass Scan** โ Multi-threaded batch scanning
### Evasion & Stealth
- **Cloudflare Bypass** โ cloudscraper + playwright-stealth
- **Stealth Mode** โ Timing delays + header randomization
- **Proxy Support** โ Route through Burp/ZAP
---
## Installation
```bash
git clone https://github.com/ThreatBiih/HikariSystem-Tsurugi.git
cd TSURUGI
pip install -r requirements.txt
# For headless features (--confirm, --heavy, --cf-bypass)
playwright install chromium
```
**Optional dependencies:**
- `nuclei` โ For CVE scanning ([install](https://docs.projectdiscovery.io/tools/nuclei/install))
- `subfinder` โ For subdomain enumeration
---
## Quick Start
### Scan for SQL Injection
```bash
python tsurugi.py attack "http://target.com/page?id=1"
```
### XSS with Browser Confirmation
```bash
python tsurugi.py xss "http://target.com/search?q=test" --confirm
```
### Find Hidden Parameters
```bash
python tsurugi.py params "http://target.com/api/user"
```
### DOM XSS Analysis
```bash
python tsurugi.py domxss "http://target.com"
```
### Scan for CVEs with Nuclei
```bash
python tsurugi.py nuclei "http://target.com" --templates cves,exposures
```
### Detect & Verify Secrets
```bash
python tsurugi.py secrets "http://target.com/app.js" --verify
```
---
## Full Command Reference
| Command | Description |
|---------|-------------|
| `attack ` | SQL Injection scanner |
| `xss [--confirm]` | XSS scanner with optional browser confirmation |
| `lfi ` | Local File Inclusion scanner |
| `ssti ` | Server-Side Template Injection |
| `secrets [--verify]` | Secret/credential detection |
| `params ` | Hidden parameter discovery |
| `domxss ` | DOM XSS static analysis |
| `nuclei ` | CVE/vuln scan (6000+ templates) |
| `crawl ` | Spider for endpoints |
| `hunter ` | Full recon automation |
| `mass_check ` | Batch scanning |
| `report` | Generate HTML report |
### Global Flags
| Flag | Description |
|------|-------------|
| `--cookie`, `-c` | Session cookie |
| `--proxy`, `-p` | Proxy URL (Burp, ZAP) |
| `--stealth`, `-s` | Evasion mode |
| `--cf-bypass` | Cloudflare bypass |
| `--oob` | Out-of-band detection |
| `--heavy` | Headless browser mode |
---
## Output Structure
```
TSURUGI/
โโโ loot/ # Vulnerability findings (JSON)
โ โโโ sqli_*.json
โ โโโ xss_confirmed_*.json
โ โโโ secrets_*.json
โ โโโ screenshots/ # XSS confirmation screenshots
โโโ reports/ # HTML reports
โโโ payloads/ # Custom payload files
```
---
## ๐ฅ Example Workflow
```bash
# 1. Crawl target for endpoints
python tsurugi.py crawl "https://target.com" --depth 2
# 2. Test for SQLi
python tsurugi.py attack "https://target.com/api?id=1"
# 3. Test for XSS (confirmed in browser)
python tsurugi.py xss "https://target.com/search?q=x" --confirm
# 4. Find hidden parameters
python tsurugi.py params "https://target.com/api/user"
# 5. Scan for CVEs
python tsurugi.py nuclei "https://target.com"
# 6. Generate report
python tsurugi.py report
```
---
## โ ๏ธ Disclaimer
This tool is intended for **authorized security testing only**.
Usage against systems without explicit permission is illegal. The authors assume no liability for misuse of this software.
---
Open Source Security Framework by HikariSystem