Package Exports
- vulcn
- vulcn/dist/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (vulcn) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
🔐 Vulcn
Security testing made simple. Record once, test with payloads, find vulnerabilities.
⚡ Quick Start
```bash
# Install globally
npm install -g vulcn
# Record a session
vulcn record --url https://example.com/login
# Run with XSS payloads
vulcn run session.vulcn.yml --payload xss-basic
```
Zero-config browser support: Vulcn uses your existing Chrome or Edge. No browser downloads needed.
🎯 What is Vulcn?
Vulcn is a security testing tool that:
- Records your browser interactions (clicks, form inputs, navigation)
- Replays them with security payloads injected into input fields
- Detects vulnerabilities like XSS and SQL injection
Think of it as Playwright + Burp Suite, but simpler and focused on automated payload testing.
🚀 Features
| Feature | Description |
|---|---|
| 🎬 Record | Capture browser sessions as replayable YAML files |
| 🔍 Test | Inject XSS, SQLi, and custom payloads automatically |
| 🌐 Cross-platform | Works on macOS, Linux, and Windows |
| 🚫 Zero-config | Uses system Chrome/Edge by default |
| 📊 CI/CD Ready | Exit codes for pipeline integration |
| 🔧 Extensible | Add custom payloads and detection patterns |
📦 Installation
CLI
```bash
npm install -g vulcn
```
Programmatic API
```bash
npm install @vulcn/engine
```
```javascript
import { Recorder, Runner, parseSession } from "@vulcn/engine";
// Record programmatically
const session = await Recorder.start("https://example.com");
// ... user interacts ...
const recorded = await session.stop();
// Run with payloads
const result = await Runner.execute(recorded, ["xss-basic"]);
console.log(result.findings);
```
🎬 Recording
Start recording a session:
```bash
vulcn record --url https://target.com/login
```
Options:
- --url, -u: Start URL (required)
- --output, -o: Output file (default: session.vulcn.yml)
- --browser, -b: Browser (chromium, firefox, webkit)
- --headless: Run headless
When recording:
- Browser opens to your start URL
- Interact normally (fill forms, click buttons)
- Press Ctrl+C to stop and save
🔍 Running Tests
Run a recorded session with payloads:
```bash
vulcn run session.vulcn.yml --payload xss-basic --payload sqli-basic
```
Options:
- --payload, -p: Payload to use (can specify multiple)
- --headless: Run headless (default: true)
- --browser, -b: Browser to use
Built-in Payloads
| Payload | Category | Description |
|---|---|---|
| xss-basic | XSS | Script tags and event handlers |
| xss-event | XSS | Event handler injection |
| xss-svg | XSS | SVG-based XSS |
| sqli-basic | SQLi | Basic SQL injection |
| sqli-error | SQLi | Error-based SQLi detection |
| sqli-blind | SQLi | Blind SQLi payloads |
List all payloads:
```bash
vulcn payloads
```
📄 Session Format
Sessions are stored as YAML:
```yaml
version: "1"
name: Login Test
recordedAt: "2026-02-05T12:00:00Z"
browser: chromium
viewport:
  width: 1280
  height: 720
startUrl: https://example.com/login
steps:
  - id: step_001
    type: navigate
    url: https://example.com/login
    timestamp: 0
  - id: step_002
    type: input
    selector: input[name="username"]
    value: testuser
    injectable: true
    timestamp: 1500
  - id: step_003
    type: click
    selector: button[type="submit"]
    timestamp: 3000
```
🩺 Browser Management
Check available browsers:
```bash
vulcn doctor
```
Install Playwright browsers (if needed):
```bash
vulcn install chromium
vulcn install --all # Install all browsers
```
🔧 CI/CD Integration
Vulcn returns exit code 1 when vulnerabilities are found:
```yaml
# GitHub Actions example
- name: Security Test
  run: |
    npm install -g vulcn
    vulcn run tests/login.vulcn.yml --payload xss-basic --headless
```
📚 Documentation
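A pre-run check for session files that are committed for CI, as an added example that is not part of Vulcn or its README. It takes an already-parsed session object with the fields shown under Session Format and reports navigation targets outside an allowlist of hosts, the input steps marked injectable, and password-like fields whose recorded value is stored in the file. The function names, the allowlist, the extra sample steps, and the reading of `injectable: true` as "this field receives payloads" are assumptions.

```javascript
// Pre-run review of a Vulcn session object (field names from the session
// format on this page). Hypothetical helper, not part of Vulcn.
const SECRET_HINT = /pass(word|wd)?|secret|token|otp/i;

function hostOf(url) {
  try {
    return new URL(url).host;
  } catch {
    return null; // missing, malformed or relative URL: treat as out of scope
  }
}

function reviewSession(session, allowedHosts) {
  const report = { outOfScope: [], injectable: [], recordedSecrets: [] };
  const steps = Array.isArray(session.steps) ? session.steps : [];
  // Every URL the replay opens must be on a host you are authorized to test.
  const urls = [{ id: "startUrl", url: session.startUrl }];
  for (const s of steps) {
    if (s.type === "navigate") urls.push({ id: s.id, url: s.url });
  }
  for (const { id, url } of urls) {
    const host = hostOf(url);
    if (host === null || !allowedHosts.includes(host)) report.outOfScope.push(id);
  }
  for (const s of steps) {
    if (s.type !== "input") continue;
    // Assumption: injectable marks the fields that payloads are written into.
    if (s.injectable === true) report.injectable.push(s.selector);
    // A recorded value in a password-like field is stored in the YAML file.
    if (SECRET_HINT.test(s.selector || "") && s.value) report.recordedSecrets.push(s.id);
  }
  report.ok = report.outOfScope.length === 0 && report.recordedSecrets.length === 0;
  return report;
}

// Constructed sample: the page's session plus a password step and an off-site hop.
const sampleSession = {
  startUrl: "https://example.com/login",
  steps: [
    { id: "step_001", type: "navigate", url: "https://example.com/login", timestamp: 0 },
    { id: "step_002", type: "input", selector: 'input[name="username"]', value: "testuser", injectable: true, timestamp: 1500 },
    { id: "step_003", type: "input", selector: 'input[name="password"]', value: "constructed-value", injectable: true, timestamp: 2000 },
    { id: "step_004", type: "navigate", url: "https://sso.example.net/callback", timestamp: 2500 },
    { id: "step_005", type: "click", selector: 'button[type="submit"]', timestamp: 3000 },
  ],
};

console.log(reviewSession(sampleSession, ["example.com"]));
```

Run it in the pipeline before the `vulcn run` step and fail the job when `ok` is false.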
🛣️ Roadmap
- HTML/JSON reports
- Custom payload definitions
- SSRF and path traversal payloads
- Authenticated session support
- API endpoint testing
- Vulnerability severity scoring
📝 License
Made with ❤️ by rawlab