Plugin Configuration

Plugins Array

Plugins are configured in the plugins array:

plugins:
  - name: "@vulcn/plugin-payloads"
    config:
      builtin: true
    enabled: true

  - name: "@vulcn/plugin-detect-xss"
    config:
      detectDialogs: true

Plugin Entry Schema

Field	Type	Description
`name`	string	Plugin package name (required)
`config`	object	Plugin-specific configuration
`enabled`	boolean	Enable/disable the plugin (default: true)

Official Plugins

@vulcn/plugin-payloads

Handles all payload loading:

- name: "@vulcn/plugin-payloads"
  config:
    # Include built-in payloads
    builtin: true

    # Only include specific payload sets
    include:
      - xss-basic
      - sqli-basic

    # Exclude specific payload sets
    exclude:
      - xss-polyglot

    # Fetch from PayloadsAllTheThings
    payloadbox:
      - xss
      - sql-injection

    # Load custom payload files
    files:
      - ./my-payloads.yml
      - ./enterprise-payloads.json

Option	Type	Default	Description
`builtin`	boolean	`true`	Include built-in payloads
`include`	string[]	-	Only include these payload sets
`exclude`	string[]	-	Exclude these payload sets
`payloadbox`	string[]	-	Fetch from PayloadsAllTheThings
`files`	string[]	-	Custom payload file paths

@vulcn/plugin-detect-xss

Execution-based XSS detection:

- name: "@vulcn/plugin-detect-xss"
  config:
    # Monitor dialogs (alert, confirm, prompt)
    detectDialogs: true

    # Monitor console markers
    detectConsole: true

    # Console marker prefix
    consoleMarker: "VULCN_XSS:"

    # DOM mutation detection (experimental)
    detectDomMutation: false

    # Alert patterns to match
    alertPatterns:
      - "XSS"
      - "1"
      - "document.domain"

    # Finding severity
    severity: high

Option	Type	Default	Description
`detectDialogs`	boolean	`true`	Monitor alert/confirm/prompt
`detectConsole`	boolean	`true`	Detect console markers
`consoleMarker`	string	`"VULCN_XSS:"`	Console marker prefix
`detectDomMutation`	boolean	`false`	Check for injected scripts
`alertPatterns`	string[]	`["XSS", "1", ...]`	Patterns to match in alerts
`severity`	string	`"high"`	Finding severity level

@vulcn/plugin-detect-reflection

Pattern-based reflection detection:

- name: "@vulcn/plugin-detect-reflection"
  config:
    # Detection modes
    detectBody: true
    detectScript: true
    detectAttribute: true

    # Minimum payload length to check
    minPayloadLength: 4

    # Severity by context
    bodySeverity: low
    scriptSeverity: medium
    attributeSeverity: medium

    # Dangerous patterns to watch for
    dangerousPatterns:
      - onerror
      - onclick
      - javascript:

Option	Type	Default	Description
`detectBody`	boolean	`true`	Detect reflection in HTML body
`detectScript`	boolean	`true`	Detect reflection in script context
`detectAttribute`	boolean	`true`	Detect reflection in attributes
`minPayloadLength`	number	`4`	Skip payloads shorter than this
`bodySeverity`	string	`"low"`	Severity for body reflection
`scriptSeverity`	string	`"medium"`	Severity for script reflection
`attributeSeverity`	string	`"medium"`	Severity for attribute reflection

Disabling Plugins

Temporarily disable a plugin without removing it:

- name: "@vulcn/plugin-detect-reflection"
  enabled: false
  config:
    detectBody: true

Or use the CLI:

vulcn plugin disable @vulcn/plugin-detect-reflection

Plugin Loading Order

Plugins are loaded in the order they appear in the config file. This affects:

Payload loading (first payload plugin provides payloads first)
Hook execution (hooks run in plugin order)
Finding collection (findings accumulated in order)

Keep detection plugins after the payloads plugin so payloads are loaded before detection begins.

Getting Started

CLI Reference

Configuration

Plugin Configuration

Plugins Array

Plugin Entry Schema

Official Plugins

@vulcn/plugin-payloads

@vulcn/plugin-detect-xss

@vulcn/plugin-detect-reflection

Disabling Plugins

Plugin Loading Order

Getting Started

CLI Reference

Configuration

​Plugins Array

​Plugin Entry Schema

​Official Plugins

​@vulcn/plugin-payloads

​@vulcn/plugin-detect-xss

​@vulcn/plugin-detect-reflection

​Disabling Plugins

​Plugin Loading Order

Plugins Array

Plugin Entry Schema

Official Plugins

@vulcn/plugin-payloads

@vulcn/plugin-detect-xss

@vulcn/plugin-detect-reflection

Disabling Plugins

Plugin Loading Order