
What is Vulcn?

Vulcn is a driver-based security testing framework that makes it easy to find vulnerabilities in applications. Instead of manually testing each input with different payloads, Vulcn lets you:
  1. Record interactions once (browser clicks, API requests, CLI commands)
  2. Replay sessions with security payloads injected into inputs
  3. Detect vulnerabilities via plugins (XSS, SQLi, reflection, etc.)

Architecture

Vulcn v0.3.0 introduces a modular architecture with drivers for different targets and plugins for detection:

Key Features

Modular drivers for different recording targets. Browser driver included, with API and CLI drivers coming soon.
# Record web application
vulcn record https://example.com --driver browser

# Future: Record API calls
vulcn record https://api.example.com --driver api
Automatically injects security payloads into injectable fields during replay. Built-in payloads cover XSS, SQLi, SSRF, XXE, and more.
vulcn run session.vulcn.yml --payload xss-basic sqli-basic
Extend Vulcn with plugins for custom detection, payload loading, and reporting. Hook-based architecture for easy customization.
# vulcn.config.yml
plugins:
  - name: "@vulcn/plugin-detect-xss"
  - name: "@vulcn/plugin-detect-reflection"
Unlike pattern-matching tools, Vulcn detects actual JavaScript execution—when alert() fires, you know the XSS is real.
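
How an injected string comes back in a response shows why a reflection match is only a lead and execution is the confirmation. The JavaScript below is an added example, not Vulcn's code or its plugins' logic; the function names, sample paths and response bodies are constructed for illustration.

```javascript
// Added example (not Vulcn source): classify how a test string was reflected.
const NAMED = new Map([['lt', '<'], ['gt', '>'], ['amp', '&'], ['quot', '"'], ['apos', "'"]]);

// Decode the named and numeric HTML entities an output encoder typically emits.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, e) => {
    if (e[0] !== '#') return NAMED.get(e.toLowerCase()) ?? match;
    const code = /^#x/i.test(e) ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// 'raw'     : markup characters came back intact, so the browser may parse them
// 'encoded' : the string is present but entity-encoded, inert in HTML text context
// 'absent'  : the string did not come back at all
function classifyReflection(body, payload) {
  if (body.includes(payload)) return 'raw';
  if (decodeEntities(body).includes(payload)) return 'encoded';
  return 'absent';
}

// Constructed test string and responses; the paths are hypothetical.
const PAYLOAD = '<script>alert(1)</script>';
const SAMPLES = [
  { url: '/search', body: '<p>Results for <script>alert(1)</script></p>' },
  { url: '/profile', body: '<p>Hello &lt;script&gt;alert(1)&lt;/script&gt;</p>' },
  { url: '/comment', body: '<p>&#60;script&#62;alert(1)&#60;/script&#62;</p>' },
  { url: '/about', body: '<p>Static page</p>' },
];

// A naive substring match on decoded text would flag three pages; only the raw
// reflection is worth confirming by watching for real script execution.
function triage(samples, payload) {
  return samples.map(({ url, body }) => {
    const reflection = classifyReflection(body, payload);
    return { url, reflection, needsExecutionCheck: reflection === 'raw' };
  });
}

for (const row of triage(SAMPLES, PAYLOAD)) {
  console.log(`${row.url}: ${row.reflection}${row.needsExecutionCheck ? ' (confirm by execution)' : ''}`);
}
```

A raw reflection is still not proof: the string may land in a context where it never runs, which is the gap execution-based detection closes.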

How It Works

1. Record a Session
   Choose a driver (browser, api, cli) and record your interactions. Vulcn captures every action as a replayable session.

2. Choose Payloads
   Select from built-in payloads (XSS, SQLi, etc.) or load custom ones from files or PayloadsAllTheThings.

3. Run Tests
   Vulcn replays your session, injecting each payload into every input field and monitoring for vulnerabilities.

4. Review Findings
   Get detailed reports of confirmed vulnerabilities with evidence, payloads, and affected URLs.

Installation

npm install -g vulcn
Vulcn uses Playwright for browser automation. System Chrome/Edge is used by default. Run vulcn doctor to check browser availability.

Quick Example

# Initialize configuration
vulcn init

# Record a session (opens browser)
vulcn record https://vulnerable-app.com --output session.vulcn.yml

# Run security tests
vulcn run session.vulcn.yml

# List available payloads
vulcn payloads

Packages

| Package | Description |
| --- | --- |
| vulcn | CLI tool |
| @vulcn/engine | Core engine with driver & plugin systems |
| @vulcn/driver-browser | Browser recording with Playwright |
| @vulcn/plugin-payloads | XSS, SQLi, SSRF payloads |
| @vulcn/plugin-detect-xss | Execution-based XSS detection |
| @vulcn/plugin-detect-reflection | Pattern-based reflection detection |

Ready to start?

Follow our quickstart guide to find your first vulnerability