Overview

Vulcn’s plugin system allows you to extend its capabilities with custom detection logic, payload sources, and reporting formats. The architecture is based on hooks—lifecycle events that plugins can listen to and respond to.
┌──────────────────────────────────────────────────────────────────────┐
│                          @vulcn/engine                                │
│  ┌─────────────┐  ┌─────────────┐  ┌──────────────────────────────┐  │
│  │   Recorder  │  │   Runner    │  │       Plugin Manager         │  │
│  │  (capture)  │  │  (replay)   │  │  ┌──────┐ ┌──────┐ ┌──────┐  │  │
│  └─────────────┘  └─────────────┘  │  │  P1  │ │  P2  │ │  P3  │  │  │
│                                     │  └──────┘ └──────┘ └──────┘  │  │
│        ▲               ▲           └──────────────────────────────┘  │
│        │               │                        ▲                     │
│        └───────────────┴────────────────────────┘                     │
│                    Plugin Hooks                                       │
└──────────────────────────────────────────────────────────────────────┘

Plugin Types

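| Type         | Purpose                  | Example                    |
|--------------|--------------------------|----------------------------|
| Loaders      | Provide payloads         | @vulcn/plugin-payloads     |
| Detectors    | Find vulnerabilities     | @vulcn/plugin-detect-xss   |
| Reporters    | Output findings          | @vulcn/plugin-report-sarif |
| Transformers | Modify sessions/payloads | Custom preprocessing       |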

Official Plugins

Configuration

Plugins are configured in vulcn.config.yml:
plugins:
  - name: "@vulcn/plugin-payloads"
    config:
      builtin: true

  - name: "@vulcn/plugin-detect-xss"
    config:
      detectDialogs: true
      severity: high

Managing Plugins

Use the CLI to manage plugins:
# List configured plugins
vulcn plugin list

# Add a plugin
vulcn plugin add @vulcn/plugin-detect-reflection

# Remove a plugin
vulcn plugin remove @vulcn/plugin-detect-reflection

# Enable/disable
vulcn plugin enable @vulcn/plugin-detect-xss
vulcn plugin disable @vulcn/plugin-detect-xss

Default Plugins

When you run vulcn run without a config file, the CLI automatically loads:
  1. Payloads: Loads the xss-basic built-in payload set
  2. Detection: Loads @vulcn/plugin-detect-xss for XSS detection
This ensures Vulcn is useful out of the box.
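
A pre-run check for the plugin list in vulcn.config.yml, added here as an example (it is not part of Vulcn): it flags plugins from outside a trusted npm scope and configs that lack a loader or detector. The type-by-name patterns, the function names and the `acme-vulcn-detector` package are assumptions made for illustration.

```javascript
// Added example, not Vulcn code. Input: the parsed `plugins` array from
// vulcn.config.yml (load the YAML with the parser of your choice).
// ASSUMPTION: type is inferred from the package-name patterns of the plugins
// named on this page; Vulcn itself may classify plugins differently.
const TYPE_PATTERNS = [
  ["loader", /^plugin-payloads(-|$)/],
  ["detector", /^plugin-detect-/],
  ["reporter", /^plugin-report-/],
];

function classify(name) {
  const [, scope = null, base] = /^(?:(@[^/]+)\/)?([\s\S]+)$/.exec(name);
  const hit = TYPE_PATTERNS.find(([, re]) => re.test(base));
  return { scope, type: hit ? hit[0] : "unknown" };
}

function auditPlugins(plugins, trustedScopes = ["@vulcn"]) {
  const findings = [];
  const seen = new Set();
  const types = new Set();
  const add = (level, plugin, msg) => findings.push({ level, plugin, msg });
  (Array.isArray(plugins) ? plugins : []).forEach((p, i) => {
    if (!p || typeof p.name !== "string" || !p.name.trim()) {
      return add("error", `#${i}`, "entry has no name");
    }
    if (seen.has(p.name)) add("warn", p.name, "listed more than once");
    seen.add(p.name);
    const { scope, type } = classify(p.name);
    types.add(type);
    if (!trustedScopes.includes(scope)) {
      add("review", p.name, "not in a trusted scope; vet the package before loading it");
    }
  });
  // The built-in defaults apply only when there is no config file at all.
  for (const need of ["loader", "detector"]) {
    if (!types.has(need)) add("warn", "(config)", `no ${need} plugin configured`);
  }
  return findings;
}

// The configuration shown on this page, as parsed data.
const PAGE_PLUGINS = [
  { name: "@vulcn/plugin-payloads", config: { builtin: true } },
  { name: "@vulcn/plugin-detect-xss", config: { detectDialogs: true, severity: "high" } },
];
// Constructed sample: a hypothetical unscoped plugin and no payload loader.
const CONSTRUCTED_PLUGINS = [{ name: "@vulcn/plugin-detect-xss" }, { name: "acme-vulcn-detector" }];
console.log(auditPlugins(PAGE_PLUGINS), auditPlugins(CONSTRUCTED_PLUGINS));
```

Running it in CI before `vulcn run` makes a change to the plugin list visible in review, since every plugin is code the engine loads.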

Plugin Lifecycle

Creating Plugins

Creating Custom Plugins

Learn how to build your own Vulcn plugins