https://github.com/xalgord/xalgorix

Xalgorix - The Most Powerful Open-Source AI Pentesting Agent

ai ai-tools bug-bounty bugbounty cybersecurity security technology

# Xalgorix

[![Go](https://img.shields.io/badge/Go-1.24-00ADD8?style=for-the-badge&logo=go&logoColor=white)](https://go.dev)
[![License](https://img.shields.io/badge/License-MIT-00ff88?style=for-the-badge)](LICENSE)
[![Buy Me a Coffee](https://img.shields.io/badge/Buy%20Me%20a%20Coffee-ffdd00?style=for-the-badge&logo=buymeacoffee&logoColor=black)](https://buymeacoffee.com/xalgord)

The most powerful open-source AI autonomous pentesting agent.

---

## 📸 Screenshots

### Web UI Dashboard
![Web UI](assets/ui-screenshot-1.png)

### Live Feed & Vulnerabilities
![Live Feed](assets/ui-screenshot-2.png)

### Vulnerability Details
![Vulnerability Details](assets/ui-screenshot-3.png)

### Chat Interface
![Chat Interface](assets/ui-screenshot-4.png)

---

## 🚀 Xalgorix — The Most Powerful Open-Source AI Pentesting Agent

**Xalgorix is the most comprehensive open-source autonomous penetration testing platform.** It combines the power of AI with 70+ security tools to deliver enterprise-grade pentesting — completely free.

### Why Xalgorix is #1

| Claim | Reality |
|-------|---------|
| **Most Complete** | ✅ Only open-source tool with Web UI + Live Feed + Chat + PDF + Discord |
| **Most Thorough** | ✅ 3 scan modes + zero-day discovery: Single → DAST → Wildcard + behavioral fuzzing |
| **Most Automated** | ✅ Auto-installs tools, auto-generates PDF, auto-sends Discord alerts |
| **Most Flexible** | ✅ Works with any LLM (OpenAI, Anthropic, DeepSeek, **MiniMax ⭐**, Google, Groq, Ollama) |
| **Most Production-Ready** | ✅ Rate limiting, circuit breaker, queue system, severity filtering |
| **Most Customizable** | ✅ Named scans, per-phase methodology selection, branded PDF reports with logo upload |

> **TL;DR:** Give it a target URL, and Xalgorix will find vulnerabilities, generate a professional PDF report, and send Discord alerts — all automatically.

### What Makes Xalgorix Different?

- **🚀 Autonomous** — Give it a target, watch it work. No human intervention needed.
- **🧠 AI-Powered** — Leverages LLMs for intelligent decision-making.
- **🔓 100% Free** — No SaaS, no per-scan fees, no limits.
- **🏠 Self-Hosted** — Your data never leaves your machine.
- **⚡ Lightning Fast** — Uses maximum threads, comprehensive flags.
- **🎯 Precision** — Only reports exploitable vulnerabilities, not false positives.
- **🔬 Zero-Day Hunter** — Behavioral fuzzing, parser differentials, and timing side-channels to find novel vulns.
- **🛡️ Safe** — Blocks destructive commands, rate limiting protects your IP.

---

## ✨ Key Features

| Feature | Description |
|---------|-------------|
| 🤖 **Autonomous Agent** | LLM-driven pentesting with 22-phase methodology |
| 🎯 **Single Scan** | Scan a single URL/target with full vulnerability testing |
| 🔍 **DAST Scan** | Scan specific URLs with deep vulnerability testing |
| 🌐 **Wildcard Scan** | Enumerate all subdomains → scan each individually |
| 📝 **Named Scans** | Give each scan a custom name for easy identification |
| 💾 **Save & Launch Later** | Prepare scans without starting — launch when ready |
| 🔬 **Phase Selection** | Choose specific methodology phases per scan (e.g., recon only) |
| 🎯 **Severity Filter** | Filter by Critical/High/Medium/Low/Info |
| 🚫 **Out of Scope** | Define targets to exclude from testing |
| 🔒 **Safety First** | Blocks destructive commands, encoding bypass detection |
| 🛡️ **Self-Scan Prevention** | Automatically blocks local/private IPs (127.0.0.1, 10.x, 192.168.x, etc.) |
| 🔌 **Circuit Breaker** | Auto-blocks failing tools after 5 attempts |
| 🌐 **Web UI** | Dark mode dashboard with live feed & token tracking |
| 💬 **Chat During Scan** | Send messages to the agent while a scan is running |
| 📱 **Mobile Ready** | Works on phones & tablets |
| 💾 **Scan Persistence** | Resume interrupted scans after restart |
| 📊 **PDF Reports** | Professional branded pentest reports with custom logo |
| 🏷️ **Report Branding** | Upload company logo and set company name for white-label reports |
| 🔔 **Discord Alerts** | Severity-filtered notifications on scan start/vuln/completion |
| 🔧 **Auto-Install** | 70+ tool → package mappings |
| 🧠 **Multi-LLM** | OpenAI, Anthropic, DeepSeek, MiniMax, Groq, Ollama, Google |
| 🔐 **Authentication** | Optional login protection for dashboard |
| 🔍 **CVE Search** | Query NIST NVD database for CVE details |
| 🐛 **Exploit Search** | Search Exploit-DB for public exploits |
| 🔎 **Web Search** | Gemini, Brave, Google, Bing, DuckDuckGo integration |
| ✅ **Tool Pre-Check** | Auto-installs missing tools before running |
| 📧 **AgentMail** | Built-in email for sign-up verification & OTP |
| 🛡️ **Python venv** | Auto-creates ~/venv for Python tools |
| 🔬 **Zero-Day Discovery** | Behavioral fuzzing, parser differentials, timing oracles, type confusion |

---

## 🆚 Why Xalgorix?

### Comprehensive Comparison with Open-Source Alternatives

| Feature | Xalgorix | Shannon | Strix | PentestGPT | HexStrike | PentAGI | Nebula |
|---------|:--------:|:------:|:-----:|:----------:|:---------:|:-------:|:------:|
| **Self-Hosted** | ✅ | ⚠️ SaaS | ✅ | ✅ | ✅ | ✅ | ✅ |
| **Blackbox Testing** | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| **Whitebox Testing** | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| **Web UI Dashboard** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Live Real-Time Feed** | ✅ | ❌ | ❌ | ⚠️ Term | ❌ | ❌ | ❌ |
| **Chat During Scan** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **PDF Reports Auto** | ✅ | ✅ | ✅ | ⚠️ Manual | ❌ | ❌ | ❌ |
| **Discord Alerts** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Browser Automation** | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| **Auto-Install Tools** | ✅ 70+ | ❌ | ⚠️ Docker | ⚠️ Docker | ⚠️ MCP | ⚠️ Docker | ⚠️ CLI |
| **Rate Limiting** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Multi-Target Queue** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Severity Filtering** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Circuit Breaker** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **DAST Mode** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Wildcard Scan** | ✅ | ❌ | ❌ | ⚠️ Manual | ❌ | ⚠️ Manual | ❌ |
| **CVE Search Built-in** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Exploit Search** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Web Search** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Requires Source Code** | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Zero-Day Discovery** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Bug Bounty Focus** | ✅ | ⚠️ SaaS | ✅ | ✅ | ⚠️ MCP | ⚠️ Docker | ✅ |

### Feature Details

- **Shannon** — Requires source code (white-box only), part of the paid Keygraph platform
- **Strix** — Docker-based, good for bug bounty, no web UI
- **PentestGPT** — Published at USENIX Security 2024, terminal-only interface
- **HexStrike** — MCP server integration, 150+ tools via the MCP protocol
- **PentAGI** — Multi-agent Docker system, complex setup required
- **Nebula** — CLI assistant, good for quick scans but limited methodology

### Why Xalgorix is the Best Choice

1. **🎯 Most Complete Web UI**
   - Only tool with full dashboard, live feed, chat, token tracking
   - See everything in real time, interact with the agent during a scan

2. **🔄 Multiple Scan Modes**
   - Single: Quick target scan
   - DAST: Deep URL vulnerability testing
   - Wildcard: Subdomain enumeration → scan each individually
   - Most comprehensive coverage

3. **🔔 Built-in Notifications**
   - Discord alerts on start/vuln/complete
   - PDF reports auto-generated

4. **🛡️ Production Ready**
   - Rate limiting (protect your IP)
   - Circuit breaker (auto-block failing tools)
   - Queue system (scan multiple targets)
   - Severity filtering (focus on what matters)

5. **🔍 Built-in Research Tools**
   - CVE search (NIST NVD)
   - Exploit search (Exploit-DB)
   - Web search (Gemini/Brave/Google)

6. **💰 100% Free & Open Source**
   - No SaaS subscription
   - No per-scan fees
   - Your data stays local

### Competitive Advantages Summary

| What You Get | Xalgorix | Others |
|--------------|----------|--------|
| **Web Dashboard** | ✅ | ❌ Most |
| **Live Feed + Chat** | ✅ | ❌ |
| **Auto PDF + Discord** | ✅ | ❌ |
| **3 Scan Modes** | ✅ | ❌ |
| **Tool Auto-Install** | ✅ 70+ | ⚠️ Manual |
| **Production Safety** | ✅ | ❌ |
| **Free Forever** | ✅ | ✅ |

---

## 🛠️ Quick Start

### 1️⃣ Install

> ⚠️ **Requires Go 1.24+** — Check with `go version`. Install/upgrade: [go.dev/dl](https://go.dev/dl/)
>
> ```bash
> # Quick install Go 1.24 on Linux:
> sudo rm -rf /usr/local/go
> wget -q https://go.dev/dl/go1.24.2.linux-amd64.tar.gz
> sudo tar -C /usr/local -xzf go1.24.2.linux-amd64.tar.gz && rm go1.24.2.linux-amd64.tar.gz
> export PATH=/usr/local/go/bin:$HOME/go/bin:$PATH
> ```

```bash
# Recommended — build from source
git clone https://github.com/xalgord/xalgorix.git
cd xalgorix
make install

# Or install via Go
GOPROXY=direct go install -v github.com/xalgord/xalgorix/v4/cmd/xalgorix@latest
```

> **💡 Update:** Run `xalgorix --update` to get the latest version. Xalgorix also auto-updates on every start by downloading binaries from GitHub releases.

### 2️⃣ Configure

```bash
# Create ~/.xalgorix.env
nano ~/.xalgorix.env
```

```bash
# ⭐ Recommended — MiniMax (best performance-to-cost ratio for pentesting)
XALGORIX_LLM=minimax/MiniMax-M2.7
XALGORIX_API_KEY=your_minimax_api_key

# OR use OpenAI:
# XALGORIX_LLM=openai/gpt-5.4
# XALGORIX_API_KEY=sk-...

# OR use Anthropic:
# XALGORIX_LLM=anthropic/claude-sonnet-4-20250514
# XALGORIX_API_KEY=sk-ant-...

# Optional
XALGORIX_DISCORD_WEBHOOK=https://discord.com/api/webhooks/...
```

> 🎁 **Exclusive 10% OFF MiniMax:** [Get your discount here](https://platform.minimax.io/subscribe/coding-plan?code=4ujDUlOIz3&source=link)

> ⚠️ **Note:** Xalgorix will refuse to start if `~/.xalgorix.env` is missing or lacks the required variables (`XALGORIX_LLM` and `XALGORIX_API_KEY`).

### 3️⃣ Run

```bash
# Web UI (recommended)
xalgorix --web

# Or CLI
xalgorix --target https://example.com
```

---

## 📖 Command Reference

### CLI Flags

| Flag | Alias | Description |
|------|-------|-------------|
| `--web` | `-w` | Launch the Web UI dashboard |
| `--port` | `-p` | Web UI port (default: 1337) |
| `--target` | `-t` | Target URL, IP, or local path (repeatable) |
| `--instruction` | `-i` | Custom instructions for the agent |
| `--model` | `-m` | LLM model (overrides XALGORIX_LLM) |
| `--update` | `-up` | Update to latest version |
| `--version` | `-v` | Show version |
| `--start` | — | Install and start as systemd service |
| `--stop` | — | Stop the service |
| `--restart` | — | Restart the service |
| `--uninstall` | — | Remove from system |
| `--help` | `-h` | Show help |

### Environment Variables

#### Required

| Variable | Description | Example |
|----------|-------------|---------|
| `XALGORIX_LLM` | Model name (with optional provider prefix) | `openai/gpt-5.4`, `anthropic/claude-opus-4-1-20250805`, `deepseek/deepseek-v4-pro`, `google/gemini-3.1-pro-preview`, `minimax/MiniMax-M2.7`, `custom/my-model` |
| `XALGORIX_API_KEY` | API key | `sk-...` |

#### Optional - API Base (for custom providers)

| Variable | Description | Example |
|----------|-------------|---------|
| `XALGORIX_API_BASE` | API base URL (auto-detected from provider prefix if not set) | `https://api.openai.com/`, `https://api.anthropic.com`, `https://api.minimax.io/`, `https://your-custom-llm.com/v1` |

#### Optional - Web Search

| Variable | Description | Example |
|----------|-------------|---------|
| `GEMINI_API_KEY` | Google Gemini API key for web search | `AIza...` |

> **💡 Web Search:** If `GEMINI_API_KEY` is set, Xalgorix uses Gemini for web search; otherwise it falls back to scraping Brave/Google/Bing/DuckDuckGo.

> **💡 Custom Providers:** To use any custom LLM provider, set `XALGORIX_LLM=custom/modelname` and `XALGORIX_API_BASE=https://your-api-endpoint.com/v1`.
>
> **💡 Custom Model IDs:** The dashboard model fields provide suggestions but accept typed model IDs, so newly released models can be used without waiting for the dropdown list to be updated.
>
> **💡 Gemini API:** For Google Gemini keys, use the `google/` or `gemini/` prefix when possible. If you set an unprefixed/custom Gemini model with `XALGORIX_API_BASE=https://generativelanguage.googleapis.com/v1`, Xalgorix will still use Gemini's `generateContent` request format and `x-goog-api-key` authentication. Current text-model suggestions include `gemini-3.1-pro-preview`, `gemini-3.1-pro-preview-customtools`, `gemini-3-flash-preview`, and `gemini-3.1-flash-lite-preview`.

#### Supported Provider Prefixes (auto-detected)

| Prefix | API Base |
|--------|----------|
| `openai/` | `https://api.openai.com/v1` |
| `anthropic/` | `https://api.anthropic.com` |
| `deepseek/` | `https://api.deepseek.com/v1` |
| `groq/` | `https://api.groq.com/openai/v1` |
| `google/` | `https://generativelanguage.googleapis.com/v1` |
| `gemini/` | `https://generativelanguage.googleapis.com/v1` |
| `ollama/` | `http://localhost:11434/v1` |
| `minimax/` | `https://api.minimax.io/v1` |

#### Optional - Model Settings

| Variable | Default | Description |
|----------|---------|-------------|
| `XALGORIX_REASONING_EFFORT` | `high` | Reasoning effort: `low`, `medium`, `high` |
| `XALGORIX_LLM_MAX_RETRIES` | `5` | Max retries on API failure |
| `XALGORIX_MEMORY_COMPRESSOR_TIMEOUT` | `60` | Context compression timeout (seconds) |
| `XALGORIX_MAX_ITERATIONS` | `0` | Max iterations (0 = unlimited) |

#### Optional - Integrations

| Variable | Description | Example |
|----------|-------------|---------|
| `XALGORIX_DISCORD_WEBHOOK` | Discord webhook for alerts | `https://discord.com/api/webhooks/...` |
| `XALGORIX_DISCORD_MIN_SEVERITY` | Min severity for Discord alerts (skip noise) | `low`, `medium`, `high`, `critical` |
| `XALGORIX_USERNAME` | Dashboard username (enables auth) | `admin` |
| `XALGORIX_PASSWORD` | Dashboard password | `secret123` |

#### Optional - Rate Limiting

| Variable | Default | Description |
|----------|---------|-------------|
| `XALGORIX_RATE_LIMIT_REQUESTS` | `60` | Requests per window |
| `XALGORIX_RATE_LIMIT_WINDOW` | `60` | Window in seconds |

#### Optional - Browser

| Variable | Default | Description |
|----------|---------|-------------|
| `XALGORIX_DISABLE_BROWSER` | `false` | Set to `true` to disable browser automation |

### Supported Models

Xalgorix supports multiple LLM providers. These are examples, not a hard allowlist:

- ⭐ **MiniMax (Recommended)** — `minimax/MiniMax-M2.7`, `minimax/MiniMax-M2.7-highspeed`, `minimax/MiniMax-M2.5` — Best performance-to-cost for autonomous pentesting
- **OpenAI** — `openai/gpt-5.4`, `openai/gpt-5.4-mini`, `openai/gpt-5.2`, `openai/gpt-4.1`, `openai/o3`
- **Anthropic** — `anthropic/claude-opus-4-1-20250805`, `anthropic/claude-sonnet-4-20250514`, `anthropic/claude-3-7-sonnet-latest`
- **DeepSeek** — `deepseek/deepseek-v4-pro`, `deepseek/deepseek-v4-flash` (`deepseek/deepseek-chat` and `deepseek/deepseek-reasoner` remain legacy compatibility aliases until DeepSeek retires them)
- **Google** — `google/gemini-3.1-pro-preview`, `google/gemini-3.1-pro-preview-customtools`, `google/gemini-3-flash-preview`, `google/gemini-3.1-flash-lite-preview`, `google/gemini-2.5-pro`, `google/gemini-2.5-flash`
- **Groq** — `groq/openai/gpt-oss-120b`, `groq/openai/gpt-oss-20b`, `groq/qwen/qwen3-32b`, `groq/meta-llama/llama-4-scout-17b-16e-instruct`
- **Ollama** — `ollama/llama3.3`, `ollama/qwen3`, `ollama/qwen3-coder` (local)

> 🎁 **Exclusive 10% OFF MiniMax:** [Get your discount here](https://platform.minimax.io/subscribe/coding-plan?code=4ujDUlOIz3&source=link)

---

## 📖 Usage Guide

### Web UI Features

| Feature | Usage |
|---------|-------|
| 🎯 **Single Scan** | Enter URL, click Start |
| 🔍 **DAST Scan** | Select "DAST" mode for URL vulnerability testing |
| 🌐 **Wildcard Scan** | Select "Wildcard" mode for subdomain enumeration → each subdomain gets a full scan |
| 📂 **Multi-Target** | Upload a `.txt` file with one target per line |
| 📝 **Named Scans** | Give each scan a descriptive name for tracking |
| 💾 **Save Without Start** | Click "Save" to prepare a scan, then launch it later from the scan details page |
| 🔬 **Phase Selection** | Tick only the methodology phases you want (e.g., Recon + Injection only) |
| 🎯 **Severity Filter** | Check only Critical/High to skip Low/Info |
| 🚫 **Out of Scope** | Exclude targets from testing |
| 💬 **Custom Instructions** | Tell Xalgorix what to focus on |
| 🏷️ **Report Branding** | Upload a company logo and enter a company name for white-label PDF reports |
| ⚙️ **LLM Provider** | Switch providers in settings |
| 🔔 **Discord** | Add webhook for alerts (with configurable severity threshold) |

### Example Instructions

```text
# Focus on specific vulns
"Focus on SQL Injection and IDOR. Skip XSS."

# Traditional authenticated testing
"Login with: admin@email.com / Password123"

# API key authentication
"API: am_us_pod_474368638921786eec2228b27f..., username: agentmail"

# Email-based service testing
"AgentMail credentials: api_key=xxx, email=user@agentmail.to"

# Bug bounty rules
"This is a HackerOne program. Out of scope: DoS, social engineering."

# Internal network
"Scan 10.0.0.0/24. Focus on SMB and database services."

# 🔬 Zero-day hunting
"Focus on zero-day hunting. Use behavioral fuzzing and parser differentials."

# Targeted anomaly research
"Hunt for novel vulns on the API. Use mutation fuzzing and timing analysis."
```

---

## πŸ—οΈ Architecture

```
xalgorix/
β”œβ”€β”€ cmd/xalgorix/ # CLI entry point
β”œβ”€β”€ internal/
β”‚ β”œβ”€β”€ agent/ # πŸ€– Core agent loop
β”‚ β”œβ”€β”€ config/ # βš™οΈ Configuration
β”‚ β”œβ”€β”€ llm/ # 🧠 LLM client & parser
β”‚ β”œβ”€β”€ tools/ # πŸ”§ 11 built-in tools
β”‚ β”‚ β”œβ”€β”€ terminal/ # πŸ’» Command execution
β”‚ β”‚ β”œβ”€β”€ browser/ # 🌐 Headless Chrome
β”‚ β”‚ β”œβ”€β”€ python/ # 🐍 Python scripts
β”‚ β”‚ β”œβ”€β”€ reporting/ # πŸ“Š Vulnerability reports
β”‚ β”‚ └── ...
β”‚ β”œβ”€β”€ web/
β”‚ β”‚ β”œβ”€β”€ server.go # 🌎 HTTP + WebSocket
β”‚ β”‚ └── static/ # 🎨 Web UI (HTML/CSS/JS)
β”‚ └── tui/ # πŸ“Ÿ Terminal UI
└── internal/tools/skills/ # πŸ“š Vulnerability knowledge (zero-day hunting, response anomaly detection, ...)
```

---

## πŸ›‘οΈ Safety Features

### Self-Scan Prevention

Xalgorix automatically blocks scans targeting local or internal IP addresses. This prevents the agent from accidentally scanning its own server and reporting false vulnerabilities.

**Blocked address ranges:**
- `127.0.0.0/8` (loopback)
- `10.0.0.0/8` (private)
- `172.16.0.0/12` (private)
- `192.168.0.0/16` (private)
- `169.254.0.0/16` (link-local)
- `::1`, `fe80::` (IPv6 loopback/link-local)
- `localhost`, `0.0.0.0`
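As an added illustration (not Xalgorix's own code), the Go below implements such a guard over the ranges listed above. It also shows the check a practitioner should insist on: resolving hostnames before deciding, since a public name that points at an internal address passes a purely string-based test. All function and variable names here are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// blockedCIDRs mirrors the ranges listed above; 0.0.0.0/8 covers 0.0.0.0 and
// fe80::/10 is the IPv6 link-local block. (Example code, not the project's.)
var blockedCIDRs = []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10"}

// hostOf extracts the host from a URL, a host:port pair or a bare host/IP
// (bracketed IPv6 literals included) and lower-cases it.
func hostOf(target string) string {
	t := strings.TrimSpace(target)
	if strings.Contains(t, "://") {
		if u, err := url.Parse(t); err == nil && u.Hostname() != "" {
			return strings.ToLower(u.Hostname())
		}
	}
	if h, _, err := net.SplitHostPort(t); err == nil {
		return strings.ToLower(h)
	}
	return strings.ToLower(strings.Trim(t, "[]"))
}

// isBlockedIP folds IPv4-mapped IPv6 (::ffff:10.0.0.1) to IPv4 first, so that
// spelling cannot slip past the IPv4 ranges.
func isBlockedIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	for _, c := range blockedCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// IsSelfScan reports whether target must be refused. With lookup nil the check is
// syntactic only; with net.LookupIP (or a stub) it also catches names resolving internally.
func IsSelfScan(target string, lookup func(string) ([]net.IP, error)) (bool, error) {
	host := hostOf(target)
	if host == "localhost" {
		return true, nil
	}
	if ip := net.ParseIP(host); ip != nil {
		return isBlockedIP(ip), nil
	}
	if lookup == nil {
		return false, nil // hostname and no resolver: nothing more to decide here
	}
	ips, err := lookup(host)
	if err != nil {
		return false, err
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	blocked, _ := IsSelfScan("http://127.0.0.1:1337/", nil)
	fmt.Println("http://127.0.0.1:1337/ blocked:", blocked) // true
}
```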

### Blocked Commands

```
❌ Filesystem: rm -rf /, rm -rf ~, mkfs, dd
❌ SQL: DROP TABLE, DELETE FROM, UPDATE
❌ System: shutdown, reboot, halt, poweroff
❌ Code: shutil.rmtree, os.remove
```

### Encoding Bypass Detection

Xalgorix detects obfuscated commands:

| Technique | Example |
|----------|--------|
| Base64 | `echo cm0gLXJmIC8= \| base64 -d` |
| Hex | `\x72\x6d\x20\x2d\x72\x66` |
| URL | `%72%6d%20%2d%72%66` |
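An added example (not the project's code) of how such detection can work in Go: strip one encoding layer at a time (`\xNN` escapes, `%NN` URL encoding, base64-looking tokens), re-check each decoded view against the blocked-command rules, and recurse so that stacked encodings such as base64 wrapping URL encoding are caught too. The rule set and all names are constructed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// destructive mirrors the README's blocked-command families (filesystem, SQL,
// system, Python); rules constructed for this example, not Xalgorix's own list.
var destructive = []*regexp.Regexp{
	regexp.MustCompile(`\brm\s+-[a-zA-Z]*[rf][a-zA-Z]*\s+[/~](?:[\s'";|&]|$)`),
	regexp.MustCompile(`\b(?:mkfs(?:\.\w+)?|dd|shutdown|reboot|halt|poweroff)\b`),
	regexp.MustCompile(`(?i)\b(?:drop\s+table|delete\s+from|update\s+\w+\s+set)\b`),
	regexp.MustCompile(`\b(?:shutil\.rmtree|os\.remove)\s*\(`),
}

var (
	hexEsc    = regexp.MustCompile(`(?:\\x[0-9a-fA-F]{2})+`)
	b64Token  = regexp.MustCompile(`[A-Za-z0-9+/]{8,}={0,2}`)
	printable = regexp.MustCompile(`^[\x20-\x7e\n\t]+$`) // rejects binary decodes
)

// decodeOnce returns every variant of s with one encoding layer removed:
// \xNN escapes, %NN URL encoding and base64-looking tokens (padded or not).
func decodeOnce(s string) []string {
	var out []string
	if hexEsc.MatchString(s) {
		out = append(out, hexEsc.ReplaceAllStringFunc(s, func(m string) string {
			b, _ := hex.DecodeString(strings.ReplaceAll(m, `\x`, ""))
			return string(b)
		}))
	}
	if strings.Contains(s, "%") {
		if u, err := url.PathUnescape(s); err == nil && u != s {
			out = append(out, u)
		}
	}
	for _, tok := range b64Token.FindAllString(s, -1) {
		b, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(tok, "="))
		if err == nil && printable.Match(b) {
			out = append(out, strings.Replace(s, tok, string(b), 1))
		}
	}
	return out
}

// CheckCommand matches cmd and every decoded variant up to depth layers deep
// against the rules, returning the offending view and rule ("" when clean).
func CheckCommand(cmd string, depth int) (view, rule string) {
	for _, re := range destructive {
		if re.MatchString(cmd) {
			return cmd, re.String()
		}
	}
	if depth == 0 {
		return "", ""
	}
	for _, v := range decodeOnce(cmd) {
		if view, rule = CheckCommand(v, depth-1); rule != "" {
			return view, rule
		}
	}
	return "", ""
}

func main() {
	v, rule := CheckCommand("echo cm0gLXJmIC8= | base64 -d | sh", 3)
	fmt.Printf("blocked=%v view=%q rule=%q\n", rule != "", v, rule)
}
```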

### Circuit Breaker

After **5 consecutive failures**, a tool is temporarily blocked for **60 seconds** to prevent wasting time.
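An added Go sketch (not Xalgorix's own implementation) of a per-tool circuit breaker with the stated thresholds: five consecutive failures trip it, the tool stays blocked for 60 seconds, a success resets the streak, and after the cooldown one trial run is allowed before it can re-trip. The type and method names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ToolBreaker trips a tool after maxFailures consecutive failures and keeps it
// blocked for cooldown; now is injectable so tests need not sleep. Constructed
// for this example, not Xalgorix's own code.
type ToolBreaker struct {
	maxFailures int
	cooldown    time.Duration
	now         func() time.Time
	failures    map[string]int
	openUntil   map[string]time.Time
}

func NewToolBreaker(maxFailures int, cooldown time.Duration, now func() time.Time) *ToolBreaker {
	if now == nil {
		now = time.Now
	}
	return &ToolBreaker{maxFailures: maxFailures, cooldown: cooldown, now: now,
		failures: map[string]int{}, openUntil: map[string]time.Time{}}
}

// Allow reports whether tool may run. Once the cooldown has elapsed the tool
// gets one trial run (half-open): a single further failure re-trips it.
func (b *ToolBreaker) Allow(tool string) bool {
	until, open := b.openUntil[tool]
	if !open {
		return true
	}
	if b.now().Before(until) {
		return false
	}
	delete(b.openUntil, tool)
	b.failures[tool] = b.maxFailures - 1
	return true
}

// Record feeds an outcome back: success clears the streak, failure extends it
// and trips the breaker at the threshold.
func (b *ToolBreaker) Record(tool string, err error) {
	if err == nil {
		b.failures[tool] = 0
		return
	}
	b.failures[tool]++
	if b.failures[tool] >= b.maxFailures {
		b.openUntil[tool] = b.now().Add(b.cooldown)
		b.failures[tool] = 0
	}
}

// ErrToolBlocked is returned by Run, without invoking fn, while a tool is blocked.
var ErrToolBlocked = errors.New("tool blocked by circuit breaker")

func (b *ToolBreaker) Run(tool string, fn func() error) error {
	if !b.Allow(tool) {
		return ErrToolBlocked
	}
	err := fn()
	b.Record(tool, err)
	return err
}

func main() {
	b := NewToolBreaker(5, 60*time.Second, nil)
	for i := 1; i <= 6; i++ { // the 6th call is refused without running the tool
		fmt.Println("attempt", i, b.Run("nuclei", func() error { return errors.New("timeout") }))
	}
}
```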

---

## 📊 API Endpoints

### Scans

| Method | Endpoint | Description |
|--------|----------|-------------|
| `POST` | `/api/scan` | Start or save scan (supports `name`, `phases`, `company_name`, `logo_path`) |
| `POST` | `/api/stop` | Stop scan |
| `GET` | `/api/status` | Get status |
| `GET` | `/api/scans` | List scans |
| `GET` | `/api/scans/:id` | Get scan details |
| `GET` | `/api/report/:id` | Download PDF |

### Uploads

| Method | Endpoint | Description |
|--------|----------|-------------|
| `POST` | `/api/upload-logo` | Upload company logo for report branding (png/jpg/svg/gif/webp, 5MB max) |
| `POST` | `/api/upload-targets` | Upload target list file (.txt) |

### Queue

| Method | Endpoint | Description |
|--------|----------|-------------|
| `GET` | `/api/queue/status` | Check interrupted queue |
| `POST` | `/api/queue/resume` | Resume scan |
| `POST` | `/api/queue/clear` | Clear queue |

### Settings

| Method | Endpoint | Description |
|--------|----------|-------------|
| `GET` | `/api/settings/rate-limit` | Get rate limit |
| `POST` | `/api/settings/rate-limit` | Update rate limit |

---

## 🧰 Toolkit Architecture (Auto-Installed)

Xalgorix automatically resolves, installs, and manages **70+ security tools** on the fly. If the agent tries to use a tool that is not installed, Xalgorix pauses execution, installs it (via `apt`, `go install`, `cargo`, `pip`, etc.), and resumes transparently.

### 🌐 Asset Discovery & Networking
* **Subdomain & DNS:** `subfinder`, `findomain`, `assetfinder`, `dnsx`, `amass`, `nslookup`, `dig`, `host`, `whois`
* **Network & Ports:** `nmap`, `masscan`, `naabu`, `netcat` (`nc`), `socat`, `tcpdump`, `traceroute`

### 🔎 Web Crawling & URL Discovery
* **Spiders & Crawlers:** `katana`, `gospider`, `hakrawler`
* **Archive Extractors:** `gau` (GetAllUrls), `waybackurls`
* **Parameters:** `paramspider`, `arjun`

### 💥 Vulnerability Scanners & Fuzzers
* **Scanners:** `nuclei`, `sqlmap`, `dalfox` (XSS)
* **Fuzzers:** `ffuf`, `gobuster`, `wfuzz`, `feroxbuster`, `dirb`
* **Web Toolkit:** `httpx`, `curl`, `wget`, `httpie`

### 📦 Utilities & System
* **Text & Data:** `jq`, `xmllint`, `html2text`, `awk`, `sed`, `grep`
* **Security & Crypto:** `openssl`, `base64`, `xxd`, `strings`
* **Environment:** `python3`, `pip3`, `python3-venv`, `git`, `unzip`

---

## 📋 22-Phase Methodology

> **💡 Tip:** You can select which phases to run per scan via the dashboard's phase checkboxes.

1. 🔍 **Deep Reconnaissance & Attack Surface Mapping** — Subdomains, ports, tech stack fingerprinting
2. 🦠 **Manual Vulnerability Discovery** — Nuclei, nmap scripts, manual probing
3. 📂 **Directory & File Discovery** — Fuzzing, backups, admin panels, hidden paths
4. 🔐 **CORS & Cookie Analysis** — Cross-origin policy, cookie flags, SameSite
5. 🔑 **Authentication & Session Testing** — Login bypass, brute-force, session fixation, OAuth flaws
6. 💉 **Injection Testing** — XSS, SQLi, Command injection, XXE, SSTI
7. 🔄 **SSRF Testing** — Parameter fuzzing, cloud metadata, internal service access
8. 🚪 **IDOR & Broken Access Control** — Privilege escalation, object reference manipulation
9. 🌐 **API & GraphQL Testing** — REST/GraphQL introspection, rate limiting, auth bypass
10. 📤 **File Upload Testing** — Extension bypass, webshells, content-type abuse
11. ⚙️ **Deserialization & RCE** — Unsafe deserialization, Log4Shell, command chaining
12. ⏱️ **Race Conditions & Business Logic** — TOCTOU, double-spend, workflow bypass
13. 🌟 **Subdomain Takeover** — Dangling CNAMEs, unclaimed services
14. 🔀 **Open Redirect Testing** — Parameter-based redirects, header injection
15. 📧 **Email Security Testing** — SPF, DKIM, DMARC misconfigurations
16. ☁️ **Cloud & Infrastructure** — S3 buckets, Azure blobs, GCP, K8s misconfigs
17. 🔌 **WebSocket Testing** — Origin validation, injection, protocol abuse
18. 🔌 **CMS-Specific Testing** — WordPress, Joomla, Drupal plugin/theme vulns
19. 🔗 **Broken Link Hijacking & Content Spoofing** — Expired domains, unclaimed resources
20. ✅ **Exploit Verification** — Confirm and verify all findings with PoC
21. 🔬 **Zero-Day & Novel Vulnerability Discovery** — Behavioral fuzzing, parser differentials, type confusion, timing oracles
22. 📝 **Final Report** — JSON + branded PDF with executive summary

---

## 📄 PDF Report Contents

The auto-generated report includes:

- ✅ Cover page with target, date & company branding
- 🏷️ Custom logo and company name (uploaded via dashboard)
- 📊 Executive summary with vuln counts
- 🐛 Vulnerability details (CVSS, PoC, remediation)
- 🔗 Tested endpoints
- 📋 Methodology phases applied
- ⏱️ Timestamps for blue team log correlation
- ⚠️ Legal disclaimer

---

## πŸ“ Data Storage

```
~/xalgorix-data/
β”œβ”€β”€ logos/ # Uploaded company logos for report branding
β”‚ └── 1736000000_logo.png
β”œβ”€β”€ target.com/
β”‚ └── 2026-01-15/
β”‚ └── example.com_abc123/
β”‚ └── scan.json
β”‚ └── target.io_def456/
β”‚ └── scan.json
└── queue_state.json
```

- πŸ“… 30-day auto-cleanup
- πŸ’Ύ Survives page refresh
- πŸ”„ Queue resume after restart

---

## 🤝 Contributing

Pull requests welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.

---

## 📜 License

MIT License — see [LICENSE](LICENSE).

---

## 🔗 Links

| Resource | URL |
|----------|-----|
| 📖 Documentation | [docs.xalgorix.com](https://docs.xalgorix.com) |
| 🐛 Issues | [github.com/xalgord/xalgorix/issues](https://github.com/xalgord/xalgorix/issues) |
| ☕ Donate | [buymeacoffee.com/xalgord](https://buymeacoffee.com/xalgord) |

---

**Built with ⚑ by [@xalgord](https://github.com/xalgord)**
*Use responsibly.*