OmniStrike
All-in-one Burp Suite attack framework — 16 active scanners, 4 passive analyzers, SQL exploitation engine (OmniMap), AI-powered fuzzing, prerequisite chain automation (Stepper), built-in OOB server (HTTP+DNS). Single JAR, Montoya API.
Install / Use
/learn @worldtreeboy/OmniStrike
README
OmniStrike
The last Burp extension you'll ever install.
17 active scanners. 6 passive analyzers. 11 auto-triggered technology scanners. SQL exploitation engine. AI-powered fuzzing.
Technology profiling. Session automation. Custom OOB server. File payload generator. Zero false positives.
One JAR. One click. Everything.
The Problem
You install Burp Suite. Then you install 15 extensions. They fight for threads, duplicate requests, miss the gaps between them, and half of them haven't been updated since 2021. Your Burp is slow, your findings are fragmented, and you're still missing bugs.
The Solution
OmniStrike replaces your entire extension stack with a single JAR. Every scanner shares one thread pool, one deduplication engine, one findings database, and one Collaborator pipeline. No conflicts. No duplicates. No gaps.
Extensions tab --> Add --> Java --> omnistrike.jar --> Done.
What It Scans
17 Active Injection Scanners + 11 Auto-Triggered Technology Scanners
| Scanner | What It Does |
|:--------|:-------------|
| SQL Injection | 6-phase detection: error-based + UNION + boolean-blind (2-round) + time-blind (3-step) + OOB (64 payloads) + auth bypass. ~375 payloads/param across 10 DBMS. REST path segment injection. |
| Command Injection | 3-step time verification, structural regex output matching, 140 payloads/param (Unix + Windows), $IFS/backtick/encoding bypasses. |
| SSRF | Collaborator OOB, DNS rebinding, 49 localhost bypasses, 31 protocol smuggling payloads (file/gopher/dict/ftp/ldap/tftp). |
| SSTI | 20 template engines, large-number canaries, template syntax consumption verification, 32 OOB payloads. |
| XSS | (Removed in v1.63 — use Burp's built-in scanner for XSS) |
| XXE | 4-phase: XML body + XInclude + JSON-to-XML + Content-Type forcing. UTF-16 bypass, SAML detection, 14 OOB payloads. |
| Deserialization | 6 languages, 137+ gadget chains (Java/PHP/.NET/Python/Ruby/Node.js). Jackson Tier 2 gadgets with PTV bypass probes. Passive fingerprinting + OOB-first detection. |
| Path Traversal | 24 Unix + 9 Windows targets, 26 encoding bypasses, PHP wrappers, structural content validation with multi-marker confirmation. |
| GraphQL | 7-phase: introspection (4 bypasses), schema analysis, injection testing, IDOR, DoS config, HTTP-level, error disclosure. |
| CORS | Reflected origin, null trust, subdomain trust, scheme downgrade, wildcard+credentials, preflight bypass. |
| Cache Poisoning | 30 unkeyed header vectors, 29 unkeyed query params, cacheability analysis, canary-based poison confirmation. |
| Host Header | Password reset poisoning via Collaborator, routing SSRF, duplicate Host, override headers. |
| HTTP Param Pollution | Duplicate param precedence, privilege escalation patterns, WAF bypass via splitting. |
| Prototype Pollution | Server-side __proto__/constructor.prototype with canary persistence verification, behavioral gadgets. |
| LDAP Injection | 4-phase: error-based (2+ signature requirement), boolean differential (2-round), auth bypass (multi-signal), wildcard amplification. Zero FP design. |
| Bypass URL Parser | 13 modes for 403/401 bypass: path manipulation, encoding variants, method override, IP spoofing, rewrite headers, user-agent rotation. |
| CSRF Manipulator | 11 token manipulation tests: remove, empty, random, truncated, char flip, case swap, nonce reuse, Referer/Origin removal. |
| WebSocket | (Removed in v1.63) |
| OmniMap | Post-detection SQL exploitation engine. Details below. |
11 Auto-Triggered Technology Scanners
These scanners cannot be manually triggered. They passively detect specific technologies in responses and automatically launch targeted attacks when confirmed. Zero noise on non-target systems. Each scanner's detection gate uses only technology-exclusive patterns — no generic error strings.
| Scanner | Trigger | Attack |
|:--------|:--------|:-------|
| Dynamics 365 FetchXML | D365 error patterns (Microsoft.Xrm.Sdk, OrganizationServiceFault, CRM-context error codes) + D365 headers | FetchXML injection: data exposure via <all-attributes/>, filter bypass tautologies, <link-entity> cross-entity joins, sensitive entity enumeration. Encoding-preserving (base64/URL/raw). |
| SAP OData Injection | SAP error patterns (SAP-ABAP, CX_SY_, /IWBEP/) + SAP-specific headers | OData $filter injection, entity enumeration (S/4HANA A_ prefix + legacy naming), $expand cross-entity access, $metadata exposure. |
| Salesforce SOQL Injection | Salesforce-exclusive patterns (System.QueryException, System.SObjectException, Visualforce) + SF headers | SOQL filter tautology (OR Id != null), object enumeration (12 sensitive objects), FIELDS(ALL) field enumeration, SOSL search injection. |
| Firebase Misconfiguration | Firebase URL patterns (.firebaseio.com, firestore.googleapis.com) + config triple-check (projectId+storageBucket+apiKey) | Unauthenticated read (.json suffix), write test with automatic cleanup, Firestore collection enumeration with differential probe, Firebase Auth enumeration (signInWithPassword + createAuthUri). |
| SharePoint CAML Injection | SP error patterns (Microsoft.SharePoint, \bSPWeb\b, Invalid CAML) + SP-specific headers (sprequestguid, x-sharepointhealthscore) | CAML filter injection (tautology), ViewFields expansion (JSON key format), REST list enumeration (mandatory odata.metadata marker), cross-list joins with <ProjectedFields> verification. |
| ServiceNow GlideRecord | SN error patterns (GlideRecord, GlideSystem, com.glide.(db\|script\|processors)) + x-is-logged-in header | Encoded query injection (tautology/wildcard), table enumeration with differential probe, field exposure filtered to SENSITIVE_FIELDS set, ACL bypass via dot-walking with password value validation. |
| Apache Solr Query | Solr error patterns (SolrException, org.apache.solr) + /solr/ URL + body markers (responseHeader, numFound) | *:* query injection with numFound differential, fl=* field enumeration, admin endpoint probes (_cat/indices equivalent) with differential, streaming expression detection, SSRF via shards (connection-error only). |
| Odoo Domain Filter | Odoo-exclusive patterns (odoo.exceptions.*, openerp.exceptions) + 3-signal URL gate (Odoo URL + JSON-RPC body + odoo. body marker) | Domain filter tautology (correct Polish-notation OR for multi-clause domains), admin-only model enumeration (7 restricted models), field exposure with non-trivial value validation, fields_get schema probing at INFO severity. |
| Elasticsearch Query | ES-exclusive patterns (ElasticsearchException, org.elasticsearch., SearchPhaseExecutionException) + URL/body dual-signal | *:* query injection with total_hits differential (anchored to hits context, ES 6.x/7.x+), index enumeration (_cat/indices, _cluster/health, _nodes), _source=* field exposure, _exists_ query syntax confirmation. |
| Spring Boot Actuator | Spring-exclusive patterns (Whitelabel Error Page, org.springframework., DispatcherServlet) + actuator URL/HAL JSON dual-signal | Actuator root discovery with differential, 15 sensitive endpoint probes with per-endpoint JSON validation (env/configprops/heapdump/mappings/httptrace/sessions/etc.), legacy Spring Boot 1.x paths with differential probes. Binary Content-Type validation for heapdump. Per-host dedup. |
| WordPress REST API | (Coming soon) | User enumeration, exposed drafts, plugin enumeration. |
6 Passive Analyzers
| Analyzer | What It Finds |
|:---------|:--------------|
| Client-Side | DOM XSS source-to-sink, prototype pollution, hardcoded secrets (entropy-validated), postMessage, open redirects. Auto-skips minified libraries. |
| Endpoint Finder | Extracts API endpoints and paths from JS/HTML/JSON via 13+ regex patterns. |
| Subdomain Collector | Discovers subdomains from CSP, CORS, redirects, and response bodies. |
| Security Headers | HSTS, CSP, CORS, cookie flags, X-Frame-Options, server version disclosure. Consolidated per host. |
| Tech Fingerprinter | Detects servers, languages, frameworks, CMS, JS libraries, WAF/CDN, caches, cloud platforms. |
| Sensitive Data | Credit cards (Luhn), SSNs (range-validated), emails, phones, internal IPs, JWTs, DB connection strings, AWS ARNs, crypto addresses, IBANs. A
