DursGo: The Go-Powered Web Application Scanner for Cybersecurity

What Is DursGo?

DursGo is a web application security scanner designed for penetration testing and automated security audits. Built with Go, it offers high performance and flexibility, making it ideal for quick scans without sacrificing accuracy. Unlike commercial scanners, DursGo is open-source and free under the MIT License, allowing you to customize it to your needs.

The tool supports scanning modern web applications, including JavaScript-based Single-Page Applications (SPAs), and integrates with Out-of-Band Application Security Testing (OAST) services like Interactsh. It also enriches findings with data from the CISA Known Exploited Vulnerabilities (KEV) catalog, helping you prioritize real-world exploited vulnerabilities.

Additionally, there's a supporting repository called LabVulnerDursGo, which includes vulnerable applications for testing DursGo, complete with video walkthroughs. This is a fantastic resource for beginners looking to learn through hands-on practice.

Features of DursGo

DursGo stands out with its context-aware and intelligent approach. Here are its key features:

  • Intelligent, Context-Aware Scanning: Detects a wide range of vulnerabilities with high accuracy, tailoring logic to contexts like HTML or JavaScript.
  • Comprehensive Authentication Support: Scans applications protected by login forms, bearer tokens, or session cookies.
  • In-Depth Automated Discovery: Crawls web apps thoroughly, including SPAs and API endpoints, with JavaScript rendering via a headless browser (Chrome/Chromium).
  • Accurate Finding Deduplication: Normalizes and removes duplicate findings for clean reports.
  • OAST Integration: Detects blind vulnerabilities like SSRF through out-of-band verification.
  • KEV Enrichment: Adds context from the CISA KEV catalog to findings.
  • Flexible Configuration: Customizable via YAML files and CLI flags.
  • High-Performance Engine: Lightweight and fast, leveraging Go's concurrency.

DursGo also prioritizes reducing false positives with baseline comparison logic, such as in its IDOR and SQLi scanners.

Scan Workflow

DursGo follows a systematic, multi-stage workflow for comprehensive coverage:

  1. Technology Fingerprinting: Identifies the target's technologies (e.g., WordPress, Laravel) to tailor scan modules.
  2. Intelligent Crawling: Discovers URLs, forms, and endpoints, with the -render-js option for SPAs.
  3. Proactive Parameter Discovery: Injects common parameter names to uncover hidden vulnerabilities.
  4. Scanner Execution: Runs selected modules (e.g., XSS, SQLi) concurrently against discovered targets.
  5. OAST Verification: Checks out-of-band interactions if enabled.
  6. Deduplication & Reporting: Aggregates unique findings and generates console or JSON output.

Note: Scans with -s all can take longer due to the multiplicative effect (URLs x Parameters x Payloads x Scanners). For speed, target specific scanners instead.

Installing DursGo

Installation is straightforward but requires Go version 1.23 or newer.

Clone the Repository:

git clone https://github.com/roomkangali/dursgo.git
cd dursgo

Build the Application:

go build -o dursgo ./cmd/dursgo

Copy to PATH (Optional):

sudo cp dursgo /usr/local/bin/

For JavaScript rendering or DOM XSS features, install Chrome/Chromium:

  • Ubuntu: sudo apt-get install -y chromium-browser
  • macOS: brew install --cask google-chrome

Initial configuration uses a config.yaml file in the working directory for target and authentication settings.

Basic Usage and Examples

Start with one of these commands:

  • Basic Scan:
      ./dursgo -u http://example.com -c 10 -r 3 -s xss,sqli
  • Scan with OAST:
      ./dursgo -u http://example.com -c 10 -r 3 -s blindssrf --oast
  • Scan DOM XSS with JavaScript Rendering:
      ./dursgo -u http://spa.example.com -c 10 -r 3 -s domxss -render-js

Other CLI options include -d (crawl depth), -delay (request delay), -enrich (KEV enrichment), and -output-json (JSON report).

Available Scanners

DursGo offers a variety of scanner modules, runnable with -s (e.g., -s xss,sqli or -s all):

  • blindssrf: Blind SSRF (requires -oast).
  • cmdinjection: Command Injection (supports OAST).
  • domxss: DOM-Based XSS (requires -render-js).
  • bola: Broken Object Level Authorization.
  • cors: CORS misconfigurations.
  • csrf: Cross-Site Request Forgery.
  • exposed: Exposed files/directories.
  • fileupload: Unrestricted File Upload.
  • graphql: GraphQL vulnerabilities (introspection, injection).
  • idor: Insecure Direct Object Reference.
  • lfi: Local File Inclusion.
  • massassignment: Mass Assignment.
  • openredirect: Open Redirect.
  • securityheaders: Missing security headers.
  • sqli: SQL Injection.
  • ssrf: In-band SSRF.
  • ssti: Server-Side Template Injection.
  • xss: Combines Reflected and Stored XSS.

Use none as the scanner value to crawl only, without vulnerability scanning.

Configuration File (config.yaml)

Use YAML for complex settings, such as authentication:

  • General: Target, concurrency, scanners, etc.
  • Output: Verbose, format (JSON), output file.
  • Authentication: Supports form-based, cookie, header (Bearer), or auth-token.

Example header-based authentication:

authentication:
  enabled: true
  type: "header"
  header_name: "X-Auth-Token"
  value: "eyJhbGciOiJIUzI1Ni...[token]"

For IDOR, specify scan_idor with the authenticated user ID.

JSON Report Structure

The JSON report includes:

  • scan_summary: Scan metadata (duration, scanners, technologies).
  • discovered_endpoints: List of URLs and parameters.
  • vulnerabilities: Detailed vulnerability data (type, URL, severity, remediation).

This format is ideal for CI/CD integration or security dashboards.
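
One way to use the report as a CI gate, added here as an illustration and not DursGo's own code: it fails the build only on findings that are new relative to a stored baseline report and at or above a severity floor. The key names inside vulnerabilities (type, url, severity) and the severity labels are assumptions based on the fields listed above; check them against a real report.

```python
import json
import sys
from pathlib import Path
from urllib.parse import parse_qsl, urlsplit

# Assumed severity labels; an unrecognised label is ranked critical (fail closed).
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Key a finding on type, host, path and sorted parameter names, so a changed
    parameter value or ordering does not register as a new finding."""
    parts = urlsplit(finding.get("url", ""))
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return (finding.get("type", "").lower(), parts.netloc.lower(), parts.path, tuple(names))


def new_findings(baseline, current, floor="high"):
    """Return findings in `current` at or above `floor` that `baseline` lacks."""
    known = {fingerprint(f) for f in baseline.get("vulnerabilities", [])}
    fresh = []
    for f in current.get("vulnerabilities", []):
        level = RANK.get(str(f.get("severity", "")).lower(), RANK["critical"])
        if level >= RANK[floor.lower()] and fingerprint(f) not in known:
            fresh.append(f)
    return fresh


# Constructed sample reports (not real DursGo output). The keys inside
# "vulnerabilities" are assumed from the fields the article lists.
BASELINE = json.loads("""{"vulnerabilities": [
  {"type": "xss", "url": "http://example.com/s?q=a&page=1", "severity": "High"}]}""")
CURRENT = json.loads("""{"vulnerabilities": [
  {"type": "xss", "url": "http://example.com/s?page=2&q=b", "severity": "High"},
  {"type": "sqli", "url": "http://example.com/item?id=1", "severity": "Critical"},
  {"type": "securityheaders", "url": "http://example.com/", "severity": "Low"},
  {"type": "cors", "url": "http://example.com/api", "severity": "Unrated"}]}""")

if __name__ == "__main__":
    # With two file arguments, gate real reports; otherwise use the samples above.
    if len(sys.argv) == 3:
        BASELINE, CURRENT = (json.loads(Path(p).read_text()) for p in sys.argv[1:3])
    fresh = new_findings(BASELINE, CURRENT)
    for f in fresh:
        print(f"NEW {f.get('severity')} {f.get('type')} {f.get('url')}")
    sys.exit(1 if fresh else 0)  # non-zero exit fails the pipeline step
```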

Development Roadmap

DursGo is an evolving project. Current priorities include:

  • IDOR Scanner: Add parameter-based support and non-numeric IDs (UUIDs).
  • Enhancements: OpenAPI support, JWT attacks, OAuth misconfigs, HTTP smuggling, etc.
  • New Scanners: XXE, Deserialization, Prototype Pollution, Secret Scanning.
  • Reporting: HTML/CSV output, evidence snippets.
  • Integration: Baseline scans for CI/CD, a web dashboard with LLM AI for analysis.

Conclusion

DursGo is a powerful tool for anyone serious about web security. With Go's performance and advanced features like OAST and KEV enrichment, it's a free alternative to commercial scanners. However, remember: Use it only for authorized testing, as responsibility lies with the user.

If you try DursGo, share your experience in the comments! Check the GitHub repository for the latest updates: https://github.com/roomkangali/dursgo.