{"id":2624,"date":"2026-06-02T03:22:32","date_gmt":"2026-06-02T03:22:32","guid":{"rendered":"https:\/\/tucumandevelopers.com\/index.php\/2026\/06\/02\/i-built-an-open-source-dast-scanner-that-outfound-zap\/"},"modified":"2026-06-02T03:22:32","modified_gmt":"2026-06-02T03:22:32","slug":"i-built-an-open-source-dast-scanner-that-outfound-zap","status":"publish","type":"post","link":"https:\/\/tucumandevelopers.com\/index.php\/2026\/06\/02\/i-built-an-open-source-dast-scanner-that-outfound-zap\/","title":{"rendered":"I built an open-source DAST scanner that outfound ZAP"},"content":{"rendered":"
\n
\n
\n

I built KageSec.<\/p>\n

<\/a><\/p>\n

\n

<\/a> What’s wrong with existing DAST tools <\/h2>\n

Nuclei<\/strong> is great \u2014 ProjectDiscovery built something genuinely impressive. But it’s a template-matching engine, not a DAST scanner. It hits the root URL, matches YAML patterns and reports findings. It does not crawl your app, discover parameters, or inject payloads into forms. The companies charging enterprise pricing for “Nuclei as a service” are essentially charging you for a UI on top of a YAML runner.<\/p>\n

ZAP<\/strong> is the other go-to. It crawls. It injects. But it generates a lot of noise, misses logic-layer vulnerabilities, and has no AI filtering step to tell you which findings are actually exploitable.<\/p>\n

The gap is: something that crawls like ZAP, runs templates like Nuclei, and uses AI to cut the noise.<\/p>\n

\n

<\/a> The benchmark <\/h2>\n

I tested against ginandjuice.shop<\/a> \u2014 <\/p>\n

Here’s what each tool found:<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n
<\/th>\nKageSec<\/th>\nZAP<\/th>\nNuclei (standalone)<\/th>\n<\/tr>\n<\/thead>\n
Total findings<\/strong><\/td>\n21<\/strong><\/td>\n7<\/strong><\/td>\n12<\/strong><\/td>\n<\/tr>\n
Critical<\/td>\n4<\/td>\n0<\/td>\n0<\/td>\n<\/tr>\n
High<\/td>\n4<\/td>\n4<\/td>\n0<\/td>\n<\/tr>\n
Medium<\/td>\n5<\/td>\n3<\/td>\n0<\/td>\n<\/tr>\n
Low \/ Info<\/td>\n8<\/td>\n0<\/td>\n12<\/td>\n<\/tr>\n
Scan time<\/td>\n10m 22s<\/td>\n~25 min<\/td>\n6m<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

Nuclei’s 12 findings were all INFO \u2014 missing HTTP headers on the root URL. It found zero actual vulnerabilities because it never crawled the app or injected anything. That’s not a criticism of Nuclei. It’s just not what it’s for.<\/p>\n

<\/a> Vulnerability breakdown <\/h3>\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Vulnerability<\/th>\nKageSec<\/th>\nZAP<\/th>\nNuclei<\/th>\n<\/tr>\n<\/thead>\n
OS Command Injection<\/td>\n\u2705 CRITICAL<\/td>\n\u2717<\/td>\n\u2717<\/td>\n<\/tr>\n
XML External Entity (XXE)<\/td>\n\u2705 CRITICAL<\/td>\n\u2717<\/td>\n\u2717<\/td>\n<\/tr>\n
AngularJS CSTI<\/td>\n\u2705 CRITICAL<\/td>\n\u2717<\/td>\n\u2717<\/td>\n<\/tr>\n
DOM-Based XSS<\/td>\n\u2705 HIGH<\/td>\n\u2705 HIGH<\/td>\n\u2717<\/td>\n<\/tr>\n
Reflected XSS<\/td>\n\u2705 HIGH<\/td>\n\u2705 HIGH<\/td>\n\u2717<\/td>\n<\/tr>\n
SSI Injection<\/td>\n\u2705 HIGH<\/td>\n\u2717<\/td>\n\u2717<\/td>\n<\/tr>\n
SQL Injection<\/td>\n\u2717<\/td>\n\u2705 HIGH<\/td>\n\u2717<\/td>\n<\/tr>\n
Missing CSRF Protection<\/td>\n\u2705 MEDIUM<\/td>\n\u2705 MEDIUM<\/td>\n\u2717<\/td>\n<\/tr>\n
Business Logic<\/td>\n\u2705 MEDIUM<\/td>\n\u2717<\/td>\n\u2717<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

KageSec missed SQL injection. ZAP missed OS command injection and XXE. Neither tool is complete \u2014 that’s an honest benchmark.<\/p>\n

\n

<\/a> How it works <\/h2>\n

<\/a> 1. Crawl first, scan everything found <\/h3>\n

KageSec uses Playwright to crawl the app like a real browser. JavaScript rendered, SPAs handled, forms discovered. Every page found becomes a scan target. Nuclei never does this.<\/p>\n

<\/a> 2. 61 exploitation modules per page <\/h3>\n

For each page, KageSec runs 61 vulnerability modules concurrently \u2014 XSS, SQLi, SSRF, SSTI, XXE, deserialization, request smuggling, prototype pollution, JWT attacks and more. Each module is an active exploit attempt, not a passive header check.<\/p>\n

<\/a> 3. A Go template engine that isn’t Nuclei <\/h3>\n

I built kagesec-engine<\/code> \u2014 a purpose-built Go binary that runs 7,417 HTTP-compatible Nuclei templates. It is not a Nuclei wrapper. The key differences:<\/p>\n