Sn1per Community Edition v8.4 Released!

In case you missed it, Sn1per v8.4 was released today 6/8/2020 and features a slew of new improvements and fixes which will further enhance the speed and functionality of Sn1per.

Introducing Project “Sc0pe”

To start with, Sn1per v8.4 features a completely new active and passive vulnerability scanner called “Sc0pe” which will serve as the backbone of Sn1per’s new vulnerability scan engine. The new framework will make it quick and easy to scan for the latest CVE’s and web vulnerabilities as well as open up a slew of possibilities for users to create and share their own exploits and scanners (Submit your PR’s!). For a full list of scan templates, check here.

Sc0pe Templates

Sn1per Sc0pe Templates

For anyone interested in writing or porting existing exploits over to Sc0pe, the process is super simple. First, you will need to create a new file under /usr/share/sniper/templates/active/ for active scanners and /usr/share/sniper/templates/passive/ for passive scanners. You can now copy an existing template to rename or create a new file with the following format:

VULN_NAME='Apache Solr Detected'
MATCH='Solr Admin'
CURL_OPTS="--user-agent '' -s -L --insecure"

Passive scanners use grep regex matching of any local file to determine vulnerability detection and use the following format:

VULN_NAME='CORS Policy - Allow-Credentials Enabled'
MATCH='Access-Control-Allow-Credentials: true'

One thing to note is that when saving file you created, be sure to not use spaces in the files (ie. CORS Policy – Allow-Credentials Instead, use underscores like “”.

Once your new template is created, all you need to do is run a scan. For active checks, you can choose from ‘normal’, ‘web’, ‘vulnscan’, ‘webporthttp’ and ‘webporthttps’ as well as any of the mass scan modes (ie. massweb, etc.). All other modes will only use passive scan modules to detect vulnerabilities.

Sn1per Sc0pe vulnerability report

OWASP ZAP Integration

Another major improvement added in v8.4 is the integration with OWASP ZAP. For this to work properly, you will need to have OWASP ZAP running on the same host as Sn1per and listening on port 8081/tcp.

OWASP ZAP Proxy Configuration

In addition, you will need to enable the ZAP API service and disable the API key.


The last step is to update your /root/.sniper.conf file and enable the following setting:


After, you can run the ‘webscan’ mode (ie. sniper -t -m webscan -w After the scan completes, all HTML reports will be saved to /usr/share/sniper/loot/workspace/<workspace>/web/zap-report-$TARGET-$DATE.html.

Sn1per Configuration Templates

Sn1per Configuration Templates

Another major addition to Sn1per v8.4 is eight new configuration templates which can be referenced and loaded dynamically to fine tune each Sn1per scan. In the following example, we can quickly run all Metasploit web exploits against the target and skip most of the default modules to quickly scan for web vulnerabilities.

Usage: sniper -t -m web -c /usr/share/sniper/conf/webpwn_only -w

The possibilities are endless, but you can save and reference your own custom configuration templates or use the default options and templates as a reference. Check here for some examples and feel free to submit your PR’s with your own unique templates.


  • v8.4 – Added project “Sc0pe” active/passive vulnerability scanner
  • v8.4 – Added 68 new active sc0pe templates
  • v8.4 – Added 14 new passive sc0pe templates
  • v8.4 – Added OWASP ZAP API integration
  • v8.4 – Added 8 new Sn1per configuration templates (see /usr/share/sniper/conf/)
  • v8.4 – Added Gau (
  • v8.4 – Added rapiddns subdomain retrieval
  • v8.4 – Updated web content wordlists
  • v8.4 – Improved efficiency of ‘web’ and ‘recon’ mode scans
  • v8.4 – Disabled legacy Metasploit web exploits (check Sn1per conf to re-enable)
  • v8.4 – Fixed issue with dirsearch asterisk being used incorrectly
  • v8.4 – Fixed issue with airstrike mode not updated Sn1per Professional v8.0 host list
  • v8.4 – Fixed issue with webtech re.error: invalid group reference 1 at position 130


To apply the update, run ‘sniper -u’ if Sn1per is already installed to automatically download the latest release. For new users, run: ‘git clone’ and run the file.

Sn1per Professional v8.0 Fuzzer Add-on Released!

Sn1per Professional Fuzzer Add-on

XeroSecurity is proud to announce the release of our Fuzzer Add-on for Sn1per Professional v8.0! This will further enhance Sn1per’s ability to automatically fuzz for OWASP TOP 10 vulnerabilities and discover hidden web content. The new add-on comes with a host of options that can be easily configured from the Sn1per web UI and launched via the Command Execution Add-on. The result is a powerful combination of dynamic scanning options combined with professional reporting to help you quickly and easily find vulnerabilities in your environment.


  • Automatically fuzz dynamic URL’s for OWASP TOP 10 vulnerabilities.
  • Discover hidden content in a target environment.
  • Spider all URL’s within a target environment.
  • Single & built-in multi target selections.
  • Customized wordlist selections and options via the GUI.
  • HTML and text based reports for all tools (ie. Black Widow, InjectX, SQLMap, Arachni, FFuf, Dirsearch, Gobuster)
  • Reporting of all output via the Command Execution Add-on.


Sn1per Professional Fuzzer Add-on GUI
Sn1per Professional Fuzzer Add-on HTML Reports
Sn1per Professional Fuzzer Add-on InjectX Fuzzer
Sn1per Professional Fuzzer Add-on Gobuster Hidden Web Content


Sn1per Professional Fuzzer Add-on Demo

Buy now!

As always, feel free to reach out to us at [email protected] with any questions!

Aftermath2020 #002 with @xer0dayz – Live Bug Bounty Recon with Sn1per Professional


0:00 – Basic stealth mode single domain recon with Sn1per Professional v8.0
5:00 – Leveraging built-in Sn1per Professional recon links to passively gather #OSINT
6:15 – Using InjectX fuzzer to fuzz dynamic URL’s (unreleased)
8:04 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories (unreleased)
9:00 – More stealth mode single target recon with split panel/search/host jump features
11:20 – Manual scan analysis of discovered URL’s
16:20 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories (unreleased)
17:35 – Use of Sn1per Professional’s host table filter
17:45 – Use of Sn1per Professional’s quick links to view websites in browser
18:52 – Use of Sn1per Professional’s built-in Google Dorks links to discover hidden content
19:20 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories (unreleased)
22:22 – Using Burpsuite Professional JSLinkFinder plugin to analyze Javascript files
24:20 – Leveraging built-in Sn1per Professional recon links to passively gather #OSINT
25:54 – Discovering hidden/cached content via
29:55 – Use of Sn1per Professional’s built-in Notepad add-on to keep notes on workspace
30:37 – Use of Fofa to conduct recon on target domain
35:31 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories with extensions (unreleased)
36:26 – Using Google dorks to discover content and URL’s
43:17 – Manual Javascript analysis from the command line
44:42 – Discovering pre-production and internal domains in Javascript files
53:18 – Digging deeper into hidden/discovered content on a target
57:14 – Discovering PayPal github repos in Javascript source
57:42 – Conducting basic github recon on PayPal developers for sensitive data

Recent Comments