finds.dev← search

// the find

s0md3v/Striker

★ 2,339 · Python · GPL-3.0 · updated Jun 2023

Striker is an offensive information and vulnerability scanner.

Striker is a multi-phase recon and vulnerability scanner for web targets — subdomain enumeration, port scanning, header misconfiguration checks, technology fingerprinting, and outdated JS library detection, all chained automatically from a single domain. It's aimed at pentesters and bug bounty hunters who want a quick attack surface overview without stitching together five separate tools. The catch is it's been in 'prototype phase' since at least 2019 and last touched in mid-2023.

The pipeline approach is genuinely useful — phases run in logical order so you're not scanning ports on dead hosts. Borrowing signatures from retire.js, Wappalyzer, and sqlmap's WAF detection means the fingerprinting databases are maintained by active projects rather than rotting in place. The architecture is simple enough to actually read and extend: each phase is its own module, no framework magic to wade through. Sub-takeover detection via a JSON signature database is a nice practical touch that many scanner projects skip.

The README still says 'prototype phase not intended for regular users' — that's three-plus years of being publicly unmaintained in a state the author themselves considers unfinished, which is a red flag for anything touching prod targets. Vulnerability scanning (Phase 4) is explicitly marked as under development and appears to not exist. The tool leans hard on third-party web services (DNSDumpster, SecurityTrails, findsubdomains.com) that require API keys or have changed their interfaces since 2023, meaning several modules likely just fail silently now. No tests, no CI green in years — you'd need to audit it before trusting output.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →