corrode-scanner 0.1.0

Passive web reconnaissance tool for extracting secrets, credentials, and security data
# 🦀 Corrode

**Passive reconnaissance tool for extracting secrets, credentials, and security-relevant data from web applications**

Built with Rust and chromiumoxide for fast, headless scanning. Corrode performs passive analysis only: it loads the target in a headless browser and records what the application itself serves and executes, with no active exploitation or fuzzing. Use its output to inform manual penetration testing and security assessments.

[![Rust](https://img.shields.io/badge/rust-1.70%2B-orange.svg)](https://www.rust-lang.org/)
[![License: AGPL v3](https://img.shields.io/badge/license-AGPL--3.0-blue.svg)](LICENSE)

## Project Structure

```
src/
├── api/                  # API endpoint discovery (passive extraction from JS)
├── cli.rs                # CLI definitions
├── config.rs             # Config normalization
├── detectors/            # Secrets, DOM, JS (and AST) collectors
├── network/              # Network monitor
├── reporting/            # JSON/Markdown report writers
├── scanner/              # Browser orchestration + workflow
├── types.rs              # Shared data structures
└── main.rs               # Entry point
fixtures/                 # Static fixture pages for local testing
corrode-output/           # Default output directory (per scan)
```

## Architecture

### High-Level Architecture

```mermaid
graph TD
    A[URL Input] --> B[Headless Chrome/Chromium]
    B --> C[Network Monitor]
    B --> D[DOM/Storage Extractor]
    B --> E[Script + AST Scanner]
    E --> G[Secret Scanner]
    D --> H[Tech Fingerprinter]
    C --> I[Security Analysis]
    G --> Results[Reporting JSON + MD]
    C --> Results
    D --> Results
    H --> Results
    I --> Results

    classDef purple fill:#e9d5ff,stroke:#7c3aed,stroke-width:2px,color:#000
    class A,B,C,D,E,G,H,I,Results purple
```

### Scanning Workflow

```mermaid
graph TD
    U[User Input] --> CLI[CLI Parser]
    CLI --> B[Headless Browser]
    B --> N[Network Tracking]
    B --> S[HTML/Script Extraction]
    S --> SC[Secret Scanner]
    N --> SEC[Security Analysis]
    SC --> R[Reporter]
    SEC --> R
    N --> R
    R --> OUT[JSON + Markdown Output]

    classDef green fill:#d1fae5,stroke:#059669,stroke-width:2px,color:#000
    class U,CLI,B,N,S,SC,SEC,R,OUT green
```

### Secret Detection Pipeline

```mermaid
graph TD
    S1[HTML Content] --> P[Pattern Matching]
    S2[Inline Scripts] --> P
    S3[External Scripts] --> P
    S4[Hidden Inputs] --> P
    S5[localStorage/sessionStorage] --> P
    S6[Window Objects] --> P
    S7[Cookies] --> P
    P --> D1[Regex Patterns]
    P --> D2[JWT Decoder]
    P --> D3[Base64 Decoder]
    D1 --> R[Extract & Classify]
    D2 --> R
    D3 --> R
    R --> F1[Secret Findings]
    R --> F2[Source Location]
    R --> F3[Severity Level]

    classDef blue fill:#dbeafe,stroke:#2563eb,stroke-width:2px,color:#000
    class S1,S2,S3,S4,S5,S6,S7,P,D1,D2,D3,R,F1,F2,F3 blue
```

## Features

### Core Scanning Capabilities
- ⚡ **Fast Headless Scanning** - Optimized Chromium workflow for low-latency scans
- 🔍 **Deep Analysis** - Extracts and scans HTML, JavaScript bundles, inline scripts, and external resources
- 🌐 **Network Monitoring** - Tracks all HTTP requests, API calls, and third-party domains
- 🎯 **Pattern Matching** - Detects 30+ types of secrets and credentials
- 📊 **Comprehensive Reporting** - JSON results and detailed Markdown reports per site

### Advanced Analysis
- πŸ” **API Endpoint Discovery** - Extracts API endpoints from JavaScript for manual testing
- πŸ› οΈ **Technology Detection** - Identifies 40+ frameworks, libraries, and services in use
- πŸ”Ž **DOM Analysis** - Analyzes forms, hidden inputs, iframes, meta tags, and data attributes
- πŸͺ **Cookie Security Analysis** - Checks for insecure cookie configurations
- πŸͺŸ **Window Object Inspection** - Extracts sensitive data from window objects (Next.js, Nuxt, etc.)
- πŸ“ **Source Map Detection** - Identifies exposed source maps

## Installation

### Install via Cargo

```bash
cargo install corrode-scanner
```

For local development (from source):
```bash
git clone https://github.com/ul0gic/corrode.git
cd corrode
cargo build --release
./target/release/corrode --url https://example.com
```

### Requirements

| Requirement          | Details                                    |
| -------------------- | ------------------------------------------ |
| Rust                 | 1.70+ (install from [rustup.rs](https://rustup.rs)) |
| Chrome/Chromium      | Installed and discoverable; auto-detected, or override with `--chrome-bin`, `CHROME_BIN` or `CHROMIUM_BIN` |
| OS                   | Linux/macOS                                |

## Usage

### Command Line Options

| Flag / Option        | Description                                                             | Default           | Required |
| -------------------- | ----------------------------------------------------------------------- | ----------------- | -------- |
| `--url <URL>`        | Target URL to scan                                                      | –                 | ✅       |
| `-o, --output <DIR>` | Output directory (`<output>/<domain>/scan_result.json`, `REPORT.md`)    | `corrode-output`  |          |
| `--chrome-bin <PATH>`| Path to Chrome/Chromium binary (overrides auto-detect)                  | auto-detect       |          |
| `-t, --timeout <s>`  | Page-load timeout in seconds                                            | `30`              |          |
| `-v, --verbose`      | Verbose progress + findings                                             | off               |          |
| `--format <fmt>`     | Output format: `json`, `md`, or `both`                                  | `both`            |          |
| `-h, --help`         | Show help                                                               | –                 |          |
| `-V, --version`      | Show version                                                            | –                 |          |

Chrome/Chromium is auto-detected via PATH and common install locations. Override with `--chrome-bin <path>` or `CHROME_BIN`/`CHROMIUM_BIN` if you have a nonstandard install.

### Usage Examples

- Standard scan:
  ```bash
  ./target/release/corrode --url https://example.com
  ```
- Custom output directory:
  ```bash
  ./target/release/corrode --url https://example.com -o recon-$(date +%Y%m%d)
  ```
- Extended timeout for slow sites:
  ```bash
  ./target/release/corrode --url https://example.com -t 60 -v
  ```
- Explicit Chrome binary override:
  ```bash
  ./target/release/corrode --url https://example.com --chrome-bin "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
  ```

## Detected Secrets & Credentials

Corrode detects 30+ types of secrets and credentials:

### Authentication & Authorization
- 🔑 **JWT Tokens** - Including Supabase service_role detection
- 🔑 **Bearer Tokens** - Authorization header tokens
- 🔑 **Basic Auth** - Base64 encoded credentials
- 🔐 **OAuth Client Secrets** - Google OAuth and others
- 🔒 **Private Keys** - RSA, EC, and OpenSSH private keys

### Cloud Providers
- ☁️ **AWS Access Keys** - AKIA keys
- ☁️ **AWS Secret Keys** - Secret access keys
- ☁️ **AWS ARN** - Amazon Resource Names
- 🔥 **Firebase API Keys** - AIza keys
- 🗄️ **Supabase URLs** - Project URLs
- 🗄️ **Supabase Anon Keys** - Anonymous keys
- ☁️ **Heroku API Keys** - UUID format keys

### Payment & Financial
- 💳 **Stripe Publishable Keys** - pk_live/pk_test keys
- 💳 **Stripe Secret Keys** - sk_live keys
- 💳 **Stripe Restricted Keys** - rk_live keys

### Communication & Collaboration
- 💬 **Slack Tokens** - xox tokens
- 💬 **Slack Webhooks** - Webhook URLs
- 📧 **SendGrid Keys** - SG keys
- 📧 **Mailgun Keys** - API keys
- 📧 **Mailchimp Keys** - API keys
- 📞 **Twilio Keys** - SK keys
- 📞 **Twilio Account SIDs** - AC identifiers

### Version Control & Development
- πŸ™ **GitHub Tokens** - Personal access tokens (classic and fine-grained)
- 🦊 **GitLab Tokens** - Personal access tokens
- πŸ’¬ **Discord Tokens** - Bot and webhook tokens

### Database Connection Strings
- πŸ—„οΈ **PostgreSQL URLs** - Connection strings with credentials
- πŸ—„οΈ **MongoDB URLs** - Connection strings with credentials
- πŸ—„οΈ **MySQL URLs** - Connection strings with credentials
- πŸ—„οΈ **Redis URLs** - Connection strings with credentials

### Other
- 🌐 **Internal IPs** - Private network IP exposure (10.x, 172.16-31.x, 192.168.x)
- 🔗 **JWT in URLs** - Tokens passed in query parameters
- 🚀 **Netlify Tokens** - Personal access tokens (nfp_)
- 🗄️ **Supabase New Keys** - sb_publishable_ and sb_secret_ formats

## Security Issue Detection
- πŸͺ **Insecure Cookies** - Missing Secure, HttpOnly, or SameSite flags
- πŸ” **CORS Misconfiguration** - Detects wildcard Access-Control-Allow-Origin headers
- πŸ›‘οΈ **Missing Security Headers** - CSP, HSTS, X-Frame-Options, X-Content-Type-Options
- πŸ”“ **Mixed Content** - HTTP resources loaded on HTTPS pages
- πŸ› **Debug Mode Detection** - Identifies debug mode enabled in production
- πŸ“ **Source Map Exposure** - Flags exposed source maps that aid reverse engineering
- ⚠️ **CVE-2025-55182** - React Server Components RCE vulnerability detection
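
As an added example that is not Corrode's own code, the header, cookie, mixed-content and source-map checks from this list written against the Rust standard library and run over a constructed response. The `Issue` struct, the severities, the message wording and the sample headers are assumptions made for the example, not the project's real rules or report format.

```rust
// Added example for this README, not Corrode's own code: std-only versions of the
// header, cookie, mixed-content and source-map checks listed above, run over a
// constructed response. Severities and wording are illustrative assumptions.
#[derive(Debug, Clone, PartialEq)]
pub struct Issue {
    pub title: String,
    pub severity: &'static str,
}

fn issue(title: String, severity: &'static str) -> Issue { Issue { title, severity } }

/// Case-insensitive lookup: HTTP header names compare case-insensitively.
fn header<'a>(headers: &[(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|&(_, v)| v)
}

/// Missing hardening headers plus a wildcard CORS policy.
pub fn check_headers(headers: &[(&str, &str)]) -> Vec<Issue> {
    let required = [
        ("Content-Security-Policy", "high"),
        ("Strict-Transport-Security", "medium"),
        ("X-Frame-Options", "medium"),
        ("X-Content-Type-Options", "low"),
    ];
    let mut out = Vec::new();
    for &(name, sev) in required.iter() {
        if header(headers, name).is_none() { out.push(issue(format!("Missing header: {}", name), sev)); }
    }
    // A bare wildcard cannot expose credentialed responses (browsers refuse "*" together
    // with Allow-Credentials: true), so rate it by what the endpoint actually serves.
    if header(headers, "Access-Control-Allow-Origin").map(str::trim) == Some("*") {
        out.push(issue("CORS: Access-Control-Allow-Origin is *".to_string(), "medium"));
    }
    out
}

/// Flags a Set-Cookie value that lacks Secure, HttpOnly or SameSite.
pub fn check_cookie(set_cookie: &str) -> Vec<Issue> {
    let mut parts = set_cookie.split(';').map(str::trim);
    let name = parts.next().unwrap_or("").split('=').next().unwrap_or("").to_string();
    let attrs: Vec<String> = parts.map(str::to_ascii_lowercase).collect();
    let has = |a: &str| attrs.iter().any(|x| x.split('=').next() == Some(a));
    let mut out = Vec::new();
    if !has("secure") { out.push(issue(format!("Cookie {} missing Secure", name), "medium")); }
    if !has("httponly") { out.push(issue(format!("Cookie {} missing HttpOnly", name), "medium")); }
    if !has("samesite") {
        out.push(issue(format!("Cookie {} missing SameSite", name), "low"));
    } else if attrs.iter().any(|x| x.as_str() == "samesite=none") && !has("secure") {
        // SameSite=None is only honoured together with Secure; browsers drop it otherwise.
        out.push(issue(format!("Cookie {} sets SameSite=None without Secure", name), "low"));
    }
    out
}

/// HTTP sub-resources on an HTTPS page; protocol-relative URLs inherit the page scheme.
pub fn check_mixed_content(page_url: &str, resources: &[&str]) -> Vec<Issue> {
    if !page_url.starts_with("https://") { return Vec::new(); }
    resources.iter()
        .filter(|u| u.starts_with("http://"))
        .map(|u| issue(format!("Mixed content: {}", u), "medium"))
        .collect()
}

/// A script that advertises a map, or a SourceMap header. This is only a pointer: fetch
/// the .map URL and confirm it is served before reporting the map as exposed.
pub fn check_source_map(script: &str, headers: &[(&str, &str)]) -> Option<Issue> {
    let from_header = header(headers, "SourceMap").or_else(|| header(headers, "X-SourceMap"));
    let from_body = script.lines().filter_map(|l| l.trim().strip_prefix("//# sourceMappingURL=")).last();
    from_header.or(from_body).map(|m| issue(format!("Source map referenced: {}", m), "info"))
}

// Constructed response for the demo; nothing here was fetched from a real site.
pub const SAMPLE_HEADERS: &[(&str, &str)] = &[
    ("content-type", "text/html; charset=utf-8"),
    ("x-content-type-options", "nosniff"),
    ("Access-Control-Allow-Origin", "*"),
];
pub const SAMPLE_COOKIE: &str = "session=abc123; Path=/; HttpOnly";

fn main() {
    let mut all = check_headers(SAMPLE_HEADERS);
    all.extend(check_cookie(SAMPLE_COOKIE));
    all.extend(check_mixed_content("https://example.com/app",
        &["https://cdn.example.com/app.js", "http://cdn.example.com/legacy.js"]));
    all.extend(check_source_map("//# sourceMappingURL=app.js.map", SAMPLE_HEADERS));
    for i in &all { println!("[{}] {}", i.severity, i.title); }
}
```

Run against the constructed response this reports three missing headers, the wildcard CORS policy, a cookie without Secure or SameSite, one mixed-content script and one source-map pointer. Two caveats are built in on purpose: the header lookup ignores case because servers emit either form, and a `sourceMappingURL` comment or `SourceMap` header only proves a reference exists, so confirm the `.map` file is actually served before calling it exposed.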

## Technology Detection

Corrode automatically identifies 40+ technologies:

**Frameworks**: React, Vue.js, Angular, Svelte, Solid.js, Next.js, Nuxt.js, Remix, Gatsby
**Backend-as-a-Service**: Supabase, Firebase, Appwrite, AWS Cognito
**Authentication**: Auth0, Clerk, Okta
**Payment**: Stripe, PayPal, Square, Braintree
**Analytics**: Google Analytics, Mixpanel, Segment, Amplitude, HubSpot
**CMS**: WordPress, Drupal, Webflow, Contentful, Sanity
**Libraries**: jQuery, Bootstrap, Tailwind CSS, Material-UI
**State Management**: Redux, MobX, Zustand, Apollo Client, Relay

## Roadmap

- [ ] Custom secret pattern definitions via config file
- [ ] HTML report generation
- [ ] Additional CVE detectors

## Disclaimer

**IMPORTANT: For Authorized Security Testing Only**

This tool is designed for legitimate security research, penetration testing, and vulnerability assessment. By using Corrode, you agree to the following:

- ✅ Only scan websites and applications you own or have explicit written permission to test
- ✅ Use this tool for defensive security purposes, security research, and authorized penetration testing
- ✅ Comply with all applicable laws and regulations in your jurisdiction
- ✅ Respect responsible disclosure practices for any vulnerabilities discovered

**We are NOT responsible for:**
- ❌ Any unauthorized scanning or testing of websites without permission
- ❌ Any damage, legal consequences, or violations resulting from misuse of this tool
- ❌ Any actions taken based on the scan results
- ❌ False positives or missed vulnerabilities in scan results

**Legal Notice**: Unauthorized access to computer systems is illegal under laws such as the Computer Fraud and Abuse Act (CFAA) in the United States and similar legislation in other countries. Always obtain proper authorization before testing.

Corrode is provided by **ul0gic** on an "as-is" basis with no warranty. You assume all responsibility for how you use the tool.

## License

Corrode is licensed under the **GNU Affero General Public License v3.0 (AGPL-3.0)**. See `LICENSE` for the complete terms. Highlights:
- ✅ Any modifications or derivative works must remain AGPL and be published when distributed or offered as a hosted service.
- ✅ Keep attribution to **ul0gic** and the Corrode project in downstream forks and hosted deployments.
- ✅ Free for security research, internal assessments, and community contributions; commercial users simply follow the same AGPL requirements.
- ⚠️ The software is provided without warranty; use it only when you have authorization.

## Contributing

Read `CONTRIBUTING.md` before opening a PR. Key points:
- ✅ All patches are accepted under AGPL-3.0 and you confirm you have the right to contribute the code.
- ✅ Public shoutouts, talks, and demos must credit Corrode and ul0gic.
- ✅ Redistributed builds must keep license headers, this disclaimer, and README attribution intact.

Questions about contributions? Open an issue or ping @ul0gic on GitHub.

## Contact

For questions, issues, or security concerns, please open an issue on GitHub.