Crate kalamari


Kalamari - Lightweight Headless Browser

A pure Rust headless browser designed for XSS scanning and web crawling. No Chrome/Chromium dependency - uses boa_engine for JavaScript execution.

Features

  • Lightweight: ~10MB vs Chrome’s 200MB+
  • Fast startup: No browser process to spawn
  • XSS Detection: Built-in alert/confirm/prompt interception
  • Stored XSS: Complete stored XSS detection flow
  • Full DOM API: createElement, MutationObserver, localStorage
  • Cookie management: Full cookie jar support with auth tokens
  • Network interception: CDP-like request/response capture
  • Form extraction: Automatically detect forms with CSRF tokens
  • Iframe handling: Recursive frame processing with XSS hooks
  • SPA route detection: Vue/React/Angular route extraction
  • WebSocket discovery: Find WebSocket endpoints in JS
  • CSP Analysis: Parse and detect CSP bypasses
  • Browser Pool: Parallel scanning with page pooling
  • Framework Detection: Vue, React, Angular vulnerability patterns

Example

use kalamari::{Browser, BrowserConfig};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let browser = Browser::new(BrowserConfig::default()).await?;
    let page = browser.new_page().await?;

    page.navigate("https://example.com").await?;

    // Check for XSS triggers
    let xss_results = page.get_xss_triggers();
    for trigger in xss_results {
        println!("XSS detected: {:?}", trigger);
    }

    Ok(())
}

Re-exports

pub use browser::Browser;
pub use browser::BrowserConfig;
pub use browser::Page;
pub use browser::PageConfig;
pub use browser::ResourceType;
pub use browser::Crawler;
pub use browser::CrawlConfig;
pub use browser::CrawlResult;
pub use browser::Form;
pub use browser::FormField;
pub use browser::FormSubmitter;
pub use browser::Frame;
pub use browser::FrameTree;
pub use browser::FrameHandler;
pub use browser::XSS_HOOK_SCRIPT;
pub use browser::PrintToPdfOptions;
pub use browser::ReportFormat;
pub use browser::AuthSession;
pub use browser::AuthSessionExtractor;
pub use browser::ScriptSource;
pub use browser::ScriptAnalyzer;
pub use browser::ScriptAnalysisResult;
pub use browser::SpaRoute;
pub use browser::SpaFramework;
pub use browser::WebSocketEndpoint;
pub use browser::WebSocketDiscoveryMethod;
pub use browser::BrowserPool;
pub use browser::PooledPage;
pub use browser::PoolStats;
pub use browser::FrameworkDetector;
pub use browser::FrameworkInfo;
pub use browser::Framework;
pub use browser::FrameworkSink;
pub use browser::VueDetector;
pub use browser::ReactDetector;
pub use browser::AngularDetector;
pub use browser::BrowserMetrics;
pub use browser::MetricsReport;
pub use browser::MetricsTimer;
pub use browser::MetricsOperation;
pub use dom::Document;
pub use dom::Element;
pub use dom::Node;
pub use error::Error;
pub use error::Result;
pub use error::NetworkLogEntry;
pub use error::ErrorContext;
pub use http::CookieJar;
pub use http::HttpClient;
pub use http::Request;
pub use http::Response;
pub use http::Cookie;
pub use js::JsRuntime;
pub use js::JsRuntimeConfig;
pub use js::JsValue;
pub use js::ConsoleMessage;
pub use js::ConsoleLevel;
pub use js::TimerQueue;
pub use js::JsIdleConfig;
pub use js::JsIdleResult;
pub use js::DomApiInstaller;
pub use js::DomBindings;
pub use network::NetworkEvent;
pub use network::NetworkInterceptor;
pub use network::EventType;
pub use network::RequestType;
pub use network::RequestTiming;
pub use network::SecurityInfo;
pub use network::RequestInfo;
pub use network::ResponseInfo;
pub use network::RequestInterceptor;
pub use network::InterceptAction;
pub use network::InterceptorChain;
pub use network::AuthHeaderInjector;
pub use network::RequestLogger;
pub use network::CookieCaptureInterceptor;
pub use security::CspAnalyzer;
pub use security::CspAnalysis;
pub use security::CspBypass;
pub use security::extract_csp_from_html;
pub use security::SriChecker;
pub use security::SriViolation;
pub use security::SriViolationType;
pub use security::DomClobberDetector;
pub use security::DomClobberResult;
pub use security::ClobberedElement;
pub use xss::XssDetector;
pub use xss::XssTrigger;
pub use xss::XssTriggerType;
pub use xss::XssResult;
pub use xss::PayloadGenerator;
pub use xss::XssPayload;
pub use xss::PayloadContext;
pub use xss::StoredXssTest;
pub use xss::StoredXssResult;
pub use xss::StoredXssTester;
pub use xss::stored_xss_payloads;

Modules

  • browser: Browser and Page API
  • dom: DOM engine for HTML parsing and manipulation
  • error: Error types for Kalamari browser
  • http: HTTP client layer for Kalamari browser
  • js: JavaScript runtime using boa_engine
  • network: Network interception and monitoring
  • security: Security analysis modules
  • xss: XSS detection module

Constants

  • VERSION: Kalamari version