[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81823":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":14,"stars30d":16,"stars90d":15,"forks30d":15,"starsTrendScore":15,"compositeScore":17,"rankGlobal":10,"rankLanguage":10,"license":18,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":19,"hasPages":19,"topics":21,"createdAt":10,"pushedAt":10,"updatedAt":40,"readmeContent":41,"aiSummary":42,"trendingCount":15,"starSnapshotCount":15,"syncStatus":13,"lastSyncTime":43,"discoverSource":44},81823,"WonderSuite-Ai-Bug-Bounty","sfr-development\u002FWonderSuite-Ai-Bug-Bounty","sfr-development","AI-Powered Offensive Security Research Engine - desktop-native security testing platform with native MCP integration. 90 tools, MITM proxy, stealth browser, autonomous AI agent. Built on Tauri + Rust + React.","https:\u002F\u002Fwondersuite.xyz\u002F",null,"Rust",34,2,1,0,3,42.23,"MIT License",false,"main",[22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39],"ai-agent","bug-bounty","burp-suite-alternative","desktop-app","llm-tools","mcp","mitm-proxy","model-context-protocol","offensive-security","pentesting","react","rust","security","security-tools","tauri","typescript","vulnerability-scanner","web-security","2026-06-12 04:01:35","\u003Cdiv align=\"center\">\n\n\u003Cimg src=\"public\u002Fwondersuite_logo.png\" alt=\"WonderSuite\" width=\"420\" \u002F>\n\n### AI-Powered Offensive Security Research Engine\n\nA desktop-native security testing platform built on Rust and Tauri with native Model Context Protocol (MCP) integration for AI-driven vulnerability research.\n\n[![Rust](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FRust-1.78+-DE5C0B?style=flat-square&logo=rust&logoColor=white)](https:\u002F\u002Fwww.rust-lang.org\u002F)\n[![Tauri](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FTauri-2.x-24C8D8?style=flat-square&logo=tauri&logoColor=white)](https:\u002F\u002Ftauri.app\u002F)\n[![React](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FReact-19-61DAFB?style=flat-square&logo=react&logoColor=black)](https:\u002F\u002Freact.dev\u002F)\n[![MCP](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FMCP-JSON--RPC_2.0-8B5CF6?style=flat-square)](https:\u002F\u002Fmodelcontextprotocol.io\u002F)\n[![License](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-success?style=flat-square)](LICENSE)\n[![PRs Welcome](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FPRs-welcome-brightgreen.svg?style=flat-square)](#contributing)\n\n[![Latest Release](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fv\u002Frelease\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty?style=flat-square&logo=github&label=latest&color=success)](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases\u002Flatest)\n[![Release Date](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Frelease-date\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty?style=flat-square&color=blue)](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases\u002Flatest)\n[![Downloads (total)](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fdownloads\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Ftotal?style=flat-square&logo=github&color=orange&label=downloads)](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases)\n[![Downloads (latest)](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fdownloads\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Flatest\u002Ftotal?style=flat-square&color=orange&label=downloads%20%28latest%29)](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases\u002Flatest)\n[![Stars](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fstars\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty?style=flat-square&logo=github&color=yellow)](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Fstargazers)\n[![Forks](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fforks\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty?style=flat-square&logo=github&color=blueviolet)](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Fnetwork\u002Fmembers)\n[![Last Commit](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Flast-commit\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty?style=flat-square&color=informational)](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Fcommits\u002Fmain)\n[![CI](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Factions\u002Fworkflow\u002Fstatus\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Fci.yml?branch=main&style=flat-square&logo=github&label=CI)](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Factions\u002Fworkflows\u002Fci.yml)\n[![CodeQL](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Factions\u002Fworkflow\u002Fstatus\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Fcodeql.yml?branch=main&style=flat-square&logo=github&label=CodeQL)](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Factions\u002Fworkflows\u002Fcodeql.yml)\n\n[**Download**](#download) ·\n[**Features**](#core-capabilities) ·\n[**Screenshots**](#screenshots) ·\n[**Getting Started**](#getting-started) ·\n[**MCP Tools**](#mcp-server--85-tools--operator-skill) ·\n[**Contributing**](#contributing)\n\n\u003C\u002Fdiv>\n\n---\n\n## Overview\n\n**WonderSuite** is a desktop native offensive security engine that combines Burp Suite-class tooling with autonomous AI agent capabilities. It provides a fully integrated environment for web application security testing, network reconnaissance, and exploit development — all orchestrated through an MCP-compatible AI interface.\n\nThe platform ships with **91 purpose-built security tools** accessible via JSON-RPC (trimmed from 100 in v0.3.11 — the standalone OAST tools were folded into `active_scan(with_oast: true)` to keep the AI's context budget lean), a full MITM proxy with **Chrome 137 JA3\u002FJA4 + HTTP\u002F2 fingerprint impersonation** (defeats Cloudflare, Akamai Bot Manager, DataDome, PerimeterX), a **bundled Chrome-for-Testing 148** with stealth extension and per-version isolation, a pentest-grade browser MCP surface with stable element refs and OAST-integrated blind-vuln detection, and automated vulnerability scanning across SQLi, XSS, SSTI, LFI, CRLF, Open Redirect, plus blind cmdi \u002F SSRF \u002F Log4Shell via the bundled OAST listener.\n\n\u003Cdiv align=\"center\">\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fdashboard.png\" alt=\"WonderSuite Dashboard\" width=\"900\" \u002F>\n\u003C\u002Fdiv>\n\n## See it in action\n\n\u003Cdiv align=\"center\">\n\n\u003Cimg src=\"docs\u002Fpreview.gif\" alt=\"Claude Opus 4.7 driving WonderSuite end-to-end\" width=\"900\" \u002F>\n\n*Claude Opus 4.7 driving WonderSuite end-to-end: opens WonderBrowser, walks through a registration form on its own (fills email + password fields, presses Sign up), and watches the resulting traffic stream through the proxy live — auth POST captured, JWT\u002FCSRF surfaced, ready to fuzz. Zero scripted steps, the agent picks the tool sequence itself (`browser_open` → `browser_snapshot` → `browser_fill_form` → `browser_click` → `proxy_get_traffic` → `analyze_jwt`).*\n\n[▶ Full-quality MP4 (1.9 MB, with audio)](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases\u002Fdownload\u002Fv0.3.11\u002Fpreview.mp4)\n\n\u003C\u002Fdiv>\n\n## Core Capabilities\n\n### Intercepting Proxy\n\nFull man-in-the-middle proxy with TLS interception and dynamic certificate authority generation. Supports real time request and response modification, match-and-replace rules with regex (5 targets: request_header\u002Fbody\u002Furl, response_header\u002Fbody), WebSocket message capture, upstream proxy chaining (HTTP\u002FSOCKS5), traffic annotation with color highlighting, and proper HAR\u002FJSON export (headers, queryString, statusText all populated). Upstream requests can be re-originated through a **BoringSSL stack tuned to match Chrome 137's exact ClientHello, JA3\u002FJA4 fingerprint and HTTP\u002F2 SETTINGS frame ordering** — bypasses Cloudflare, Akamai Bot Manager, DataDome, and PerimeterX.\n\n### WonderBrowser — Bundled Chrome-for-Testing 148\n\nA pinned Chromium build (CfT 148.0.7778.97) shipped inside WonderSuite — version-locked, SHA-256-verified, never auto-updates, per-version cached. Uses a separate `.wondersuite\u002F` profile so it doesn't touch the user's system Chrome. The bundled WonderSuite extension applies minimal stealth at `document_start` (deletes `navigator.webdriver` from the prototype, purges automation globals) — verified `isBot: false` on all 18 deviceandbrowserinfo.com checks. All outbound requests flow through the WonderSuite proxy for capture and TLS impersonation.\n\n### Verified Undetected — 17 \u002F 17 Bot-Detection Signals Clean\n\nOut of the box, no per-target tuning, no manual evasion: WonderBrowser plus the impersonating proxy passes **every signal** on third-party bot-detection fingerprinting suites. Live test against the public detector at [deviceandbrowserinfo.com\u002Fare_you_a_bot](https:\u002F\u002Fdeviceandbrowserinfo.com\u002Fare_you_a_bot):\n\n\u003Cdiv align=\"center\">\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fwonderbrowser-bot-detection.png\" alt=\"WonderBrowser passing deviceandbrowserinfo.com — verdict: 'You are human!'\" width=\"900\" \u002F>\n\u003C\u002Fdiv>\n\n```jsonc\n{\n \"isBot\": false,\n \"details\": {\n \"hasBotUserAgent\": false, \"isPlaywright\": false,\n \"hasWebdriverTrue\": false, \"hasInconsistentChromeObject\": false,\n \"hasWebdriverInFrameTrue\": false, \"isPhantom\": false,\n \"isNightmare\": false, \"isSequentum\": false,\n \"isSeleniumChromeDefault\": false, \"isHeadlessChrome\": false,\n \"isWebGLInconsistent\": false, \"isAutomatedWithCDP\": false,\n \"isAutomatedWithCDPInWebWorker\": false, \"hasInconsistentClientHints\": false,\n \"hasInconsistentGPUFeatures\": false, \"isIframeOverridden\": false,\n \"isIframeMissing\": false\n }\n}\n```\n\n#### How — three independent stealth layers\n\nWonderSuite stacks three orthogonal layers, each defeating a *different* class of fingerprinting:\n\n1. **TLS layer (proxy upstream).** Every outbound TLS handshake is re-originated through a BoringSSL stack tuned to Chrome 137's exact ClientHello — cipher suite order, ALPN, GREASE bytes, extensions, key shares — plus HTTP\u002F2 SETTINGS frame ordering. The resulting **JA3\u002FJA4 fingerprint is byte-identical to a real Chrome**. Cloudflare, Akamai Bot Manager, DataDome and PerimeterX classify the request as a real browser at the TCP\u002FTLS layer before any JS even runs.\n\n2. **Browser layer (binary + extension).** WonderBrowser **is Chrome-for-Testing 148** — not a fork, not CEF, not Electron. It runs an isolated `.wondersuite\u002F` profile separate from your system Chrome. A bundled MV3 extension hooks `document_start` (before any page JS) to delete `navigator.webdriver` directly off `Navigator.prototype` (no easy override-leak) and purges automation globals (`window.cdc_*`, CDP-injection artifacts). The binary is SHA-256-verified, version-pinned, never auto-updates.\n\n3. **Input layer (agent automation).** When the AI agent drives the browser via MCP tools, every click \u002F keystroke \u002F scroll goes through **Chrome's real input pipeline** via `CDP.Input.dispatchMouseEvent` \u002F `dispatchKeyEvent` \u002F `insertText` — resulting DOM events carry `event.isTrusted === true`, indistinguishable from a physical keyboard and mouse. Mouse paths are humanlike Bezier trajectories with Gaussian jitter; typing cadence is drawn per-character from a normal distribution; pre-action dwell time and `document.hasFocus()` emulation are configurable per **stealth profile** (`fast` \u002F `human` \u002F `paranoid`). The AI cursor overlay lives in a **closed Shadow DOM** — visible to the operator, completely invisible to page JS. Fraud SDKs like FriendlyCaptcha, DataDome, Cloudflare Bot Management and Imperva — which silently drop programmatic form submissions when `isTrusted: false` — let WonderSuite traffic through.\n\n#### How it flows — browser, proxy, optional impersonation\n\n```mermaid\nflowchart LR\n AI([\"AI Agent \u002F Operator\"])\n\n subgraph WB[\"WonderBrowser · pinned Chrome-for-Testing 148\"]\n direction TB\n CDP[\"CDP Input Pipeline\u003Cbr\u002F>\u003Csub>dispatchMouseEvent · dispatchKeyEvent · insertText\u003Cbr\u002F>isTrusted: true · Bezier mouse · Gaussian cadence\u003C\u002Fsub>\"]\n EXT[\"WonderSuite MV3 Extension\u003Cbr\u002F>\u003Csub>document_start\u003Cbr\u002F>navigator.webdriver deleted\u003Cbr\u002F>window.cdc_* purged\u003C\u002Fsub>\"]\n Page[\"Page JS\u003Cbr\u002F>\u003Csub>sees real Chrome surface\u003C\u002Fsub>\"]\n end\n\n subgraph PX[\"WonderSuite MITM Proxy\"]\n direction TB\n MITM[\"TLS MITM\u003Cbr\u002F>\u003Csub>Dynamic CA · decrypt · capture · edit\u003C\u002Fsub>\"]\n Decision{\"Impersonate\u003Cbr\u002F>Chrome TLS?\"}\n Boring[\"BoringSSL upstream\u003Cbr\u002F>\u003Csub>wreq + boring-sys2\u003Cbr\u002F>Chrome 137 ClientHello + JA3\u002FJA4\u003Cbr\u002F>HTTP\u002F2 SETTINGS frame order\u003C\u002Fsub>\"]\n Native[\"native-tls upstream\u003Cbr\u002F>\u003Csub>reqwest TLS 1.3 default\u003Cbr\u002F>fingerprint-detectable\u003C\u002Fsub>\"]\n end\n\n Target[(\"Target Origin\u003Cbr\u002F>\u003Csub>Cloudflare · Akamai Bot Manager\u003Cbr\u002F>DataDome · PerimeterX\u003Cbr\u002F>FriendlyCaptcha · Imperva\u003C\u002Fsub>\")]\n\n AI ==>|\"MCP browser_click \u002F type \u002F fill_form\"| CDP\n CDP --> Page\n EXT -.->|\"installs before page JS\"| Page\n Page ==>|\"fetch \u002F XHR \u002F navigation\"| MITM\n MITM --> Decision\n Decision ==>|\"ON · default\"| Boring\n Decision -.->|\"OFF · for delta testing\"| Native\n Boring ==>|\"identical fingerprint to real Chrome\"| Target\n Native -.->|\"detectable JA3\u002FJA4\"| Target\n\n classDef browser fill:#064e3b,stroke:#10b981,stroke-width:2px,color:#d1fae5\n classDef proxy fill:#3b0764,stroke:#a855f7,stroke-width:2px,color:#f3e8ff\n classDef decide fill:#1e3a8a,stroke:#60a5fa,stroke-width:2px,color:#dbeafe\n classDef target fill:#7c2d12,stroke:#fb923c,stroke-width:2px,color:#fed7aa\n classDef actor fill:#1f2937,stroke:#94a3b8,stroke-width:1.5px,color:#e2e8f0\n\n class WB,CDP,EXT,Page browser\n class PX,MITM,Boring,Native proxy\n class Decision decide\n class Target target\n class AI actor\n```\n\n#### Optional impersonation toggle\n\nTLS impersonation is **on by default**. It can be disabled in **Settings → Browser → \"Impersonate Chrome TLS (JA3\u002FJA4 + HTTP\u002F2)\"** — useful when you want to compare how a target reacts to a fingerprint-detectable vs. fingerprint-impersonated client (the \"what does Cloudflare actually block?\" experiment). With the toggle off, upstream falls back to `native-tls` \u002F stock `reqwest`, exposing a standard Rustls\u002FOpenSSL JA3 fingerprint.\n\n### Browser MCP — Human-Native Agent Surface (v0.3.3+)\n\n24 browser tools driving WonderBrowser via a single persistent CDP WebSocket. **All input goes through Chrome's real input pipeline** (CDP `Input.dispatchMouseEvent` \u002F `dispatchKeyEvent` \u002F `insertText`) so resulting DOM events have `event.isTrusted === true` — indistinguishable from a physical keyboard and mouse, defeats the class of fraud SDKs (FriendlyCaptcha, DataDome, Cloudflare Bot Management, Imperva) that silently drop programmatic form submissions. On top: humanlike Bezier mouse trajectories with Gaussian jitter, per-character typing cadence drawn from a normal distribution, configurable pre-action dwell, focus emulation so `document.hasFocus()` reports true. Three **stealth profiles** (`fast` \u002F `human` \u002F `paranoid`) trade speed against detection-resistance — pick one in Settings → Browser, or override per call. The **AI cursor overlay lives in a closed Shadow DOM** so it's visible to the user but completely invisible to page-JS. `browser_stealth_check` self-tests the stack and reports an `isTrusted` score with verdict (`indistinguishable` \u002F `good` \u002F `partially-detectable` \u002F `detectable`). Plus everything from v0.3.2: ref-based snapshots, `browser_fill_form` accepting ref\u002Fselector\u002Fname, `browser_storage_full` one-shot auth dump, `browser_replay_to_proxy`, `browser_dom_sinks`, CSP-violation-forwarding console, `browser_resource_hints`, CDP-native scroll wheel events.\n\n### Crawler\n\nMulti-level fetcher with robots.txt + sitemap.xml + `\u002F.well-known\u002F` + JS endpoint extraction discovery, soft-404 detection, SPA-aware rendering hooks, cookie + path canonicalization. Regex-based fast path for static apps; for SPAs the browser MCP surface is the better tool.\n\n### Code Audit (v0.3.24+)\n\nA passive source-level audit that analyses every asset the proxy has captured. Lives inside the **Sitemap** module as a second tab alongside the tree view — no separate crawl step needed.\n\n**Three-panel layout:** Asset tree (domain → type → file) · Syntax-highlighted source editor with jump-to-finding · Findings + Summary panel.\n\n**Finder engine** — 60+ regex patterns across five categories:\n\n| Category | Examples |\n|---|---|\n| **Secrets** | AWS\u002FGCP\u002FAzure keys, OpenAI\u002FAnthropic\u002FHuggingFace\u002FReplicate tokens, Stripe live keys, GitHub tokens (ghp\u002Fgho\u002Fghu\u002Fghs\u002Fghr\u002Fgha\u002FPAT), Slack webhooks, Supabase service\u002Fanon keys, MongoDB\u002FPostgres\u002FMySQL\u002FRedis connection strings, private key blocks, `.env`-style `NEXT_PUBLIC_` \u002F `VITE_` \u002F `REACT_APP_` leaks |\n| **Tokens** | JWT, Bearer, Basic Auth, OAuth, id\\_token, refresh\\_token, session cookies |\n| **API Endpoints** | `fetch()`, `axios.*()`, XHR `.open()`, API path strings, GraphQL operations, WebSocket URLs, gRPC\u002FtRPC endpoints |\n| **Links** | Absolute URLs, relative paths |\n| **Comments** | TODO\u002FFIXME\u002FHACK\u002FBUG, comments referencing credentials |\n\n**Source editor** powered by Shiki (`one-dark-pro` theme) with js-beautify auto-formatting — minified assets rendered readable. Click any finding → editor scrolls + flash-highlights that line.\n\n**Export options** (context menu per domain \u002F type-group \u002F file):\n- Beautified source, concatenated sources, HTML security report, per-category CSV\u002FTXT\n- **Export as ZIP** — full asset bundle in `js\u002F` · `css\u002F` · `html\u002F` · `api\u002F` · `findings\u002F` folders + `README.txt` + `assets.json` manifest; saved via Tauri's native file-chooser dialog\n\n**Ctrl+click** selects multiple nodes in the Sitemap tree (highlighted, additive, cleared on plain click).\n\n### Port Scanner — In-Process, Adaptive, Three-Mode (v0.3.7+)\n\nBuilt-in port scanner with **three real engines**: TCP Connect (no admin, default), TCP SYN (raw sockets via bundled WinDivert on Windows \u002F pnet on Linux+macOS), and UDP (no admin, response-based protocol detection). **No nmap subprocess** — service detection runs against the real `nmap-service-probes` file (187 probes, 12k+ regex match patterns) embedded at build time. **Adaptive concurrency via Little's Law** (`in_flight = target_pps × RTT_p50`) — the permit pool floats with observed network conditions every 2 seconds, where RustScan's `batch_size` is fixed at startup. Live streaming results to a virtualized table; presets (Top-100, Top-1000, Web, Dev, DB, All); timing templates T0 paranoid → T6 ludicrous; export to JSONL, CSV, Nmap XML, gnmap, or `ip:port`. CIDR + range + hostname expansion. Idle-mode caps at ~100 pps for field-laptop use.\n\n#### How it flows — three modes, one orchestrator\n\n```mermaid\nflowchart TB\n UI([\"Ports module\u003Cbr\u002F>\u003Csub>target · ports · mode · timing · service_detect\u003C\u002Fsub>\"])\n\n UI --> Orch{\"Orchestrator\u003Cbr\u002F>\u003Csub>portscan::orchestrator\u003C\u002Fsub>\"}\n\n subgraph Modes[\"Engine dispatch by mode\"]\n direction LR\n Connect[\"\u003Cb>TCP Connect\u003C\u002Fb>\u003Cbr\u002F>\u003Csub>tokio::net::TcpStream\u003Cbr\u002F>kernel TCP\u002FIP stack\u003Cbr\u002F>no admin\u003C\u002Fsub>\"]\n Syn[\"\u003Cb>TCP SYN\u003C\u002Fb> · raw sockets\u003Cbr\u002F>\u003Csub>WinDivert (Win) · pnet (Linux\u002FmacOS)\u003Cbr\u002F>SipHash stateless cookies\u003Cbr\u002F>masscan-style RX dedup\u003C\u002Fsub>\"]\n Udp[\"\u003Cb>UDP\u003C\u002Fb>\u003Cbr\u002F>\u003Csub>tokio::net::UdpSocket\u003Cbr\u002F>14 protocol-specific probes\u003Cbr\u002F>DNS · NTP · SNMP · SSDP · …\u003C\u002Fsub>\"]\n end\n\n Orch -->|mode=connect| Connect\n Orch -->|mode=syn| Syn\n Orch -->|mode=udp| Udp\n\n subgraph Timing[\"Adaptive permits — Little's Law\"]\n direction TB\n RTT[\"RTT EWMA p50\"]\n Calc[\"target_pps × RTT_p50\u003Cbr\u002F>= in_flight permits\"]\n Sem[\"tokio::Semaphore\u003Cbr\u002F>\u003Csub>permits live-resized\u003Cbr\u002F>every 2 s · dead-band ±20 %\u003C\u002Fsub>\"]\n RTT --> Calc --> Sem\n end\n\n Connect & Syn & Udp --> Sem\n Sem -->|\"acquire_owned().await\"| Probe[\u002F\"Per-probe socket I\u002FO\"\u002F]\n\n Probe -->|response| ProbeDb[\"\u003Cb>nmap-service-probes\u003C\u002Fb>\u003Cbr\u002F>\u003Csub>include_str!() at build time\u003Cbr\u002F>187 probes · 11 971 matches\u003Cbr\u002F>compiled regex via Lazy<ProbeDb>\u003C\u002Fsub>\"]\n ProbeDb -->|match| Result[\"ScanResult\u003Cbr\u002F>\u003Csub>state · service · product · version · banner\u003C\u002Fsub>\"]\n\n Result --> Emit[\"Tauri emit\u003Cbr\u002F>\u003Csub>portscan:result · :progress · :done\u003C\u002Fsub>\"]\n Emit --> Live([\"Live UI\u003Cbr\u002F>\u003Csub>virtualized table\u003Cbr\u002F>pps sparkline\u003Cbr\u002F>services donut\u003C\u002Fsub>\"])\n Emit -->|persists| Store[\"zustand portscanStore\u003Cbr\u002F>\u003Csub>survives module-unmount + pop-out\u003C\u002Fsub>\"]\n\n classDef ui fill:#1f2937,stroke:#94a3b8,stroke-width:1.5px,color:#e2e8f0\n classDef orch fill:#3b0764,stroke:#a855f7,stroke-width:2px,color:#f3e8ff\n classDef engine fill:#064e3b,stroke:#10b981,stroke-width:2px,color:#d1fae5\n classDef store fill:#1e3a8a,stroke:#60a5fa,stroke-width:2px,color:#dbeafe\n classDef probe fill:#7c2d12,stroke:#fb923c,stroke-width:2px,color:#fed7aa\n\n class UI,Live ui\n class Orch orch\n class Connect,Syn,Udp,Probe engine\n class RTT,Calc,Sem orch\n class ProbeDb probe\n class Result,Emit,Store store\n```\n\n#### Privilege model\n\n| Platform | Connect | SYN | UDP |\n|---|---|---|---|\n| Linux | no admin | `cap_net_raw` via `setcap` | no admin (raw ICMP optional for closed-port detection) |\n| macOS | no admin | root (signed launchd helper coming) | no admin |\n| Windows | no admin | bundled **WinDivert** (LGPLv3, EV-signed by Reqrypt LLC) — one UAC consent for the SCM service install, no external download | no admin |\n\nWonderSuite ships WinDivert 2.2.2 inside the installer (`WinDivert.dll` + `WinDivert64.sys`, 140 KB total). At first SYN scan the UI offers a one-click \"Install network driver\" button → `ShellExecuteExW` with verb `runas` → UAC consent → `sc.exe create` + `sc.exe start` register the kernel service. WinDivert.dll is dlopened from the resource_dir at scan time via `libloading` — **no compile-time link**, so the .exe launches cleanly on machines that don't have the driver yet (graceful fallback to TCP connect with a clear error message). HVCI \u002F Memory Integrity detected via registry; on HVCI-strict machines the SYN engine surfaces a clear \"disable Memory Integrity\" message and falls back to connect.\n\n### Multi-Window Workspace (v0.3.7+)\n\nRight-click any sidebar module → **\"Pop out to window\"** spawns a native Tauri window with just that module. Cross-monitor workflow: Comparer on monitor 1, Repeater on monitor 2, Logger on monitor 3, main shell on monitor 4. Geometry persists per moduleId in localStorage — windows respawn at the same position on app restart (workspace save). Cross-window state bridge via Tauri events: \"Send to Repeater\" from the Traffic tab in the main window still works when Repeater is detached. 240 ms pop-in animation, 240 ms scale-down re-dock. Each detached window is a separate WebView (~40-60 MB RAM) but shares one Rust backend — no IPC duplication.\n\n### MCP Server — 90 Tools + Operator Skill\n\nNative Model Context Protocol server enabling AI agents (Claude, Cursor, Windsurf, VS Code, Antigravity, Gemini CLI, …) to autonomously conduct security research against WonderSuite's tool surface. Ships with a project-level Claude skill ([`.claude\u002Fskills\u002Fwondersuite.md`](.claude\u002Fskills\u002Fwondersuite.md)) that teaches the AI workflows, error-recovery, and when-to-ask-vs-act — see [Skill File](#skill-file--teach-your-ai-how-to-use-wondersuite) below.\n\n| Category | Tools |\n|----------|-------|\n| HTTP | `send_request` · `send_to_repeater` · `send_to_intruder` (auto-categorises payloads per param name) · `h2_send_request` · `mtls_send_request` |\n| Proxy | `proxy_start` · `proxy_stop` · `proxy_status` · `proxy_toggle_intercept` · `proxy_get_traffic` · `proxy_search_traffic` · `proxy_clear_traffic` · `proxy_export_traffic` (JSON \u002F **HAR** with full headers + queryString) · `proxy_get_statistics` · `proxy_add_match_replace` · `proxy_add_interception_rule` · `proxy_add_tls_passthrough` · `proxy_set_upstream` · `proxy_annotate_traffic` · `proxy_get_websocket_messages` · `get_intercepted` · `forward_intercepted` |\n| Scanner | `active_scan` (SQLi · XSS · SSTI · LFI · Open Redirect · CRLF) with optional `with_oast:true` for **blind cmdi, blind SSRF, Log4Shell** via the bundled OAST listener · `passive_scan` (headers, cookies, CORS, info disclosure) |\n| Intruder | `fuzz_request` — Sniper · Battering Ram · Pitchfork · Cluster Bomb |\n| Browser (24) | `browser_open` · **`browser_attach`** (reuse running WonderBrowser; `auto_launch:true` spawns) · `browser_close` · `browser_navigate` · **`browser_snapshot`** (a11y tree + ref=eN + forms-with-labels + honeypot detection + security block) · `browser_screenshot` (writes JPEG to disk, returns path) · **`browser_click`** (CDP-native, isTrusted:true, humanlike trajectory) · **`browser_type`** (CDP `insertText` with Gaussian cadence) · **`browser_fill_form`** (ref\u002Fselector\u002Fname + auto-submit; ref path goes through humanlike CDP input) · `browser_press_key` (CDP `dispatchKeyEvent`) · `browser_scroll` (CDP `mouseWheel` event) · `browser_select_option` · `browser_set_file_input` · `browser_get_outer_html` · `browser_evaluate` · **`browser_storage_full`** (cookies+LS+SS+IDB+SW+caches+cookie_header) · `browser_console` (incl. CSP violations) · `browser_dom_sinks` (innerHTML\u002Feval\u002FpostMessage enum) · `browser_network_traffic` (CDP ring buffer) · **`browser_replay_to_proxy`** (hand browser request to Repeater) · `browser_resource_hints` (robots\u002Fwell-known\u002Fsourcemaps) · `browser_wait_for` · `browser_tabs` · **`browser_stealth_check`** (self-test the human-emulation stack) |\n| Recon | `crawl_target` · `discover_content` · `discover_subdomains` (concurrent DNS) · `find_secrets` · `dns_resolve` (with CDN detection) · `js_link_finder` |\n| Port Scanner (5) | **`port_scan`** (host + presets + 15 in-process probes) · **`port_scan_range`** (CIDR\u002Frange\u002Flist, `exclude_cdn`) · **`service_detect`** (probe a known-open port) · **`banner_grab`** (raw bytes, custom payload) · **`port_scan_results`** (paginated drill-down) |\n| OSINT | `whois_lookup` · `asn_lookup` · `crtsh_search` · `wayback_lookup` · `hackertarget_lookup` · `ip_geolocation` · `tech_detect` · `favicon_hash` · `reverse_ip_lookup` · `graphql_introspect` |\n| Codec | `encode` · `decode` · `hash` · `smart_decode` · **`analyze_jwt`** (alg=none, kid SQLi\u002Ftraversal, jku\u002Fx5u SSRF, HS\u002FRS confusion) |\n| OAST | Embedded in-process listeners (HTTP \u002F DNS \u002F SMTP) with path-correlated callbacks; drive from `active_scan(with_oast: true)` (recommended for AI agents) or the OAST UI panel. Standalone `oast_*` MCP tools are not in the agent surface as of v0.3.11 — un-comment in `src-tauri\u002Fsrc\u002Fmcp\u002Fhandlers\u002Fmod.rs` if you need raw payload control. |\n| Exploit | `race_request` · `raw_tcp_send` · `websocket_connect` · `analyze_cdn_waf` (with CDN bypass strategies) |\n| Reporting | `generate_report` (markdown \u002F JSON \u002F summary) · `bambda_filter` · `payload_manager` · `get_traffic_log` |\n\n### Autonomous Security Research\n\nThe AI agent operates independently through the MCP interface. It can launch WonderBrowser, walk the app with `browser_snapshot`'s stable refs, drive forms with `browser_fill_form` (by ref OR selector OR name), capture the authenticated session via `browser_storage_full` (cookies + LS + SS + IDB + SW + Cache in one call, ready-to-replay `Cookie:` header), and hand any browser-discovered request to the proxy's Repeater via `browser_replay_to_proxy`. From there: `active_scan with_oast:true` fires error+time-based SQLi, reflected XSS, SSTI, LFI, Open Redirect, **AND** blind-injection probes (curl\u002Fwget\u002FJNDI-LDAP\u002FLog4Shell-style) that callback to the bundled OAST listener — every callback becomes a critical-severity, certain-confidence finding. `analyze_jwt` flags alg=none, kid-as-SQLi-sink, jku\u002Fx5u SSRF, and HS\u002FRS key-confusion classes. `analyze_cdn_waf` returns actionable bypass strategies cross-referenced to other tools (origin discovery via `dns_history`\u002F`crtsh_search`\u002F`favicon_hash`, header-manipulation evasion, payload obfuscation, protocol-level bypass).\n\n## Screenshots\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd align=\"center\" width=\"50%\">\n\u003Cstrong>Project Launcher\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fproject-launcher.png\" alt=\"Project Launcher\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\" width=\"50%\">\n\u003Cstrong>Dashboard\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fdashboard.png\" alt=\"Dashboard\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd align=\"center\">\n\u003Cstrong>Intercepting Proxy\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fintercept-proxy.png\" alt=\"Intercept Proxy\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\">\n\u003Cstrong>Traffic History · Context Menu\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Ftraffic-context-menu.png\" alt=\"Traffic Context Menu\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd align=\"center\">\n\u003Cstrong>Repeater\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Frepeater.png\" alt=\"Repeater\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\">\n\u003Cstrong>Intruder · Sniper Mode\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fintruder.png\" alt=\"Intruder\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd align=\"center\">\n\u003Cstrong>Scanner\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fscanner.png\" alt=\"Scanner\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\">\n\u003Cstrong>Vulnerability Templates\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Ftemplates.png\" alt=\"Templates\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd align=\"center\">\n\u003Cstrong>Sitemap · Tree View\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fsitemap-tree.png\" alt=\"Sitemap Tree\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\">\n\u003Cstrong>Sitemap · Diagram View\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fsitemap-diagram.png\" alt=\"Sitemap Diagram\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd align=\"center\">\n\u003Cstrong>OSINT · DNS Records\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fosint-dns.png\" alt=\"OSINT DNS\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\">\n\u003Cstrong>Token Sequencer\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fsequencer.png\" alt=\"Sequencer\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd align=\"center\">\n\u003Cstrong>Decoder \u002F Codec Tools\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Ftools-decoder.png\" alt=\"Tools Decoder\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\">\n\u003Cstrong>Sitemap · Mixed Explore View\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fsitemap-mixed.png\" alt=\"Sitemap Mixed\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>Settings Panels\u003C\u002Fstrong> (click to expand)\u003C\u002Fsummary>\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd align=\"center\" width=\"50%\">\n\u003Cstrong>General · System Info\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fsettings-general.png\" alt=\"Settings General\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\" width=\"50%\">\n\u003Cstrong>MCP Server · IDE Integration\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fsettings-mcp.png\" alt=\"Settings MCP\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd align=\"center\">\n\u003Cstrong>Proxy Configuration\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fsettings-proxy.png\" alt=\"Settings Proxy\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\">\n\u003Cstrong>Appearance · Themes\u003C\u002Fstrong>\u003Cbr\u002F>\n\u003Cimg src=\"docs\u002Fscreenshots\u002Fsettings-appearance.png\" alt=\"Settings Appearance\" width=\"100%\" \u002F>\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n\u003C\u002Fdetails>\n\n## Architecture\n\n```mermaid\nflowchart TB\n pentester([\"Pentester\"])\n ai([\"AI Client\u003Cbr\u002F>\u003Csub>Claude · Cursor · Windsurf · VS Code · Antigravity\u003C\u002Fsub>\"])\n\n subgraph DT[\"WonderSuite Desktop · Tauri 2\"]\n direction TB\n\n FE[\"\u003Cb>React 19 Frontend\u003C\u002Fb>\u003Cbr\u002F>\u003Csub>22 modules · TypeScript · Vite · Zustand\u003C\u002Fsub>\"]\n\n FE \u003C==>|\"Tauri IPC\u003Cbr\u002F>~100 commands\"| BE\n\n subgraph BE[\"Rust Backend Engine\"]\n direction TB\n\n subgraph CORE[\" \"]\n direction LR\n Proxy[\"\u003Cb>MITM Proxy\u003C\u002Fb>\u003Cbr\u002F>\u003Csub>tokio · native-tls · dynamic CA\u003Cbr\u002F>+ Chrome 137 JA3\u002FJA4 + HTTP\u002F2\u003Cbr\u002F>upstream impersonation (BoringSSL)\u003C\u002Fsub>\"]\n Browser[\"\u003Cb>WonderBrowser\u003C\u002Fb>\u003Cbr\u002F>\u003Csub>Bundled Chrome-for-Testing 148\u003Cbr\u002F>Stealth extension · CDP capture\u003Cbr\u002F>Per-version SHA-256-verified cache\u003C\u002Fsub>\"]\n end\n\n subgraph TOOLS[\" \"]\n direction LR\n Scanner[\"\u003Cb>Scanner\u003C\u002Fb>\u003Cbr\u002F>\u003Csub>SQLi · XSS · SSTI · LFI\u003Cbr\u002F>CRLF · Open Redirect\u003Cbr\u002F>+ OAST blind cmdi\u002FSSRF\u002FLog4Shell\u003C\u002Fsub>\"]\n Intruder[\"\u003Cb>Intruder \u002F Fuzzer\u003C\u002Fb>\u003Cbr\u002F>\u003Csub>Sniper · Battering Ram\u003Cbr\u002F>Pitchfork · Cluster Bomb\u003Cbr\u002F>Auto payload-category inference\u003C\u002Fsub>\"]\n Crawler[\"\u003Cb>Crawler\u003C\u002Fb>\u003Cbr\u002F>\u003Csub>robots · sitemap · .well-known\u003Cbr\u002F>JS endpoint extraction · soft-404\u003C\u002Fsub>\"]\n OAST[\"\u003Cb>OAST Listener\u003C\u002Fb>\u003Cbr\u002F>\u003Csub>HTTP · DNS · SMTP\u003Cbr\u002F>Path-correlated callbacks\u003C\u002Fsub>\"]\n end\n\n MCP[\"\u003Cb>MCP Server\u003C\u002Fb>\u003Cbr\u002F>\u003Csub>Axum · JSON-RPC 2.0 · :3100\u003Cbr\u002F>\u003Cb>90 security tools\u003C\u002Fb>\u003Cbr\u002F>incl. 24 browser + 5 port-scan tools\u003C\u002Fsub>\"]\n\n Payloads[(\"Payload Arsenal\u003Cbr\u002F>\u003Csub>SecLists · PayloadsAllTheThings\u003Cbr\u002F>157k payloads\u003C\u002Fsub>\")]\n end\n end\n\n target[(\"Target Web Apps\u003Cbr\u002F>\u003Csub>HTTP\u002F1.1 · HTTP\u002F2 · WebSocket · mTLS\u003C\u002Fsub>\")]\n osint[\u002F\"OSINT Sources\u003Cbr\u002F>\u003Csub>crt.sh · RDAP · Wayback · ASN · HackerTarget\u003C\u002Fsub>\"\u002F]\n callbacks[\u002F\"Out-of-Band Callbacks\u003Cbr\u002F>\u003Csub>DNS · HTTP · SMTP\u003C\u002Fsub>\"\u002F]\n\n pentester ==> FE\n ai \u003C==>|\"HTTP \u002F JSON-RPC\"| MCP\n\n Proxy \u003C==>|\"intercept · TLS MITM\"| target\n Browser \u003C==>|\"CDP · network capture\"| target\n Scanner -.->|\"vulnerability probes\"| target\n Intruder -.->|\"payload waves\"| target\n OAST \u003C==>|\"out-of-band\"| callbacks\n MCP -.->|\"lookup\"| osint\n Scanner --- Payloads\n Intruder --- Payloads\n\n classDef person fill:#064e3b,stroke:#10b981,stroke-width:2px,color:#d1fae5\n classDef desktop fill:#0f172a,stroke:#1e40af,stroke-width:2px,color:#e0e7ff\n classDef frontend fill:#1e3a8a,stroke:#60a5fa,stroke-width:2px,color:#dbeafe\n classDef engine fill:#451a03,stroke:#fb923c,stroke-width:2px,color:#fed7aa\n classDef mcp fill:#3b0764,stroke:#a855f7,stroke-width:3px,color:#f3e8ff\n classDef payload fill:#1f2937,stroke:#94a3b8,stroke-width:1px,color:#e2e8f0\n classDef external fill:#1f2937,stroke:#94a3b8,stroke-width:1.5px,color:#e2e8f0\n classDef hidden fill:transparent,stroke:transparent\n\n class pentester,ai person\n class DT desktop\n class FE frontend\n class BE,Proxy,Browser,Scanner,Intruder,OAST engine\n class MCP mcp\n class Payloads payload\n class target,osint,callbacks external\n class CORE,TOOLS hidden\n```\n\n**How it flows.** The pentester drives the React UI; every action travels through Tauri IPC into the Rust engine. The MITM proxy MITM-decrypts the browser's TLS, then re-originates each upstream request through a BoringSSL stack tuned to Chrome 137's exact ClientHello + JA3\u002FJA4 + HTTP\u002F2 SETTINGS fingerprint — so Cloudflare\u002FAkamai\u002FDataDome\u002FPerimeterX see real Chrome. WonderBrowser is the bundled Chrome-for-Testing 148 with a stealth extension shipped in the install (no system Chrome dependency). Scanner and intruder probe the target, posting blind-vuln callbacks to the integrated OAST listener via path-correlated `callback_url`s. In parallel, any MCP-compatible AI client speaks JSON-RPC to the same 85-tool surface — including 24 pentest-grade browser tools that share state with the proxy via a stable request-ID space — so a human and an AI agent can investigate the same target with the exact same primitives.\n\n## Tech Stack\n\n| Component | Technology |\n|-----------|------------|\n| Backend | Rust 1.78+ |\n| Framework | Tauri 2.x |\n| Frontend | React 19, TypeScript, Vite, Zustand |\n| Proxy | tokio, native-tls, rsa\u002Fx509-cert (dynamic CA) |\n| TLS impersonation | `wreq` + `boring-sys2` (BoringSSL), `webpki-root-certs` (Mozilla CA bundle) — win+mac only, Linux fallback to native-tls |\n| Browser | Bundled Chrome-for-Testing 148.0.7778.97 (SHA-256-verified lazy download) + WonderSuite extension (MV3) |\n| Browser MCP | Persistent CDP WebSocket (tokio-tungstenite) with multiplexed request correlation + a11y-tree snapshot engine |\n| MCP | Axum HTTP server (JSON-RPC 2.0), dedicated thread\u002Fruntime |\n| HTTP Client | reqwest with TLS 1.3 |\n| OAST | Embedded axum HTTP listener + tokio UDP DNS server + raw-TCP SMTP listener, shared `INTERACTIONS` log |\n\n## Download\n\nPre-built, code-signed installers for all major platforms are published on every release. The Tauri updater also serves these binaries — running WonderSuite checks `latest.json` on startup and offers an in-app update when a new version is available.\n\n\u003Cdiv align=\"center\">\n\n| Platform | Installer | Notes |\n|---|---|---|\n| **Windows 10\u002F11 (x64)** | [`.msi`](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases\u002Flatest) · [`.exe` (NSIS)](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases\u002Flatest) | Bundles WinDivert 2.2.2 — one UAC consent on first SYN scan, none afterward |\n| **macOS (Apple Silicon)** | [`WonderSuite_*_aarch64.dmg`](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases\u002Flatest) | M1 \u002F M2 \u002F M3 \u002F M4 native |\n| **macOS (Intel)** | [`WonderSuite_*_x64.dmg`](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases\u002Flatest) | x86_64 native |\n| **Linux (x86_64)** | [`.AppImage`](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases\u002Flatest) · [`.deb`](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases\u002Flatest) · [`.rpm`](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases\u002Flatest) | Raw-socket SYN scan needs `CAP_NET_RAW` |\n\n**[📥 Latest release →](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases\u002Flatest)**  ·  **[All releases →](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Freleases)**  ·  **[Changelog →](CHANGELOG.md)**\n\n![Total downloads](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fdownloads\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Ftotal?style=for-the-badge&logo=github&color=orange&label=total%20downloads)\n![Latest release downloads](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fdownloads\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Flatest\u002Ftotal?style=for-the-badge&color=success&label=latest%20release)\n![Stars](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fstars\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty?style=for-the-badge&logo=github&color=yellow)\n\n\u003C\u002Fdiv>\n\nEvery artifact is reproducibly built in GitHub Actions and ships with a Tauri-updater signature (`.sig` next to each installer). Verify a download against the published Ed25519 public key in [`src-tauri\u002Ftauri.conf.json`](src-tauri\u002Ftauri.conf.json) (`plugins.updater.pubkey`).\n\n## Getting Started\n\n> Skip this section if you just want to run WonderSuite — grab a [pre-built installer](#download) above. The instructions below are for building from source.\n\n### Prerequisites\n\n- [Rust](https:\u002F\u002Frustup.rs\u002F) 1.78 or later\n- [Node.js](https:\u002F\u002Fnodejs.org\u002F) 18 or later\n- On **Windows**: Microsoft Visual Studio Build Tools (Desktop C++ workload) and WebView2 Runtime\n- On **Linux**: `webkit2gtk-4.1`, `libayatana-appindicator3-dev`, `librsvg2-dev`, `build-essential`\n- On **macOS**: Xcode Command Line Tools\n\n### Installation (from source)\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty.git\ncd WonderSuite-Ai-Bug-Bounty\nnpm install\n```\n\n### Development\n\n```bash\nnpm run tauri dev\n```\n\n### Production Build\n\n```bash\nnpm run tauri build\n```\n\nOutput is written to `src-tauri\u002Ftarget\u002Frelease\u002Fbundle\u002F` (`.msi`, `.exe`, `.dmg`, `.AppImage`, `.deb`, depending on platform).\n\nA helper `build-release.cmd` is provided for Windows developers (opens a visible console window, prints the artifact paths when done).\n\n### Connecting an AI Client to MCP\n\nThe MCP server auto-starts on `http:\u002F\u002F127.0.0.1:3100\u002Fmcp`. The **Settings → MCP Server** tab auto-detects supported IDEs (Cursor, Windsurf, VS Code, Antigravity, Gemini CLI, Void) and offers one-click install. Manual config snippet:\n\n```json\n{\n \"mcpServers\": {\n \"wondersuite\": {\n \"url\": \"http:\u002F\u002F127.0.0.1:3100\u002Fmcp\"\n }\n }\n}\n```\n\n### Skill File — Teach Your AI How to Use WonderSuite\n\nWonderSuite ships a project-level Claude skill that turns your AI client into a senior pentester instead of a tool-calling chatbot. The skill is at [`.claude\u002Fskills\u002Fwondersuite.md`](.claude\u002Fskills\u002Fwondersuite.md) and contains:\n\n- The pre-flight sequence (proxy check + recon basics) the AI should run on every new engagement\n- Workflows: recon→crawl→triage, manual browser testing, OAST blind-vuln hunt, JWT analysis, SQLi\u002FXSS hunting, race conditions, HTTP smuggling\n- A decision tree for `browser_open` vs `browser_attach` vs `browser_attach({auto_launch, use_real_profile})`\n- Tool-by-tool reference for all 91 MCP tools (parameters, when to use, killer-feature notes)\n- Error-code recovery table (`PROXY_DOWN`, `STALE_REF`, `CDP_LOST`, `PROFILE_LOCKED` …)\n- Anti-patterns and ask-vs-act guidance\n\n**Install into your own project (one-time):**\n\n```powershell\n# Windows PowerShell\nmkdir .claude\\skills -Force\niwr https:\u002F\u002Fraw.githubusercontent.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Fmain\u002F.claude\u002Fskills\u002Fwondersuite.md -OutFile .claude\\skills\\wondersuite.md\n```\n\n```bash\n# macOS \u002F Linux\nmkdir -p .claude\u002Fskills\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Fmain\u002F.claude\u002Fskills\u002Fwondersuite.md -o .claude\u002Fskills\u002Fwondersuite.md\n```\n\nOr clone the repo and copy the file:\n```bash\ncp WonderSuite-Ai-Bug-Bounty\u002F.claude\u002Fskills\u002Fwondersuite.md .claude\u002Fskills\u002F\n```\n\n**Use:** open a Claude Code \u002F compatible session in that directory. The skill auto-loads — its frontmatter tells Claude to apply it whenever the user says things like \"test this target\", \"scan\", \"pentest\", \"find vulnerabilities\", \"attach to my browser\". You can also force-invoke it with `\u002Fwondersuite`.\n\n**Keep it current:** the skill is versioned with the rest of the repo. After a release, re-run the install command above to pick up new tools \u002F workflow improvements.\n\n## Project Structure\n\n```\nwondersuite\u002F\n├── src\u002F # React frontend\n│ ├── components\u002F # Shared UI components\n│ ├── modules\u002F # Feature modules (dashboard, intercept,\n│ │ # traffic, repeater, intruder, scanner,\n│ │ # sitemap, discovery, osint, sequencer,\n│ │ # comparer, logger, templates, organizer,\n│ │ # agent, tools, findings, websocket,\n│ │ # oast, settings)\n│ └── stores\u002F # State management (zustand)\n├── src-tauri\u002F\n│ ├── resources\u002F\n│ │ ├── chromium_pin.json # Pinned CfT version + SHA-256\n│ │ └── wondersuite-extension\u002F # Bundled MV3 stealth extension\n│ └── src\u002F\n│ ├── mcp\u002F # MCP server engine\n│ │ ├── browser\u002F # Human-native browser MCP (23 tools, CDP-Input, top-frame cursor overlay)\n│ │ │ ├── session.rs # CDP WS lifecycle + event dispatch\n│ │ │ ├── snapshot.rs # a11y tree + ref=eN + forms + security\n│ │ │ ├── network.rs # request capture ring buffer\n│ │ │ └── handlers.rs # tool handlers\n│ │ ├── handlers\u002F # Other tool handlers (proxy, scanner, …)\n│ │ ├── router.rs # JSON-RPC dispatcher\n│ │ └── mod.rs # Tool definitions (90 tools)\n│ ├── proxy\u002F # MITM proxy engine\n│ │ ├── engine.rs # Core proxy logic + impersonate branch\n│ │ ├── ca.rs # Certificate authority\n│ │ └── state.rs # Traffic storage\n│ ├── chromium\u002F # Bundled Chromium download\u002Fverify\u002Fextract\u002FGC\n│ ├── crawler\u002F # Robots\u002Fsitemap\u002Fwell-known\u002FJS-endpoint crawler\n│ ├── oast.rs # Shared HTTP\u002FDNS\u002FSMTP listeners + INTERACTIONS\n│ ├── tls_impersonate.rs # wreq + BoringSSL Chrome-137 emulation (win+mac)\n│ ├── browser.rs # Browser process launcher + CDP helpers\n│ └── lib.rs # Tauri application entry\n├── docs\u002Fscreenshots\u002F # README assets\n└── .github\u002Fworkflows\u002Frelease.yml # Cross-platform CI release\n```\n\n## Responsible Use\n\nWonderSuite is intended for **authorized security testing**, defensive research, and educational use. Only test systems you own or have explicit written permission to assess. The authors and contributors are not responsible for misuse.\n\n## Contributing\n\n**Contributions are welcome and very much appreciated.** WonderSuite is open source under the MIT License and we'd love your help to make it better.\n\nWhether you want to:\n\n- **Fix a bug** — open a [Pull Request](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Fpulls) (small fixes don't need an issue first)\n- **Propose a new feature** — open an [Issue](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Fissues) to discuss the design before sending a PR\n- **Report a bug** — open an [Issue](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Fissues) with reproduction steps, expected vs. actual behavior, and your OS\u002Fversion\n- **Add a new MCP tool** — see `src-tauri\u002Fsrc\u002Fmcp\u002Fhandlers\u002F` for examples, and register the tool in `src-tauri\u002Fsrc\u002Fmcp\u002Fmod.rs::tool_definitions()`\n- **Improve documentation, screenshots, or examples** — PRs go straight in\n- **Share an idea** — open a [Discussion](https:\u002F\u002Fgithub.com\u002Fsfr-development\u002FWonderSuite-Ai-Bug-Bounty\u002Fdiscussions) (or an Issue if discussions are off)\n\nThere's no CLA. By contributing, you agree that your contributions will be licensed under the project's MIT License.\n\nPlease run `npm run tauri build` locally before submitting a PR to make sure it still builds across the full pipeline. If you touch the Rust side, `cargo check --manifest-path src-tauri\u002FCargo.toml` is a quick sanity check.\n\n### Copyright\n\nThe WonderSuite name and the original codebase are © SFR Development (\u003Chttps:\u002F\u002Fsfr-development.de>). The project is licensed under the [MIT License](LICENSE) — you may use, modify, fork, and redistribute it under those terms. Contributions remain copyrighted by their respective authors but are licensed to the project (and downstream users) under the same MIT terms.\n\n## Star History.\n\n[![Star History Chart](https:\u002F\u002Fapi.star-history.com\u002Fsvg?repos=sfr-development\u002FWonderSuite-Ai-Bug-Bounty&type=Date)](https:\u002F\u002Fwww.star-history.com\u002F#sfr-development\u002FWonderSuite-Ai-Bug-Bounty&Date)\n\n## License\n\nReleased under the [MIT License](LICENSE) © 2026 SFR Development.\n\n---\n\n\u003Cdiv align=\"center\">\n\u003Csub>Built with Rust, Tauri, and React · Made by \u003Ca href=\"https:\u002F\u002Fsfr-development.de\">SFR Development\u003C\u002Fa>\u003C\u002Fsub>\n\u003C\u002Fdiv>\n","WonderSuite-Ai-Bug-Bounty 是一个基于AI的进攻性安全研究引擎,提供了一个桌面原生的安全测试平台。该项目集成了90多种工具、MITM代理、隐身浏览器和自主AI代理,并通过Model Context Protocol (MCP) 实现了AI驱动的漏洞研究功能。它使用Rust和Tauri构建,前端采用React开发,确保了高性能和良好的用户体验。适用于需要进行渗透测试、漏洞扫描以及安全评估的专业场景。","2026-06-11 04:06:50","CREATED_QUERY"]