
Pynzor

8 devlogs
24h 16m 35s

An open-source Python CLI I built - scan ports, fuzz directories, hunt headers, and probe for vulns, all from one tool. No setup headaches, just point it at a target and go.


yal212yal

Got some feedback from the voting system and implemented the following modifications:
1: fuzzer baseline detection (modules/fuzzer.py, tests/test_fuzzer.py)
2: subdomain wildcard detection (modules/subdomain.py, new tests/test_subdomain.py)
Added pipx install instructions and per-command sample output in the README. Added new CLI flags: --no-baseline, --include-wildcard. pyproject.toml bumped.

yal212yal

Completed the XSS and SQLi scanning modules. On XSS, the big find was that 18 of 20 payloads — everything that wasn’t a tag — were being silently dropped even when reflected verbatim in the response, so we fixed the detection logic, split the reflection check into raw vs. encoded helpers, added 6 context-aware payloads for attribute injection and JS string breakout, and wired up POST form scanning so the scanner actually finds input fields on the page instead of only testing URL params. On SQLi, the blind detection was completely fabricated — it was checking whether the word SLEEP appeared in the payload string and calling that a finding, which means it was flagging every time-based payload on every 200 response regardless of what the server did. We replaced it with real time-based detection (measures actual response latency against a 4-second threshold) and boolean-based detection (compares true/false condition responses by body length), expanded the error signature list from 17 to 31 entries covering MySQL, MSSQL, PostgreSQL, SQLite, and Oracle, and added POST form scanning there too. 24 new tests across both modules, all 43 green, shipped as v1.0.6.

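The two blind-SQLi checks described in this entry, as an added illustration that is not Pynzor's own sqli.py: boolean-based detection compares body lengths of a TRUE and a FALSE condition against the baseline, and time-based detection compares measured latency against the 4-second threshold rather than looking for the word SLEEP in the payload. The fetch signature and the two fake endpoints are constructed stand-ins; no network is used and no real sleeping happens.

```python
from dataclasses import dataclass
from typing import Callable, Optional

TIME_THRESHOLD = 4.0   # seconds, the threshold named in the devlog
Fetch = Callable[[str], tuple[str, float]]   # value -> (response body, elapsed seconds); assumed signature

@dataclass
class SQLiFinding:
    technique: str
    payload: str
    evidence: str

def detect_boolean_based(fetch: Fetch, base: str, min_delta: int = 50) -> Optional[SQLiFinding]:
    """A TRUE condition should reproduce the baseline page; a FALSE one should change it."""
    true_p, false_p = f"{base}' AND 1=1-- ", f"{base}' AND 1=2-- "
    baseline, _ = fetch(base)
    t_body, _ = fetch(true_p)
    f_body, _ = fetch(false_p)
    if abs(len(t_body) - len(baseline)) < min_delta and abs(len(t_body) - len(f_body)) >= min_delta:
        return SQLiFinding("boolean", false_p, f"len(true)={len(t_body)} len(false)={len(f_body)}")
    return None

def detect_time_based(fetch: Fetch, base: str, delay: int = 5) -> Optional[SQLiFinding]:
    """Finding only if the server really stalled, not because 'SLEEP' is in the payload string."""
    payload = f"{base}' AND SLEEP({delay})-- "
    _, base_t = fetch(base)
    _, elapsed = fetch(payload)
    if elapsed - base_t >= TIME_THRESHOLD:
        return SQLiFinding("time", payload, f"latency {elapsed:.1f}s vs baseline {base_t:.1f}s")
    return None

def naive_time_check(payload: str, status: int) -> bool:
    """The bug the devlog describes: flags every 200 response that carries a SLEEP payload."""
    return "SLEEP" in payload and status == 200

# Constructed stand-ins for HTTP requests. Latency is simulated, not slept.
def fake_vulnerable_fetch(value: str) -> tuple[str, float]:
    body, elapsed = "<h1>Item</h1>" + "x" * 400, 0.2      # normal product page
    if "1=2" in value:
        body = "<h1>No results</h1>"                        # injected FALSE condition hides the row
    if "SLEEP(" in value:
        elapsed += 5.0                                      # the database actually paused
    return body, elapsed

def fake_safe_fetch(value: str) -> tuple[str, float]:
    return "<h1>No results</h1>", 0.2   # parameterized query: the payload is just data
```

Against the safe endpoint both checks return None while the naive string check still fires, which is exactly the false-positive pattern the entry describes.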
yal212yal

Got a message from a judge saying the video demo couldn’t be accepted, so I had to make it work this time. Since Pynzor is a Python CLI and I’m on macOS, the approach was to use PyInstaller to bundle everything into a standalone binary and let GitHub Actions build it on the right runners. Before writing anything, I dug into how the app loads its data files. Config is loaded in cli/commands.py using Path(__file__).parent.parent - fine for a frozen exe. But the wordlist paths inside config.yaml are plain relative strings, which Python resolves against CWD at runtime, not the bundle root. Fixed it by resolving all relative wordlist paths against the config file’s own directory at load time in load_config().

After that, wrote the PyInstaller spec file. Declared the three data bundles - wordlists/, output/templates/, and config.yaml - and listed hidden imports that PyInstaller won’t catch on its own: the dns stack, lxml, bs4, jinja2, and a few others. Set it to --onefile and console mode.

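The CWD-versus-bundle-root problem from this entry, reproduced and fixed in an added example (not Pynzor's load_config()): relative wordlist paths are anchored to the config file's directory, and bundle_root() shows the PyInstaller-aware lookup. The 'wordlists' mapping is an assumed config layout, and demo() builds a throwaway directory tree to show the difference.

```python
import os
import sys
import tempfile
from pathlib import Path

def bundle_root() -> Path:
    """Where the data files live: PyInstaller's extraction dir (sys._MEIPASS) when frozen,
    otherwise the project root, two levels up from this file as cli/commands.py does."""
    if getattr(sys, "frozen", False) and hasattr(sys, "_MEIPASS"):
        return Path(sys._MEIPASS)
    return Path(__file__).resolve().parent.parent

def resolve_config_paths(config: dict, config_dir) -> dict:
    """Anchor relative wordlist paths to the config file's directory, not the caller's CWD.
    The 'wordlists' key is an assumed layout, not Pynzor's actual config schema."""
    config_dir = Path(config_dir)
    resolved = dict(config)
    wordlists = {}
    for name, raw in config.get("wordlists", {}).items():
        p = Path(raw).expanduser()
        wordlists[name] = str(p if p.is_absolute() else config_dir / p)   # absolute paths untouched
    resolved["wordlists"] = wordlists
    return resolved

def demo() -> tuple:
    """Constructed scenario: the binary is launched from the user's home dir while the
    config and wordlists live elsewhere. Returns (naive_lookup_found, fixed_lookup_found)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pynzor"
        (root / "wordlists").mkdir(parents=True)
        (root / "wordlists" / "dirs.txt").write_text("admin\nlogin\n")
        home = Path(tmp) / "home"
        home.mkdir()
        config = {"wordlists": {"dirs": "wordlists/dirs.txt"}}   # plain relative string, as in config.yaml
        old_cwd = os.getcwd()
        os.chdir(home)
        try:
            naive = Path(config["wordlists"]["dirs"]).exists()                    # resolved against CWD
            fixed = Path(resolve_config_paths(config, root)["wordlists"]["dirs"]).exists()
        finally:
            os.chdir(old_cwd)
    return naive, fixed
```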
yal212yal

Shipped this project!

Hours: 11.0
Cookies: 🍪 145
Multiplier: 13.18 cookies/hr

Finally, after long coding sessions and burnout, I’m ready to ship my project!!!

yal212yal

Released v1.0.0

Shipped the first public release of Pynzor today.

Pre-release cleanup: committed outstanding module updates (fuzzer, headers, sqli, subdomain, cli/commands) alongside four new test files (test_fuzzer, test_headers, test_reporter, test_sqli). 241 lines of additions across 9 files.

Pushed to main, tagged v1.0.0, and published the GitHub release. Project is now public with a full feature set: port scanning, directory fuzzing, header analysis, SQLi/XSS probing, subdomain enumeration, JSON/HTML reporting, async HTTP via httpx, and a pytest suite.

yal212yal

XSS false positives. Every XSS scan was lying. _test_payload() in xss.py had a fallback at the end of its detection logic that returned a vulnerability whenever a payload was reflected — even if the reflection was HTML-encoded and completely harmless. So &lt;script&gt; in a response body was being reported as XSS. Removed the fallback entirely. Now a reflected payload only becomes a finding if it lands in an executable context: inside a tag, as a raw unencoded <script string, or alongside a known DOM sink. Anything else is None.

yal212yal

_test_payload() had four branches for classifying a detected XSS. The first three were correct: script tag context, unencoded <script in the response body, DOM sink patterns. The fourth was the fallback: if the payload appeared in the response but matched none of the above, it returned an XSSVulnerability with type="reflected" and evidence="Payload reflected". This fired on HTML-encoded reflections where the payload cannot execute — e.g., &lt;script&gt; in the response body. Every scan against a target that encoded output correctly was producing false positives.

Removed the fallback return XSSVulnerability(...) block entirely. Replaced with return None. Now a reflected payload only becomes a finding if it lands in a script tag context, unencoded in the body alongside the raw <script marker, or alongside a known DOM sink.

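The three surviving branches from these two entries, with the fallback gone, as an added example rather than Pynzor's actual _test_payload(): raw and encoded reflection are split into separate helpers, and a raw reflection is only a finding in script-tag context, when it introduces an unencoded <script, or when it sits near a DOM sink. DOM_SINKS and SAMPLES are constructed for the example.

```python
import html
import re
from dataclasses import dataclass
from typing import Optional

DOM_SINKS = ("innerHTML", "document.write(", "eval(", "location.hash")   # constructed, partial list

@dataclass
class XSSVulnerability:
    type: str
    payload: str
    evidence: str

def reflected_raw(payload: str, body: str) -> bool:
    """The payload comes back byte-for-byte: the server did not encode it."""
    return payload in body

def reflected_encoded(payload: str, body: str) -> bool:
    """The payload comes back only HTML-escaped (&lt;script&gt;): the browser renders text, nothing runs."""
    escaped = html.escape(payload, quote=True)
    return escaped != payload and escaped in body and payload not in body

def classify(payload: str, body: str) -> Optional[XSSVulnerability]:
    """Return a finding only when a raw reflection lands in an executable context."""
    if not reflected_raw(payload, body):
        return None                      # encoded or absent: this is where the old fallback fired
    # 1. Raw payload sits inside an existing <script> block (JS string breakout territory).
    for m in re.finditer(r"<script\b[^>]*>(.*?)</script>", body, re.S | re.I):
        if payload in m.group(1):
            return XSSVulnerability("reflected", payload, "inside script tag context")
    # 2. The payload itself introduces an unencoded <script tag into the body.
    if "<script" in payload.lower():
        return XSSVulnerability("reflected", payload, "unencoded <script in body")
    # 3. Reflected within a short distance of a known DOM sink.
    idx = body.find(payload)
    window = body[max(0, idx - 200): idx + len(payload) + 200]
    if any(sink in window for sink in DOM_SINKS):
        return XSSVulnerability("dom", payload, "reflected alongside DOM sink")
    return None                          # raw, but in a plain text node: not a finding

# Constructed responses from a search page that echoes the query back; no network needed.
SAMPLES = {
    "encoded": "<p>You searched for &lt;script&gt;alert(1)&lt;/script&gt;</p>",
    "raw":     "<p>You searched for <script>alert(1)</script></p>",
    "js":      "<script>var q = \"alert(1)\";</script>",
    "text":    "<p>alert(1)</p>",
}
```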
yal212yal

Implemented an asynchronous port scanning module using asyncio to perform concurrent TCP connection checks against a predefined set of common ports. A semaphore-based concurrency limiter was used to control connection volume, and results are returned via a structured PortResult dataclass containing port state classification (open, closed, filtered) and measured latency.

Built an async directory fuzzing component with wordlist-driven path discovery and configurable HTTP status filtering. The module supports concurrent request execution with a semaphore to manage load, and includes fixes to internal imports to correctly reference modules.fuzz. Future improvements include adding recursive traversal capabilities for deeper endpoint discovery.

Developed an asynchronous security header analysis routine that evaluates HTTP responses against a set of key security headers, assigning a weighted risk score based on missing or misconfigured protections. The scoring system maps results to an A–F grading scale. The implementation was refactored from synchronous to asynchronous execution to resolve asyncio event loop conflicts, with planned enhancements for actionable remediation output.

Implemented an SQL injection probing module that tests a set of canonical injection payloads against input vectors and detects database error signatures in responses. The module reports vulnerability status along with the payload that triggered the behavior. Future work includes extending detection to support time-based blind SQL injection techniques.

Created an XSS detection module that evaluates reflected and stored cross-site scripting vulnerabilities by injecting common script payloads and inspecting server responses for reflection. It returns a boolean vulnerability indicator along with the effective payload when detected. Planned improvements include support for DOM-based XSS analysis.

Built a subdomain enumeration tool that performs DNS-based discovery using wordlist expansion combined with A and CNAME record resolution, optionally validating discovered hosts via HTTP requests. A formatting bug was corrected by switching from dictionary-style access to dataclass attribute handling, improving internal consistency and stability.

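The port scanner design from the first paragraph above, written out as an added example that is not Pynzor's own module: asyncio connections gated by a semaphore, a PortResult dataclass with open/closed/filtered plus latency, and a state classification driven by which exception the connect attempt raises. COMMON_PORTS is a constructed sample list, and demo_local() checks the logic against loopback only.

```python
import asyncio
import socket
import time
from dataclasses import dataclass

COMMON_PORTS = (21, 22, 25, 53, 80, 110, 143, 443, 3306, 3389, 8080)   # constructed sample list

@dataclass
class PortResult:
    port: int
    state: str          # "open" | "closed" | "filtered"
    latency_ms: float

async def probe(host: str, port: int, sem: asyncio.Semaphore, timeout: float) -> PortResult:
    async with sem:                       # the semaphore caps in-flight connections
        start = time.perf_counter()
        try:
            _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
            writer.close()
            await writer.wait_closed()
            state = "open"                # handshake completed: something is listening
        except asyncio.TimeoutError:
            state = "filtered"            # no answer at all: typically a firewall dropping SYNs
        except OSError:
            state = "closed"              # RST (ConnectionRefusedError) or host unreachable
        return PortResult(port, state, (time.perf_counter() - start) * 1000)

async def scan(host: str, ports=COMMON_PORTS, concurrency: int = 100, timeout: float = 1.0):
    sem = asyncio.Semaphore(concurrency)
    return await asyncio.gather(*(probe(host, p, sem, timeout) for p in ports))

def scan_sync(host: str, ports=COMMON_PORTS, **kw) -> list:
    return asyncio.run(scan(host, ports, **kw))

def demo_local() -> tuple:
    """Constructed check against loopback: one listening socket and one port known to be closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))            # bind only to learn a free port, then release it
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        results = scan_sync("127.0.0.1", (open_port, closed_port))
    finally:
        srv.close()
    return tuple(r.state for r in results)   # gather() preserves input order
```

The timeout branch is what separates "filtered" from "closed": a closed port answers with a RST almost immediately, whereas a dropped SYN produces nothing until the timeout expires.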
yal212yal

Set up the initial CLI structure for Pynzor with a clean entry point and a modular command layer. Now main.py runs with a cool title banner.


Comments

yal212yal
yal212yal about 1 month ago

still a lot to work on, but keep grinding!