20 scanner modules. SQL exploitation engine. AI-powered fuzzing. Prerequisite chain automation. Custom OOB server. One JAR.
Download · Modules · OmniMap · AI Scanning · Stepper · Custom OOB · Build
Most Burp extensions do one thing. You end up with 15 extensions loaded, fighting for threads, duplicating requests, and missing the gaps between them.
OmniStrike replaces that entire stack with a single extension — 16 active scanners, 4 passive analyzers, an AI fuzzer, a SQL exploitation engine, a prerequisite request chain (Stepper), and a built-in OOB callback server. Everything shares one thread pool, one deduplication store, one findings database, and one Collaborator pipeline.
Drop one JAR. Get everything.
1. Download omnistrike.jar from Releases
2. Burp Suite → Extensions → Add → Java → select omnistrike.jar
3. Set target scope → click Start → browse normally
4. Or right-click any request → Send to OmniStrike
| Module | Highlights |
|---|---|
| SQLi Detector | Auth bypass, error-based, UNION, time-based blind (3-step verification), boolean-blind (2-round), 64 OOB payloads. ~375 payloads/param across 10 database engines. |
| OmniMap Exploiter | Post-detection SQL exploitation engine — sqlmap-equivalent. 4 techniques (UNION, Error, Boolean blind, Time blind), 5 DBMS dialects, auto boundary/DBMS detection, parallel extraction, WAF bypass tamper engine. Details below. |
| XSS Scanner | 6 reflection contexts, smart filter probing, adaptive evasion, DOM XSS flow analysis, CSTI, framework-specific payloads (Angular/Vue/React/jQuery), blind XSS via Collaborator. |
| SSRF Scanner | Collaborator OOB, cloud metadata with multi-marker validation (AWS/Azure/GCP/Oracle), DNS rebinding, 49 localhost bypasses, 31 protocol smuggling payloads. |
| SSTI Scanner | 20 template engines, large-number canaries, template syntax consumption verification, 32 OOB payloads. |
| Command Injection | 3-step time-based, structural regex output matching, 140 payloads/param (Unix + Windows), $IFS/%0a/backtick/double-encoding bypasses. |
| XXE Scanner | 4-phase: XML body, XInclude, JSON→XML, Content-Type forcing. UTF-16 bypass, SAML detection, 14 OOB payloads. |
| Deserialization | 6 languages, 137+ gadget chains, passive fingerprinting, OOB-first detection, blind spray mode. Details below. |
| WebSocket Scanner | Passive frame analysis + OOB-first active fuzzing across 8 injection categories. Details below. |
| GraphQL Tool | 7-phase: introspection (4 bypasses), schema analysis, injection (SQLi/NoSQLi/CMDi/SSTI/traversal), IDOR, DoS config, HTTP-level, error disclosure. |
| CORS Misconfiguration | Reflected origin, null trust, subdomain trust, scheme downgrade, wildcard+credentials, preflight bypass. |
| Cache Poisoning | 30 unkeyed header vectors, 29 unkeyed query params, cacheability analysis, poison confirmation. |
| Host Header Injection | Password reset poisoning via Collaborator, routing SSRF, duplicate Host, override headers. |
| HTTP Param Pollution | Duplicate param precedence, privilege escalation patterns, WAF bypass via splitting. |
| Prototype Pollution | Server-side __proto__/constructor.prototype with canary persistence verification, behavioral gadgets. |
| Path Traversal / LFI | 24 Unix / 9 Windows targets with structural content validation, 26 encoding bypasses, PHP wrappers (filter/data/iconv). |
CSRF Manipulator — right-click only module with 11 token manipulation tests (remove, empty, random, truncated, char flip, case swap, static fake, nonce reuse, Referer/Origin removal, token relocation, method change).
| Module | Highlights |
|---|---|
| Client-Side Analyzer | DOM XSS source-to-sink, prototype pollution, hardcoded secrets with entropy validation, postMessage, open redirects, endpoint extraction. Auto-skips minified libraries. |
| Hidden Endpoint Finder | Extracts API endpoints and paths from JS/HTML/JSON via 13+ regex patterns. |
| Subdomain Collector | Discovers subdomains from CSP, CORS, redirects, and response bodies. |
| Security Header Analyzer | HSTS, CSP, CORS, cookie flags, X-Frame-Options, Referrer-Policy, server version disclosure. Consolidated findings per host. JWT-in-Cookie detection. |
Post-detection SQL injection exploitation engine — extracts databases, tables, columns, and data from confirmed injection points. All payloads sourced from sqlmap.
| Technique | Speed | Method |
|---|---|---|
| UNION | Fastest | Full row per request. NEGATIVE WHERE mode, DBMS-aware hex markers. |
| Error-based | Fast | Data inside DBMS error messages. MySQL (EXTRACTVALUE, UPDATEXML, FLOOR, etc), PostgreSQL (CAST), MSSQL (IN/CONVERT), Oracle (XMLType, UTL_INADDR). Inference fallback. |
| Boolean blind | Medium | Bisection via true/false page comparison. Parallel multi-threaded extraction. Adaptive tiers (a-z > 0-9 > full ASCII). |
| Time-based blind | Slowest | DBMS-agnostic — tries ALL 5 DBMS sleep functions. Zero-sleep validation + consistency checks. |
Capabilities: 5 DBMS dialects (MySQL, PostgreSQL, MSSQL, Oracle, SQLite) · Auto boundary detection · 3-strategy DBMS fingerprinting · Level/Risk system · WAF bypass (9 tamper transforms) · Database tree view · CSV export
6 languages, 137+ gadget chains, OOB-first Collaborator detection, blind spray mode.
| Language | Chains | Highlights |
|---|---|---|
| Java | 34 | Full ysoserial coverage (CommonsCollections 1-7, Spring, Hibernate, Groovy, C3P0, ROME, etc) |
| .NET | 32 × 9 | Gadget + Formatter dropdowns (ysoserial.net-style) |
| PHP | 47 | phpggc port — Laravel, Symfony, Monolog, Guzzle, WordPress, Doctrine, CodeIgniter4, ThinkPHP |
| Python | 26 | Pickle protocol 0/2/4, PyYAML, jsonpickle |
| Ruby | 13 | Marshal binary encoding, Rails ActiveSupport, Oj library |
| Node.js | 17 | node-serialize, js-yaml, cryo, funcster, prototype pollution |
Payload Generator — standalone tool (replaces ysoserial/ysoserial.net/phpggc). 4 output encodings, terminal-style preview, one-click copy.
| Category | Detection Strategy | Confidence |
|---|---|---|
| CSWSH | Binary accept/reject origin validation | CERTAIN |
| SQL Injection | OOB (xp_dirtree, extractvalue) → Error-based fallback | CERTAIN / FIRM |
| Command Injection | OOB (nslookup, curl) → Time-based (3x statistical, >=4s delta) | CERTAIN / FIRM |
| SSRF | Collaborator URLs in URL params | CERTAIN |
| SSTI | Multi-engine OOB → Math eval ({{7*7}}→49) | CERTAIN / FIRM |
| XSS | OOB (img onerror fetch) → Canary reflection | CERTAIN / FIRM |
| IDOR | ID substitution + response diff | TENTATIVE |
| AuthZ Bypass | Auth vs unauth response comparison | FIRM |
Right-click any request to trigger AI analysis. Never auto-fires — zero wasted tokens.
Capabilities: Smart fuzzing · WAF fingerprinting + bypass · Adaptive multi-round scanning (up to 5 rounds with full response feedback) · Cross-file batch analysis · Payload learning from confirmed findings · Collaborator data exfiltration · Fuzz history (remembers every payload per URL/param/vuln type) · Multi-step exploitation
| Provider | Models |
|---|---|
| Anthropic | claude-opus-4-6, claude-sonnet-4-6, claude-haiku-4-5-20251001 |
| OpenAI | gpt-5.2, gpt-4o, o3-mini |
| gemini-3.1-pro, gemini-3-flash-preview, gemini-2.5-flash |
Also supports CLI tools: Claude Code, Gemini CLI, Codex CLI, OpenCode CLI.
API keys stored in memory only — never persisted to disk.
Multi-step web flows (login → CSRF token → session refresh → form load) produce single-use tokens that expire immediately. Testing the final request requires replaying the entire chain first.
Stepper automates this. Send each prerequisite request to Stepper, define extraction rules (regex, header, cookie, JSON path), and every outgoing HTTP request — Repeater, Intruder, OmniStrike active scans — automatically triggers the full chain first, extracting fresh tokens and patching them into the outgoing request.
- Automatic cookie jar — captures all
Set-Cookieheaders from chain responses and injects them into subsequent requests - Variable substitution — use
{{variable_name}}placeholders in any request header or body - 4 extraction types — Body Regex, Header, Cookie, JSON Path
- Token cache with TTL — prevents redundant chain re-runs during high-throughput active scanning
- Recursion-safe — Stepper's own prerequisite requests don't re-trigger the chain
- Serialized execution — concurrent requests share one chain run, then all use cached results
Built-in Out-of-Band callback server — no Burp Professional required, no internet required. Works on air-gapped intranets.
- HTTP listener — catches
http://<your-ip>:<port>/<payload-id>callbacks - DNS listener — catches DNS queries where the first subdomain label is the payload ID
- Transparent — all 20 modules automatically use Custom OOB when enabled (same
CollaboratorManagerAPI as Burp Collaborator) - AI Analyzer included — AI-generated OOB payloads route through the custom listener too
Configure via the OmniStrike tab: select network interface, set HTTP port + DNS port, click Start.
| Feature | Description |
|---|---|
| Scope filtering | Only scans in-scope hosts — never touches third-party traffic |
| Static resource skip | Active scanners skip .js, .css, .png, etc. — passive analyzers still run |
| Cross-module dedup | Normalized URL deduplication prevents redundant findings |
| Session Keep-Alive | Right-click login request → Set as Session Login Request. Auto-replays periodically. |
| 29 UI themes | CyberPunk, Dracula, Monokai, Nord, Solarized, and more |
| Request/Response highlighting | All modules annotate findings with byte-range markers in Burp Dashboard |
| OOB-first strategy | Collaborator/Custom OOB payloads fire before time-based; if OOB confirms, remaining phases skipped |
| 3-step timing verification | Baseline → true delay → false must NOT delay |
| Smart filter probing | Probes which characters survive filtering, then sends only viable payloads |
| Burp Dashboard integration | Findings appear as native scan issues in the Dashboard task box |
OmniStrike is built around zero false positives. Every finding requires structural proof — not just response differences.
- OOB-first — Collaborator/Custom OOB payloads fire before anything else. If OOB confirms, skip everything else.
- Multi-step verification — Time-based uses 3-step validation. Boolean-blind uses 2-round confirmation. Error-based requires regex-validated error strings.
- Smart payload selection — Probes which characters survive WAF/filtering, then generates only viable payloads. No shotgun approach.
- Structural evidence — Every finding includes the request, response, matched pattern, and byte-range highlighting. No guesswork.
git clone https://github.com/worldtreeboy/OmniStrike.git
cd OmniStrike
./gradlew shadowJar
# → build/libs/omnistrike.jarRequires JDK 17+. Dependencies: montoya-api 2026.2, gson 2.11.0.
- Fork and create a feature branch
./gradlew shadowJarmust compile cleanly- Test against DVWA, Juice Shop, or PortSwigger Academy
- Open a PR
GitHub Issues for bugs and feature requests.
v1.37 (2026-03-03) — Stepper, Custom OOB DNS
- Stepper — Prerequisite Request Chain: New framework tool. Automates multi-step authentication flows by replaying prerequisite requests before every outgoing HTTP request. Automatic cookie jar, 4 extraction types (Body Regex, Header, Cookie, JSON Path), variable substitution with
{{placeholders}}, token cache with TTL, recursion-safe, serialized execution with lock. - Custom OOB DNS Listener: Self-hosted DNS server (UDP DatagramSocket) alongside existing HTTP listener. Parses RFC 1035 DNS queries, extracts payload ID from first subdomain label, responds with A record. DNS failure is non-fatal — HTTP still works.
- CustomOobInteraction: Now supports
InteractionType.DNS(was hardcoded to HTTP). - UI: DNS port field added to Custom OOB configuration. Preview shows both HTTP and DNS payload formats.
v1.36 (2026-03-02) — CSRF Manipulator
- CSRF Manipulator: 11 token manipulation tests with baseline comparison. Auto-detects CSRF tokens via wildcard patterns. Skips Bearer-only endpoints.
- Security Header Analyzer: Consolidated findings per host. JWT-in-Cookie detection.
v1.35 (2026-02-28) — OmniMap 4 techniques
- OmniMap: UNION, Error-based, Boolean blind, Time-based blind extraction. 5 DBMS dialects. DBMS re-detection. Inference fallback.
v1.34 (2026-02-27) — OmniMap Exploiter
- Initial OmniMap release — boolean blind extraction, 5 DBMS dialects, auto boundary detection, parallel extraction, WAF bypass tamper engine.
v1.33 (2026-02-27) — WebSocket Scanner
- Passive frame analysis + OOB-first active fuzzing across 8 injection categories.
v1.30 (2026-02-27) — Deserialization expansion
- 137+ chains (47 PHP, 26 Python, 17 Node.js, 13 Ruby). PHP function dropdown. Encoding-aware preview.
OmniStrike is for authorized penetration testing and security research only. Use exclusively against systems you have written permission to test.