Autonomous 5-phase web application security scanner developed by DigitalSecurity1. DS1 Hunter discovers endpoints, maps attack chains across vulnerabilities, and generates safe exploit proofs so findings are evidence-backed and defensible in any report.
From a quick polite recon to a full-saturation assault. Every depth is a tuned preset: rate, concurrency, wordlist size, and payload budget. Not just a slider.
Standard scanners blast the same payload library at every target: Django apps get PHP injections, Nginx gets Apache-specific exploits. Think Mode eliminates that noise. It fingerprints the target first, then selects and generates payloads that actually apply.
```bash
# Enable Think Mode (requires deep or aggressive)
ds1hunter https://target.com --depth deep --think

# Aggressive + Think + WAF bypass: maximum coverage
ds1hunter https://target.com --depth aggressive --think --waf-bypass
```
DS1 Hunter builds a complete picture of the target across 5 linked phases before generating a final risk-scored report. No one-shot scans.
Built for bug bounty hunters and pentesters. No cloud subscription, no per-target fees, no paywalled payloads.
Most commercial scanners fire a fixed payload library at every target regardless of stack. DS1 Hunter thinks before it shoots.
| Capability | Traditional Scanners | DS1 Hunter |
|---|---|---|
| Payload approach | Fixed library, same for every target | 🧠 Think Mode · tech-aware, runtime-generated |
| Scan depth control | Usually one-size-fits-all | ✓ Normal / Deep / Aggressive presets |
| Out-of-band (OAST) | External cloud service or not included | ✓ Built-in OAST server, no external dependency |
| WAF bypass | Basic evasion only | ✓ WAF profiling + origin-IP bypass |
| Attack chain mapping | Individual findings, no chaining | ✓ 5-phase chain mapping, scored paths |
| Intercepting proxy | Separate tool required | ✓ Integrated: Repeater, Intruder, Decoder |
| AI / LLM testing | ✗ Not included | ✓ Dedicated AI/LLM module |
| Mobile testing | ✗ Not included | ✓ Dedicated mobile module |
| Binary exploitation | ✗ Web-only | ✓ Buffer, stack, heap, memory corruption |
| Deployment | Cloud / SaaS subscription | ✓ 100% self-hosted, your data stays local |
| Price | $449 – $999+/year | ✓ Free · Community Edition, no limits |
Dedicated professional tools for specialized testing. All included in the free community edition.
The main 5-phase autonomous security scanner. Runs endpoint discovery, authorization analysis, attack chain mapping, business logic testing, and exploit proof generation in one automated pipeline.
Maps the full attack surface before any scanning begins. Six dedicated tools covering passive and active reconnaissance.
Active discovery tools that probe the target for hidden endpoints, undocumented parameters, and exploitable surfaces not visible from the outside.
Full HTTP/HTTPS interception suite for manual testing, request replay, fuzzing, and encoding directly inside the dashboard.
Ten dedicated injection and blind vulnerability modules covering every major injection surface in web applications and APIs.
Tests for weaknesses at the HTTP protocol level, including request smuggling, response splitting, race conditions, and WebSocket security.
Four tools targeting authentication weaknesses, broken access control, and token predictability.
Four dedicated API security tools covering REST, GraphQL, OpenAPI/Swagger schemas, and full API audit reporting.
HTTP-level memory corruption fuzzer. Sends cyclic and oversized payloads to detect crashes, stack traces, and crash boundaries in HTTP-exposed services.
OWASP MASVS v2 aligned testing for Android APK and iOS IPA. Combines static analysis with Frida-based dynamic instrumentation.
Multi-language SAST with OWASP Top 10, CWE, and CVSS mapping. Scans source files for security issues without executing the code.
Tests AI-powered applications against the OWASP LLM Top 10 (2025). Detects prompt injection, data leakage, and exposed model APIs.
Every module ships in Community Edition. No locked features, no paywalled payloads.
Runs on Linux, macOS, and Windows. After install, the ds1hunter command is available globally.
```
# Linux (Kali, Debian, Ubuntu)
sudo bash ds1hunter-CE-v1.0.0-linux.run

# macOS (Ventura 13+, Intel + Apple Silicon)
sudo bash ds1hunter-CE-v1.0.0-macos.run

# Windows (PowerShell as Administrator)
powershell -ExecutionPolicy Bypass -File ds1hunter-CE-v1.0.0-windows.ps1

# After install: open your browser
# Web UI → https://127.0.0.1:13000
# API    → https://127.0.0.1:18000
```
```bash
# Standard scan
ds1hunter https://target.com

# Deep + Think Mode
ds1hunter https://target.com --depth deep --think

# Max aggression: Think + WAF + origin bypass
ds1hunter https://target.com --depth aggressive \
  --think --waf-bypass --origin-bypass

# Auth testing with dual tokens
ds1hunter https://target.com --mode auth \
  --token-user-a $TOKEN_A --token-user-b $TOKEN_B

# Deep scan via Tor → PDF report
ds1hunter https://target.com --depth deep --think \
  --proxy socks5://127.0.0.1:9050 --output pdf
```
Free to download. Self-hosted. No account required. No usage limits.
Also available on GitHub · v1.0.0 release assets.
If DS1 Hunter saved you time on an engagement, consider buying us a coffee. Every contribution helps us maintain and improve the tool for the community.
Donate via PayPal
Real feedback from security professionals and researchers who use DS1 Hunter.
Used DS1 Hunter? Share your experience to help others.