SurfaceScan

active

Web attack-surface mapper. Subdomain discovery, tech fingerprinting, endpoint discovery.

Overview

Maps the externally exposed surface of a web target. Discovery starts from passive OSINT sources (crt.sh, SecurityTrails), then does light active verification (DNS and HTTP HEAD), fingerprints the technology behind each host with confidence scores, and crawls reachable endpoints within a fixed scope. A Playwright headless browser handles JavaScript-rendered surfaces. Output is a JSON inventory of hosts, detected tech and endpoints.

Scope: Recon and asset inventory, not a DAST scanner. It won't try to exploit what it finds.

What it does

  • Passive-first discovery via crt.sh and SecurityTrails before any active probing
  • SSRF guard rejects private, loopback and cloud-metadata addresses before requests go out
  • Headless browser via Playwright for JavaScript-rendered surfaces, depth- and page-capped
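A sketch of the kind of pre-request check the SSRF guard bullet describes, added here as an illustration and not taken from SurfaceScan's code. The names `check_target`, `is_forbidden` and `system_resolver` are hypothetical, and the metadata address list is an assumption about what such a guard would cover.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed metadata endpoints (IPv4 link-local and the AWS IPv6 address);
# both are also caught by the range checks below, listed here for clarity.
METADATA_ADDRS = {ipaddress.ip_address("169.254.169.254"),
                  ipaddress.ip_address("fd00:ec2::254")}


def system_resolver(host, port):
    """Return every address the OS resolver gives for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_forbidden(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to mapped addresses.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip in METADATA_ADDRS or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved
            or ip.is_unspecified)


def check_target(url, resolver=system_resolver):
    """Return (True, addresses) if the URL may be fetched, else (False, reason)."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme or missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addrs = resolver(host, port)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    # Reject if ANY answer is internal: a mixed answer set can indicate rebinding.
    bad = [a for a in addrs if is_forbidden(a)]
    if bad or not addrs:
        return False, f"forbidden or empty answer: {bad[:1]}"
    # The caller should connect to these exact addresses, not re-resolve the name.
    return True, addrs
```

The check only holds if the HTTP client connects to the returned addresses and re-runs it on every redirect hop.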

Interface

ShieldEye SurfaceScan desktop dashboard showing discovered hosts, fingerprinted technologies and scan metrics