β¨ Uncover Hidden Threats with ABSpider Recon
ABSpider is a cutting-edge, browser-based reconnaissance dashboard crafted for security professionals, penetration testers, and bug bounty hunters. It offers a sleek UI, blazing-fast performance, and a powerful blend of passive-first and optional active modules, all powered by Vite + React.
Dive deep into web targets, gather actionable intelligence, and identify vulnerabilities with unparalleled ease.
Experience ABSpider Recon Dashboard in action right now!
- π΅οΈββοΈ Intelligence-First Approach: Prioritizes passive data collection (WHOIS, CT Logs, GeoIP) to minimize footprint, with powerful active scans (SQLi, XSS, LFI, Port Scanning) available when authorized.
- π Professional Reporting: Generate comprehensive, exportable PDF reports summarizing all findings, complete with severity, evidence, and remediation advice.
- π Real-time Notifications: Stay informed with Discord webhook notifications for instant scan updates and critical alerts.
- βοΈ Seamless Configuration: Manage all scan parameters, proxies, and API keys directly through a secure, centralized Dashboard Settings UI.
- π‘οΈ Intelligent Bypass: Overcome common web protections with built-in CORS & Cloudflare Bypass mechanisms.
- β‘ Blazing Fast: Built with Vite + React for a lightning-fast development and user experience.
- β° Client-Side Scheduling: Automate your reconnaissance tasks with flexible daily, weekly, or monthly scheduling (requires the browser tab to be open).
ABSpider employs a modular approach, offering both stealthy passive checks and comprehensive active vulnerability scans.
| Module | Description | Type |
|---|---|---|
| π Site Information | Basic website details, IP, web server, CMS, and robots.txt analysis. |
Passive |
| π‘οΈ HTTP Headers Analysis | Real-time security header scoring (HSTS, CSP, XFO) and technology fingerprinting. | Passive |
| π» Tech Stack Fingerprinting | Identifies web technologies, frameworks, and analytics used by the target. | Passive |
| π WHOIS / RDAP Lookup | Domain registration, registrar, nameservers, and date information. | Passive |
| π GeoIP Location | Pinpoints the physical location of the target server's IP address. | Passive |
| π‘ DNS Records | Enumerates A, AAAA, CNAME, TXT, MX, NS, and SOA records. | Passive |
| π§ MX Records | Analyzes mail server configurations, including SPF and DMARC. | Passive |
| π Subdomain Enumeration | Discovers subdomains using Certificate Transparency (CT) logs and DNS lookups. | Passive |
| π Reverse IP Lookup | Identifies other domains hosted on the same IP address. | Passive |
| π SEO Analysis | Analyzes meta tags, headings, links, and page performance for SEO insights. | Passive |
| π Port Scanning | Checks connectivity and identifies services on common ports, with Shodan integration. | Active |
| π SQL Injection Test | Checks for potential SQL Injection (SQLi) vulnerabilities. | Active |
| βοΈ XSS Detection | Detects reflected, DOM, and stored XSS vulnerabilities. | Active |
| π LFI Scanning | Scans for Local File Inclusions using real payloads. | Active |
| Identifies Cross-Origin Resource Sharing (CORS) vulnerabilities. | Active | |
| π¦ VirusTotal Scan | Domain reputation, malware scanning, and threat intelligence via VirusTotal API. | Active |
| π Broken Link Checker | Scans for broken internal and external links on the target website. | Active |
| 𧱠DDoS Firewall Test | Detects WAF/DDoS protection mechanisms (e.g., Cloudflare, Sucuri). | Active |
| π SSL/TLS Analysis | Analyzes SSL/TLS certificate details, issuer, expiry, and common names. | Passive |
| π’ Subnet Scan | Calculates network range details for a given IP and CIDR. | Utility |
| βοΈ WordPress Scan | Identifies WordPress versions, plugins, themes, and common vulnerabilities. | Utility |
ABSpider leverages Supabase for robust and passwordless user authentication. Users gain access via a Magic Link sent to their email, eliminating the need to manage passwords and enhancing security. Access to the dashboard is strictly enforced, ensuring only authorized users can initiate scans and view sensitive data.
Our reports are designed for professional security analysis and include:
- Executive Summary and overall security grade.
- Module-by-Module Findings with raw evidence.
- Vulnerability severity & confidence scores.
- Reproducible steps & Proof-of-Concept (PoC) snippets.
- Actionable remediation recommendations for discovered flaws.
- Discord Webhooks: Real-time scan completion notifications and alerts.
- Local Storage: Persists scan history and settings locally within the browser for convenience.
- Export Options: Provides findings in PDF / JSON formats for triage and submission.
β οΈ CRITICAL WARNING: Client-Side Accessible API Key Storage API keys are stored in your Supabase database, but are still accessible client-side. This means any Cross-Site Scripting (XSS) vulnerability or physical access to your browser could expose these keys. DO NOT store sensitive, paid, or production API keys here. This feature is intended for testing with non-critical keys only. For production use, a secure backend for API key management is strongly recommended.
| Service | Purpose | Status |
|---|---|---|
| Shodan | Enhanced port scanning, banner grabbing, and vulnerability detection. | Optional |
| VirusTotal | Domain reputation, malware scanning, and threat intelligence. | Optional |
| SecurityTrails | Historical DNS data, subdomain discovery, and WHOIS history. | Optional |
| BuiltWith | Technology stack detection, analytics, and framework identification. | Optional |
| OpenCage | Enhanced geocoding, reverse geocoding, and detailed location data. | Optional |
| Hunter.io | Email discovery, domain search, and email verification. | Optional |
| Clearbit | Company data enrichment, logo API, and business intelligence. | Optional |
To start your development server, follow these simple steps:
# 1. Clone the repository
git clone https://github.com/zanesense/abspider-recon.git
cd abspider-recon
# 2. Install dependencies using npm or yarn
npm install
# or
yarn install
# 3. Start the development server
npm run dev
# or
yarn devOpen your browser at
http://localhost:5000. βοΈ Note: All scan configurations (targets, proxies, webhooks) are managed exclusively through the Dashboard Settings UI.
ABSpider is strictly for authorized security testing only.
Unauthorized scanning of domains you do not own or do not have explicit written permission to test may be illegal. Always comply with applicable local, state, and international laws. Use responsibly.
β οΈ IMPORTANT WARNING: Authorized Use Only
- You may ONLY scan websites and systems you own or have explicit written authorization to test.
- Unauthorized scanning may be illegal in your jurisdiction.
- You are solely responsible for ensuring you have proper authorization. Keep documentation of authorization for all scans performed.
- Comply with all applicable laws including Computer Fraud and Abuse Act (CFAA), GDPR, and local regulations.
- Unauthorized access to computer systems is a criminal offense in most jurisdictions. Penalties may include fines, imprisonment, and civil liability.
- This tool does not grant permission to scan any system.
β οΈ WARNING: Internal Targets Scanning internal IP addresses orlocalhostwithout explicit authorization is highly discouraged and may be illegal. The tool will warn you if an internal target is detected.
β οΈ WARNING: Public CORS Proxy Risks Using public CORS proxies can expose your target URLs, headers, and response content to the proxy operators. For sensitive operations, consider setting up a self-hosted, trusted CORS proxy or using a direct fetch only mode. The security and reliability of these third-party services are not guaranteed.
Special thanks to the open-source community for empowering modern reconnaissance workflows.
| Component / Service | Purpose |
|---|---|
| React | Core UI library for the frontend. |
| Vite | Fast frontend bundling and development tooling. |
| Supabase | User authentication and database services. |
| crt.sh / CT logs | Certificate Transparency sources for passive subdomain discovery. |
| Google DNS-over-HTTPS | High-speed, secure DNS lookups. |
| Public WHOIS / RDAP APIs | Domain registration and ownership information. |
| jsPDF & jspdf-autotable | Client-side PDF report generation. |
| Lucide React | Beautiful and customizable SVG icons. |
| Tailwind CSS & shadcn/ui | Utility-first CSS framework and accessible UI components. |
| @tanstack/react-query | Powerful server state management. |
| React Hook Form & Zod | Robust form handling and validation. |
| Sonner | Modern toast notifications. |
Β© 2025 zanesense Β· Built for security professionals. π