A scan runs in two phases. The second phase only fires the tools that make sense for what the first phase found.
Phase 1 — recon
Always runs. chifu probes the target, then runs a crawler, port scan, fingerprinting, fuzzing, and a fast in-process passive check (headers, robots.txt, .well-known/security.txt, exposed secrets, anti-bot challenge detection).
If the target doesn’t respond, phase 2 is skipped.
Phase 2 — vulnerability scanning
Targeted at URLs and forms surfaced by recon — not “just hit the homepage.” Each tool has a gate; when a tool is skipped, the gate that stopped it is shown in the scan result.

| Skip reason | Means |
|---|---|
| target behind CDN | Port-scanning Cloudflare/Vercel is pointless. nmap skipped. |
| static SPA | Modern frontend (Next.js, Nuxt, etc.) with no server-rendered backend. Legacy-stack tools skipped (nikto, joomscan, WordPress paths in ffuf, sqlmap, dalfox). |
| needs param URL | No URL with query parameters found. sqlmap and dalfox skipped. |
| needs CMS = joomla | joomscan only runs on Joomla. |
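
The gating in the table above can be sketched as a small planner. This is an added example, not chifu's own code: the `Recon` fields, the `plan` function, the order in which gates are checked and the sample URLs are assumptions; the skip-reason strings and the cap of 3 param URLs + 3 POST forms are taken from this page.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Recon:
    """Hypothetical summary of phase-1 findings (not chifu's real schema)."""
    behind_cdn: bool = False
    static_spa: bool = False
    cms: str = ""
    urls: list = field(default_factory=list)
    post_forms: list = field(default_factory=list)

def param_urls(recon):
    """Crawled URLs that carry a query string."""
    return [u for u in recon.urls if urlsplit(u).query]

# Each gate is (skip reason from the table, predicate that must hold to run).
NOT_CDN = ("target behind CDN", lambda r: not r.behind_cdn)
NOT_SPA = ("static SPA", lambda r: not r.static_spa)
HAS_PARAM = ("needs param URL", lambda r: bool(param_urls(r)))
IS_JOOMLA = ("needs CMS = joomla", lambda r: r.cms.lower() == "joomla")

# Gates per tool; the first failing gate is reported (ordering is an assumption).
GATES = {
    "nmap": [NOT_CDN],
    "nikto": [NOT_SPA],
    "joomscan": [NOT_SPA, IS_JOOMLA],
    "sqlmap": [NOT_SPA, HAS_PARAM],
    "dalfox": [NOT_SPA, HAS_PARAM],
}

def plan(recon, per_kind=3):
    """Map each gated tool to ("run", targets) or ("skip", reason)."""
    # sqlmap/dalfox surfaces: up to 3 param URLs plus up to 3 POST forms.
    surfaces = param_urls(recon)[:per_kind] + recon.post_forms[:per_kind]
    result = {}
    for tool, gates in GATES.items():
        failed = next((why for why, ok in gates if not ok(recon)), None)
        if failed:
            result[tool] = ("skip", failed)
        else:  # an empty target list means "scan the host as a whole"
            result[tool] = ("run", surfaces if tool in ("sqlmap", "dalfox") else [])
    return result

# Constructed recon output: server-rendered WordPress site behind a CDN.
SAMPLE = Recon(behind_cdn=True, cms="wordpress",
               urls=["https://example.test/", "https://example.test/item?id=1",
                     "https://example.test/search?q=a&page=2"],
               post_forms=["https://example.test/login"])

if __name__ == "__main__":
    for tool, (action, detail) in plan(SAMPLE).items():
        print(f"{tool:9} {action:5} {detail}")
```
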
Tools
| Tool | Phase | What it does |
|---|---|---|
| probe | recon | HTTP reachability check. |
| chifu-crawler | recon | Crawls up to 300 pages, extracts URLs, forms, tech hints, JS endpoints. |
| httpx | recon | Status, headers, title, tech detection. |
| nmap | recon | Top-1000 TCP ports + service versions. |
| katana | recon | Backup crawler for server-rendered apps. |
| subfinder | recon | Subdomain enumeration via public sources. |
| whatweb | recon | Tech / CMS fingerprinting. |
| wafw00f | recon | WAF detection. |
| ffuf | recon | Brute-forces ~50 high-value paths (admin, .env, swagger.json, …). |
| nuclei | vuln | Runs thousands of templates against the top 50 surfaces. |
| sqlmap | vuln | SQL injection — up to 3 param URLs + 3 POST forms per scan. |
| dalfox | vuln | Reflected / stored XSS on the same surfaces. |
| nikto | vuln | Classic CGI / PHP / Apache misconfig checks. |
| joomscan | vuln | Joomla-specific. |
CVE lookup
Between phases, chifu matches recon’s tech versions (e.g. nginx 1.18.0, WordPress 6.4.2) against NVD, OSV.dev, and the CISA KEV catalog. Matches appear under Known vulnerabilities on the scan page.
Limits
- 15 minutes per scan, hard cap.
- 5 tools in parallel, max.
- Per-tool timeouts (typically 60–600s). A timed-out tool still contributes whatever it produced.
