A toolbox of edge-focused fuzzers and scanners for reverse proxies, API gateways, CDNs, and load balancers.
Goal: help defenders and red teams map trust boundaries at the edge, find protocol gaps, and validate policy using small, composable tools.
Use only on systems you own or have explicit permission to test.
Modern edges are complex: HTTP/1.1 and HTTP/2, WebSockets, extended CONNECT, TLS termination and re-encryption, and smart L7 routing. Complexity creates protocol confusion and policy-bypass opportunities. This repo collects practical probes that exercise those seams.
The first public tool here is a CONNECT tunnel scanner. More scanners will be added over time.
What it does:
- Tests an HTTP proxy that supports CONNECT.
- Answers one question per target: will the proxy open a raw TCP tunnel to host:port?
- If yes, classifies the likely service using low-noise probes (an HTTP HEAD, a minimal TLS ClientHello, or heuristics for silent TCP listeners).
- Reports time-to-first-byte, minimal fingerprints, and a simple OPEN or DENY outcome.
Why CONNECT matters and is growing at the edge:
- Reverse proxies increasingly support CONNECT for:
  - WebSockets fallback and extended CONNECT over HTTP/2.
  - TCP tunneling for developer access and zero-trust patterns.
  - Passthrough features in vendors and CDNs.
- Mis-scoping CONNECT is easy. A narrow allowlist can drift into broad reachability, including internal ranges.
- A quick map of OPEN and DENY through the proxy shows what is actually reachable.
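As an added example for the mis-scoping point above (illustrative code written for this README, not part of edge-scanners): take the CONNECT allowlist an edge is supposed to enforce, compare it with a scan's OPEN/DENY outcomes, and list the drift in both directions. The record shape, the function names and the sample targets are this example's own assumptions.

```python
"""Allowlist-drift check for CONNECT scan results (added example, not edge-scanners code).

Input: the allowlist the edge should enforce, and observed OPEN/DENY records
(constructed below in a JSONL-like shape that is this example's assumption).
Output: targets that are OPEN but not allowlisted (rated high when the
destination is a private, loopback or link-local address), and allowlisted
targets that came back DENY (policy broken the other way).
"""
import ipaddress
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Tuple


def split_target(target: str) -> Tuple[str, str]:
    """'host:port' or '[v6]:port' -> (host, port); brackets are stripped from the host."""
    host, _, port = target.rpartition(":")
    return host.strip("[]"), port


def is_allowed(target: str, allowlist: Iterable[str]) -> bool:
    """Allowlist entries are 'host:port'; the host may be a glob, the port may be '*'."""
    host, port = split_target(target)
    for entry in allowlist:
        ehost, eport = split_target(entry)
        if fnmatch(host, ehost) and eport in ("*", port):
            return True
    return False


def is_internal(host: str) -> bool:
    """True for private, loopback and link-local IP literals; names are not resolved (offline)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"  # assumption: no DNS here, so only the obvious name counts
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_drift(results: Iterable[Dict], allowlist: List[str]) -> List[Dict]:
    """Compare observed outcomes with the intended policy and return findings."""
    findings = []
    for r in results:
        allowed = is_allowed(r["target"], allowlist)
        if r["outcome"] == "OPEN" and not allowed:
            host, _ = split_target(r["target"])
            findings.append({
                "target": r["target"],
                "kind": "unexpected-open",
                "severity": "high" if is_internal(host) else "medium",
                "service": r.get("service"),
            })
        elif r["outcome"] == "DENY" and allowed:
            findings.append({"target": r["target"], "kind": "expected-open-but-denied",
                             "severity": "low", "service": None})
    return findings


# Constructed sample: the policy the edge should enforce, and what a scan observed.
ALLOWLIST = ["api.partner.example:443", "*.cdn.example:443"]
OBSERVED = [
    {"target": "api.partner.example:443", "outcome": "OPEN", "service": "tls:handshake"},
    {"target": "assets.cdn.example:443", "outcome": "DENY"},
    {"target": "10.0.0.5:8443", "outcome": "OPEN", "service": "tls:handshake"},
    {"target": "mail.example:25", "outcome": "OPEN", "service": "idle-open"},
    {"target": "[fe80::1]:22", "outcome": "DENY"},
]

if __name__ == "__main__":
    for finding in find_drift(OBSERVED, ALLOWLIST):
        print(finding)
```

Feeding the scanner's JSONL output into `find_drift` in place of `OBSERVED` turns a raw OPEN/DENY map into a short list of policy deviations to fix; the internal-address rating is the part that catches the "narrow allowlist drifts into internal ranges" failure.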
Red team and offensive security use (with authorization):
- Egress and boundary discovery: which internal or external ports are reachable through the edge.
- Low-noise service hints: HTTP, TLS, or silent custom services, without heavy banner grabs.
- Pivot validation: can the proxy be abused as a TCP relay, and how does policy react?
Features:
- HTTP/1.1 CONNECT to the proxy.
- Optional Basic proxy auth via Proxy-Authorization.
- In-tunnel probes (fast, low-noise):
  - HTTP: send HEAD and parse the status line.
  - TLS: minimal ClientHello with optional SNI and ALPN; classify handshake or alert.
  - No-banner heuristics:
    - idle-open: write a byte and wait; if no data and no close, likely an open silent listener.
    - closed-on-write: write a byte; if it closes immediately, a listener is present but rejects the payload.
- Smart defaults, tunable:
  - Concurrency, connect and read timeouts, jitter.
  - TLS-first bias on common TLS ports (for example 443, 8443, 9443), or disable it.
  - SNI and ALPN hints for better TLS classification on multi-tenant edges.
  - Safe mode to skip active protocol probes and keep heuristics only.
  - Randomizable idle ping byte to vary wire shape.
- Output:
  - Human-friendly lines per target.
  - JSONL mode for pipelines.
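The feature list above, as an added example: illustrative code written for this README, not the repo's connect_scanner.py. It builds the HTTP/1.1 CONNECT request with optional Basic proxy auth, turns the proxy's reply into OPEN or DENY, labels what the tunnel returns (HTTP status line, TLS handshake or alert, or the idle-open and closed-on-write heuristics), and emits a JSONL record. Function and field names are this example's own; the wire samples in main() are constructed, not captured.

```python
"""CONNECT-tunnel request building and reply classification (added example, not edge-scanners code).

The two stages match the scanner's outcome model: stage one reads the proxy's
answer to CONNECT (OPEN only on 2xx), stage two reads the first bytes that come
back through the tunnel after the probe and labels the far end. Names here are
this example's own; byte samples in main() are constructed.
"""
import base64
import json
from dataclasses import asdict, dataclass
from typing import Optional, Tuple


def build_connect_request(host: str, port: int,
                          proxy_auth: Optional[Tuple[str, str]] = None) -> bytes:
    """HTTP/1.1 CONNECT request line plus Host; Basic credentials are base64 per RFC 7617."""
    target = f"[{host}]:{port}" if ":" in host else f"{host}:{port}"  # bracket IPv6 literals
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if proxy_auth:
        token = base64.b64encode(f"{proxy_auth[0]}:{proxy_auth[1]}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def classify_proxy_reply(reply: bytes) -> Tuple[str, Optional[int]]:
    """Map the proxy's answer to the CONNECT onto (outcome, status code).

    Only a 2xx status means the tunnel is established; a 407 challenge, a 403
    policy denial, or a close with no status line at all are all DENY.
    """
    try:
        status_line = reply.split(b"\r\n", 1)[0].decode("ascii")
        version, code, *_ = status_line.split(" ", 2)
        if not version.startswith("HTTP/"):
            raise ValueError("not an HTTP status line")
        code = int(code)
    except (ValueError, UnicodeDecodeError):
        return "DENY", None
    return ("OPEN" if 200 <= code <= 299 else "DENY"), code


def classify_tunnel_reply(data: bytes, closed: bool) -> str:
    """Label the far end from the first bytes read after the in-tunnel probe.

    `data` is whatever came back (empty if nothing); `closed` says whether the
    peer closed the connection within the read timeout.
    """
    if data.startswith(b"HTTP/"):
        parts = data.split(b"\r\n", 1)[0].split(b" ")
        return f"http:{parts[1].decode('ascii', 'replace')}" if len(parts) > 1 else "http"
    # A TLS record starts with the content type, then a 0x03xx version.
    if len(data) >= 3 and data[1] == 0x03:
        if data[0] == 0x16:
            return "tls:handshake"  # ServerHello: a TLS service answered
        if data[0] == 0x15:
            return "tls:alert"  # alert: TLS present but it rejected SNI, ALPN or version
    if data:
        return "unknown-banner"  # something spoke first, but not HTTP or TLS
    # Nothing came back: apply the silent-listener heuristics from the feature list.
    return "closed-on-write" if closed else "idle-open"


@dataclass
class ScanResult:
    target: str
    outcome: str
    proxy_status: Optional[int]
    service: Optional[str]
    ttfb_ms: Optional[float]

    def to_jsonl(self) -> str:
        """One compact JSON object per line, for the pipeline-friendly output mode."""
        return json.dumps(asdict(self), separators=(",", ":"))


def evaluate(host: str, port: int, proxy_reply: bytes, tunnel_data: bytes = b"",
             tunnel_closed: bool = False, ttfb_ms: Optional[float] = None) -> ScanResult:
    """Combine the two stages into one record; the in-tunnel probe only applies on OPEN."""
    outcome, code = classify_proxy_reply(proxy_reply)
    service = classify_tunnel_reply(tunnel_data, tunnel_closed) if outcome == "OPEN" else None
    return ScanResult(f"{host}:{port}", outcome, code, service, ttfb_ms)


if __name__ == "__main__":
    # Constructed wire samples: an established tunnel to a TLS listener, then a policy denial.
    print(build_connect_request("10.0.0.5", 8443, ("scanner", "secret")).decode())
    print(evaluate("10.0.0.5", 8443, b"HTTP/1.1 200 Connection established\r\n\r\n",
                   b"\x16\x03\x03\x00\x5a\x02", False, 12.5).to_jsonl())
    print(evaluate("10.0.0.6", 25, b"HTTP/1.1 403 Forbidden\r\n\r\n").to_jsonl())
```

The socket handling (connect, send, read with timeout, measure time-to-first-byte) is deliberately left out so the classification logic can be unit-tested against byte strings; in a real run, `classify_tunnel_reply` receives whatever `recv` returned and whether the read ended in EOF rather than a timeout, which is exactly the distinction the two silent-listener heuristics depend on.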
Repo layout:
edge-scanners/
├─ edgescan/
│  ├─ __init__.py
│  └─ cli.py               # exposes: edgescan connect ...
├─ clients/
│  └─ connect_scanner.py   # CONNECT tunnel scanner (public)
├─ tools/
│  ├─ lab_stack.sh         # optional local helpers (no bundled examples)
│  └─ logs/                # runtime logs for helpers
└─ README.md
Roadmap:
- WebSockets: handshake fuzzing, origin and subprotocol policy checks, PMCE handling.
- HTTP/2 protocol confusion: extended CONNECT, path and authority corner cases, policy drift between H1 and H2.
- HTTP/3: future work once dependencies are stable.
- Safer banner modules: optional SSH, SMTP, FTP greetings under safe mode.
- Enriched labeling: more service hints (ETag, Server header, TLS cert SAN) without heavy grabs.
Responsible use:
- Only scan with authorization.
- Prefer safe mode for initial recon.
- Keep timeouts and concurrency reasonable.