HumanoidProbe is a command-line XSS WAF intelligence tool that probes how a WAF responds to payload variations — telling you what gets blocked, what passes through, and what gets reflected back.
Project description
HumanoidProbe
by CyberSafeLabs
Analyse WAF behaviour. Think like an attacker.
HumanoidProbe is a command-line XSS WAF intelligence tool that probes how a WAF responds to payload variations — telling you what gets blocked, what passes through, and what gets reflected back.
Built from real bug bounty research. Not theory.
What it does
- Fires categorised XSS payload variations at a target URL and parameter
- Detects WAF blocks via status codes, response body analysis, and response length changes
- Identifies reflected payloads — the highest value findings
- Summarises WAF behaviour and what it appears to be filtering
- Gives you actionable intelligence to craft smarter bypass payloads
Installation
1. Make sure Python 3 is installed
python3 --version
If not:
sudo apt update && sudo apt install python3 python3-pip -y
2. Install the dependency
pip3 install requests
Usage
python3 humanoidprobe.py -u <URL> -p <parameter>
Example:
python3 humanoidprobe.py -u https://example.com/search -p q
With options:
python3 humanoidprobe.py -u https://example.com/search -p q --delay 1 --timeout 15
Options
| Flag | Description | Default |
|---|---|---|
-u / --url |
Target URL | Required |
-p / --parameter |
GET parameter to test | Required |
--payloads |
Custom payload file path | payloads/xss.txt |
--delay |
Seconds between requests | 0.5 |
--timeout |
Request timeout in seconds | 10 |
Output verdicts
| Verdict | Meaning |
|---|---|
REFLECTED |
Payload passed AND appeared in the response — investigate in browser immediately |
PASSED |
WAF did not block — worth exploring further |
BLOCKED |
WAF caught this payload |
ERROR |
Request failed (timeout, connection error) |
Project structure
humanoidprobe/
├── humanoidprobe.py # Main entry point — what you run
├── payloads/
│ └── xss.txt # XSS payload list
├── core/
│ ├── requester.py # Sends HTTP requests
│ ├── detector.py # Analyses responses (blocked vs passed)
│ └── reporter.py # Terminal output and summary
└── README.md
Roadmap
- WAF memory — builds a profile of WAF behaviour across sessions
- Intelligent bypass suggestions — generates mutations based on what passed
- POST parameter support
- SQLi payload module
- Output to file (JSON / txt)
- Burp Suite integration
- Full recon and attack surface mapping modules
- Humanoid Intelligence — AI layer (coming in future versions)
Legal & ethical use
Only use HumanoidProbe against targets you have explicit permission to test. Unauthorised testing is illegal. This tool is built for legitimate security research and bug bounty programmes only.
About
HumanoidProbe is the first tool from CyberSafeLabs — an independent cybersecurity research initiative focused on protecting digital assets through offensive research, vulnerability discovery, and practical security tooling.
The long-term vision: Humanoid Intelligence — an AI-powered security research platform built from real hunting experience.
CyberSafeLabs — protecting digital assets through research
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file humanoidprobe-1.0.4.tar.gz.
File metadata
- Download URL: humanoidprobe-1.0.4.tar.gz
- Upload date:
- Size: 10.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
890d5c3db47f269e3c6afab4050f7de50edc3afe7f953336947d7a768368c22b
|
|
| MD5 |
93f8987b99c19988f14c2cf043a9dfee
|
|
| BLAKE2b-256 |
acd0d8066ea7fd6a1c7a047dfa9bfcf7ffb41d9398f6f978b4add963427ae942
|
File details
Details for the file humanoidprobe-1.0.4-py3-none-any.whl.
File metadata
- Download URL: humanoidprobe-1.0.4-py3-none-any.whl
- Upload date:
- Size: 10.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
71db7dd3d51cb197e1c6d11fd1c547206f49d13066e1712209223381cc1e412e
|
|
| MD5 |
6108ede5df148edf538b3ba3fdb4392c
|
|
| BLAKE2b-256 |
d4ce5f243c2de4b2348702fc2eddf6dc75942602f5cefaeacd251eec9ba09bd6
|