Passive scanner
The passive scanner inspects observed HTTP traffic and flags issues without sending any new requests. It runs over two sources:
- Flows captured by the intercepting proxy
- Responses already collected by active scan modules (dual-mode)
Rule set
Credential / secret leaks in bodies
- JWT tokens (`eyJ…`)
- AWS access keys (`AKIA…`)
- GitHub PATs (`ghp_…`)
- Private keys (`-----BEGIN RSA/EC/OPENSSH PRIVATE KEY-----`)
Error / debug disclosure
- Stack traces, Python tracebacks
- Database errors (`ORA-…`, `PG::`, `SQLSTATE[…]`, `Warning: mysql`)
- Credentials visible in JSON/body (`username`, `password`, `email` with values)
Response header issues
- `X-Powered-By` / `Server` version disclosure
- `X-AspNet-Version`
- Symfony debug toolbar (`X-Debug-Token-Link`)
- Any `X-Debug-*` / `X-Debug`
Transport / cookies
- Insecure HTTP traffic (non-localhost)
- `Set-Cookie` without `Secure` on HTTPS
- `Set-Cookie` without `HttpOnly`
- `Set-Cookie` without `SameSite`
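To make the rule set above concrete, here is an added, self-contained reimplementation of most of it (secret and error regexes, version/debug header checks, cookie-flag checks, the non-localhost plaintext rule) run over a constructed response. It is example code, not the project's passive_scan.py; the names `BODY_PATTERNS`, `PRESENCE_HEADERS` and `passive_scan` are this example's own, and the regexes are illustrative rather than the tool's actual patterns.

```python
import re

# Body regexes for the documented leak/error rules (constructed illustration, not the project's own patterns).
BODY_PATTERNS = {
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "db_error": re.compile(r"ORA-\d{5}|PG::|SQLSTATE\[|Warning: mysql"),
    "python_traceback": re.compile(r"Traceback \(most recent call last\)"),
}
# Headers flagged on presence alone; Server / X-Powered-By are flagged only when the value carries a version number.
PRESENCE_HEADERS = {"x-aspnet-version": "version_disclosure", "x-debug-token-link": "symfony_debug_toolbar"}

def passive_scan(url: str, headers: list[tuple[str, str]], body: str) -> list[tuple[str, str]]:
    """Apply the passive rule set to one observed response, returning (rule, evidence) pairs; sends nothing."""
    findings = []
    is_https = url.lower().startswith("https://")
    host = url.split("/")[2].split(":")[0].lower()
    if not is_https and host not in ("localhost", "127.0.0.1", "::1"):
        findings.append(("insecure_http", url))
    for name, value in headers:
        lname = name.lower()
        if lname in ("server", "x-powered-by") and re.search(r"\d", value):
            findings.append(("version_disclosure", f"{name}: {value}"))
        elif lname in PRESENCE_HEADERS:
            findings.append((PRESENCE_HEADERS[lname], f"{name}: {value}"))
        elif lname.startswith("x-debug"):  # any other X-Debug / X-Debug-* header
            findings.append(("debug_header", f"{name}: {value}"))
        if lname == "set-cookie":
            cookie = value.split(";")[0].split("=")[0].strip()
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            if is_https and "secure" not in attrs:
                findings.append(("cookie_missing_secure", cookie))
            if "httponly" not in attrs:
                findings.append(("cookie_missing_httponly", cookie))
            if "samesite" not in attrs:
                findings.append(("cookie_missing_samesite", cookie))
    for rule, rx in BODY_PATTERNS.items():
        for m in rx.finditer(body):
            findings.append((rule, m.group(0)[:16] + "..."))  # truncate evidence so the report itself doesn't leak
    return findings

# Constructed sample response (not captured traffic): version header, Symfony debug link, one weak cookie, JWT in body.
SAMPLE_URL = "https://app.example.test/api/me"
SAMPLE_HEADERS = [("Server", "nginx/1.18.0"), ("X-Debug-Token-Link", "/_profiler/abc123"),
                  ("Set-Cookie", "sid=abc; Path=/; HttpOnly"), ("Set-Cookie", "pref=1; Secure; HttpOnly; SameSite=Lax")]
SAMPLE_BODY = '{"token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sig_placeholder_x"}'

if __name__ == "__main__":
    print(passive_scan(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY))
```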
Run passively on captured traffic
```python
# Start the proxy
start_proxy(session_id=sid, port=8888)
# … route your browser through it for a few minutes …
# Pull captured flows + run passive rules in one call
get_proxy_traffic(session_id=sid, include_passive_findings=True)
# → { count: 87, passive_findings_added: 5 }
```
Run over active-scan responses
Every active scan module routes its responses through the passive rules automatically — no extra tool calls required. A single scan therefore produces both the active findings and any passive ones found during the active traffic.
Customising rules
Passive rules live in `plugins/pencheff/pencheff/modules/web/passive_scan.py`. Add regex patterns to `PATTERNS` or header rules to `HEADER_RULES` and restart the MCP server.
For fully custom rules, use the Plugin SDK to drop a `BaseTestModule` subclass into `~/.pencheff/custom_modules/`.