Configuration
v1.74: OmniStrike no longer has a target-scope field or include/exclude lists — scanning is right-click only, so the "scope" of a scan is simply the request you right-click. See Quick Start.
| Control | Description |
|---|---|
| Threads | Size of the shared scan thread pool (1-100). Applied immediately. |
| Throttle | None (fastest), Auto (backs off on WAF / rate-limit), Manual (fixed ms delay). |
| Time-Based Testing | Off by default. Gates all slow time-blind tests (SQLi SLEEP, CmdI sleep/ping). |
Static resources (.js, .css, images) are skipped by active injection automatically; passive analyzers still run on them.
Passive analyzers can be enabled/disabled via the checkboxes in the OmniStrike sidebar. Active scanners are not listed there — they run on demand via right-click.
OmniStrike auto-detects rate limiting (429 responses) and backs off with an exponential delay (500ms to 15s). The per-host delay is configurable per scanner via ModuleConfig:

- `sqli.perHostDelay` (default 200ms)
- `elasticsearch.perHostDelay` (default 500ms)
- `spring-actuator.perHostDelay` (default 500ms)
- `odoo.perHostDelay` (default 500ms)
- and so on for the other scanners
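The following is an added example, not OmniStrike's own code, showing how the two knobs above combine: a fixed per-host gap taken from the ModuleConfig keys, and a 429-driven exponential backoff that starts at 500ms and is capped at 15s. The doubling factor, the reset to the plain per-host gap after any non-429 response, and the 500ms fallback for scanners not listed above are assumptions made for the example; the page only states the range.

```python
import time
from typing import Callable, Dict, Optional

# Constructed table mirroring the ModuleConfig keys listed on this page.
# Unlisted scanners fall back to 500ms (an assumption for this example).
PER_HOST_DELAY_MS: Dict[str, int] = {
    "sqli.perHostDelay": 200,
    "elasticsearch.perHostDelay": 500,
    "spring-actuator.perHostDelay": 500,
    "odoo.perHostDelay": 500,
}
DEFAULT_PER_HOST_DELAY_MS = 500
BACKOFF_BASE_MS = 500      # first delay after a 429, per the page
BACKOFF_CAP_MS = 15_000    # ceiling, per the page


def backoff_ms(consecutive_429s: int) -> int:
    """Delay to apply after n consecutive 429 responses.

    Doubling on every further 429 and resetting on any non-429 response are
    assumptions; the page only states "exponential delay (500ms to 15s)".
    """
    if consecutive_429s <= 0:
        return 0
    return min(BACKOFF_CAP_MS, BACKOFF_BASE_MS * 2 ** (consecutive_429s - 1))


class HostThrottle:
    """Paces one scanner's requests to one host.

    The effective gap between requests is the larger of the scanner's
    per-host delay and the current 429 backoff, so a rate-limited host is
    never hit faster than the server has asked for.
    """

    def __init__(self, scanner: str, clock: Optional[Callable[[], float]] = None):
        self.min_gap_ms = PER_HOST_DELAY_MS.get(
            f"{scanner}.perHostDelay", DEFAULT_PER_HOST_DELAY_MS)
        # Clock in milliseconds; injectable so the logic can be tested offline.
        self._clock = clock or (lambda: time.monotonic() * 1000.0)
        self._last_done: Optional[float] = None
        self._strikes = 0  # consecutive 429s seen so far

    def wait_ms(self) -> int:
        """Milliseconds the caller must sleep before sending the next request."""
        if self._last_done is None:
            return 0
        gap = max(self.min_gap_ms, backoff_ms(self._strikes))
        elapsed = self._clock() - self._last_done
        return max(0, int(gap - elapsed))

    def record(self, status: int) -> None:
        """Feed back the response status: 429 escalates the backoff,
        anything else drops straight back to the plain per-host delay."""
        self._last_done = self._clock()
        self._strikes = self._strikes + 1 if status == 429 else 0


def paced_send(throttle: HostThrottle, send: Callable[[], int]) -> int:
    """Sleep as required, send one request, record its status, return it."""
    time.sleep(throttle.wait_ms() / 1000.0)
    status = send()
    throttle.record(status)
    return status
```

One `HostThrottle` per (scanner, host) pair gives the behaviour described above: SQLi probes to a quiet host go out 200ms apart, while a host answering 429 is backed off to 500ms, 1s, 2s, ... up to 15s until it starts answering normally again.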
For out-of-band (OOB) detection, OmniStrike supports:
- Burp Collaborator (built-in)
- Custom OOB server (HTTP + DNS listeners, works air-gapped)
OOB payloads fire first for every applicable scanner.
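To make the custom-server option concrete, here is an added example (not OmniStrike's or Collaborator's code) of the one thing every OOB server must do: hand each injection a unique callback hostname and attribute the resulting DNS query or HTTP request back to the scanner, URL and parameter that fired it. The base domain, the token format and the `Origin` record are assumptions made for the example; the page does not describe how OmniStrike encodes its payloads.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed base domain standing in for a custom OOB server's zone.
OOB_BASE_DOMAIN = "oob.example.net"


@dataclass(frozen=True)
class Origin:
    """Where a payload was injected, so a callback can be pinned to it."""
    scanner: str     # e.g. "sqli" or "cmdi"
    url: str
    parameter: str


class OobRegistry:
    """Issues one unique callback hostname per injection and attributes
    inbound DNS queries and HTTP requests back to the injection that
    produced them. Illustrative only; OmniStrike's own scheme is not
    described on this page."""

    def __init__(self, base_domain: str = OOB_BASE_DOMAIN,
                 token_fn: Optional[Callable[[], str]] = None):
        self.base = base_domain.lower()
        self._pending: Dict[str, Origin] = {}
        # Random 64-bit token; injectable so tests are deterministic.
        self._token_fn = token_fn or (lambda: secrets.token_hex(8))
        self.hits: Dict[str, int] = {}

    def new_payload_host(self, origin: Origin) -> str:
        """Hostname to embed in the payload (an HTTP URL, a UNC path,
        or a DNS-only probe such as nslookup)."""
        token = self._token_fn()
        self._pending[token] = origin
        return f"{token}.{self.base}"

    def resolve_dns(self, qname: str) -> Optional[Origin]:
        """DNS listener path. Tolerates the trailing dot and any extra
        labels the target prepended; a DNS hit proves the payload ran
        even where outbound HTTP is filtered, which is why both
        listeners exist."""
        return self._lookup(qname.rstrip(".").lower())

    def resolve_http(self, host_header: str) -> Optional[Origin]:
        """HTTP listener path: match on the Host header, port stripped."""
        return self._lookup(host_header.split(":", 1)[0].lower())

    def _lookup(self, name: str) -> Optional[Origin]:
        suffix = "." + self.base
        if not name.endswith(suffix):
            return None
        # The token is the label directly under the base domain.
        token = name[: -len(suffix)].split(".")[-1]
        origin = self._pending.get(token)
        if origin is not None:
            self.hits[token] = self.hits.get(token, 0) + 1
        return origin
```

Because tokens are per injection rather than per scan, a single DNS hit tells you exactly which parameter is vulnerable; that is what lets an OOB-first strategy report a finding before any in-band probe has been sent.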
Right-click a login/refresh request → Set as Session Login Request, then tick Session Keep-Alive. OmniStrike replays it on an interval and injects the fresh cookies (domain-scoped) into all outbound traffic — Burp's tools and OmniStrike's own scan modules.
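The "domain-scoped" qualifier above is the security-relevant part of keep-alive: a replayed session cookie must only be attached to hosts it was set for, or the scanner leaks a live session to every host Burp talks to. The example below is added here and is not OmniStrike's code; it shows a minimal cookie jar that refreshes from the login response's Set-Cookie headers and stamps outbound requests following the RFC 6265 domain-match, path-match and Secure rules. The hostnames and cookie values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # lowercase, leading dot stripped
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    secure: bool
    path: str


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value from the login response.

    A cookie with no Domain attribute is host-only and belongs solely to the
    host that set it (RFC 6265 section 5.3); it must not follow to sibling
    subdomains.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only, secure, path = request_host.lower(), True, False, "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val:
            domain, host_only = val.strip().lower().lstrip("."), False
        elif key == "secure":
            secure = True
        elif key == "path" and val:
            path = val.strip()
    return Cookie(name.strip(), value.strip(), domain, host_only, secure, path)


def domain_matches(host: str, cookie: Cookie) -> bool:
    """RFC 6265 domain-match: the exact host, or a subdomain of a cookie that
    carried a Domain attribute. 'example.com.evil.net' never matches."""
    host = host.lower()
    if host == cookie.domain:
        return True
    return (not cookie.host_only) and host.endswith("." + cookie.domain)


def path_matches(req_path: str, cookie_path: str) -> bool:
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False


class SessionJar:
    """Holds the cookies from the most recent login replay and stamps them
    onto outbound requests, but only where the request is in scope for them."""

    def __init__(self) -> None:
        self._cookies: List[Cookie] = []

    def refresh(self, set_cookie_headers: List[str], login_host: str) -> None:
        """Called after each keep-alive replay. A cookie with the same
        name/domain/path replaces the stale one in place."""
        for header in set_cookie_headers:
            fresh = parse_set_cookie(header, login_host)
            key = (fresh.name, fresh.domain, fresh.path)
            for i, old in enumerate(self._cookies):
                if (old.name, old.domain, old.path) == key:
                    self._cookies[i] = fresh
                    break
            else:
                self._cookies.append(fresh)

    def cookie_header_for(self, url: str) -> Optional[str]:
        u = urlsplit(url)
        host, path = (u.hostname or "").lower(), (u.path or "/")
        picked = [c for c in self._cookies
                  if domain_matches(host, c)
                  and path_matches(path, c.path)
                  and (u.scheme == "https" or not c.secure)]
        return "; ".join(f"{c.name}={c.value}" for c in picked) if picked else None

    def inject(self, headers: List[str], url: str) -> List[str]:
        """Return the outbound header lines with any stale Cookie header
        replaced by the fresh, domain-scoped one."""
        out = [h for h in headers if not h.lower().startswith("cookie:")]
        fresh = self.cookie_header_for(url)
        if fresh:
            out.append(f"Cookie: {fresh}")
        return out


# Constructed sample: what a login response from app.example.com might return.
LOGIN_HOST = "app.example.com"
LOGIN_SET_COOKIES = [
    "session=2f9c41; Path=/; Domain=.example.com; Secure; HttpOnly",
    "csrf=tok123; Path=/",
]
```

Three cases are worth checking on any keep-alive implementation: a `Domain=.example.com` cookie should reach `api.example.com` but a host-only cookie set by `app.example.com` should not; a `Secure` cookie must be withheld from plain-HTTP requests; and `example.com.evil.net` must receive nothing at all.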
The AI CLI integration is disabled by default. It supports Claude Code, Gemini CLI, Codex CLI and OpenCode CLI, and needs no API keys because it drives those CLI tools directly. Enable it in the OmniStrike tab.