// synaps

Synaps WASM modules

Pro tier

Extend the scanner without trusting the code — community modules compiled to WebAssembly and run in a hard sandbox.

// capabilities

What it does

WASM sandbox

Every module runs in Wasmtime with a 1-billion-instruction fuel cap and a 16 MB memory limit.

Rust guest SDK

Authors write Rust against hugin-scanner-guest and compile to wasm32 — the SDK is open source.

Real capabilities

Modules get HTTP, raw TCP, DNS, TLS inspection, WebSocket, browser automation and Oastify via host imports.

Install and run

Pull a community module and run it; the sandbox guarantee means untrusted code can't touch your system.

// detail

Extend the engine, safely

Caido's own security policy says it out loud: its JavaScript plugins have “unrestricted access” — they can read the files on your computer, reach the internet, and “install or execute additional programs,” and that “cannot be fully restricted at this time.” Synaps takes the opposite bet. Every module is WebAssembly in a Wasmtime sandbox with hard, metered limits, so running a stranger’s check can’t cost you your machine.

1-billion-instruction fuel cap

Wasmtime meters every guest opcode. A runaway or hostile loop traps as out-of-fuel — it can't pin a CPU core the way a free-running plugin can.

16 MiB memory ceiling

256 linear-memory pages, hard-capped at instantiation. A module can't balloon and starve the host of RAM.

100 ms epoch deadline

Defense-in-depth over fuel: a guest that burns wall-clock time inside a host call is still cut off, so it can't hang a scan.

Capability-gated host calls

A module reaches HTTP, DNS, TLS, WebSocket, Oastify or a scoped file read only through typed host imports. There is no ambient filesystem and no way to spawn a process.
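
A pre-install check that fits the capability-gated design above, as an added example (not Synaps or hugin-scanner-guest code): it reads a compiled module's import section and reports any function import outside an operator allowlist. The `hugin.*` import names and the sample bytes are constructed assumptions, since the page does not list the real host import names; malformed input or a non-function import returns `None` so the caller can refuse the module.

```rust
// Added example, not Synaps code. The "hugin" import names are hypothetical.
fn leb(b: &[u8], pos: &mut usize) -> Option<u32> { // unsigned LEB128
    let (mut val, mut shift) = (0u32, 0u32);
    while shift < 35 {
        let byte = *b.get(*pos)?;
        *pos += 1;
        val |= ((byte & 0x7f) as u32) << shift;
        if byte & 0x80 == 0 { return Some(val); }
        shift += 7;
    }
    None
}
fn name(b: &[u8], pos: &mut usize) -> Option<String> { // length-prefixed UTF-8
    let len = leb(b, pos)? as usize;
    let s = b.get(*pos..(*pos).checked_add(len)?)?;
    *pos += len;
    String::from_utf8(s.to_vec()).ok()
}
/// Function imports ("module.field") that are not in `allowed`.
/// None means the module could not be parsed, so the caller should refuse it.
pub fn unexpected_imports(wasm: &[u8], allowed: &[&str]) -> Option<Vec<String>> {
    if !wasm.starts_with(b"\0asm\x01\0\0\0") { return None; }
    let (mut pos, mut out) = (8usize, Vec::new());
    while pos < wasm.len() {
        let id = wasm[pos];
        pos += 1;
        let size = leb(wasm, &mut pos)? as usize;
        let body = wasm.get(pos..pos.checked_add(size)?)?;
        pos += size;
        if id != 2 { continue; } // section id 2 = imports
        let mut p = 0;
        for _ in 0..leb(body, &mut p)? {
            let (module, field) = (name(body, &mut p)?, name(body, &mut p)?);
            if *body.get(p)? != 0 { return None; } // non-function import: fail closed
            p += 1;
            leb(body, &mut p)?; // type index
            let import = format!("{module}.{field}");
            if !allowed.contains(&import.as_str()) { out.push(import); }
        }
    }
    Some(out)
}
// Constructed sample: header, one type, import section with two function imports.
pub const SAMPLE: &[u8] = b"\0asm\x01\0\0\0\x01\x04\x01\x60\0\0\x02\x27\x02\
    \x05hugin\x09http_send\0\0\x05hugin\x0bdns_resolve\0\0";
fn main() {
    // The allowlist grants HTTP only, so the DNS import is reported.
    println!("{:?}", unexpected_imports(SAMPLE, &["hugin.http_send"]));
}
```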