Documentation.

Everything from your first capture to self-hosted OAST, IDOR hunting, mobile interception, and agent-driven automation. New to Crusader? Start with the bug-hunting workflow or your first capture.

Start here
the methodology & the basics

★ Cornerstone field guide
A bug-hunting workflow with Crusader
The end-to-end methodology: get traffic in and scope it, map the attack surface, triage passively, hunt the highest-ROI authorization bugs, prove the blind ones with OAST, then write the report — with a vuln-class playbook linking every step to its deep dive.
Field guide · ~12 min · all tiers

Your first capture
Install, trust the CA (or skip it with the built-in test browser), route a browser, and read your first intercepted HTTPS request.
Guide · ~6 min · Free

Trust the Crusader CA
Per-OS certificate trust on macOS, Windows, and Linux — plus the zero-install test-browser fallback that works on HSTS sites.
Guide · ~8 min · Free

Finding bugs
triage, prove, report

Hunt IDOR & BOLA with Shadow Replay
Capture two accounts as identities, then diff how one request answers different actors — the highest-ROI bug class.
Guide · ~10 min · Hunter Pro

The Scanner: passive to active proof
Passive analysis over captured history (Free) and bounded active proof-replay (Pro) that refuses anything but safe reads.
Guide · ~9 min · Free / Pro

Blind SSRF → finding with Beacon
Plant an OAST payload in a suspected sink, catch the callback, read the proof chain, and promote it to an evidenced finding.
Guide · ~8 min · BYO Free / hosted Pro

Run your own private OAST server
Self-host Interactsh and point Beacon's Custom provider at it, so out-of-band callbacks stay on infrastructure you control.
Guide · ~12 min · Hunter Pro

Cache analysis
Spot web cache deception and cache-poisoning surface from traffic you already captured — read-only triage, zero probes.
Guide · ~6 min · Free

Core workflow
the daily tools

Repeater
Edit and replay requests across Raw, Headers, Params, Body, and GraphQL views — as any saved identity.
Guide · ~6 min · Free

Intruder (Attack Studio)
Insertion points, the four attack modes, payload lists and processors, and response grep.
Guide · ~8 min · Free Sniper / Pro

Match & Replace
Rewrite requests, responses, and even WebSocket frames in flight, with regex.
Guide · ~6 min · 10 rules Free / Pro

Decoder, Comparer & data tools
Encode/decode (URL, Base64, Hex, JSON, Protobuf), diff two items, and the protobuf/body/GraphQL/IDOR helpers.
Guide · ~6 min · Free

Target scope & safety
Define what's in your engagement and the safety model that keeps active testing on authorized, non-internal hosts.
Guide · ~7 min · Free

Mobile & Frida
android & ios interception

Kill cert pinning & intercept mobile
Stand up an Android sandbox in Easy Mode, install the CA into system trust, attach Frida, and run the pinning bypass.
Guide · ~12 min · Hunter Pro

Extract mTLS client certs
Capture an app's client certificate with Frida, import it as an identity, and replay the app's requests from Repeater.
Guide · ~10 min · Hunter Pro

Static app analysis (APK)
Pull an Android app apart without running it — manifest flags, permissions, exported components, deep links, and endpoints as leads.
Guide · ~7 min · Hunter Pro

Agent & automation
MCP · CLI · SQL

Drive Crusader from Claude Code
Connect the MCP server over stdio, use the Free read-only and Hunter Pro write tools, and run a scoped, passive-first hunt.
Guide · ~9 min · Free / Pro

The CLI & a CI pipeline
Every verb prints JSON to stdout: script captures, scans, history queries, and findings export, then wire a scan into CI.
Guide · ~10 min · Free / Pro

Query your history with SQL
Read-only SQLite over captured traffic: the exchanges schema, the safe-query guard, and example queries.

AI-assisted analysis (BYO-AI)
Point Crusader at your own LLM to summarize diffs and triage findings — redacted evidence only, or export a prompt for any chat.
Guide · ~7 min · Hunter Pro

Importing & teams
bring your work, share it

Import a Burp, Caido, or HAR project
Turn a year of captured traffic into a live workspace — your original file is never modified.
Guide · ~6 min · Free

Share a workspace with Squad
Pool findings and redacted Repeater/Intruder tabs across a team — or self-host the team server yourself.
Guide · ~10 min · Squad

Extending & reference
plugins, plans, community

Write your first plugin
JavaScript registration hooks, the api.* surface, the capability manifest, and hot reload.

Browse the extension catalog
Hot-reload community plugins for JWTs, Frida, JA3 profiles, agent workflows, IDOR probes, and more.
Catalog

Plans & licensing
What's in Free, Hunter Pro, Squad, and Team Pro; the 14-day trial; and how to move your license between machines.
Reference · ~7 min

Community & resources
Where to learn web security, practice legally, find wordlists, and contribute to Crusader.
Resources · ~5 min