Skip to main content

GSoC 2026 Project Ideas

Explore exciting projects across ProjectDiscovery’s open source security tools. Choose a project that matches your interests and skills, or propose your own custom idea!

How to Use This Page

  1. Browse projects below to find ones that interest you
  2. Check required skills to see if you’re a good fit
  3. Read the tool documentation linked in each project
  4. Try the tool to understand how it works
  5. Discuss with mentors on Discord before applying
  6. Review application process when ready to apply
Custom proposals welcome! Have your own idea? Discuss it with mentors on Discord first to ensure it aligns with ProjectDiscovery’s goals.

Project Categories

Our projects span different difficulty levels and time commitments:
DifficultyHoursSuitable For
Easy175 hoursFirst-time contributors, focused features
Medium175-350 hoursModerate experience, substantial features
Hard350 hoursExperienced contributors, complex projects

Projects by Difficulty

CategoryProjects
Beginner-FriendlyProject 4 (Wappalyzer Detection)
IntermediateProjects 2, 3, 6 (XSS Analyzer, Honeypot, SDK)
AdvancedProjects 1, 5, 7 (DAST Engine, Auth Support, TLS Fingerprinting)

Available Projects

This year’s focus: Most projects center on Nuclei, our flagship vulnerability scanner. We’re looking for contributors to enhance its core scanning capabilities, authentication support, and integration features.

Project 1: Proxy-Driven DAST Engine

Community Contribution - This project idea was proposed by community member xhzeem in Discussion #6782. We welcome and credit community-proposed ideas!

Quick Overview

Tool: Nuclei Difficulty: Hard Size: 350 hours Mentors: To be assigned Reference: Discussion #6782

Description

Build a proxy-based Dynamic Application Security Testing (DAST) engine for Nuclei that bridges the gap between stateless template scanning and complex authenticated web application testing. This project implements traffic interception with session tracking, enabling Nuclei to test applications that require multi-step authentication flows, CSRF tokens, and stateful session handling. Currently, Nuclei excels at stateless vulnerability detection but struggles with modern web applications that require maintaining session state across requests. This DAST engine will intercept live traffic, track sessions, and apply template-driven attacks while preserving application state.

Goals & Deliverables

  • Proxy Infrastructure: Implement MITM proxy for traffic interception:
    • HTTP/HTTPS traffic interception
    • WebSocket support
    • Certificate generation and management
    • Request/response modification hooks
  • Dual Operation Modes:
    • Target Mode: Automated crawling with session preservation
    • Proxy Mode: Live traffic interception during manual browsing
  • Session Management:
    • Cookie and token tracking across requests
    • CSRF token extraction and replay
    • Authentication state preservation
    • Session invalidation detection
  • Template Integration:
    • DSL extensions for session-aware attacks
    • Stateful matcher and extractor support
    • Template chaining for multi-step attacks
    • Context injection from captured traffic
  • Documentation: Architecture docs, usage guides, and example templates
  • Testing: Comprehensive test suite with mock applications

Technical Skills Required

Required:
  • Strong Go programming skills
  • Deep understanding of HTTP/HTTPS protocols
  • Experience with proxy/MITM concepts
  • Knowledge of web authentication mechanisms
Preferred:
  • Experience with tools like Burp Suite, mitmproxy, or ZAP
  • Understanding of CSRF, session management vulnerabilities
  • Familiarity with Nuclei’s template DSL
  • TLS/certificate handling experience

Skills You’ll Learn

  • Building MITM proxy infrastructure
  • Web application security testing methodologies
  • Session management and authentication flows
  • Nuclei’s internal architecture and DSL
  • DAST tooling design patterns
  • Complex state management in security tools

Getting Started

  1. Read Documentation:
  2. Study DAST Tools:
    • Understand how Burp Suite and ZAP handle sessions
    • Learn about MITM proxy architecture
    • Study authentication flow testing
  3. Explore Codebase:
    • Review Nuclei’s HTTP protocol implementation
    • Understand template execution flow
    • Look at existing session handling code
  4. Make Contributions:
    • Fix “good-first-issue” bugs in Nuclei
    • Add tests or documentation
    • Contribute to discussions on the feature

Project 2: XSS Context Analyzer

Quick Overview

Tool: Nuclei Difficulty: Medium Size: 350 hours Mentors: To be assigned Reference: Issue #5838

Description

Build an intelligent XSS context analyzer for Nuclei that detects injection contexts and generates context-aware payloads. Instead of blindly throwing XSS payloads, this system will analyze where user input appears in the response and craft appropriate payloads for that specific context. Current XSS testing often relies on large payload lists that may not work in specific contexts. This analyzer will identify whether input lands in HTML content, JavaScript, attributes, URLs, or CSS, then suggest or generate payloads optimized for that context.

Goals & Deliverables

  • Context Detection:
    • HTML body context
    • HTML attribute context (quoted/unquoted)
    • JavaScript context (string, template literal, code)
    • URL context (href, src, etc.)
    • CSS context (style attributes, stylesheets)
    • Event handler context
  • Payload Generation:
    • Context-specific payload selection
    • Encoding-aware payload generation
    • Filter bypass suggestions
    • Payload mutation for WAF evasion
  • Template DSL Functions:
    • xss_context() - detect injection context
    • xss_payload() - generate appropriate payload
    • xss_encode() - context-aware encoding
    • Filter detection and bypass helpers
  • Analysis Features:
    • Reflection point identification
    • Character filtering detection
    • Encoding transformation analysis
    • Confidence scoring for contexts
  • Built-in Templates: Context-aware XSS detection templates
  • Documentation: Context analysis guide and examples

Technical Skills Required

Required:
  • Go programming (intermediate level)
  • Deep understanding of XSS vulnerabilities
  • HTML/JavaScript parsing knowledge
  • Web security testing experience
Preferred:
  • Experience with XSS filter bypass techniques
  • Knowledge of browser parsing quirks
  • Familiarity with Nuclei’s DSL
  • HTML parsing library experience

Skills You’ll Learn

  • Advanced XSS attack techniques
  • HTML/JavaScript parsing internals
  • Context-aware security testing
  • Nuclei DSL extension development
  • Browser security model understanding

Getting Started

  1. Read Documentation:
  2. Study XSS Contexts:
    • Learn about different injection contexts
    • Practice identifying contexts manually
    • Study XSS filter bypass techniques
  3. Explore Codebase:
    • Review Nuclei’s matcher and extractor code
    • Understand DSL function implementation
    • Look at existing helper functions
  4. Make Contributions:
    • Write XSS detection templates
    • Improve existing templates
    • Document XSS testing approaches

Project 3: Honeypot Detection System

Quick Overview

Tool: Nuclei Difficulty: Medium Size: 175 hours Mentors: To be assigned Reference: Issue #6403

Description

Implement a honeypot and tarpit detection system for Nuclei to reduce false positives and avoid wasting resources on decoy systems. Security scanners often encounter honeypots (like Shodan’s decoys) that respond positively to everything, generating misleading results. Honeypots can skew scan results and waste time during security assessments. This detection system will identify likely honeypots through behavioral analysis and response anomalies, allowing users to skip or tag suspicious targets.

Goals & Deliverables

  • Detection Techniques:
    • Response anomaly detection (too many open ports)
    • Banner inconsistency analysis
    • Service fingerprint mismatches
    • Suspicious response patterns
    • Known honeypot signatures
  • Scoring System:
    • Configurable confidence threshold
    • Multiple indicator aggregation
    • Weighted scoring algorithm
    • Confidence level reporting
  • Integration Options:
    • Pre-scan detection phase
    • Runtime detection during scanning
    • Post-scan result filtering
    • Tag-based result categorization
  • User Controls:
    • Skip honeypots automatically
    • Tag results for manual review
    • Configurable sensitivity levels
    • Whitelist/blacklist support
  • Detection Templates: Templates for common honeypot types
  • Documentation: Detection methodology and configuration guide

Technical Skills Required

Required:
  • Go programming (intermediate level)
  • Understanding of network protocols
  • Knowledge of how honeypots work
  • Basic statistics for anomaly detection
Preferred:
  • Experience with honeypot systems
  • Network fingerprinting knowledge
  • Familiarity with Nuclei internals
  • Security scanning experience

Skills You’ll Learn

  • Honeypot detection methodologies
  • Network fingerprinting techniques
  • Anomaly detection algorithms
  • Nuclei’s scanning pipeline
  • False positive reduction strategies

Getting Started

  1. Read Documentation:
  2. Study Honeypots:
    • Learn about common honeypot types
    • Understand detection techniques
    • Research existing honeypot detection tools
  3. Explore Codebase:
    • Review Nuclei’s target handling
    • Understand the scanning pipeline
    • Look at result processing code
  4. Make Contributions:
    • Document honeypot detection approaches
    • Create detection templates
    • Report false positives from honeypots

Project 4: Wappalyzer Technology Detection

Quick Overview

Tool: Nuclei Difficulty: Easy Size: 175 hours Mentors: To be assigned Reference: Issue #6336

Description

Integrate the wappalyzergo library into Nuclei for technology fingerprinting, enabling conditional template execution based on detected technologies. This allows templates to run only when relevant technologies are present, improving scan efficiency and accuracy. Currently, Nuclei runs all matching templates regardless of target technology. With Wappalyzer integration, WordPress-specific templates would only run on WordPress sites, reducing noise and improving performance.

Goals & Deliverables

  • Wappalyzer Integration:
    • Integrate wappalyzergo library
    • Technology detection during scanning
    • Version detection where possible
    • Category-based grouping
  • Template DSL Extensions:
    • tech_detected("wordpress") - check for technology
    • tech_version("php") - get detected version
    • tech_category("cms") - check technology category
    • Boolean operators for complex conditions
  • Conditional Execution:
    • Skip templates for non-matching technologies
    • Technology-based template chains
    • Automatic template selection
    • Technology metadata in results
  • Performance Optimization:
    • Cache detection results per target
    • Minimize additional requests
    • Efficient fingerprint matching
  • Documentation: Usage guide and template examples
  • Testing: Unit tests for detection and DSL functions

Technical Skills Required

Required:
  • Go programming (beginner to intermediate)
  • Understanding of HTTP responses
  • Basic web technology knowledge
  • Familiarity with fingerprinting concepts
Preferred:
  • Experience with wappalyzergo or similar
  • Knowledge of Nuclei’s DSL
  • Web application experience
  • Regex proficiency

Skills You’ll Learn

  • Technology fingerprinting techniques
  • Nuclei DSL development
  • Library integration in Go
  • Performance optimization
  • Conditional execution patterns

Getting Started

  1. Read Documentation:
  2. Understand Technology Detection:
    • Study how Wappalyzer works
    • Learn about fingerprinting techniques
    • Test wappalyzergo standalone
  3. Explore Codebase:
    • Review Nuclei’s DSL implementation
    • Understand template execution flow
    • Look at existing helper functions
  4. Make Contributions:
    • Write technology-specific templates
    • Improve documentation
    • Fix beginner-friendly issues

Project 5: Complete Auth Support for Protected Targets

Quick Overview

Tool: Nuclei Difficulty: Hard Size: 350 hours Mentors: To be assigned Reference: Issue #4793

Description

Implement comprehensive authentication support in Nuclei for scanning protected targets. This includes static credentials (API keys, tokens), dynamic authentication (login flows, token refresh), and integration with secrets management systems like HashiCorp Vault. Many real-world security assessments require scanning authenticated portions of applications. This project will enable Nuclei to handle various authentication mechanisms, from simple API keys to complex OAuth flows with token refresh.

Goals & Deliverables

  • Static Authentication:
    • Per-target credential configuration
    • API key injection (header, query, body)
    • Bearer token support
    • Basic/Digest authentication
    • Custom header authentication
  • Dynamic Authentication:
    • Login flow templates
    • Token extraction and reuse
    • Automatic token refresh
    • Session cookie management
    • OAuth2 flow support
  • Secrets Management Integration:
    • HashiCorp Vault integration
    • 1Password integration
    • Environment variable support
    • Encrypted credential storage
    • Credential rotation handling
  • Configuration:
    • Per-host credential mapping
    • Credential scope (template/global)
    • Credential priority rules
    • Secure credential storage
  • Documentation: Configuration guides and examples
  • Testing: Security tests for credential handling

Technical Skills Required

Required:
  • Strong Go programming skills
  • Deep understanding of authentication mechanisms
  • Security-conscious development practices
  • API design experience
Preferred:
  • Experience with OAuth2/OIDC
  • Knowledge of secrets management tools
  • Familiarity with Nuclei internals
  • Enterprise security experience

Skills You’ll Learn

  • Authentication protocol implementation
  • Secrets management integration
  • Secure credential handling
  • Nuclei’s request pipeline
  • Enterprise security patterns

Getting Started

  1. Read Documentation:
  2. Study Authentication:
    • Learn about various auth mechanisms
    • Understand OAuth2 flows
    • Study secrets management systems
  3. Explore Codebase:
    • Review Nuclei’s HTTP request handling
    • Understand current auth support
    • Look at configuration systems
  4. Make Contributions:
    • Improve existing auth documentation
    • Fix auth-related issues
    • Write authenticated templates

Project 6: Nuclei SDK & Concurrency Improvements

Quick Overview

Tool: Nuclei Difficulty: Medium Size: 175 hours Mentors: To be assigned Reference: Issue #5651 + PR #6322

Description

Improve Nuclei’s SDK to support better concurrency, per-execution callbacks, and reliable engine reuse. This enables developers building on Nuclei to run multiple scan engines concurrently, receive real-time results, and avoid memory leaks when reusing engines. As Nuclei is increasingly used as a library, the SDK needs improvements for production use cases. This project focuses on making Nuclei reliable and efficient when embedded in other applications.

Goals & Deliverables

  • Concurrency Support:
    • Multiple concurrent Nuclei engines in same process
    • Thread-safe template parsing
    • Isolated scan contexts
    • Resource sharing optimization
  • Callback System:
    • Per-execution result callbacks
    • Progress callbacks
    • Error callbacks
    • Streaming results support
  • Memory Management:
    • Fix memory leaks on engine reuse
    • Proper resource cleanup
    • Connection pool management
    • Template cache optimization
  • SDK Improvements:
    • Better error handling
    • Context cancellation support
    • Configuration validation
    • API documentation
  • Documentation: SDK usage guide with examples
  • Testing: Concurrent execution tests, leak detection

Technical Skills Required

Required:
  • Strong Go programming skills
  • Concurrent programming experience
  • Memory management understanding
  • API design skills
Preferred:
  • Experience with Go profiling tools
  • Library/SDK development experience
  • Familiarity with Nuclei codebase
  • Testing concurrent systems

Skills You’ll Learn

  • Go concurrency patterns
  • Memory profiling and leak detection
  • SDK/library design
  • Nuclei internals
  • Building reusable components

Getting Started

  1. Read Documentation:
  2. Understand Current SDK:
    • Use Nuclei as a library
    • Identify current limitations
    • Test concurrent execution
  3. Explore Codebase:
    • Review SDK implementation
    • Understand engine lifecycle
    • Identify shared state
  4. Make Contributions:
    • Fix SDK-related issues
    • Add SDK tests
    • Improve documentation

Project 7: Browser TLS Fingerprint Impersonation

Quick Overview

Tool: httpx Difficulty: Hard Size: 350 hours Mentors: To be assigned Reference: Issue #2044

Description

Implement browser TLS fingerprint impersonation in httpx to bypass WAF and bot detection systems that fingerprint TLS connections. This includes JA3/JA4 fingerprint spoofing and HTTP/2 fingerprinting to make httpx requests appear as legitimate browser traffic. Modern bot detection systems fingerprint TLS handshakes (JA3/JA4) and HTTP/2 settings to distinguish automated tools from real browsers. This project will allow httpx to impersonate Chrome, Firefox, Safari, and Edge fingerprints.

Goals & Deliverables

  • TLS Fingerprint Impersonation:
    • JA3 fingerprint spoofing
    • JA4 fingerprint spoofing
    • Cipher suite ordering
    • TLS extension configuration
    • ALPN protocol ordering
  • Browser Profiles:
    • Chrome (multiple versions)
    • Firefox (multiple versions)
    • Safari
    • Edge
    • Custom profile support
  • HTTP/2 Fingerprinting:
    • SETTINGS frame configuration
    • Header priority ordering
    • Window update behavior
    • Stream handling patterns
  • CLI Integration:
    • Browser profile selection flag
    • Custom fingerprint configuration
    • Fingerprint randomization option
    • Profile listing and info
  • Documentation: Usage guide and profile documentation
  • Testing: Fingerprint verification tests

Technical Skills Required

Required:
  • Strong Go programming skills
  • Deep understanding of TLS protocol
  • HTTP/2 protocol knowledge
  • Network programming experience
Preferred:
  • Experience with TLS fingerprinting
  • Knowledge of bot detection systems
  • Low-level networking experience
  • Familiarity with httpx codebase

Skills You’ll Learn

  • TLS protocol internals
  • Browser fingerprinting techniques
  • HTTP/2 protocol details
  • Bot detection evasion (for legitimate testing)
  • Low-level Go networking

Getting Started

  1. Read Documentation:
  2. Study TLS Fingerprinting:
    • Learn about JA3/JA4 fingerprints
    • Understand how fingerprinting works
    • Study browser TLS configurations
  3. Explore Codebase:
    • Review httpx’s TLS configuration
    • Understand HTTP client setup
    • Look at existing connection handling
  4. Make Contributions:
    • Fix httpx issues
    • Improve documentation
    • Add tests

Custom Project Proposals

Have your own idea for improving ProjectDiscovery’s tools? We welcome custom proposals!

Requirements for Custom Proposals

  1. Discuss First: Talk with mentors on Discord before applying
  2. Alignment: Ensure it aligns with ProjectDiscovery’s goals
  3. Scope: Size appropriately for 175 or 350 hours
  4. Value: Demonstrate clear benefit to users
  5. Feasibility: Show it’s technically achievable

Good Custom Project Ideas

  • New features for existing tools
  • Performance improvements with measurable impact
  • Integration between ProjectDiscovery tools
  • Developer experience improvements
  • Testing or CI/CD infrastructure

Ideas to Avoid

  • Complete rewrites of existing tools
  • Projects requiring proprietary APIs
  • Research-only projects without code deliverables
  • Projects outside security/scanning domain

How to Propose

  1. Join Discord and share your idea in #gsoc
  2. Describe the problem you want to solve
  3. Explain your approach at a high level
  4. Get feedback and refine your idea
  5. Follow proposal guidelines when applying

Application Process

Ready to apply for one of these projects?

Application Guide

Learn how to write your proposal

Proposal Template

Use our template

Getting Started

6-step participation guide

Join Discord

Connect with mentors

Tips for Choosing a Project

Match Your Skills

  • Choose a project where you have 60-70% of required skills
  • You should be able to learn the remaining 30-40%
  • Don’t choose projects where you have 0% of skills

Consider Your Interests

  • Pick something that excites you
  • You’ll spend 12-14 weeks on this
  • Passion matters for motivation

Think About Impact

  • Which project would help the most users?
  • What aligns with your career goals?
  • What showcases skills you want to develop?

Assess Difficulty Honestly

  • Are you comfortable with the complexity?
  • Do you have enough time?
  • Can you complete it in the given timeframe?

Questions?

Have questions about any project? Join our Discord community and ask in the #gsoc channel. Mentors are available to help you understand projects and choose the right one!