Scanner Agents Catalog

ThreatWeaver's AppSec Scanner deploys 58 specialized scanning agents, each targeting a specific vulnerability class or security concern. All agents run in parallel during Phase 3 (Attack) of the scanning pipeline, sharing a common blackboard for context exchange.

Agent Architecture

Every agent extends baseAttackAgent.ts and receives:

Shared Blackboard -- target profile, discovered endpoints, authentication tokens, and parameters
Budget Allocation -- time and request limits assigned by the budgetAllocator
Scan Context -- assessment mode (black/gray/white box), tech stack fingerprint, and credential sets

Agents return structured findings with evidence payloads, which then pass through the Finding Validation Pipeline before being reported.

Agents by OWASP Category

Injection (8 agents)

Agent	File	Vulnerability Class	Key Techniques
SQL Injection Prober	`sqliProber.agent.ts`	SQL Injection	Error-based, UNION-based, blind boolean/time probing across all parameter types
Advanced Injection	`advancedInjection.agent.ts`	SQLi, NoSQLi, LDAPi, XPATHi	Second-order injection, polyglot payloads, multi-database syntax
SQLMap Agent	`sqlmapAgent.agent.ts`	SQL Injection	Wraps SQLMap logic for automated exploitation and data extraction
SSTI Detector	`sstiDetector.agent.ts`	Server-Side Template Injection	Jinja2, Twig, Freemarker, Pebble, Velocity template expression probing
Deserialization	`deserializationAgent.agent.ts`	Insecure Deserialization	Java, PHP, Python, .NET serialization gadget chains
Email Injection	`emailInjectionAgent.agent.ts`	Email Header Injection	CRLF injection in email-sending endpoints, CC/BCC manipulation
Prompt Injection	`promptInjectionAgent.agent.ts`	LLM Prompt Injection	Direct/indirect prompt injection against AI-powered endpoints
LLM API Security	`llmApiSecurityAgent.agent.ts`	LLM API Abuse	Token leakage, model extraction, excessive agency in AI endpoints

Cross-Site Scripting (3 agents)

Agent	File	Vulnerability Class	Key Techniques
XSS Hunter	`xssHunter.agent.ts`	Reflected/Stored XSS	Context-aware payload generation, DOM context analysis, encoding bypass
Dalfox Agent	`dalfoxAgent.agent.ts`	Reflected XSS	Parameter analysis, WAF bypass, blind XSS via callback
DOM XSS	`domXssAgent.agent.ts`	DOM-based XSS	Source-to-sink tracing, JavaScript execution context analysis

Server-Side Request Forgery (2 agents)

Agent	File	Vulnerability Class	Key Techniques
SSRF Detector	`ssrfDetector.agent.ts`	SSRF	Cloud metadata probing (AWS/GCP/Azure), internal network scanning, protocol smuggling
SSRF Scout	`ssrfScout.agent.ts`	Blind SSRF	OOB callback detection, DNS rebinding, redirect chain exploitation

Authentication and Authorization (10 agents)

Agent	File	Vulnerability Class	Key Techniques
Auth Tester	`authTester.agent.ts`	Broken Authentication	Credential stuffing patterns, default credential testing, session fixation
Auth Breaker	`authBreaker.agent.ts`	Auth Bypass	Token manipulation, authentication flow bypass, privilege escalation
JWT Attacker	`jwtAttacker.agent.ts`	JWT Vulnerabilities	Algorithm confusion (none/HS256), weak secret dictionary attack, key injection
OAuth Tester	`oauthTester.agent.ts`	OAuth Flaws	PKCE bypass, redirect URI manipulation, scope escalation, state parameter abuse
BFLA Agent	`bflaAgent.agent.ts`	Broken Function-Level Auth	Horizontal/vertical privilege testing, admin endpoint access with user tokens
IDOR Finder	`idorFinder.agent.ts`	Insecure Direct Object Reference	UUID/integer enumeration, cross-user data access, parameter tampering
Tenant Isolation	`tenantIsolation.agent.ts`	Multi-Tenant Bypass	Cross-tenant data access, schema isolation testing, shared resource exploitation
Session Tester	`sessionTester.agent.ts`	Session Management	Session fixation, concurrent session handling, logout effectiveness
CSRF Tester	`csrfTester.agent.ts`	Cross-Site Request Forgery	Token absence/predictability, SameSite bypass, referer validation gaps
OTP Tester	`otpTester.agent.ts`	OTP Bypass	Brute force, rate limiting bypass, OTP reuse, response manipulation

API Security (8 agents)

Agent	File	Vulnerability Class	Key Techniques
API Security	`apiSecurityAgent.agent.ts`	API Misconfigurations	Mass assignment, excessive data exposure, lack of resource validation
OWASP API Top 10	`owaspApiTop10.agent.ts`	OWASP API Top 10	Comprehensive coverage of all 10 OWASP API Security categories
GraphQL Agent	`graphqlAgent.agent.ts`	GraphQL Vulnerabilities	Introspection abuse, query depth attacks, batch query exploitation
Spec Conformance	`specConformanceAgent.agent.ts`	API Spec Violations	OpenAPI contract testing, undocumented endpoint discovery, schema drift
Mass Assignment	`massAssignment.agent.ts`	Mass Assignment	Property injection, role escalation via hidden fields, prototype pollution
HPP Agent	`hppAgent.agent.ts`	HTTP Parameter Pollution	Duplicate parameter injection, parameter precedence exploitation
gRPC Tester	`grpcTester.agent.ts`	gRPC Vulnerabilities	Reflection abuse, message tampering, authentication bypass
SOAP Tester	`soapTester.agent.ts`	SOAP/XML-RPC	WSDL enumeration, XML injection, SOAPAction header manipulation

Infrastructure and Headers (11 agents)

Agent	File	Vulnerability Class	Key Techniques
Header Analyzer	`headerAnalyzer.agent.ts`	Security Headers	Missing CSP, HSTS, X-Frame-Options, X-Content-Type-Options analysis
CORS Checker	`corsChecker.agent.ts`	CORS Misconfiguration	Origin reflection, null origin, wildcard with credentials testing
Crypto Checker	`cryptoChecker.agent.ts`	Weak Cryptography	TLS version, cipher suite analysis, certificate validation
Nuclei Runner	`nucleiRunner.agent.ts`	Known CVEs	Template-based scanning for known vulnerabilities and misconfigurations
Host Header	`hostHeaderAgent.agent.ts`	Host Header Injection	Password reset poisoning, cache poisoning via Host header
HTTP Smuggling	`httpSmugglingAgent.agent.ts`	HTTP Request Smuggling	CL.TE, TE.CL, TE.TE smuggling variants
Cache Poison	`cachePoisonAgent.agent.ts`	Web Cache Poisoning	Unkeyed header injection, cache deception, response splitting
Subdomain Takeover	`subdomainTakeoverAgent.agent.ts`	Subdomain Takeover	Dangling DNS detection, unclaimed cloud resource identification
Protocol & Compliance	`protocolAndCompliance.agent.ts`	Protocol Security	HTTP/2, WebSocket security, protocol downgrade attacks
Redirect Tester	`redirectTester.agent.ts`	Open Redirect	URL parsing bypass, protocol-relative redirect, parameter-based redirect
Cloud Storage	`cloudStorageAgent.agent.ts`	Cloud Storage Exposure	S3 bucket enumeration, Azure blob access, GCS permission testing

Business Logic (8 agents)

Agent	File	Vulnerability Class	Key Techniques
Rate Limit Tester	`rateLimitTester.agent.ts`	Missing Rate Limiting	Rapid request flooding, rate limit bypass via header manipulation
Race Tester	`raceTester.agent.ts`	Race Conditions	Double-submit, TOCTOU, concurrent state manipulation
Logic Tester	`logicTester.agent.ts`	Business Logic Flaws	Workflow bypass, price manipulation, negative quantity abuse
File Upload	`fileUploadAgent.agent.ts`	Unrestricted File Upload	Extension bypass, content-type manipulation, polyglot files
Path Traversal	`pathTraversalAgent.agent.ts`	Path Traversal / LFI	Directory traversal, null byte injection, encoding bypass
Info Disclosure	`infoDisclosureAgent.agent.ts`	Information Disclosure	Stack traces, debug endpoints, sensitive file exposure
Enum Inversion	`enumInversionAgent.agent.ts`	Enumeration via Error	Username enumeration, resource existence disclosure via timing/response
Flow Attack	`flowAttackAgent.agent.ts`	Multi-Step Flow Abuse	Step skipping, state manipulation, workflow tampering

Cloud and Supply Chain (3 agents)

Agent	File	Vulnerability Class	Key Techniques
Serverless Security	`serverlessSecurityAgent.agent.ts`	Serverless Flaws	Event injection, cold start abuse, environment variable leakage
Dependency Confusion	`dependencyConfusionAgent.agent.ts`	Supply Chain	Internal package name squatting, registry confusion attacks
IAM Privilege Escalation	`iamPrivilegeEscalationAgent.agent.ts`	Cloud IAM	Role chaining, policy misconfiguration, cross-account trust abuse

Reconnaissance and Orchestration (5 agents)

Agent	File	Vulnerability Class	Key Techniques
OSINT Scanner	`osintScanner.agent.ts`	Reconnaissance	Domain intelligence, exposed credential search, technology profiling
WebSocket Tester	`websocketTester.agent.ts`	WebSocket Security	Origin validation, message injection, authentication bypass
Framework Agent	`frameworkAgent.agent.ts`	Framework-Specific	Framework fingerprinting, known default paths, admin panel discovery
Fast Scan	`fastScanAgent.agent.ts`	Quick Assessment	Lightweight scan for rapid triage of new targets
Bootstrap Orchestrator	`bootstrapOrchestrator.agent.ts`	Phase 0 Coordination	Target profiling, technology detection, scan strategy planning

Summary by Category

Category	Agent Count	Key Coverage
Injection	8	SQLi, NoSQLi, SSTI, deserialization, email, LLM prompt
Cross-Site Scripting	3	Reflected, stored, DOM-based XSS
SSRF	2	Direct and blind SSRF with OOB callbacks
Auth and Authz	10	JWT, OAuth, BOLA, BFLA, IDOR, session, CSRF, OTP
API Security	8	OWASP API Top 10, GraphQL, gRPC, SOAP, spec conformance
Infrastructure	11	Headers, CORS, TLS, HTTP smuggling, cache poisoning
Business Logic	8	Race conditions, file upload, path traversal, logic flaws
Cloud / Supply Chain	3	Serverless, dependency confusion, IAM escalation
Recon / Orchestration	5	OSINT, WebSocket, framework fingerprinting
Total	58

Phase Pipeline -- How agents are orchestrated across six phases
Findings Validation -- How agent findings are validated and filtered
AppSec Overview -- Module overview and architecture

Agent Architecture​

Agents by OWASP Category​

Injection (8 agents)​

Cross-Site Scripting (3 agents)​

Server-Side Request Forgery (2 agents)​

Authentication and Authorization (10 agents)​

API Security (8 agents)​

Infrastructure and Headers (11 agents)​

Business Logic (8 agents)​

Cloud and Supply Chain (3 agents)​

Reconnaissance and Orchestration (5 agents)​

Summary by Category​

Related Pages​