AppSec Scanner
The AppSec Scanner module provides automated penetration testing for web applications and APIs. It orchestrates 59 specialized scanning agents through a six-phase pipeline, validating every finding with AI-driven confidence scoring and multi-step chain replay.
Six-Phase Scanning Pipelineβ
| Phase | Name | Purpose |
|---|---|---|
| Phase 0 | Reconnaissance | Target profiling, technology fingerprinting, OSINT collection, sector intelligence, and intelligent endpoint discovery |
| Phase 1 | Discovery | API endpoint enumeration, authentication flow detection, crawling, and application model building |
| Phase 2 | Active Scanning | All 59 agents run in parallel with budget allocation. Each agent tests for specific vulnerability classes (SQLi, XSS, SSRF, BOLA, etc.) |
| Phase 3 | Deep Exploitation | Chain replay engine links related findings into multi-step exploit chains (e.g., JWT weakness leading to SSRF) |
| Phase 4 | Validation | Finding validator applies heuristic rules and AI confidence scoring. Delta scanner identifies new vs. known findings. Deduplication removes duplicates. |
| Phase 5 | Reporting | Results are persisted, webhook notifications sent, and compliance mappings applied |
Assessment Modesβ
- Black Box -- No credentials, no source code. Simulates an external attacker.
- Gray Box -- Authenticated with test user credentials. Tests authorization boundaries.
- White Box -- Full credentials plus test data hints (e.g., known UUIDs). Maximum coverage.
Scanner Agents (59 Total)β
The pentestCoordinator orchestrates all agents. Each agent is a self-contained service that receives a shared blackboard with target context and returns structured findings.
Injection Agents:
sqliProber, advancedInjectionAgent, sqlmapAgent, sstiDetector, deserializationAgent, emailInjectionAgent
Cross-Site Scripting:
xssHunter, dalfoxAgent, domXssAgent
Server-Side Request Forgery:
ssrfDetector, ssrfScout
Authentication and Authorization:
authTester, authBreaker, jwtAttacker, oauthTester, bflaAgent, idorFinder, tenantIsolation, sessionTester, csrfTester, otpTester
API Security:
apiSecurityAgent, owaspApiTop10Agent, graphqlAgent, specConformanceAgent, massAssignmentAgent, hppAgent, grpcTester, soapTester
Infrastructure:
headerAnalyzer, corsChecker, cryptoChecker, nucleiRunner, hostHeaderAgent, httpSmugglingAgent, cachePoisonAgent, subdomainTakeoverAgent, protocolAndComplianceAgent, redirectTester, cloudStorageAgent
Business Logic:
rateLimitTester, raceTester, logicTester, fileUploadAgent, pathTraversalAgent, infoDisclosureAgent, enumInversionAgent, flowAttackAgent
AI/LLM Security:
promptInjectionAgent, llmApiSecurityAgent
Cloud and Supply Chain:
serverlessSecurityAgent, dependencyConfusionAgent, iamPrivilegeEscalationAgent
Recon and Orchestration:
osintScanner, websocketTester, frameworkAgent, fastScanAgent, bootstrapOrchestratorAgent
Core Servicesβ
| Service | Role |
|---|---|
pentestCoordinator | Orchestrates the full 6-phase pipeline, manages agent lifecycle, and coordinates the shared blackboard |
targetProfiler | Fingerprints the target (tech stack, frameworks, authentication type) during Phase 0 |
sharedBlackboard | In-memory shared state for all agents during a scan -- endpoints, auth tokens, discovered parameters |
validationEngine | Computes confidence tiers for each finding based on evidence quality |
findingValidator | Applies heuristic rules (H1-H16) to reject false positives before AI validation (see diagram below) |
budgetAllocator | Distributes the scan time budget across agents based on target profile and priority |
findingDeduplicator | Removes duplicate findings across agents using semantic similarity |
intelligentDiscovery | AI-powered endpoint discovery that adapts based on observed API patterns |
chainReplayEngine | Links related findings into multi-step exploit chains |
oobCallbackServer | Out-of-band callback server for blind SSRF and blind XSS detection |
Finding Validation Pipelineβ
Raw findings from all agents pass through a multi-layered validation pipeline before being reported. This pipeline is responsible for the 94%+ true positive rate.
Each layer reduces the finding count:
- Heuristic Filters (H1-H16) -- deterministic rules that reject known FP patterns (e.g., H8 rejects SQLi on file upload endpoints, H4d filters credential exposure on auth-initiation endpoints)
- Multi-Probe Confirmation -- replays the attack with variations to confirm exploitability
- AI Validation -- uses Claude or GPT to analyze evidence payloads and assess severity
- Deduplication -- removes duplicates at both the APP_WIDE level (e.g., one missing security header finding per app) and endpoint level
API Surfaceβ
/api/appsec-- 113 endpoints for assessment CRUD, target management, finding lifecycle, agent configuration, compliance mapping, reporting, and credential management
License Gatingβ
All AppSec routes require the appsec module in the tenant license.
UI Pagesβ
The frontend provides: Overview dashboard, Assessments list, Targets management, Findings browser, Compliance mapping, Exceptions workflow, Reports, Templates, Sensors, Agents, Credentials, and Settings.
Limitationsβ
- No authenticated mobile app testing -- The scanner targets web applications and APIs only; native mobile app binaries are not analyzed
- No source code analysis (SAST) -- All scanning is dynamic (DAST). Static analysis of source code is not performed
- Single-target scans -- Each assessment targets one base URL. Multi-domain scanning requires separate assessments
- LLM dependency for validation -- AI validation requires a configured LLM provider (OpenAI or Anthropic). Without it, validation falls back to heuristic-only mode
- No internal network scanning -- The scanner tests endpoints reachable from the scan agent. Internal-only services require an on-premises scan sensor deployment
- Rate limiting awareness -- Aggressive scanning may trigger target-side rate limiting; budget allocation mitigates but does not eliminate this risk
Related Entitiesβ
| Entity / Table | Description |
|---|---|
Assessment | Represents a single scan run with configuration, status, and timing |
Target | The application URL and configuration being scanned |
Finding | Individual vulnerability discovered during a scan |
AuthProfile | Stored credentials for authenticated scanning |
ScanAgent | Configuration and status of each scanning agent |
ComplianceMapping | Links findings to OWASP, CWE, and other compliance frameworks |
Deep Divesβ
- Scanner Agents Catalog -- Complete catalog of all 58 scanning agents organized by OWASP category
- Phase Pipeline -- Detailed walkthrough of the six-phase scanning pipeline (Phase 0 through Phase 5)
- Findings Validation -- How findings are validated through heuristic rules (H3-H19), multi-probe confirmation, and AI scoring