AppSec Scanner
Coming in a future release
The AppSec Scanner module is under active development on the local and dev branches. It is not included in v1.0.1. Switch to the Dev or Local version of this KB to see the full documentation.
What It Does
The AppSec Scanner is ThreatWeaver's active security testing engine. It runs automated penetration tests against APIs and web applications, identifying vulnerabilities that passive scanners miss.
Key Capabilities (in Dev/Local)
| Capability | Description |
|---|---|
| 6-Phase Pipeline | Bootstrap → Discovery → Profiling → Attack → Validation → Report |
| 59 Attack Agents | Purpose-built agents for BOLA, SQLi, XSS, SSRF, JWT attacks, Race Conditions, and more |
| AI Validation | LLM-powered false positive filtering and finding enrichment |
| Black/Gray/White Box | Supports unauthenticated, authenticated, and fully-documented scans |
| Real-time SSE | Live scan progress streamed to the UI |
| Exploit Chains | Automatically discovers multi-step attack paths |
Supported Vulnerability Classes (in Dev/Local)
BOLA/IDOR, SQL Injection, XSS, SSRF, Command Injection, JWT attacks (alg:none, weak key), BFLA, Race Conditions, Mass Assignment, Authentication Bypass, Path Traversal, XXE, Business Logic flaws, and more.
Where to Find Full Docs
Switch the version selector at the top of this page to Dev or Local to access:
- Full AppSec Scanner overview
- Assessment wizard setup guide
- Agent configuration reference
- Ground truth benchmarks