π AI-Powered Security Scanner
A security engineering tool for detecting high-impact authorization, logic, and configuration vulnerabilities in modern web applications and APIs.
π Overview
The AI-Powered Security Scanner is a purpose-built security engineering system designed to assist penetration testers and security teams in identifying real-world, high-impact vulnerabilities that are commonly missed by traditional automated scanners.
Unlike signature-based tools that prioritize breadth over accuracy, this project focuses on:
Behavioral analysis
Access-control validation
Context-aware vulnerability detection
The scanner combines deterministic security testing logic with AI-assisted analysis to produce findings that are:
Explainable
Reproducible
Suitable for professional security reports
π§ Design Principles
π Signal Over NoiseFocus on vulnerabilities that matter in real production systems.
βοΈ Deterministic Core, Assisted Intelligence
All scanning logic is transparent and reproducible
AI is used only for analysis and explanation
π‘οΈ Security-Engineer First
Findings are written the way a human security engineer would report them.
π Auditability
Every result is traceable to:
Specific request
Specific response
Clear decision path
𧩠Security Coverage
The scanner prioritizes high-risk vulnerability classes:
π Authorization bypasses (IDOR, missing access checks)
π Business logic flaws
π Authentication & token handling issues
π Insecure API behavior & exposure
These issues commonly lead to:
Account compromise
Data leakage
Privilege escalation
π€ Role of AI
AI is not used for blind vulnerability discovery.
Instead, it is used to:
Analyze behavioral differences in HTTP responses
Explain the root cause of issues
Assess technical and business impact
Generate developer-friendly remediation guidance
The scanning engine remains fully deterministic, ensuring all findings are verifiable.
π Architecture Overview
. βββ app.py # API entrypoint βββ scanner/ β βββ core.py # Request orchestration & scan flow β βββ ai_analyzer.py # AI-assisted analysis layer β βββ detectors/ β βββ auth.py # Authentication & authorization tests β βββ idor.py # IDOR detection logic β βββ jwt.py # Token & JWT analysis β βββ headers.py # Security header checks βββ reports/ β βββ generator.py # Structured report generation βββ requirements.txtβοΈ Installation
PrerequisitesPython 3.9+
Playwright (browser-level behavior analysis)
Install Dependencies pip install -r requirements.txt playwright install chromium
π§ Configuration
Optional: Enable AI-Assisted Analysis export OPENAI_API_KEY="your-api-key"If not set, the scanner runs using deterministic logic only.
βΆοΈ Running the Scanner
uvicorn app:app --reload --host 0.0.0.0 --port 8000
Service URL:
π‘ Example Scan Request
curl -X POST "http://localhost:8000/api/scan/url" \ -H "Content-Type: application/json" \ -d '{ "target": "https://httpbin.org", "scan_type": "full", "max_depth": 2 }'π Output
Each scan includes:
Affected endpoint
Vulnerability classification
Reproduction logic
Impact assessment
Severity estimation
Remediation guidance
Designed for:
JSON output
PDF reports
Professional pentest delivery
βοΈ Ethical Use
π¨ This tool is intended only for educational and authorized security testing.
Do NOT scan systems without explicit permission from the owner.
Unauthorized use may be illegal.