🔐 AI-Powered Security Scanner
A security engineering tool for detecting high-impact authorization, logic, and configuration vulnerabilities in modern web applications and APIs.
📌 Overview
The AI-Powered Security Scanner is a purpose-built security engineering system designed to assist penetration testers and security teams in identifying real-world, high-impact vulnerabilities that are commonly missed by traditional automated scanners.
Unlike signature-based tools that prioritize breadth over accuracy, this project focuses on:
Behavioral analysis
Access-control validation
Context-aware vulnerability detection
The scanner combines deterministic security testing logic with AI-assisted analysis to produce findings that are:
Explainable
Reproducible
Suitable for professional security reports
🧠 Design Principles
🔎 Signal Over Noise
Focus on vulnerabilities that matter in real production systems.
⚙️ Deterministic Core, Assisted Intelligence
All scanning logic is transparent and reproducible
AI is used only for analysis and explanation
🛡️ Security-Engineer First
Findings are written the way a human security engineer would report them.
📊 Auditability
Every result is traceable to:
Specific request
Specific response
Clear decision path
🧩 Security Coverage
The scanner prioritizes high-risk vulnerability classes:
🔓 Authorization bypasses (IDOR, missing access checks)
🔁 Business logic flaws
🔑 Authentication & token handling issues
🌐 Insecure API behavior & exposure
These issues commonly lead to:
Account compromise
Data leakage
Privilege escalation
🤖 Role of AI
AI is not used for blind vulnerability discovery.
Instead, it is used to:
Analyze behavioral differences in HTTP responses
Explain the root cause of issues
Assess technical and business impact
Generate developer-friendly remediation guidance
The scanning engine remains fully deterministic, ensuring all findings are verifiable.
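Added example, not taken from the project's code: one way a deterministic, auditable access-control comparison of the kind described above could look, run offline over constructed request/response records. The `Exchange` and `Verdict` types, the `check_object_access` function, the host name and the sample bodies are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Exchange:
    """One recorded request/response pair."""
    identity: str  # session that sent the request
    method: str
    url: str
    status: int
    body: str

@dataclass
class Verdict:
    outcome: str                  # enforced | missing_access_check | inconclusive
    evidence: Optional[Exchange]  # exchange that triggered the outcome
    decision_path: List[str]      # every rule evaluated, in order

def digest(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()[:12]

def check_object_access(owner: Exchange, probes: List[Exchange]) -> Verdict:
    """Replay comparison: does a non-owner get the owner's object back?"""
    path = [f"baseline {owner.identity}: {owner.status} sha256={digest(owner.body)}"]
    if owner.status != 200:
        return Verdict("inconclusive", owner, path + ["owner baseline not 200"])
    unclear = None
    for p in probes:
        path.append(f"probe {p.identity}: {p.status} sha256={digest(p.body)}")
        if p.status in (401, 403, 404):
            path.append(f"{p.identity} denied")
        elif p.status == 200 and p.body == owner.body:
            path.append(f"{p.identity} received the owner's exact body")
            return Verdict("missing_access_check", p, path)
        else:
            # Not denied, but not a byte-for-byte match (e.g. dynamic fields).
            path.append(f"{p.identity} not denied, body differs: manual review")
            unclear = unclear or p
    return Verdict("inconclusive" if unclear else "enforced", unclear, path)

# Constructed sample data (hypothetical host and bodies).
URL = "https://app.example.test/api/invoices/1001"
DOC = '{"id":1001,"owner":"user_a","total":"42.00"}'
OWNER = Exchange("user_a", "GET", URL, 200, DOC)
LEAKY = [Exchange("user_b", "GET", URL, 200, DOC),
         Exchange("anonymous", "GET", URL, 401, '{"error":"unauthenticated"}')]
FIXED = [Exchange("user_b", "GET", URL, 403, '{"error":"forbidden"}'),
         Exchange("anonymous", "GET", URL, 401, '{"error":"unauthenticated"}')]

if __name__ == "__main__":
    for name, probes in (("leaky", LEAKY), ("fixed", FIXED)):
        v = check_object_access(OWNER, probes)
        print(name, v.outcome, *v.decision_path, sep="\n  ")
```

The same inputs always yield the same verdict and decision path, so the result can be re-checked after a fix without any AI component involved.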
🏗 Architecture Overview
.
├── app.py                  # API entrypoint
├── scanner/
│   ├── core.py             # Request orchestration & scan flow
│   ├── ai_analyzer.py      # AI-assisted analysis layer
│   └── detectors/
│       ├── auth.py         # Authentication & authorization tests
│       ├── idor.py         # IDOR detection logic
│       ├── jwt.py          # Token & JWT analysis
│       └── headers.py      # Security header checks
├── reports/
│   └── generator.py        # Structured report generation
└── requirements.txt
⚙️ Installation
Prerequisites
Python 3.9+
Playwright (browser-level behavior analysis)
Install Dependencies
pip install -r requirements.txt
playwright install chromium
🔧 Configuration
Optional: Enable AI-Assisted Analysis
export OPENAI_API_KEY="your-api-key"
If not set, the scanner runs using deterministic logic only.
▶️ Running the Scanner
uvicorn app:app --reload --host 0.0.0.0 --port 8000
Service URL:
📡 Example Scan Request
curl -X POST "http://localhost:8000/api/scan/url" \
  -H "Content-Type: application/json" \
  -d '{
    "target": "https://httpbin.org",
    "scan_type": "full",
    "max_depth": 2
  }'
📄 Output
Each scan includes:
Affected endpoint
Vulnerability classification
Reproduction logic
Impact assessment
Severity estimation
Remediation guidance
Designed for:
JSON output
PDF reports
Professional pentest delivery
⚖️ Ethical Use
🚨 This tool is intended only for educational and authorized security testing.
Do NOT scan systems without explicit permission from the owner.
Unauthorized use may be illegal.