SCAN YOUR APP. SHIP SECURE.
Free Security Scanner for AI-Generated & Vibe-Coded Apps
// AI writes your code. We find what it missed.
// 65 scanners. Zero setup. Under 3 minutes.
AUTOMATED COVERAGE.
CRITICAL · HIGH · MEDIUM — OWASP TOP 10 · 2021
SQL Injection: Error-based, blind, time-based, and UNION injection across all endpoints.
NoSQL Injection: MongoDB operator injection ($gt, $ne, $regex), auth bypass without credentials, and time-blind $where payloads.
Exposed Secrets: JS bundles scanned for leaked API keys — OpenAI, Stripe, AWS, Supabase & 20+ more.
SSRF Detection: Cloud metadata probes, internal service access, DNS rebinding — 30 payloads including AWS, GCP, Azure.
OS Command Injection: Detects RCE vectors via shell metacharacters and blind out-of-band payloads.
XXE Injection: XML External Entity attacks on XML, SOAP, SVG and file upload endpoints — reads /etc/passwd or triggers SSRF via DOCTYPE.
IDOR / Access Control: ID enumeration, missing auth on API endpoints, horizontal privilege escalation.
Database Exposure: TCP port scanning for MySQL, PostgreSQL, MongoDB, Redis. Default credential checks.
Dependency Audit: CVE checks via OSV database, typosquatting detection, outdated packages in JS bundles.
JWT Security: Weak HMAC secrets, alg:none bypasses, and sensitive data exposure in payloads.
Mass Assignment: Injects privilege fields (role, isAdmin) into JSON API requests to detect unauthorized modifications.
Subdomain Takeover: Detects dangling CNAME records pointing to unclaimed third-party services.
File Upload Security: Tests upload forms for dangerous extensions, MIME mismatches, path traversal, and stored XSS.
Cloud Misconfiguration: Open S3/GCS buckets, Vercel /_next/data leaks, Netlify Functions without auth, and Railway env var exposure.
MCP Server Security: Unauthenticated tool enumeration, tool poisoning via prompt injection, tool shadowing, and overly permissive AI agent capabilities.
XSS Scanner: Reflected & stored cross-site scripting in forms, URL params, and API responses.
Template Injection: Finds SSTI vulnerabilities in modern and legacy rendering engines leading to RCE.
Race Condition: Fires 15 concurrent requests at payment, coupon and reward endpoints to detect TOCTOU vulnerabilities.
HTTP Request Smuggling: CL.TE and TE.CL desync attacks between frontend proxies and backends — WAF bypass, session hijacking.
Cache Poisoning: Injects canary values via X-Forwarded-Host and unkeyed headers to confirm web cache poisoning.
OAuth2 Security: Implicit Flow, missing PKCE, open redirect_uri, exposed client secrets, and missing state parameter.
Data Leakage: Scans API responses and error stacks for exposed PII, emails, credit cards, and SSNs.
CSRF Protection: Missing CSRF tokens in forms, no Origin validation, SameSite cookie analysis.
Supabase Auditing: Detects misconfigured RLS policies, exposed service keys, and unprotected buckets.
Firebase Security: Open Firestore rules, leaked configs, and publicly writable unauthenticated storage.
GraphQL Security: Introspection exposure, query depth DoS, unlimited batch queries, weak authorization.
Client-Side Auth: Detects JS-only admin checks, localStorage auth, route guards without server verification.
Info Disclosure: Exposed .env, .git, debug endpoints, stack traces, and verbose server version headers.
WebSocket Security: Unauthenticated access, origin spoofing, and insecure ws:// connections.
Rate Limit & WAF: Tests auth endpoints for missing rate limits using burst requests and WAF evasion.
AI / LLM Security: Prompt injection on chat endpoints and AI APIs. Detects leaked OpenAI, Anthropic and Gemini keys in JS bundles.
Insecure Deserialization: PHP unserialize, Java magic-bytes and Python pickle gadget chain detection — potential RCE vector.
DNS Intelligence: Zone Transfer attacks (AXFR), missing CAA records, DNS rebinding (TTL < 60s), missing DNSSEC, and TXT token enumeration across all nameservers.
Payment Security: PCI-DSS checks for Stripe/PayPal integrations — raw card inputs in DOM, missing 3DS/SCA, CVV autocomplete, unauthenticated webhooks, and client-side tokenization bypass.
Integer Overflow: Sends negative, zero, overflow (2^31) and type-juggling values (NaN, Infinity, null) to numeric fields — catches price manipulation and validation gaps.
LDAP Injection: Tests login forms for LDAP filter injection — wildcard enumeration, auth bypass via parenthesis injection, and error-based detection.
Web Cache Deception: Tricks CDNs into caching personal pages as static assets — tests /about/evil.css patterns on public endpoints only.
HTTP/2 Attacks: H2C cleartext upgrade smuggling and CONNECT method tunneling — bypasses proxy-layer auth and rate limits.
CORS Preflight Bypass: Sends cross-origin POST with simple content types (text/plain) to bypass browser preflight — CSRF via CORS misconfiguration.
Account Enumeration: Timing oracle and response differentials on login and password-reset endpoints reveal valid usernames.
Client Storage Exposure: Static JS analysis for tokens, passwords and API keys stored in localStorage or sessionStorage.
Email Security (SPF/DMARC/DKIM): DNS-based checks for missing or weak SPF, DMARC and DKIM records — prevents email spoofing and phishing.
Subresource Integrity: Detects external scripts and stylesheets loaded without SRI — a compromised CDN can silently inject malicious code.
Open Redirect: Redirect parameter fuzzing with 10+ bypass techniques — phishing via your domain.
Transport & Headers: SSL/TLS weaknesses, missing CSP, missing HSTS, missing X-Frame-Options, and CORS misconfigs.
HTTP Parameter Pollution: Duplicates query parameters to bypass WAFs and alter business logic — tests both URL and JSON body duplicate keys.
Client-Side Path Traversal: Zero-request JS analysis — detects fetch/axios calls built from unsanitized user input, enabling API path traversal from the browser.
GraphQL Complexity: Escalating depth (2→16), alias bombing (5→20), cost analysis, and circular fragment detection — finds missing query limits.
Dangling Markup: Injects unclosed <img> tags to exfiltrate page content — CSP bypass that works even when XSS is blocked.
security.txt Audit: RFC 9116 compliance check — missing contact, expired PGP keys, plus robots.txt sensitive path disclosure analysis.
Attack Chain Detection: Claude AI correlates individual findings into multi-step attack paths. A medium CORS + medium XSS becomes a Critical account takeover chain.
Browser Pass (CDP): Headless Chromium session captures runtime JS console leaks, exposed source maps, dangerous eval() sinks, and trackers firing before consent.
Business Logic Abuse: Claude AI detects app-specific logic flaws: price manipulation, workflow bypass, and privilege escalation — invisible to pattern-based scanners.
Agentic Security Scan: Autonomous Claude AI pentester runs an OODA reasoning loop with up to 20 active probes — adapts to findings and chains novel hypotheses.
We attack from the outside — like a real adversary. No agent installation, no source code access required.
SQLi, NoSQL, XXE, SSRF, CSRF, IDOR, JWT, OAuth2, Race Conditions, Cache Poisoning, GraphQL, secrets, cloud storage misconfigs, DNS intelligence, MCP server security & more. Quick mode ~3 min. Deep mode ~10 min with business logic abuse detection and autonomous AI pentesting.
Claude AI correlates findings into named attack chains — ranked multi-step paths showing the real blast radius. Each finding includes a copy-paste fix prompt for Cursor, Claude, or ChatGPT. Export as PDF.

FREQUENTLY ASKED.
Is VibeWShield free to use?
Yes. VibeWShield offers a free security scan for any deployed web application. No signup required.
What is vibe coding and why is it a security risk?
Vibe coding means building apps with AI tools like Lovable, Bolt, Cursor, Replit, and v0. AI-generated code often skips security best practices, leaving applications exposed to common vulnerabilities like SQL injection, XSS, and exposed API keys.
What vulnerabilities does VibeWShield detect?
65+ security checks including SQL & NoSQL Injection, XXE, XSS, SSRF, IDOR, exposed API keys, CSRF, JWT weaknesses, OAuth2, Race Conditions, HTTP Request Smuggling, Cache Poisoning, AI/LLM Prompt Injection, MCP Server Security (tool poisoning, unauthenticated access), Cloud Misconfiguration (open S3/GCS buckets, Vercel/Netlify leaks), DNS Intelligence (Zone Transfer, DNSSEC, CAA), Email Security, Subresource Integrity, Insecure Deserialization, GraphQL, Supabase/Firebase, subdomain takeover, business logic abuse, and more from the OWASP Top 10.
Does VibeWShield need access to my source code?
No. VibeWShield performs black-box testing — scanning your deployed app from the outside exactly like a real attacker. No source code or agent installation needed.
How long does a security scan take?
Quick mode completes in ~3 minutes — fast checks without heavy scanners. Deep mode takes ~10 minutes and runs the full pipeline: all 65+ scanners, browser runtime analysis, cloud/DNS/MCP infrastructure scanning, business logic testing, and optional agentic AI pentesting.
What happens after the scan?
You get a detailed report with each vulnerability, its severity (Critical/High/Medium/Low), and a copy-paste AI fix prompt for Cursor, Claude, or ChatGPT. Claude AI also generates attack chains — correlated multi-step attack paths that show the real blast radius of combined findings. Export the full report as PDF.
What are Attack Chains?
After the scan completes, Claude AI correlates your individual findings into multi-step attack chains. For example, a medium CORS misconfiguration combined with a medium XSS finding together create a Critical account takeover path. Attack chains show the real blast radius — not just isolated issues in a flat list.
What is Agentic Scan?
Agentic Scan activates an autonomous Claude AI pentester that operates an OODA (Observe–Orient–Decide–Act) reasoning loop. It reads your scan results, forms hypotheses, sends targeted HTTP probes, and reports novel vulnerabilities beyond what the automated scanners found. Available in Deep scan mode — enable via the Agentic Scan checkbox before scanning.