Aggressive Mode: Testing What Others Won't Touch

Quick and Deep scans are read-only — they detect vulnerabilities by analyzing responses, not by exploiting them. That's great for safety, but it means they can't test an entire class of attacks that only reveal themselves when you actually try to do something malicious.

Aggressive Mode crosses that line. It uploads files, injects privilege fields, and poisons prototypes — because that's what a real attacker would do.

What Makes It "Aggressive"

Aggressive Mode enables state-changing tests that may modify data on your target. It writes to upload endpoints, sends POST requests with unauthorized fields, and manipulates object prototypes to detect vulnerabilities that passive scanning cannot find.

This is the kind of testing that professional pentesters run manually — automated and delivered in minutes.

What It Tests

File Upload RCE

Tests your upload endpoints with:

• Executable file types (PHP, JSP, ASPX) disguised with double extensions
• MIME type mismatches (image/png header with PHP payload)
• Path traversal in filenames (../../etc/test)
• SVG files with embedded JavaScript
• Oversized files to test size limit enforcement

If your app accepts file uploads, you need to know whether an attacker can upload a web shell.

Mass Assignment / Privilege Escalation

Sends API requests with unauthorized fields injected into the JSON body:

• role: "admin", isAdmin: true, permissions: ["*"]
• Tests whether your API blindly assigns all fields from the request body to the database model

This is one of the most common vulnerabilities in vibe-coded apps — frameworks like Express and FastAPI make it easy to accidentally expose model fields to user input.

Prototype Pollution

Injects __proto__ and constructor.prototype payloads into JSON bodies and query parameters, then uses confirmation techniques to verify if the pollution actually worked:

• JSON space injection (detects modified serialization)
• Status code override (checks if response codes can be manipulated)
• Canary reflection (verifies prototype chain modification)

A successful prototype pollution can lead to XSS, authentication bypass, or remote code execution depending on your framework.

Email Header Injection

Tests contact forms and email endpoints with CRLF payloads that attempt to inject additional email headers. If successful, an attacker could use your app's email system to send spam or phishing emails from your domain.

Aggressive Mode uses a full set of injection variants (vs the minimal safe set in Deep Scan).

Password Reset Poisoning

Sends password reset requests with modified Host headers to test whether your app includes the attacker's domain in the reset link. If vulnerable, an attacker can steal password reset tokens and take over accounts.

Extended JWT Testing

Tests JWT algorithm tampering on actual API endpoints — not just analyzing the token structure, but sending modified tokens to see if the server accepts them.

S3 Bucket Write Testing

For apps using AWS S3, tests whether buckets allow unauthorized write access — a common misconfiguration that lets attackers host malicious content on your domain.

Safety Architecture

Aggressive Mode sounds scary, but it's built with guardrails:

| Safety Measure | Detail | |---|---| | Rate limited | 30 req/s max to your target | | Scoped | Only tests the target domain you authorized | | No DELETE | HTTP DELETE method is never used, even in Aggressive Mode | | Request budget | Max ~5,000 requests per scan | | Authorization | You must confirm you own or are authorized to test the target | | Credit-gated | Requires 1 scan credit ($3) — prevents abuse |

Who It's For

• App owners before launch — test your own upload forms, API endpoints, and auth flows
• Security teams — automated coverage of OWASP categories that passive scanning misses
• After adding user input features — file uploads, JSON APIs, contact forms, password reset flows
• Compliance — demonstrate you've tested for state-changing attack vectors

How to Use It

1. Sign in to your VibeWShield account
2. Buy scan credits at /pricing ($3 per scan)
3. Go to /scan, paste your URL
4. Check the Aggressive Mode checkbox
5. Select Quick or Deep mode (Aggressive works with both)
6. Confirm authorization and execute

Combine with Agentic Scan

Aggressive Mode tests specific attack categories with predefined techniques. Agentic Scan deploys Claude AI as an autonomous pentester that reasons over your specific findings and adapts its probes based on what it discovers. Together, they provide the most comprehensive automated security test available.

Both can be enabled on the same scan for 1 credit total.

Frequently Asked Questions

Will Aggressive Mode break my app? It may create test files on upload endpoints or send POST requests with extra fields. Nothing is deleted. If you're concerned, run it on a staging environment first.

Do I need Aggressive Mode if I already ran Deep Scan? Deep Scan finds vulnerabilities through observation. Aggressive Mode finds vulnerabilities that only appear when you actually attempt the attack. If your app has file uploads, JSON APIs, or password reset flows, Aggressive Mode covers attack vectors that Deep Scan cannot test.

Can I combine Aggressive with Agentic Scan? Yes. Both can be enabled on the same scan and together cost 1 credit ($3). Aggressive expands the attack surface, Agentic reasons over all combined results.

---

Ready to test what others won't? Enable Aggressive Mode →