What VibeSec can find

User input reaches a SQL query unsanitized. Tested with a battery of error, boolean, and time-based payloads across MySQL, PostgreSQL, MSSQL, and Oracle, then confirmed differentially. Leads to full database compromise.

Input reaches a system shell. Confirmed by executing a benign arithmetic command or a measured time delay. Leads to full server takeover.

Input is rendered as a template; the server evaluates injected expressions. Often escalates directly to remote code execution.

Operator-object injection (e.g. {"$gt":""}) into a NoSQL query, bypassing authentication or extracting data.

Filter-syntax injection into an LDAP query to bypass authentication or enumerate directory users.

Injection into an XPath query over XML data, similar to SQLi but against XML stores.

Carriage-return/line-feed injection into the response, enabling header injection, cache poisoning, and response splitting.

Unescaped reflection of user input enabling JavaScript execution in victims' browsers. Probed across HTML, attribute, script, and title contexts with context-aware payloads.

A redirect parameter accepts arbitrary external URLs, used to make phishing links appear to come from your trusted domain.

State-changing forms without an anti-CSRF token, allowing other sites to submit actions as a logged-in user.

Origin reflection or wildcard with credentials, letting any site read authenticated responses on a victim's behalf.

Reading files outside the intended directory (confirmed by reading /etc/passwd). Often a path to config files and credentials.

Server includes a remote, attacker-supplied file, leading to remote code execution.

Server fetches an attacker-controlled URL; confirmed by reaching the cloud metadata service, which exposes IAM credentials.

23 key patterns (Stripe, AWS, OpenAI, private keys, JWTs…) plus high-entropy detection in JS bundles and inline scripts.

Publicly reachable environment files, Git repos, SQL dumps, configs, and cloud credential files.

Probes backup and editor copies of your real source and config files (config.php.bak, index.php~, .env.old, vim .swp). Served as text, they leak credentials and source code.

Accessible .js.map files reconstruct your original, unminified source code, revealing logic and hidden endpoints.

Directories with no index file return an auto-generated, browsable listing of every file inside.

Detailed error pages leak framework, file paths, versions, and code/query fragments that help attackers.

Reachable admin and login panels that are prime targets for brute-force and default-credential attacks.

Undocumented request parameters the server accepts but does not advertise, a common home for injection and access bugs.

Brute-forced unlinked paths: hidden APIs, backups, configs, and panels that expand the attack surface. Two engines (ffuf and dirsearch) with different wordlists are run so fewer hidden paths are missed.

Reflected Host header enabling password-reset poisoning, cache poisoning, and malicious link generation.

A GraphQL endpoint that hands out its full schema, including hidden and admin-only operations.

Missing or weak CSP, HSTS, X-Frame-Options, etc., plus deep CSP analysis (unsafe-inline/eval, wildcards).

Session cookies missing Secure / HttpOnly / SameSite, enabling theft via network sniffing, XSS, or CSRF.

Expired, self-signed, or soon-to-expire certificates and missing HTTP→HTTPS redirects.

Missing or weak email-authentication DNS records that let attackers send phishing as your domain.

Fingerprints frameworks/libraries and queries the live OSV.dev database for the exact version's known CVEs (not a static list). Severity varies by the specific CVE.

Detects the software and versions a site runs, then checks each against endoflife.date to flag releases that are End-of-Life (no more security patches) or behind the latest, with the exact safe version to upgrade to. The clearest 'you need to update this' signal.

Broad detection of servers, frameworks, CMS, JavaScript libraries, and analytics using the Wappalyzer fingerprint database (hundreds of technologies), capturing versions wherever the site exposes them.

Downloads the JavaScript a page loads and scans it with Retire.js to flag client-side libraries with known vulnerabilities and CVEs. Catches the outdated jQuery/Bootstrap/Angular-style libraries that run in every visitor's browser.

Template-driven checks for thousands of named CVEs, default credentials, exposures, and misconfigurations.

Sends a blatant attack payload raw, then under common encodings. If the WAF blocks the raw form but a mutation slips through, your WAF has an exploitable gap. Defensive: only blocked-vs-passed, no exploitation.

Flags database/management ports reachable from the internet (MySQL, Postgres, Mongo, Redis, Docker API), exposed metrics/debug endpoints, missing HTTPS redirect, and server-version disclosure.

Detects the conditions that let an attacker replace your pages: writable HTTP methods (PUT/DELETE), unrestricted file uploads, and exposed content editors / file managers. Never defaces anything.

Takes the software and versions detected on your site and checks Exploit-DB for ready-to-run public exploits matching them, so you know what an attacker could grab off the shelf.

Runs nmap's vuln script category against open services to flag known CVEs and exploitable misconfigurations on the host's network services.

Collects the contact and personnel intelligence a site publishes (staff and role email addresses, phone numbers, social profiles, postal address, author names) and reports it as social-engineering attack surface, with guidance to reduce exposure. VibeSec gathers this defensively and never performs social engineering.

A host rarely runs only a web server. Detects other internet-facing services on the same machine (SMTP/IMAP/POP3 mail, FTP, SSH, RDP, VNC, Telnet, DNS) and explains, per service, why each is a softer target than a hardened web server.

Infers the host operating system and network stack from how it responds to probes (nmap -O). The OS itself is an attack surface, and an exact match lets an attacker pick OS-level exploits.

Non-destructive checks for default and well-known credentials on detected login interfaces and admin panels, using Nuclei's default-login templates (single-attempt, no brute-forcing).

When a licensed Burp Suite Professional is connected (via its REST API), VibeSec drives its full crawl-and-audit active scan and ingests every issue Burp finds. If you load BApp-Store extensions, their checks run automatically inside that scan: ActiveScan++ (host-header attacks, edge-case injection, cache-poisoning hints), Backslash Powered Scanner (probe-then-confirm discovery of unknown and obfuscated injection points), J2EEScan and the Software Vulnerability Scanner (tech-specific payload sets). All layered on top of the native and OSS engines.

After each scan, visualizes your full external attack surface as an interactive graph: domain, subdomains, IPs, hosting/ASN, open ports, tech stack, WAF/CDN, and discovered endpoints.