BrokenApp

The Scanner

We don't read your source code. We use your app.

Static analysis reads code. BrokenApp uses your running application — crawling routes, submitting forms, replaying requests across user sessions. Runtime testing finds what source code scanning misses.

How it works

Five phases. One command.

1. Crawl: discover every route, form, endpoint, and asset in your running app.

2. Map: build the runtime app spec (views, API endpoints, form fields, state transitions).

3. Test: run all 9 detection modules against the live application.

4. Evidence: screenshot, request/response pairs, and reproduction steps for every finding.

5. Report: findings.json, PDF, markdown; machine-readable and human-readable.

The output

The output IS the product.

Every scan produces a machine-readable application spec and structured findings. This is what AI agents consume via MCP — and what makes BrokenApp different from another "automated scanner."

spec.json — Runtime application spec

{
  "views": [
    { "path": "/", "title": "Home", "status": 200 },
    { "path": "/dashboard", "title": "Dashboard", "status": 200 },
    { "path": "/settings", "title": "Settings", "status": 200 },
    { "path": "/api/users", "method": "GET", "status": 200 },
    { "path": "/api/users/:id", "method": "GET", "status": 200 },
    { "path": "/api/checkout", "method": "POST", "status": 200 }
  ],
  "forms": [
    { "action": "/api/login", "fields": ["email", "password"] },
    { "action": "/api/checkout", "fields": ["amount", "token"] }
  ],
  "transitions": [
    { "from": "/login", "to": "/dashboard", "trigger": "auth" },
    { "from": "/cart", "to": "/checkout", "trigger": "click" }
  ],
  "auth": {
    "provider": "supabase",
    "flows": ["login", "refresh", "logout"]
  }
}

findings.json — Structured security results

{
  "findings": [
    {
      "id": "IDOR-001",
      "severity": "critical",
      "title": "User data accessible cross-session",
      "endpoint": "GET /api/users/:id",
      "cwe": "CWE-639",
      "owasp": "API1:2023",
      "evidence": {
        "request": "GET /api/users/42 (as user_b)",
        "response_status": 200,
        "body_similarity": 0.97
      },
      "remediation": "Add authorization check..."
    }
  ],
  "summary": {
    "critical": 3, "high": 8,
    "medium": 21, "low": 15
  }
}

Both files are consumed directly by AI coding agents via the MCP server. Your AI understands the app without reading source code.

Detection modules

What the scanner proves

Prove your auth works

IDOR / BOLA detection

Cross-user replay. Tests every endpoint with every user role. Body similarity scoring. Severity auto-classification.

Auth matrix

N roles, N×(N-1) pairs. Define roles in TOML, get a compliance heatmap showing where authorization breaks.

Auth flow testing

Login, session persistence, token refresh, logout invalidation. Native Supabase and Firebase support. Zero custom code.

Prove your data is safe

Exposure scanning

18 compiled regex patterns. 22 sensitive path probes. Passive analysis on every scan, active probing on demand. Secrets always masked.

CORS & header security

Misconfigured origins, missing security headers, HTTPS enforcement. Every misconfiguration mapped to CWE + OWASP.
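A CORS verdict cannot be read off a single response: the checker has to send several Origin values and compare what comes back. The block below is an added example, not BrokenApp's own code, showing those probes, the verdict each answer maps to, and the missing-header checks listed above. `fake_target` is a constructed server with a common flaw (an allow-list implemented as a substring match) and `fixed_target` is the hardened form; the probe set, severities and CWE choices are my assumptions.

```python
"""CORS origin probes and security-header checks (added example)."""

SITE = "https://app.example.test"


def fake_target(origin):
    """Constructed responder: response headers for a request carrying `origin`."""
    headers = {"Content-Type": "application/json", "Server": "nginx/1.18.0"}
    if origin and "app.example.test" in origin:        # flaw: substring, not exact match
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


ALLOWED_ORIGINS = {"https://app.example.test", "https://admin.example.test"}


def fixed_target(origin):
    """Hardened form: exact allow-list match, and Vary: Origin so caches split."""
    headers = {"Content-Type": "application/json", "Vary": "Origin"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_probes(site):
    """Origins worth sending; each exercises a different allow-list mistake."""
    host = site.split("://", 1)[1]
    return {
        "arbitrary": "https://attacker.example",          # server reflects anything
        "null":      "null",                              # sandboxed iframe / file://
        "suffix":    f"https://{host}.attacker.example",  # startswith(host) bug
        "prefix":    f"https://attacker-{host}",          # endswith(host) bug
        "downgrade": f"http://{host}",                    # scheme never checked
    }


def assess_cors(site, responder):
    """Send each probe origin and map the answer to a verdict with a CWE."""
    findings, saw_wildcard = [], False
    for kind, origin in cors_probes(site).items():
        h = {k.lower(): v for k, v in responder(origin).items()}
        acao = h.get("access-control-allow-origin")
        creds = h.get("access-control-allow-credentials", "").lower() == "true"
        if acao == "*" and not saw_wildcard:
            saw_wildcard = True   # browsers refuse credentials with "*": low
            findings.append({"kind": "wildcard", "origin": origin,
                             "severity": "low", "cwe": "CWE-942"})
        elif acao == origin:      # reflected: an attacker page can read responses
            findings.append({"kind": kind, "origin": origin,
                             "severity": "critical" if creds else "medium",
                             "cwe": "CWE-942"})
    return findings


def assess_headers(headers, scheme="https"):
    """Missing-header checks on one response; returns (finding, CWE) pairs."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    out = []
    if scheme == "https" and "strict-transport-security" not in h:
        out.append(("missing_hsts", "CWE-319"))
    if h.get("x-content-type-options") != "nosniff":
        out.append(("missing_nosniff", "CWE-693"))
    csp = h.get("content-security-policy", "")
    if not csp:
        out.append(("missing_csp", "CWE-693"))
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        out.append(("frameable", "CWE-1021"))
    return out
```

Against `fake_target` the arbitrary and null probes are refused, but the suffix, prefix and downgrade origins are all reflected with credentials, which is the exploitable case; against `fixed_target` nothing is reported.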

GraphQL support

Per-operation endpoint detection. Splits POST /graphql into individual queries and mutations in spec.json.

Prove your logic holds

Business logic testing

Step-skip detection for multi-step flows. Replay attack detection for write endpoints. Automated.

Form validation

Submits invalid values — negative amounts, empty required fields, overlong strings. Reports what gets accepted.
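The two modules above (business logic and form validation) share one mechanic: drive the multi-step flow from spec.json, then deviate from it and see what the app accepts. The block below is an added example, not BrokenApp's own code. `FakeShop` is a constructed stand-in for a live checkout with three deliberate flaws (it issues a checkout token without a cart, never consumes the token, and accepts any float as an amount); the paths, field names and CWE mappings are my assumptions.

```python
"""Step-skip, replay and invalid-value probes against a checkout flow (added example)."""


class FakeShop:
    """Flow: POST /api/cart -> GET /checkout (issues token) -> POST /api/checkout."""

    def __init__(self):
        self.carts = {}     # session -> amount
        self.tokens = {}    # token -> session
        self.counter = 0

    def request(self, method, path, session, data=None):
        data = data or {}
        if (method, path) == ("POST", "/api/cart"):
            self.carts[session] = data.get("amount")
            return 200, {"cart": session}
        if (method, path) == ("GET", "/checkout"):
            self.counter += 1
            token = f"tok_{self.counter}"
            self.tokens[token] = session        # flaw: no check that a cart exists
            return 200, {"token": token}
        if (method, path) == ("POST", "/api/checkout"):
            if self.tokens.get(data.get("token")) != session:
                return 403, {"error": "bad token"}
            try:
                amount = float(data.get("amount"))
            except (TypeError, ValueError):
                return 400, {"error": "amount required"}
            # flaws: sign and range never checked, token never consumed
            return 200, {"status": "paid", "amount": amount}
        return 404, {}


def step_skip(shop, session="skip"):
    """Run the flow without its first step; True if the write still succeeds."""
    _, page = shop.request("GET", "/checkout", session)   # never POSTed /api/cart
    status, body = shop.request("POST", "/api/checkout", session,
                                {"amount": 10, "token": page["token"]})
    return status == 200 and body.get("status") == "paid"


def replay(shop, session="replay"):
    """Send the identical write twice; True if both are accepted."""
    shop.request("POST", "/api/cart", session, {"amount": 10})
    _, page = shop.request("GET", "/checkout", session)
    form = {"amount": 10, "token": page["token"]}
    first, _ = shop.request("POST", "/api/checkout", session, form)
    second, _ = shop.request("POST", "/api/checkout", session, form)
    return first == 200 and second == 200


INVALID_AMOUNTS = {"negative": -50.0, "zero": 0, "empty": "", "huge": 10 ** 12,
                   "overlong": "9" * 5000, "non_numeric": "abc"}


def form_validation(shop):
    """Submit each invalid amount through a fresh flow; return the names accepted."""
    accepted = []
    for name, value in INVALID_AMOUNTS.items():
        session = f"form-{name}"
        shop.request("POST", "/api/cart", session, {"amount": 10})
        _, page = shop.request("GET", "/checkout", session)
        status, body = shop.request("POST", "/api/checkout", session,
                                    {"amount": value, "token": page["token"]})
        if status == 200 and body.get("status") == "paid":
            accepted.append(name)
    return accepted


def run_checks(shop):
    """Collect findings in the shape of findings.json (CWE mappings are mine)."""
    findings = []
    if step_skip(shop):
        findings.append({"severity": "high", "cwe": "CWE-841", "endpoint": "POST /api/checkout",
                         "title": "Checkout completes without a cart (step skip)"})
    if replay(shop):   # CWE-294 is the closest mapping for capture-replay
        findings.append({"severity": "high", "cwe": "CWE-294", "endpoint": "POST /api/checkout",
                         "title": "Same checkout token accepted twice (replay)"})
    for name in form_validation(shop):
        findings.append({"severity": "high" if name == "negative" else "medium", "cwe": "CWE-20",
                         "endpoint": "POST /api/checkout", "title": f"amount accepts {name} value"})
    return findings


if __name__ == "__main__":
    for finding in run_checks(FakeShop()):
        print(finding["severity"], finding["cwe"], finding["title"])
```

Each probe uses a fresh session so that one test's state cannot mask another's; on a real target the same isolation matters, because a replay test that reuses the step-skip session would report the wrong flaw.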

Baseline & triage

Fingerprint findings. Mark accepted risk or false positive. Subsequent scans only surface new issues.

IDOR / BOLA Detection

The #1 bug bounty finding. Automated.

Insecure Direct Object Reference (Broken Object Level Authorization, in API terms) is consistently among the most common and best-paid bug bounty findings: broken access control heads the OWASP Top 10 (A01:2021) and BOLA heads the OWASP API Security Top 10 (API1:2023). BrokenApp detects it automatically by replaying requests across user sessions.

Cross-user replay

Scan as User A, then as User B. The IDOR module replays User A's requests with User B's credentials. If User B can access User A's data — confirmed IDOR.

$ brokenapp-mcp idor-scan \
    --scan-a ./admin-scan \
    --scan-b ./viewer-scan \
    --config-b ./viewer.toml

Automatic classification

Every replayed request is classified automatically based on response status codes and body similarity analysis.

Verdict     Signal                    Meaning
Confirmed   200 + similar body        full unauthorized access
Likely      200 but body differs      partial data leak
No Issue    401/403/404               properly denied
Error       Request failed            inconclusive

Auth bypass

Endpoints that return data regardless of who's asking.

Broken access control

User B accessing User A's profile, orders, settings, messages.

Write IDOR

POST/PUT/PATCH endpoints that modify another user's data.

Privilege escalation

Viewer-role user hitting admin-only API endpoints successfully.

Multi-role auth matrix

N roles. N×(N-1) pairs. One command.

Define admin, user, viewer, and unauthenticated roles in a single TOML. BrokenApp scans each role, then runs IDOR testing across every pair — generating a compliance heatmap that shows exactly where authorization breaks.

Define unlimited roles in roles.toml
Automatic N×(N-1) pair testing
Compliance heatmap report (JSON + Markdown)

Authorization Matrix — 4 roles, 12 pairs

Requests ↓ \ Auth →    admin     user      viewer    unauth
admin                  -         0/0       0/0       0/0
user                   5/2       -         0/0       0/0
viewer                 8/3       3/1       -         0/0
unauth                 12/5      8/3       2/1       -

Cell format: confirmed / likely IDOR count for the pair. The diagonal (a role replaying its own requests) is not tested, which is why N roles produce N×(N-1) pairs.
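The verdict table in the IDOR section and the role-pair matrix above are one algorithm: replay every captured request under every other credential, classify each answer by status and body similarity, and tally per ordered pair. The block below is an added example, not BrokenApp's own code, that implements both. `fake_app` is a constructed in-memory stand-in for a live target with two deliberate flaws; the 0.9 similarity cutoff and the privilege order in `ABOVE` are my assumptions, the page states neither.

```python
"""Cross-user replay verdicts and an N x (N-1) authorization matrix (added example)."""
from difflib import SequenceMatcher
from itertools import permutations
import json
import re

SIMILAR_THRESHOLD = 0.9  # assumed cutoff for "similar body"

# Constructed target: three records, one owner each, two deliberate flaws.
USERS = {
    1:  {"id": 1,  "email": "root@example.test",  "orders": []},
    42: {"id": 42, "email": "alice@example.test", "orders": [101, 102]},
    7:  {"id": 7,  "email": "vic@example.test",   "orders": []},
}
OWNER = {1: "admin", 42: "user", 7: "viewer"}


def fake_app(method, path, auth):
    """(status, body) the target returns for `method path` sent as role `auth`."""
    if (method, path) == ("GET", "/api/admin/users"):
        return 200, json.dumps(list(USERS.values()))  # flaw: no auth check at all
    m = re.fullmatch(r"/api/users/(\d+)", path)
    if not m or int(m.group(1)) not in USERS:
        return 404, '{"error":"not found"}'
    uid = int(m.group(1))
    entitled = auth in ("admin", OWNER[uid])
    if method == "GET":
        if auth == "unauth":
            return 401, '{"error":"unauthenticated"}'
        if entitled:
            return 200, json.dumps(USERS[uid])
        # flaw: a foreign user gets a trimmed record instead of a 403
        return 200, json.dumps({"id": uid, "orders": USERS[uid]["orders"]})
    if method == "PUT":
        return (200, '{"updated":%d}' % uid) if entitled else (403, '{"error":"forbidden"}')
    return 404, '{"error":"not found"}'


# Constructed crawl captures: what each role's own session requested.
CAPTURES = {
    "admin":  [("GET", "/api/admin/users"), ("GET", "/api/users/1")],
    "user":   [("GET", "/api/users/42"), ("PUT", "/api/users/42")],
    "viewer": [("GET", "/api/users/7"),  ("PUT", "/api/users/7")],
    "unauth": [],
}
# Assumed privilege order: a replay by a declared superset of the origin role
# is expected to succeed and is triage noise, not an escalation.
ABOVE = {"admin": {"user", "viewer", "unauth"}, "user": {"unauth"}, "viewer": {"unauth"}}


def body_similarity(a, b):
    """0..1 ratio of two bodies after whitespace normalisation (1.0 = identical)."""
    norm = lambda s: re.sub(r"\s+", " ", s).strip()
    return SequenceMatcher(None, norm(a), norm(b)).ratio()


def classify(original, replayed):
    """Verdict for one replay per the page's table: (verdict, similarity)."""
    o_status, o_body = original
    r_status, r_body = replayed
    if r_status is None:
        return "error", 0.0                # request failed: inconclusive
    if r_status in (401, 403, 404):
        return "no_issue", 0.0             # properly denied
    if r_status == 200 and o_status == 200:
        sim = body_similarity(o_body, r_body)
        return ("confirmed" if sim >= SIMILAR_THRESHOLD else "likely"), sim
    return "error", 0.0                    # 3xx / 5xx / unexpected: inconclusive


def is_escalation(origin, auth):
    return origin not in ABOVE.get(auth, set())


def build_matrix(roles, captures, target=fake_app):
    """Rows: role whose captured requests are replayed; columns: credential used.
    Cell = (confirmed, likely). Findings are kept only for escalating pairs."""
    originals = {r: [((m, p), target(m, p, r)) for m, p in captures[r]] for r in roles}
    matrix, findings = {r: {} for r in roles}, []
    for origin, auth in permutations(roles, 2):        # N*(N-1) ordered pairs
        counts = {"confirmed": 0, "likely": 0}
        for (method, path), original in originals[origin]:
            try:
                replayed = target(method, path, auth)
            except Exception:                          # transport failure
                replayed = (None, "")
            verdict, sim = classify(original, replayed)
            if verdict in counts:
                counts[verdict] += 1
                if is_escalation(origin, auth):
                    findings.append({"verdict": verdict, "endpoint": f"{method} {path}",
                                     "owner": origin, "as": auth, "similarity": round(sim, 2)})
        matrix[origin][auth] = (counts["confirmed"], counts["likely"])
    return matrix, findings
```

Two things the counts alone hide: the admin column lights up because an admin replaying anyone's requests is supposed to succeed, so the matrix is read against a privilege order before it becomes findings; and a public endpoint captured by any role will match under every credential, so such captures need the baseline module or an allow-list, not a verdict.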

Exposure & Secrets Scanning

Your .env is showing.

Passive analysis of captured network traffic plus active probing for exposed files, debug endpoints, and leaked secrets. 18 compiled regex patterns with CWE mappings. Every finding is masked — BrokenApp never stores or transmits full secrets.

Passive scanning

Analyzes network.jsonl from any existing scan. Searches every response body, header, and URL for secret patterns — AWS keys, Stripe keys, JWTs, database URLs, private keys, and more.

$ brokenapp-mcp exposure-scan \
    --scan-dir ./scan-results

Active probing

Probes ~30 sensitive paths against the live target: .env, .git/config, /actuator, /phpinfo, source maps, swagger docs, and more.

$ brokenapp-mcp exposure-scan \
    --scan-dir ./scan-results --active

API key leaks

AWS, GCP, GitHub, Stripe, SendGrid, Twilio, Mailgun, Firebase, Heroku

Exposed files

.env, .git/config, .DS_Store, wp-config.php.bak

Connection strings

postgres://, mongodb://, redis:// in responses

Debug endpoints

/actuator, /phpinfo, /__debug__, /server-status

Private keys

RSA, EC private keys in responses or files

Source maps

.js.map files auto-discovered from traffic and probed

Server disclosure

Server version, X-Powered-By, framework headers

Verbose errors

Stack traces, SQL errors, Traceback, internal IPs leaked
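Passive mode is a pattern sweep over captured traffic with masking applied before anything is stored. The block below is an added example, not BrokenApp's own code: it runs a subset of such patterns (the product ships 18) with CWE mappings over every captured URL, header and body, and masks each match. The network.jsonl record layout, the pattern subset and the masking rule are my assumptions; the three records are constructed, and the query string is stripped from stored URLs because it is one of the places a secret lives.

```python
"""Passive exposure scan over captured traffic, with secret masking (added example)."""
import json
import re

# (name, pattern, CWE). A subset; the page says the product ships 18.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "CWE-798"),
    ("stripe_secret_key", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"), "CWE-798"),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "CWE-798"),
    ("jwt", re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"), "CWE-522"),
    ("connection_string",
     re.compile(r"\b(?:postgres(?:ql)?|mongodb(?:\+srv)?|redis)://[^\s\"'<>]+"), "CWE-312"),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "CWE-321"),
    ("stack_trace",
     re.compile(r"Traceback \(most recent call last\)|^\s+at \S+ \([^)]+:\d+:\d+\)", re.M), "CWE-209"),
    ("internal_ip",
     re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"), "CWE-200"),
]
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def mask(value):
    """Keep a recognisable prefix and suffix, never the whole credential."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def scan_record(rec):
    """Findings for one captured exchange. Assumed layout:
    {"url": ..., "status": ..., "headers": {...}, "body": ...}."""
    findings = []
    full_url = rec.get("url", "")
    url = full_url.split("?", 1)[0]          # stored form: no query string
    haystacks = [("url", full_url), ("body", rec.get("body", ""))]
    for name, value in rec.get("headers", {}).items():
        haystacks.append((f"header:{name}", value))
        if name.lower() in DISCLOSURE_HEADERS:
            findings.append({"type": "server_disclosure", "cwe": "CWE-200", "url": url,
                             "where": f"header:{name}", "evidence": value})
    for where, text in haystacks:
        for pname, pattern, cwe in PATTERNS:
            for m in pattern.finditer(text):
                findings.append({"type": pname, "cwe": cwe, "url": url,
                                 "where": where, "evidence": mask(m.group(0))})
    return findings


def scan_jsonl(text):
    """Run scan_record over every non-empty line of a network.jsonl dump."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(scan_record(json.loads(line)))
    return findings


# Constructed capture: a bundled JS file, a 500 from an API, and a clean page.
NETWORK_JSONL = r"""
{"url": "https://app.example.test/static/main.js", "status": 200, "headers": {"Server": "nginx/1.18.0"}, "body": "const stripe = Stripe('sk_live_abcdefghijklmnopqrstuvwx1234'); const cfg = {aws: 'AKIAIOSFODNN7EXAMPLE'};"}
{"url": "https://app.example.test/api/orders?token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c", "status": 500, "headers": {"X-Powered-By": "Express"}, "body": "Error: connect ECONNREFUSED 10.0.3.17:5432\n    at TCPConnectWrap.afterConnect (net.js:1141:16)\nDATABASE_URL=postgres://app:s3cret@db.internal:5432/prod"}
{"url": "https://app.example.test/", "status": 200, "headers": {"Content-Type": "text/html"}, "body": "<html><body>Welcome</body></html>"}
"""

if __name__ == "__main__":
    for finding in scan_jsonl(NETWORK_JSONL):
        print(json.dumps(finding))
```

The second record is the instructive one: a single verbose error leaks an internal address, a stack frame and a database connection string, and the request URL itself carries a bearer token. A scanner that stored that URL verbatim would be the leak.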

The report

Make severity impossible to ignore.

brokenapp.io/reports/yourapp-2026-02-14

Summary: 3 Critical, 8 High, 21 Medium, 15 Low

Critical: Unauthenticated access to /api/admin/users (GET /api/admin/users)
Admin endpoint returns the full user list without authentication. 247 user records exposed, including email addresses and hashed passwords.

High: Payment form accepts negative amounts (POST /api/checkout)
Amount field accepts negative values. Submitting amount: -50.00 returns a success response with status "paid".

Medium: LCP exceeds 4.2s on /dashboard (/dashboard)
Largest Contentful Paint measured at 4,200ms. A render-blocking script (analytics.js, 340KB unminified) delays initial paint.

Reports are private by default: they are unlisted, and only someone holding the direct link can view one. Treat that link as a credential; anyone who obtains it (a shared chat, browser history, a referrer log) can read the report.

Your web app is probably broken. We don't guess. We prove it.

Runtime scanning. Evidence-backed findings. No source code required.

Scan your web app