Your app is broken.
We'll prove it.
Automated scanning finds bugs, security vulnerabilities, performance issues, and broken functionality in any deployed web app. Evidence-backed reports. No signup required.
What we find
Every system has a fault line.
Security vulnerabilities
CORS misconfigurations, injection vectors, missing headers, unauthenticated admin access. CWE + OWASP mapped.
IDOR / BOLA detection
Cross-user replay. N×N auth matrix tests every role pair. Body similarity scoring. Severity auto-classification.
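As an added illustration (not BrokenApp's own code), the cross-user replay idea above can be sketched as a pure-Python check: every ordered role pair is tried, each resource a user legitimately reads is replayed with the other user's session, and a 2xx whose body is near-identical to the owner's response is flagged. The in-memory app, users, paths and the leaking `/invoices` endpoint are all constructed for the demo; `fake_request` stands in for an HTTP client.

```python
import difflib
from itertools import permutations

# Constructed stand-in for a deployed app: two users, each owning one order and
# one invoice. /orders/<id> checks ownership; /invoices/<id> does not (the
# deliberate authorization gap this check is meant to surface).
ORDERS = {"o1": {"owner": "alice", "body": '{"id":"o1","total":42,"items":["a","b"]}'},
          "o2": {"owner": "bob", "body": '{"id":"o2","total":17,"items":["c"]}'}}
INVOICES = {"i1": {"owner": "alice", "body": '{"invoice":"i1","amount":42}'},
            "i2": {"owner": "bob", "body": '{"invoice":"i2","amount":17}'}}

def fake_request(user, path):
    """Return (status, body) as the constructed app would for this user's session."""
    kind, _, rid = path.strip("/").partition("/")
    row = {"orders": ORDERS, "invoices": INVOICES}.get(kind, {}).get(rid)
    if row is None:
        return 404, ""
    if kind == "orders" and row["owner"] != user:
        return 403, '{"error":"forbidden"}'
    return 200, row["body"]          # invoices: no owner check

def similarity(a, b):
    """Body similarity in 0.0..1.0 (difflib ratio; 1.0 means identical)."""
    return difflib.SequenceMatcher(None, a, b).ratio()

def classify(score, high=0.9, medium=0.5):
    """Auto-classify a successful cross-user replay by how much of the body matched."""
    if score >= high:
        return "high"     # full object disclosed to the wrong user
    if score >= medium:
        return "medium"   # partial overlap: needs manual triage
    return None           # generic 2xx (empty list, landing page): not reported

def idor_matrix(users, owned_paths, request=fake_request):
    """N x N cross-user replay over every ordered (owner, other) pair, diagonal excluded."""
    findings = []
    for owner, other in permutations(users, 2):
        for path in owned_paths[owner]:
            status_o, body_o = request(owner, path)
            status_x, body_x = request(other, path)
            if status_o != 200 or status_x // 100 != 2:
                continue  # owner cannot read it, or the replay was denied: no finding
            score = similarity(body_o, body_x)
            severity = classify(score)
            if severity:
                findings.append({"path": path, "owner": owner, "replayed_as": other,
                                 "similarity": round(score, 2), "severity": severity})
    return findings

if __name__ == "__main__":
    paths = {"alice": ["/orders/o1", "/invoices/i1"], "bob": ["/orders/o2", "/invoices/i2"]}
    for f in idor_matrix(["alice", "bob"], paths):
        print(f)
```

Against a real target the `request` argument would be an authenticated HTTP client per role; the matrix and scoring logic stay the same.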
Exposure & secrets
18 compiled regex patterns. 22 sensitive path probes. Runs automatically on every scan. Secrets always masked.
Business logic testing
Step-skip detection for multi-step flows. Replay attack detection for write endpoints. Automated.
Baseline & triage
Fingerprint findings. Mark accepted risk or false positive. Subsequent scans only surface new issues.
GitHub integration
Auto-create issues. Comment on PRs. SARIF export for Code Scanning. Close issues when findings resolve.
GraphQL support
Per-operation endpoint detection. Splits POST /graphql into individual queries and mutations in spec.json.
Supabase & Firebase auth
Native auth flow testing. Login, session persistence, token refresh, logout invalidation. Zero custom code.
Compliance mapping
Every finding tagged with CWE ID and OWASP Top 10 / API Top 10. SOC 2 and PCI DSS report generation.
The workflow
Find. Fix. Verify.
BrokenApp finds it
Automated scan crawls your entire app. Every route, form, endpoint, and asset. Structured report with evidence.
AI fixes it
Feed the bug report into Claude Code or Codex. Each issue has reproduction steps and a recommended fix.
BrokenApp verifies it
Re-scan confirms which issues are resolved. Diff reports show exactly what changed. Evidence, not guesswork.
9 detection modules
18 secret patterns
Auto scan & report
$2,000 in prizes