BrokenApp

Changelog

What's new.

Product updates, new detection modules, and improvements to BrokenApp. Shipped fast, shipped often.

v1.4.0 · Feature · CLI · Feb 14, 2026

Business logic testing & export formats

  • New `brokenapp logic-test` command — step-skip detection via view-transition graphs and replay attack detection for write endpoints
  • New `brokenapp export` command — unified report from all scan artifacts (bugs, IDOR, exposure, auth matrix, security, endpoints)
  • PDF format: rendered via headless Chrome, A4 with cover page, TOC, severity chart, and finding cards. Supports `--branded` for custom header/footer
  • Markdown format: GitHub-flavored with YAML frontmatter, pipe tables for IDOR and auth matrix data. Ready for PR/issue/HackerOne
  • CSV format: UTF-8 with BOM, one row per finding. Columns: ID, Source, Severity, Category, Title, CWE, OWASP, Evidence. Import into Jira/Linear
  • Deterministic finding IDs via Blake3 fingerprinting (BA-001, BA-002, etc.) — same finding always gets the same ID
  • Section filtering: `--include` and `--exclude` flags control which report sections appear. Severity filter with `--severity`
  • Step-skip detection builds directed graphs of multi-step flows and tests every skip permutation
  • Replay detection sends duplicate POST/PUT/PATCH requests and compares the responses; a second request that is accepted like the first points to a missing idempotency-key or nonce check
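The two `logic-test` checks above are procedural, so here is an added example (not BrokenApp's code) of both: a view-transition graph built from an observed checkout flow, every skip permutation of its intermediate steps run against a server model, and a duplicate write sent to a write endpoint. The flow, the `ConstructedFlowServer` and `ConstructedOrderApi` classes, and the `BROKEN`/`FIXED` prerequisite tables are all constructed for the example.

```python
from itertools import combinations

# Constructed flow: a four-step checkout as the crawler would observe it.
CHECKOUT = ["cart", "shipping", "payment", "confirm"]

def build_flow_graph(steps):
    """Directed view-transition graph: each observed step points at its successor."""
    graph = {s: [] for s in steps}
    for src, dst in zip(steps, steps[1:]):
        graph[src].append(dst)
    return graph

def linear_order(graph, entry):
    """Follow the single outgoing edge from each node to recover the step order."""
    order, node = [entry], entry
    while graph[node]:
        node = graph[node][0]
        order.append(node)
    return order

def skip_permutations(graph, entry):
    """Every path that keeps the entry and exit steps but omits at least one
    intermediate step (the k loop stops before keeping all of them)."""
    steps = linear_order(graph, entry)
    first, last, middle = steps[0], steps[-1], steps[1:-1]
    paths = []
    for k in range(len(middle)):
        for kept in combinations(middle, k):
            paths.append([first, *kept, last])
    return paths

class ConstructedFlowServer:
    """Hypothetical server: each step checks one prerequisite step. In the
    BROKEN table 'confirm' only checks 'cart', so payment can be skipped."""
    def __init__(self, prereqs):
        self.prereqs = prereqs

    def run(self, path):
        visited = set()
        for step in path:
            need = self.prereqs.get(step)
            if need is not None and need not in visited:
                return 403  # out-of-order step refused
            visited.add(step)
        return 200  # whole path accepted

BROKEN = {"shipping": "cart", "payment": "shipping", "confirm": "cart"}
FIXED = {"shipping": "cart", "payment": "shipping", "confirm": "payment"}

def find_step_skips(graph, entry, server):
    """Return every accepted skip path; each one is a step-skip finding."""
    steps = linear_order(graph, entry)
    findings = []
    for path in skip_permutations(graph, entry):
        if server.run(path) == 200:
            findings.append({"path": path,
                             "skipped": [s for s in steps if s not in path]})
    return findings

class ConstructedOrderApi:
    """Hypothetical write endpoint. Without idempotency enforcement a replayed
    POST creates a second order; with it, the replay returns the first one."""
    def __init__(self, enforce_idempotency):
        self.enforce, self.seen, self.next_id = enforce_idempotency, {}, 1

    def post(self, body, idem_key):
        if self.enforce and idem_key in self.seen:
            return 200, self.seen[idem_key]
        order = {"order_id": self.next_id, "total": body["total"]}
        self.next_id += 1
        self.seen[idem_key] = order
        return 201, order

def detect_replay(api, body, idem_key):
    """Send the same write twice; a second 201 carrying a different resource
    means the endpoint accepted the replay."""
    first = api.post(body, idem_key)
    second = api.post(body, idem_key)
    if second[0] == 201 and second[1] != first[1]:
        return {"type": "replay", "evidence": [first, second]}
    return None

if __name__ == "__main__":
    g = build_flow_graph(CHECKOUT)
    for f in find_step_skips(g, "cart", ConstructedFlowServer(BROKEN)):
        print("step-skip:", " -> ".join(f["path"]), "skipped:", f["skipped"])
    print("replay:", detect_replay(ConstructedOrderApi(False), {"total": 10}, "key-1"))
```

Against the `BROKEN` table the scan reports two accepted skips (straight from `cart` to `confirm`, and `cart` to `shipping` to `confirm`); against `FIXED` it reports none, because every permutation is refused at the first step whose prerequisite was skipped.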

v1.3.0 · Feature · Integration · Feb 10, 2026

GitHub integration & SARIF export

  • New `brokenapp github sync` — auto-create GitHub issues from findings, each carrying a fingerprint marker so later syncs can match the same finding
  • New `brokenapp github sarif` — export SARIF 2.1.0 for GitHub Code Scanning
  • Issues auto-close when findings resolve on rescan
  • PR comment support — post new findings as review comments on pull requests
  • Fingerprint-based deduplication prevents duplicate issues across scans

v1.2.0 · Feature · Security · Feb 5, 2026

Auth flow testing & GraphQL support

  • New `brokenapp auth-test` command with native Supabase (GoTrue) and Firebase (Identity Toolkit) support
  • Tests the login flow, session persistence, token refresh, logout invalidation, and expired-token rejection
  • GraphQL per-operation endpoint detection — splits POST /graphql into individual queries and mutations in spec.json
  • Cookie-based and Bearer token auth flows also supported with custom config
  • Auth findings are mapped to CWE-613 (Insufficient Session Expiration) and CWE-384 (Session Fixation)
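Splitting `POST /graphql` into per-operation endpoints needs a small parser, so here is an added example of one (written for this page, not BrokenApp's implementation). It walks the GraphQL document at selection-set depth 0, so a field named `query` inside a selection is not mistaken for a definition, honours `operationName` when a body carries several operations, and counts the shorthand `{ ... }` form as an anonymous query. The `CAPTURED` bodies and the record shape emitted for `spec.json` are constructed for the example.

```python
import json
import re

# Definition keywords at selection-set depth 0; the operation name is optional.
_DEF_RE = re.compile(r"(query|mutation|subscription|fragment)\b\s*([A-Za-z_]\w*)?")

def split_operations(document):
    """Return [(kind, name)] for each top-level operation in a GraphQL document.
    Scans at brace depth 0, skips # comments and "..." strings, and drops
    fragment definitions. Triple-quoted block strings are not handled."""
    ops, depth, i, n = [], 0, 0, len(document)
    pending = None          # (kind, name) seen at depth 0 whose body has not opened yet
    while i < n:
        c = document[i]
        if c == "#":                                  # comment runs to end of line
            i = document.find("\n", i)
            if i < 0:
                break
            continue
        if c == '"':                                  # skip a string literal
            i += 1
            while i < n and document[i] != '"':
                i += 2 if document[i] == "\\" else 1
            i += 1
            continue
        if c == "{":
            if depth == 0:                            # shorthand '{ ... }' is a query
                ops.append(pending or ("query", None))
                pending = None
            depth += 1
        elif c == "}":
            depth -= 1
        elif depth == 0 and (c.isalpha() or c == "_"):
            m = _DEF_RE.match(document, i)
            prev = document[i - 1] if i else " "
            if m and not (prev.isalnum() or prev in "_$"):   # not part of a longer name or $var
                pending = (m.group(1), m.group(2))
                i = m.end()
                continue
        i += 1
    return [op for op in ops if op[0] != "fragment"]

def graphql_endpoints(path, captured_bodies):
    """Expand captured POST bodies for one GraphQL path into per-operation
    endpoint records (the record shape is this example's assumption). When a
    body names an operationName only that operation counts; otherwise every
    top-level operation in the document does."""
    seen = {}
    for raw in captured_bodies:
        body = json.loads(raw)
        ops = split_operations(body.get("query", ""))
        wanted = body.get("operationName")
        if wanted:
            ops = [op for op in ops if op[1] == wanted]
        for kind, name in ops:
            key = (kind, name or "<anonymous>")
            seen[key] = seen.get(key, 0) + 1
    return [{"method": "POST", "path": path, "kind": kind, "operation": name, "seen": count}
            for (kind, name), count in sorted(seen.items())]

# Constructed captures of POST /graphql request bodies, not real traffic.
CAPTURED = [
    '{"query": "query GetUser($id: ID!) { user(id: $id) { email } }", "variables": {"id": "7"}}',
    '{"query": "mutation UpdateEmail($email: String!) { updateEmail(email: $email) { ok } }"}',
    '{"query": "{ me { id } }"}',
    '{"query": "query A { me { id } } query B { orders { total } }", "operationName": "B"}',
    '{"query": "# mutation in a comment\\nquery GetUser($id: ID!) { user(id: $id) { query } }"}',
]

if __name__ == "__main__":
    for endpoint in graphql_endpoints("/graphql", CAPTURED):
        print(endpoint)
```

The five captures collapse to four endpoints: `GetUser` is seen twice (the comment and the nested `query` field in the last capture are ignored), `B` is counted but `A` is not because the body selected `B`, and the shorthand document becomes an anonymous query.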

v1.1.0 · Feature · CLI · Jan 28, 2026

Baseline & triage management

  • New `brokenapp baseline create` and `brokenapp baseline apply` commands
  • Blake3 fingerprinting for deterministic finding identification across scans
  • Triage statuses: accepted risk, triaged, false positive — persisted in baseline.json
  • Diff-aware rescans only surface new issues, filtering out baselined findings
  • Compliance mapping — every finding tagged with CWE ID and OWASP Top 10 / API Top 10
  • SOC 2 and PCI DSS report generation via a compliance flag
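Deterministic fingerprints are what the baseline (this release), the issue markers and auto-close of the GitHub sync (v1.3.0) and the stable report IDs (v1.4.0) all rest on, so here is one added example covering all three; it is written for this page and is not BrokenApp's code. The fingerprint is taken over the fields that identify a finding (category, method, path with object IDs normalised, parameter) and never over volatile evidence, so `/api/orders/1042` and `/api/orders/2077` hash to the same finding. `hashlib.blake2b` stands in for Blake3, which is not in Python's standard library; the `baseline.json` layout, the HTML-comment marker format and the `SCAN_1`/`SCAN_2` findings are constructed for the example.

```python
import hashlib
import json
import re

# Numeric or UUID path segments are the object IDs an IDOR finding varies over.
_ID_SEGMENT = re.compile(
    r"/(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?=/|$)")
TRIAGE_STATUSES = {"accepted risk", "triaged", "false positive"}

def normalize_path(path):
    """/api/orders/1042 and /api/orders/2077 are the same finding."""
    return _ID_SEGMENT.sub("/{id}", path)

def fingerprint(finding):
    """Stable fingerprint over the identifying fields only, never over volatile
    ones (timestamps, bodies, screenshot paths). blake2b is the stand-in used
    here because Blake3 is not in the standard library."""
    key = "|".join([finding["category"], finding["method"].upper(),
                    normalize_path(finding["path"]), finding.get("param", "")])
    return hashlib.blake2b(key.encode(), digest_size=16).hexdigest()

def create_baseline(findings):
    """Content of baseline.json as assumed here: fingerprint -> triage status."""
    baseline = {}
    for f in findings:
        status = f.get("triage", "triaged")
        if status not in TRIAGE_STATUSES:
            raise ValueError(f"unknown triage status: {status}")
        baseline[fingerprint(f)] = status
    return baseline

def apply_baseline(findings, baseline):
    """Diff-aware rescan: surface only findings absent from the baseline;
    baselined ones come back annotated with their triage status."""
    new, suppressed = [], []
    for f in findings:
        fp = fingerprint(f)
        if fp in baseline:
            suppressed.append({**f, "fingerprint": fp, "triage": baseline[fp]})
        else:
            new.append({**f, "fingerprint": fp})
    return new, suppressed

def issue_marker(finding):
    """Hidden marker for a GitHub issue body so a later sync can find the issue
    for the same finding. The marker text is this example's own format."""
    return f"<!-- brokenapp-fingerprint:{fingerprint(finding)} -->"

def resolved_fingerprints(previous, current):
    """Findings present last scan and gone now: the issues to auto-close."""
    return {fingerprint(f) for f in previous} - {fingerprint(f) for f in current}

# Constructed scan results, not real scanner output.
SCAN_1 = [
    {"category": "idor", "method": "GET", "path": "/api/orders/1042", "title": "Cross-user read"},
    {"category": "exposure", "method": "GET", "path": "/.env", "title": ".env readable",
     "triage": "false positive"},
]
SCAN_2 = [
    {"category": "idor", "method": "GET", "path": "/api/orders/2077", "title": "Cross-user read"},
    {"category": "idor", "method": "DELETE", "path": "/api/orders/2077", "title": "Cross-user delete"},
]

if __name__ == "__main__":
    baseline = create_baseline(SCAN_1)
    print(json.dumps(baseline, indent=2))
    new, suppressed = apply_baseline(SCAN_2, baseline)
    print("new:", [f["title"] for f in new], "suppressed:", [f["title"] for f in suppressed])
    print("close:", resolved_fingerprints(SCAN_1, SCAN_2))
```

On the rescan only the cross-user DELETE surfaces as new; the GET was baselined on the first scan even though the object ID changed, and the `.env` finding, which disappeared, is the one whose issue would be closed.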

v1.0.0 · Release · Jan 22, 2026

BrokenApp v1.0 — public launch

  • Full-app scanning with headless browser crawling — every route, form, endpoint, and asset
  • IDOR / BOLA detection with cross-user replay and body similarity scoring
  • N×N auth matrix testing across unlimited role pairs
  • Exposure scanning — 18 compiled regex patterns and 22 active probes, runs automatically on every scan
  • Structured JSON output with evidence: screenshots, network traces, reproduction steps
  • Diff reports between scans to track exactly what changed
  • CI/CD integration with exit codes and JSON output for pipeline gates
  • MCP server for AI coding tool integration

v0.9.0 · Beta · Jan 10, 2026

Auth matrix & exposure scanning

  • N×N auth matrix scanning — test every role pair with automatic severity classification
  • Exposure scanning with passive regex matching and active path probing
  • 18 secret detection patterns including AWS, Stripe, GitHub, GCP, Slack, Firebase, and more
  • 22 sensitive path probes including .env, .git/config, debug endpoints, and admin panels
  • Secrets always masked in output — only partial values shown for verification
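As an added example of the exposure scanning described here and in v1.0.0 (written for this page, not BrokenApp's pattern set): passive regex matching over a fetched asset with every hit masked before it is reported, plus the content check an active path probe needs so a catch-all 200 page is not counted as a readable `.env`. The patterns are a subset of the credential kinds listed above, the bundle is constructed (the AWS key is the documented `AKIAIOSFODNN7EXAMPLE` placeholder), and the probe set and finding shape are assumptions.

```python
import re

# A few of the credential formats listed above; constructed subset, not the full set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "gcp_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z\-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def mask(secret, keep=4):
    """Keep only the first and last `keep` characters: enough to confirm which
    credential it is without the report itself becoming an exposure."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - 2 * keep) + secret[-keep:]

def scan_text(text, source):
    """Passive scan over one fetched asset; every match is reported masked,
    with its line number so the finding can be reproduced."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"kind": kind, "source": source, "line": lineno,
                                 "masked": mask(m.group(0))})
    return findings

# Active probes: a path plus what its body must look like, so a soft-404
# page served with status 200 is not reported as the file.
PATH_PROBES = {
    "/.env": re.compile(r"^[A-Z][A-Z0-9_]*=", re.M),
    "/.git/config": re.compile(r"^\[core\]", re.M),
}

def classify_probe(path, status, body):
    """True only when the status is 200 and the body matches the file's shape."""
    return status == 200 and bool(PATH_PROBES[path].search(body))

# Constructed JavaScript bundle, not a real asset.
CONSTRUCTED_BUNDLE = """\
// app.bundle.js (constructed sample)
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
const gh = "ghp_0123456789abcdefghijABCDEFGHIJklmnop";
fetch("/api", { headers: { Authorization: "Bearer sk_live_abcdefghijklmnopqrstuvwx" } });
const maps = "AIza0123456789abcdefghijklmnopqrstuvwxy";
const sk_test = "sk_test_abcdefghijklmnopqrstuvwx";  // test-mode key, not matched
"""

if __name__ == "__main__":
    for f in scan_text(CONSTRUCTED_BUNDLE, "app.bundle.js"):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['masked']}")
    print("/.env hit:", classify_probe("/.env", 200, "DB_PASSWORD=hunter2\n"))
    print("/.env soft-404:", classify_probe("/.env", 200, "<html>Not found</html>"))
```

The scan reports four findings from the bundle (the `sk_test_` key is deliberately left out of the live-key pattern), each masked to its first and last four characters; the probe classifier accepts a body that actually parses as an env file and rejects the HTML soft-404.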

v0.8.0 · Beta · Dec 18, 2025

IDOR scanning & diff reports

  • IDOR / BOLA detection — capture two user sessions, replay every ID-bearing request cross-user
  • Body similarity scoring to classify true IDORs vs false positives
  • Automatic severity classification: Critical (write access), High (read PII), Medium (read non-sensitive)
  • Diff reports — compare two scans and see exactly which issues are new, resolved, or unchanged
  • JSON and human-readable output formats
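The cross-user replay, body similarity scoring and severity rules described here (and in the v1.0.0 entry) fit in one added example; it is written for this page and is not BrokenApp's scorer. A request captured in user A's session is replayed with user B's session; the replay is a finding only when B gets A's status back, B's body is near-identical to A's, and B's body is not simply B's own record (which a server that ignores the ID and always returns the caller's resource would produce). `difflib`'s ratio, the 0.9 threshold, the PII key list and the `CASES` captures are all constructed for the example.

```python
from difflib import SequenceMatcher
import re

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Constructed PII heuristic: JSON keys that mark a body as personal data.
PII_KEY_RE = re.compile(r'"(?:email|phone|ssn|address|dob|iban)"\s*:', re.I)

def similarity(a, b):
    """0.0 to 1.0 body similarity; difflib's ratio is the scorer assumed here."""
    return SequenceMatcher(None, a, b).ratio()

def classify_replay(request, owner_resp, replayed_resp, caller_own_resp=None, threshold=0.9):
    """Cross-user replay verdict.
    owner_resp:      (status, body) user A received for A's own resource
    replayed_resp:   (status, body) user B received when replaying A's request
    caller_own_resp: (status, body) user B receives for B's own equivalent resource
    Returns a finding, or None when the server told the two users apart."""
    a_status, a_body = owner_resp
    r_status, r_body = replayed_resp
    if r_status != a_status or r_status in (401, 403, 404):
        return None                          # denied, or a different outcome for B
    if r_body and caller_own_resp and similarity(r_body, caller_own_resp[1]) >= threshold:
        return None                          # B just got B's own record back
    score = similarity(r_body, a_body)
    if score < threshold:
        return None                          # different data: not A's resource
    if request["method"] in WRITE_METHODS:
        severity = "Critical"                # B could change or delete A's resource
    elif PII_KEY_RE.search(r_body):
        severity = "High"                    # B read A's personal data
    else:
        severity = "Medium"                  # B read non-sensitive data of A's
    return {"method": request["method"], "path": request["path"],
            "severity": severity, "similarity": round(score, 3)}

def run_idor_scan(cases):
    """Apply classify_replay to every captured ID-bearing request."""
    findings = []
    for c in cases:
        verdict = classify_replay(c["request"], c["owner"], c["replayed"], c.get("caller_own"))
        if verdict:
            findings.append(verdict)
    return findings

# Constructed captures from two sessions (alice = A, bob = B), not real traffic.
ALICE_ORDER = '{"id":1042,"owner":"alice","email":"alice@example.com","total":42.5}'
BOB_ORDER = '{"id":2077,"owner":"bob","email":"bob@example.com","total":9.0}'
CASES = [
    {   # B replays A's GET and receives A's record verbatim: read of PII
        "request": {"method": "GET", "path": "/api/orders/1042"},
        "owner": (200, ALICE_ORDER), "replayed": (200, ALICE_ORDER), "caller_own": (200, BOB_ORDER)},
    {   # B replays A's DELETE and the server accepts it: write access
        "request": {"method": "DELETE", "path": "/api/orders/1042"},
        "owner": (204, ""), "replayed": (204, "")},
    {   # server checks ownership: replay denied
        "request": {"method": "GET", "path": "/api/profile/1"},
        "owner": (200, '{"id":1,"name":"alice"}'), "replayed": (403, '{"error":"forbidden"}')},
    {   # server ignores the id and returns the caller's own record: false positive
        "request": {"method": "GET", "path": "/api/orders/current?id=1042"},
        "owner": (200, ALICE_ORDER), "replayed": (200, BOB_ORDER), "caller_own": (200, BOB_ORDER)},
]

if __name__ == "__main__":
    for f in run_idor_scan(CASES):
        print(f["severity"], f["method"], f["path"], "similarity", f["similarity"])
```

Of the four captures only the first two become findings: the GET is High because the leaked body carries an `email` key, the DELETE is Critical because a write on A's resource was accepted, the 403 is a correctly enforced check, and the last case is the false positive the own-record comparison exists to catch.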

Shipping every week.

Follow along as we build the inspection layer for the internet.