The Scanner

We crawl your app like a real user would.

BrokenApp tests every route, submits forms, evaluates load times, checks for console errors, probes for security misconfigurations, detects business logic flaws, and supports GraphQL natively. Everything documented with CWE + OWASP mappings.

Submit your URL

No signup. No code access. If your app is on the internet, we can scan it.

We scan everything

Routes, forms, endpoints, assets, API calls, security headers, performance metrics.

Get your report

Private URL with severity ratings, screenshots, network traces, and reproduction steps.

Detection coverage

What the scanner detects

Critical

— Security & Data Exposure

Unauthenticated access to admin or internal endpoints
Exposed API keys, tokens, or credentials in client-side code
Missing HTTPS or mixed content warnings
Password reset tokens that never expire
CORS misconfigurations allowing unauthorized cross-origin access
IDOR/BOLA — accessing other users' data via ID enumeration
Step-skip — bypassing checkout or verification steps
Replay attacks — duplicate charges or submissions
SQL injection and XSS vectors in form inputs

High

— Broken Functionality

Routes returning 500 errors
Failed API calls visible to end users
Forms that accept invalid input (negative amounts, empty required fields)
Authentication flows that fail silently on mobile
Broken OAuth or third-party integrations
Session invalidation failures after logout
Token refresh not working (Supabase/Firebase)

Medium

— Performance & UX

Page loads exceeding 3 seconds
Uncompressed images and unminified assets
Render-blocking scripts
Core Web Vitals failures (LCP, CLS, FID)
Broken links and 404 pages
Console errors on every page load

Low

— Standards & Accessibility

Missing alt text on images
Insufficient color contrast ratios
Missing semantic HTML structure
No meta descriptions or Open Graph tags
Deprecated library versions with known CVEs

New

IDOR / BOLA Detection

The #1 bug bounty finding. Automated.

Insecure Direct Object Reference is the most common and highest-paying vulnerability class in bug bounty programs. BrokenApp detects it automatically by replaying requests across user sessions.

Cross-user replay

Scan your app as User A (admin), then as User B (viewer). The IDOR module takes User A's requests and replays them with User B's credentials. If User B can access User A's data — that's a confirmed IDOR.

$ brokenapp idor-scan \

--scan-a ./admin-scan \

--scan-b ./viewer-scan \

--config-b ./viewer.toml

Automatic classification

Every replayed request is classified automatically based on response status codes and body similarity analysis.

Confirmed — 200 + similar body → full unauthorized access

Likely — 200 but body differs → partial data leak

No Issue — 401/403/404 → properly denied

Error — Request failed → inconclusive

Auth bypass

Endpoints that return data regardless of who's asking.

Broken access control

User B accessing User A's profile, orders, settings, messages.

Write IDOR

POST/PUT/PATCH endpoints that modify another user's data.

Privilege escalation

Viewer-role user hitting admin-only API endpoints successfully.

New

Multi-role auth matrix

N roles. N×(N-1) pairs. One command.

Define admin, user, viewer, and unauthenticated roles in a single TOML. BrokenApp scans each role, then runs IDOR testing across every pair — generating a compliance heatmap that shows exactly where authorization breaks.

Define unlimited roles in roles.toml

Automatic N×(N-1) pair testing

Compliance heatmap report (JSON + Markdown)

Authorization Matrix — 4 roles, 12 pairs

Requests ↓ \ Auth →	admin	user	viewer	unauth
admin	—	0/0	0/0	0/0
user	5/2	—	0/0	0/0
viewer	8/3	3/1	—	0/0
unauth	12/5	8/3	2/1	—

Cell format: confirmed / likely IDOR count

New

Exposure & Secrets Scanning

Your .env is showing.

Passive analysis of captured network traffic plus active probing for exposed files, debug endpoints, and leaked secrets. 18 compiled regex patterns with CWE mappings. Passive mode runs automatically on every scan — zero config. Every finding is masked — BrokenApp never stores or transmits full secrets.

Passive scanning

Analyzes network.jsonl from any existing scan. Searches every response body, header, and URL for secret patterns — AWS keys, Stripe keys, JWTs, database URLs, private keys, and more.

$ brokenapp exposure-scan \

--scan-dir ./scan-results

Active probing

Probes ~30 sensitive paths against the live target: .env, .git/config, /actuator, /phpinfo, source maps, swagger docs, and more. Combines with passive results for full coverage.

$ brokenapp exposure-scan \

--scan-dir ./scan-results --active

API key leaks

AWS, GCP, GitHub, Stripe, SendGrid, Twilio, Mailgun, Firebase, Heroku

Exposed files

.env, .git/config, .DS_Store, wp-config.php.bak

Connection strings

postgres://, mongodb://, redis:// in responses

Debug endpoints

/actuator, /phpinfo, /__debug__, /server-status

Private keys

RSA, EC private keys in responses or files

Source maps

.js.map files auto-discovered from traffic and probed

Server disclosure

Server version, X-Powered-By, framework headers

Verbose errors

Stack traces, SQL errors, Traceback, internal IPs leaked

The report

Make severity impossible to ignore.

brokenapp.io/reports/yourapp-2026-02-14

Critical

High

Medium

Low

Critical

Unauthenticated access to /api/admin/users

GET /api/admin/users

Admin endpoint returns full user list without authentication. 247 user records exposed including email addresses and hashed passwords.

High

Payment form accepts negative amounts

POST /api/checkout

Amount field accepts negative values. Submitting amount: -50.00 returns success response with status "paid".

Medium

LCP exceeds 4.2s on /dashboard

/dashboard

Largest Contentful Paint measured at 4,200ms. Render-blocking script (analytics.js, 340KB unminified) delays initial paint.

Reports are private by default. Only someone with the direct link can view it.

Signal over noise.

No signup required. No code access needed.

Scan your app