DOCUMENTATION

ScanexAI

Complete reference for the automated security intelligence platform — covering the scan pipeline, vulnerability detectors, attack chain engine, risk scoring, and API endpoints.

Getting Started

ScanexAI is an automated security intelligence platform. Point it at any live website you own or have permission to test, and it will crawl, detect vulnerabilities, build visual attack chains, and generate an executive PDF report.

How a Scan Works

01 Web Crawler

Guzzle HTTP client visits up to 25 pages within the target hostname. Maps page types, forms, query parameters, links, and headers. Subdomains are automatically enumerated.

02 Vulnerability Scanner

40+ rule-based detectors run across every crawled page, plus SSL inspection, API endpoint discovery, and domain-level checks (ports, DNS, reputation, default credentials).

03 Attack Graph Builder

Vulnerability combinations are matched against 14 chain templates. Matched chains produce Entry → Pivot → Impact → Crown Jewel node graphs with colour-coded steps.

04 Risk Scoring

A weighted composite score (0–100) is calculated from vulnerability density, attack chain severity, and critical exposure bonus.

05 AI Narrative

Optionally, Llama 3 via Groq writes an executive breach narrative explaining attack paths in plain English with remediation priorities.

06 PDF Report

DomPDF renders an executive-ready PDF with risk scores, attack chains, vulnerability table, and remediation steps.

07 Scan Comparison

Diff any two completed scans for the same domain: new issues, resolved findings, and unchanged vulnerabilities shown side-by-side.

08 Vulnerability Notes

Annotate findings with analyst status tags (Accepted Risk, False Positive, In Progress, Fixed) and free-text comments directly on the scan report.

Vulnerability Detectors

Type | Severity | CVSS | Trigger
IDOR | High | 7.5 | Query params matching id, user_id, account, order
XSS | High | 6.1 | Text / search / email input fields in forms
Brute Force | High | 7.3 | Login page with password field, no visible CAPTCHA
Admin Exposure | Critical | 9.1 | URL or title contains admin, dashboard, panel, manage
Missing Headers | Medium | 5.3 | 2+ of X-Frame-Options, CSP, X-Content-Type-Options, HSTS missing
API Exposure | Medium | 6.5 | URL matches /api/, .json, or graphql pattern
Open Redirect | Medium | 4.7 | Query params named redirect, return, next, url, goto
Sensitive Params | High | 7.2 | Query params named token, secret, key, pass, auth, session
CORS Misconfiguration | High | 7.4 | Access-Control-Allow-Origin: * with credentials header present
Clickjacking | Medium | 5.4 | X-Frame-Options or CSP frame-ancestors header missing
SSL/TLS Issues | Medium | 5.9 | Expired cert, weak cipher, or missing HSTS header
Directory Exposure | High | 7.5 | Probes 30+ paths: /admin, /.env, /backup, /phpinfo, /config
Exposed Secrets | Critical | 9.8 | Source code contains API keys, tokens, or private keys
Cookie Security | Medium | 5.7 | Cookies missing HttpOnly, Secure, or SameSite flags
Subdomain Enumeration | Medium | 5.3 | Enumerates common subdomains via DNS lookup
Subdomain Takeover | High | 8.1 | Subdomain CNAME points to unclaimed third-party service
Prompt Injection | High | 7.6 | Unguarded LLM input endpoint accepting user-controlled text
Jailbreak Threat | High | 7.5 | AI endpoint missing auth guardrails or system-prompt protection
AI Output Leakage | High | 7.8 | AI response contains PII, internal data, or system prompt
Unmonitored Retraining | Critical | 9.0 | Exposed /train or /fine-tune endpoint without authentication
Hazardous AI API | High | 8.5 | Public /generate, /chat, or /completions endpoint with no auth
Default Credentials | Critical | 9.8 | Login endpoint accepts admin/admin, admin/password combos
Open Port Exposure | High | 7.5 | Database or service ports (3306, 5432, 6379, 27017) reachable
Missing DMARC/SPF | Medium | 5.3 | Domain DNS missing DMARC or SPF record (email spoofing risk)
Rate Limiting | Medium | 6.2 | Login or API endpoint returns no 429 under rapid request burst
Data Leakage | High | 7.5 | Response body contains PII, stack traces, or internal paths
Session Fixation | High | 7.3 | Session token unchanged after authentication
Insecure Cache Headers | Medium | 5.4 | Sensitive pages served with Cache-Control: public, or no-store missing
Outdated Libraries | Medium | 5.9 | JS libraries with known CVEs detected in page source
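Several rows in the table are pure response-header rules, which makes them easy to reproduce locally against your own server before a full scan runs. The Python below is an added example, not ScanexAI's detector code: it applies the Missing Headers, Clickjacking, CORS Misconfiguration, Cookie Security and Insecure Cache Headers triggers to a constructed login-page response, then to a hardened version of the same page. The header dictionaries and Set-Cookie strings are constructed sample input; the severities and CVSS values are those in the table.

```python
# Added example (not ScanexAI's own code): rule-based checks for five of the
# detector rows above, run over constructed response headers from a login
# page. Severities and CVSS values are the table's.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    kind: str
    severity: str
    cvss: float
    detail: str


# Lower-cased header name -> label used in the "Missing Headers" rule.
SECURITY_HEADERS = {
    "x-frame-options": "X-Frame-Options",
    "content-security-policy": "CSP",
    "x-content-type-options": "X-Content-Type-Options",
    "strict-transport-security": "HSTS",
}


def check_response(headers: Dict[str, str], set_cookies: List[str],
                   sensitive_page: bool = False) -> List[Finding]:
    """Apply the header and cookie rules to one HTTP response.

    headers: response headers (matched case-insensitively); set_cookies: raw
    Set-Cookie values, one per cookie; sensitive_page: the page carries
    authenticated or sensitive content, which enables the cache rule.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []

    # Missing Headers: two or more of the four hardening headers absent.
    missing = [label for key, label in SECURITY_HEADERS.items() if key not in h]
    if len(missing) >= 2:
        findings.append(Finding("Missing Headers", "Medium", 5.3,
                                "absent: " + ", ".join(missing)))

    # Clickjacking: no X-Frame-Options and no CSP frame-ancestors directive.
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(Finding("Clickjacking", "Medium", 5.4,
                                "page can be framed by any origin"))

    # CORS Misconfiguration: wildcard origin combined with credentials allowed.
    acao = h.get("access-control-allow-origin", "").strip()
    acac = h.get("access-control-allow-credentials", "").strip().lower()
    if acao == "*" and acac == "true":
        findings.append(Finding("CORS Misconfiguration", "High", 7.4,
                                "Access-Control-Allow-Origin: * with credentials"))

    # Cookie Security: any cookie set without HttpOnly, Secure, or SameSite.
    for raw in set_cookies:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        lacking = [f for f in ("HttpOnly", "Secure", "SameSite")
                   if f.lower() not in attrs]
        if lacking:
            findings.append(Finding("Cookie Security", "Medium", 5.7,
                                    f"cookie {name} missing {', '.join(lacking)}"))

    # Insecure Cache Headers: sensitive page marked public or lacking no-store.
    if sensitive_page:
        cc = h.get("cache-control", "").lower()
        if "public" in cc or "no-store" not in cc:
            findings.append(Finding("Insecure Cache Headers", "Medium", 5.4,
                                    f"Cache-Control: {cc or '(absent)'}"))
    return findings


# Constructed sample: a login page served by a misconfigured origin.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Cache-Control": "public, max-age=600",
}
WEAK_COOKIES = ["PHPSESSID=abc123; Path=/",
                "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"]

# The same page after hardening; every rule above should stay quiet.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "no-store",
}
HARDENED_COOKIES = ["PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"]

if __name__ == "__main__":
    for f in check_response(WEAK_HEADERS, WEAK_COOKIES, sensitive_page=True):
        print(f"[{f.severity} {f.cvss}] {f.kind}: {f.detail}")
```

Running the block prints five findings for the weak configuration and none for the hardened one. The cookie rule deliberately reports every flag that is absent on a cookie rather than stopping at the first, since the remediation differs per flag.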

Attack Chain Templates

Full Account Takeover (95/100)
Requires: Brute Force + IDOR
1. Brute-force login credentials
2. Authenticate as victim
3. Exploit IDOR to access other accounts

Data Exfiltration via API (91/100)
Requires: API Exposure + IDOR
1. Discover unauthenticated API endpoint
2. Enumerate via IDOR parameter
3. Extract sensitive data at scale

XSS → Session Hijack (82/100)
Requires: XSS + Sensitive Parameter
1. Inject stored XSS payload
2. Payload fires on victim visit
3. Session token stolen

Admin Panel Takeover (98/100)
Requires: Admin Exposure + Brute Force
1. Discover exposed admin panel
2. Brute-force credentials
3. Full admin access + RCE risk

Phishing via Open Redirect (72/100)
Requires: Open Redirect + Brute Force
1. Craft phishing URL via open redirect
2. Victim clicks trusted-looking link
3. Credentials harvested

Clickjacking + XSS (76/100)
Requires: Missing Headers + XSS
1. Embed site in iframe (no X-Frame-Options)
2. Overlay fake UI
3. Trigger XSS, steal session

Secrets Exfiltration (88/100)
Requires: Exposed Secrets + API Exposure
1. Source scan reveals hardcoded API key
2. Attacker calls third-party API
3. Data or billing abuse at scale

CORS Data Theft (80/100)
Requires: CORS Misconfiguration + Sensitive Params
1. Identify CORS wildcard origin
2. Craft cross-origin request from attacker page
3. Exfiltrate authenticated response data

Cookie Theft (78/100)
Requires: Cookie Security + XSS
1. Identify missing HttpOnly flag
2. Inject XSS payload
3. Read and exfiltrate session cookie

Directory Traversal + Secrets (85/100)
Requires: Directory Exposure + Exposed Secrets
1. Probe exposed /backup or /.env path
2. Download config file with DB credentials
3. Access production database directly

Insecure Cache Replay (68/100)
Requires: Insecure Cache Headers + Sensitive Params
1. Identify cached authenticated response
2. Replay cache from shared network or CDN
3. Access victim session data without auth

Subdomain Hijack (82/100)
Requires: Subdomain Takeover + CORS Misconfiguration
1. Find dangling CNAME to unclaimed service
2. Register attacker account on that service
3. Serve malicious content on legitimate subdomain

Default Credentials Takeover (96/100)
Requires: Default Credentials + Admin Exposure
1. Locate admin login panel
2. Submit default credential pairs
3. Full privileged access to application

AI Prompt Injection Chain (87/100)
Requires: Prompt Injection + AI Output Leakage
1. Inject adversarial prompt via user input field
2. Override system prompt instructions
3. Exfiltrate internal context or PII from AI response
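The rule behind every template above is a pair test: a chain fires when both of its required detector types are present among a scan's findings, and the chain's score then feeds the "attack chain severity" input of the composite risk score. The Python below is an added example, not the platform's attack graph builder. It encodes the 14 templates with the scores and required pairs listed above, matches them against a constructed set of finding types, ranks the hits, and builds the Entry → Pivot → Impact → Crown Jewel graph for each. The role assignment (first detector as Entry, second as Pivot, the chain itself as Impact, a named asset as Crown Jewel), the constructed finding set, and the use of the detector table's spelling "Sensitive Params" where one template says "Sensitive Parameter" are assumptions.

```python
# Added example (not ScanexAI's own engine): chain template matching and
# Entry -> Pivot -> Impact -> Crown Jewel graph construction. Template names,
# scores and required pairs are the page's; the node-role mapping is assumed.
from typing import Dict, List, Set, Tuple

# (chain name, score out of 100, required detector pair)
ChainTemplate = Tuple[str, int, Tuple[str, str]]

CHAIN_TEMPLATES: List[ChainTemplate] = [
    ("Full Account Takeover", 95, ("Brute Force", "IDOR")),
    ("Data Exfiltration via API", 91, ("API Exposure", "IDOR")),
    ("XSS → Session Hijack", 82, ("XSS", "Sensitive Params")),  # table spelling
    ("Admin Panel Takeover", 98, ("Admin Exposure", "Brute Force")),
    ("Phishing via Open Redirect", 72, ("Open Redirect", "Brute Force")),
    ("Clickjacking + XSS", 76, ("Missing Headers", "XSS")),
    ("Secrets Exfiltration", 88, ("Exposed Secrets", "API Exposure")),
    ("CORS Data Theft", 80, ("CORS Misconfiguration", "Sensitive Params")),
    ("Cookie Theft", 78, ("Cookie Security", "XSS")),
    ("Directory Traversal + Secrets", 85, ("Directory Exposure", "Exposed Secrets")),
    ("Insecure Cache Replay", 68, ("Insecure Cache Headers", "Sensitive Params")),
    ("Subdomain Hijack", 82, ("Subdomain Takeover", "CORS Misconfiguration")),
    ("Default Credentials Takeover", 96, ("Default Credentials", "Admin Exposure")),
    ("AI Prompt Injection Chain", 87, ("Prompt Injection", "AI Output Leakage")),
]


def match_chains(finding_types: Set[str]) -> List[ChainTemplate]:
    """Templates whose required pair is fully present, highest score first."""
    hits = [t for t in CHAIN_TEMPLATES if set(t[2]) <= finding_types]
    return sorted(hits, key=lambda t: -t[1])


def chain_severity(finding_types: Set[str]) -> int:
    """Highest matched chain score, or 0 when nothing chains.

    This is the "attack chain severity" term of the composite risk score;
    the weighting against density and critical exposure is not shown here.
    """
    hits = match_chains(finding_types)
    return hits[0][1] if hits else 0


def build_graph(template: ChainTemplate, crown_jewel: str) -> Dict[str, list]:
    """Four-node path graph for one matched chain (role mapping is an assumption)."""
    name, score, (entry, pivot) = template
    nodes = [
        {"id": "entry", "role": "Entry", "label": entry},
        {"id": "pivot", "role": "Pivot", "label": pivot},
        {"id": "impact", "role": "Impact", "label": name, "score": score},
        {"id": "crown", "role": "Crown Jewel", "label": crown_jewel},
    ]
    edges = [["entry", "pivot"], ["pivot", "impact"], ["impact", "crown"]]
    return {"nodes": nodes, "edges": edges}


def attack_paths(finding_types: Set[str],
                 crown_jewel: str = "Application data") -> List[Dict[str, object]]:
    """One entry per matched chain, in the order a report would list them."""
    return [{"name": t[0], "score": t[1], "requires": list(t[2]),
             "graph": build_graph(t, crown_jewel)}
            for t in match_chains(finding_types)]


# Constructed finding set for a site with an exposed admin panel, an
# unprotected login form, an IDOR parameter and two header weaknesses.
SAMPLE_FINDINGS = {"Admin Exposure", "Brute Force", "IDOR",
                   "Missing Headers", "Cookie Security"}

if __name__ == "__main__":
    for path in attack_paths(SAMPLE_FINDINGS, crown_jewel="Admin console"):
        roles = " -> ".join(n["label"] for n in path["graph"]["nodes"])
        print(f"{path['score']:>3}/100  {path['name']}: {roles}")
    print("chain severity:", chain_severity(SAMPLE_FINDINGS))
```

On the sample set only two templates fire (Admin Panel Takeover and Full Account Takeover); Missing Headers and Cookie Security are present but their partner detector, XSS, is not, so Clickjacking + XSS and Cookie Theft stay silent. That behaviour is the point of pair matching: a single finding raises density, but only a confirmed combination raises chain severity.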

API Reference

POST /api/scan

Start a new scan

REQUEST BODY

{ "url": "https://example.com" }

RESPONSE

{ "scanId": "uuid", "status": "running" }

GET /api/scan?id=<scanId>

Poll scan status

RESPONSE

{ "id": "...", "status": "completed", "overall_risk": 74 }

GET /api/vulnerabilities?scanId=<id>

Get all vulnerabilities for a scan

RESPONSE

Array of vulnerability objects ordered by CVSS

GET /api/attack-paths?scanId=<id>

Get attack graph and chains

RESPONSE

{ "graph": { nodes, edges }, "paths": [...] }

POST /api/ai-explain

Generate AI breach narrative

REQUEST BODY

{ "scanId": "uuid" }

RESPONSE

{ "narrative": "...", "source": "ai" }

GET /api/report?scanId=<id>

Download PDF security report

RESPONSE

application/pdf binary
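A typical integration starts a scan, polls until it completes, then pulls the findings and chains. The Python below is an added example, not an official SDK: the endpoint paths and the response fields it reads are those shown above, while the base URL, a bearer-token Authorization header, treating any status other than running or completed as a failure, the poll bound, and the offline fake transport with its constructed vulnerability objects are assumptions. The HTTP layer is injected so the same flow runs against the fake without network access.

```python
# Added example (not the project's own client): start / poll / fetch across
# the endpoints in the reference. Auth header, failure-status handling and the
# fake transport's payloads are assumptions; paths and shown fields are the page's.
import json
import time
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# A transport takes (method, path, json_body_or_None) and returns parsed JSON.
Transport = Callable[[str, str, Optional[dict]], Any]


def http_transport(base_url: str, api_key: Optional[str] = None) -> Transport:
    """Real transport over urllib (assumption: Authorization: Bearer <key>)."""
    def send(method: str, path: str, body: Optional[dict]) -> Any:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        if api_key:
            req.add_header("Authorization", f"Bearer {api_key}")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def run_scan(send: Transport, url: str, poll_interval: float = 5.0,
             max_polls: int = 120,
             sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """POST /api/scan, poll GET /api/scan?id= until completed, then collect results."""
    scan_id = send("POST", "/api/scan", {"url": url})["scanId"]
    poll_query = urllib.parse.urlencode({"id": scan_id})
    status: Dict[str, Any] = {}
    for _ in range(max_polls):
        status = send("GET", f"/api/scan?{poll_query}", None)
        if status["status"] == "completed":
            break
        if status["status"] != "running":  # assumption: anything else is terminal
            raise RuntimeError(f"scan {scan_id} ended with status {status['status']}")
        sleep(poll_interval)
    else:
        raise TimeoutError(f"scan {scan_id} still running after {max_polls} polls")
    result_query = urllib.parse.urlencode({"scanId": scan_id})
    return {
        "scanId": scan_id,
        "overall_risk": status["overall_risk"],
        "vulnerabilities": send("GET", f"/api/vulnerabilities?{result_query}", None),
        "paths": send("GET", f"/api/attack-paths?{result_query}", None)["paths"],
    }


def fake_transport(polls_until_done: int = 3) -> Transport:
    """Constructed offline stand-in that replays the reference's example responses."""
    state = {"polls": 0}
    vulns: List[Dict[str, Any]] = [  # constructed; ordered by CVSS as the reference states
        {"type": "Admin Exposure", "severity": "Critical", "cvss": 9.1},
        {"type": "IDOR", "severity": "High", "cvss": 7.5},
        {"type": "Missing Headers", "severity": "Medium", "cvss": 5.3},
    ]

    def send(method: str, path: str, body: Optional[dict]) -> Any:
        if (method, path) == ("POST", "/api/scan"):
            return {"scanId": "uuid", "status": "running"}
        if path.startswith("/api/scan?id="):
            state["polls"] += 1
            done = state["polls"] >= polls_until_done
            return {"id": "uuid", "status": "completed" if done else "running",
                    "overall_risk": 74}
        if path.startswith("/api/vulnerabilities?"):
            return vulns
        if path.startswith("/api/attack-paths?"):
            return {"graph": {"nodes": [], "edges": []},
                    "paths": [{"name": "Admin Panel Takeover", "score": 98}]}
        raise ValueError(f"unexpected request {method} {path}")
    return send


if __name__ == "__main__":
    # Against a live instance: run_scan(http_transport("https://<host>", "<key>"), "https://example.com")
    result = run_scan(fake_transport(), "https://example.com", sleep=lambda _: None)
    print(json.dumps(result, indent=2))
```

The poll loop is bounded (max_polls) and treats any unexpected status as terminal, so an automation job cannot hang on a scan that never reaches "completed". Scan identifiers are URL-encoded before being placed in the query string rather than interpolated raw.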

⚠ Authorised Use Only

Only scan websites you own or have explicit written permission to test. Automated scanning of third-party sites without permission may violate computer fraud laws. This tool is for authorised penetration testing, bug bounty programs, and security research only.