VolPen

Passive vulnerability scanner for web apps. Detects OWASP Top 10, API security issues, and RLS (Row Level Security) problems.

VolPen is a local-first Chrome security scanner for developers building modern web apps. It watches your app's network traffic while you browse, flags risky endpoints, safely proves exploitable issues, and produces paste-ready fix briefs you can hand to Cursor, Copilot, Claude Code, or any AI coding assistant. It is built for the developers most traditional scanners miss: solo builders, AI-assisted teams, and anyone shipping a SaaS product faster than a formal pentest can keep up with. ── WHAT VOLPEN DETECTS (19 PASSIVE RULES) ────────────────────── Auth & Tenant Security • Cross-tenant data leakage between user accounts • Insecure Direct Object Reference (IDOR) via sequential IDs • Mass assignment via unchecked request fields • Broken object-level / function-level authorization • Inconsistent authorization checks across endpoints API Security • Rate limiting gaps on auth and write endpoints • CORS misconfiguration (reflected Origin, wildcard with credentials) • Weak JWT handling (none algorithm, weak secrets, missing claims) • Excessive data exposure in API responses • Missing OAuth flow validation (PKCE, state parameter) • JWT with insecure defaults or missing claims OWASP Top 10 & Web Basics • Reflected XSS — user-controlled input echoed in responses • DOM-based XSS — unsafe JavaScript sinks in page code • SQL injection signals — error-based and boolean-based patterns • Missing CSRF tokens on state-changing requests • Cookie flag hygiene — missing Secure, HttpOnly, SameSite flags • Sensitive data exposure in URLs and query strings • Open redirects — unvalidated redirect parameters • Mixed content on HTTPS pages • Error disclosure — stack traces and verbose error messages • Version disclosure — framework and server version leakage • Artifact exposure — .env files, backup files, and source maps left accessible • Secrets in client-side code — API keys, tokens, and credentials in JS bundles • Header leakage — overly verbose headers exposing server internals ── ACTIVE PROOF (8 CONSENT-GATED PROBES) ─────────────────────── When a passive finding is suspicious, VolPen can safely replay requests to confirm real exploitability. Every write-capable probe is locked behind explicit per-domain consent: • IDOR — Replays a request with an adjacent sequential ID to confirm access control gaps. • CROSS_TENANT — Substitutes a tenant identifier observed in another session to test isolation. • MASS_ASSIGNMENT — Injects escalation fields (is_admin, role, plan_tier) into request bodies. • AUTH_STRIP — Removes the Authorization header and checks whether the endpoint still responds with data. • HEADER_STRIP — Strips security headers and tests whether CORS or other protections collapse. • SWEEP_TENANT — Systematically tests multiple tenant IDs across endpoints. • SWEEP_IDOR — Bulk-probes sequential IDs across resource endpoints. • SWEEP_MASS_ASSIGN — Tests multiple escalation payloads against write-capable endpoints. All probes respect the domain-lock scope and require explicit opt-in before any request is replayed. ── OPTIONAL AI LAYER (BRING-YOUR-OWN KEY) ────────────────────── Plug in a Groq API key — or any OpenAI-compatible provider — to unlock: • validate-finding — Filters noisy passive detections by asking an LLM whether a finding is likely a true positive given the full context. • validate-active-result — Reads replay outcomes to confirm whether a mutation (e.g., mass assignment) was actually processed server-side. • generate-payload — Suggests targeted payloads based on endpoint profiling: path parameters, query strings, and observed request schemas. • remediate — Produces a clean, language- and framework-specific code fix pattern with before/after code snippets. • AI Fix Instructions — Generates a consolidated markdown brief covering all findings in one scan. Paste it into Cursor, Copilot, Claude Code, or Devin to apply fixes across your entire codebase. Secrets and request bodies are redacted client-side before any request. AI is OFF by default and requires your own API key — no credentials are bundled or shared. ── HOW IT WORKS ──────────────────────────────────────────────── VolPen drives a guided 5-step workflow inside the popup: Step 1 — CAPTURE Click "Start Scan" to lock onto the current tab. Browse your app normally — log in, navigate, submit forms, trigger API calls. VolPen passively observes every request and response, groups them by endpoint, and builds a route map of your application. Step 2 — REVIEW The popup automatically advances to show all passive findings grouped by severity (Critical, High, Medium, Low, Info). Each finding includes the affected endpoint, evidence snippets (specific header values, response fragments, or URL patterns), and reproduction context so you can understand and triage quickly. Step 3 — PROVE (optional) For findings where passive detection is uncertain, click "Verify" to replay the request with a targeted mutation. VolPen confirms whether the vulnerability is actually exploitable. Every write-capable probe requires an additional consent gate — read-only probes replay safely; write-capable ones are disabled by default and must be explicitly enabled per domain. Step 4 — AI (optional, skippable) If you've provided an API key, VolPen runs LLM-based validation and generates remediation guidance. You can skip this step entirely — all core functionality works without AI. Step 5 — OUTPUT Export your results as JSON or Markdown, copy a paste-ready AI coder prompt, or click "Start new scan" to reset and test a different application. ── ENDPOINT SWEEP (DOMAIN-WIDE RLS AUDIT) ───────────────────── Beyond the guided workflow, VolPen can systematically audit every endpoint your app exposes for Row Level Security (RLS) gaps: • Sweeps all discovered endpoints with cross-tenant and IDOR probes. • Groups results by endpoint, showing which ones leak data between tenants or users. • Exports a full-domain security posture report you can share with your team. This feature is ideal for SaaS developers who need to verify that tenant isolation holds across the entire API surface, not just the endpoints they happened to browse during a scan. ── OUTPUT & REPORTING ────────────────────────────────────────── VolPen produces actionable output, not just a list of findings: • JSON export — Machine-readable output for CI/CD integration or custom tooling. • Markdown / HTML executive report — Human-readable summary with severity counts, affected endpoints, and evidence. • AI coder prompt — A copy-ready block containing the endpoint URL, vulnerability description, evidence, root cause analysis, and a framework-specific patch pattern. Paste it directly into Cursor, Copilot, or any AI assistant to get an immediate fix. • AI Fix Instructions (multi-finding) — When you have multiple findings, generate a single consolidated brief that covers every issue in one scan, prioritized by severity and grouped by endpoint. ── PRIVACY & SAFETY ─────────────────────────────────────────── • Local-first — Detection runs entirely inside the extension. Raw traffic, headers, bodies, and tokens stay on your machine by default. • No telemetry — VolPen does not phone home. The developer has no analytics, tracking, or server-side collection. • Strict Manifest V3 posture — Content Security Policy enforced; no remote code execution; no eval; no unsafe-inline. All JavaScript is bundled and shipped inside the extension package. • Consent gates — Any replay or mutation that could change server state requires explicit confirmation for the current domain. • Tab-scoped capture — Scans are pinned to the exact tab and origin you start from to prevent accidental cross-site collection. • Sanitization — If you enable the optional AI layer, finding summaries are redacted before transmission: only rule IDs, URL paths, header names, and short evidence snippets leave the device. Raw request bodies, authentication tokens, and sensitive data are never transmitted. • Read-only observation — The passive scanner never modifies, blocks, or redirects any network request. ── WHO IT IS FOR ────────────────────────────────────────────── • Solo founders and indie developers shipping SaaS products who need a quick security check before going live. • AI-assisted development teams using Cursor, GitHub Copilot, Claude Code, or Devin who want vulnerability findings in a format their AI tools can immediately fix. • Security-minded developers who want a pre-flight check before engaging a professional penetration testing firm. • QA engineers and engineering leads hardening staging environments and verifying tenant isolation across API surfaces. • Bug bounty hunters looking for a fast first-pass scan to identify promising targets for deeper manual testing. ── WHO IT IS NOT FOR ────────────────────────────────────────── • VolPen is NOT a replacement for a professional penetration test. It catches obvious and business-logic issues early, but it does not replace a thorough, human-led security assessment. • VolPen is NOT a production monitoring tool. It is designed for development and staging environments. • VolPen does NOT perform destructive testing. Active probes are scoped and consent-gated to minimize risk. ── TECHNICAL DETAILS ────────────────────────────────────────── • Manifest V3 — Built on Chrome's latest extension architecture with strict content security policies. • Passive engine — 19 detection rules covering OWASP Top 10, API security, and Row Level Security (RLS) issues. • Active engine — 8 consent-gated probes that replay requests to confirm exploitability. • Endpoint profiling — Builds JSON schema snapshots from observed request/response bodies to generate context-aware payloads. • Multi-provider LLM routing — Supports Groq, OpenAI, and any OpenAI-compatible API endpoint. User-configurable model selection. • Rate limiting — Built-in rate limiter for LLM API calls to respect provider quotas. • Findings deduplication — Groups detections by endpoint and vulnerability type to avoid alert fatigue. • IndexedDB storage — Persisted findings survive popup closure and browser restarts; session state clears on browser close. • No remote code — All JavaScript is bundled; no eval, no dynamic imports, no external script loading. ── BEST PRACTICES ───────────────────────────────────────────── • Start on localhost or staging. Passive capture is low risk, but active replay should only be used on applications you own or have explicit permission to test. • Run a full scan after every major feature release to catch regressions in authorization logic or new data exposure issues. • Use the Endpoint Sweep feature to audit your entire API surface for RLS gaps before a major launch. • Export findings to JSON and integrate into your CI/CD pipeline for automated security gates. • Use the AI Fix Instructions feature to batch-remediate all findings in a single prompt to your AI coding assistant. • Never run active probes against production systems without explicit authorization and a rollback plan. ── PERMISSIONS EXPLAINED ────────────────────────────────────── • webRequest — Observes HTTP request/response metadata to detect vulnerabilities. Does NOT use webRequestBlocking; no requests are modified or blocked. • storage — Persists findings, settings, and session state locally in chrome.storage. No cloud sync. • activeTab — Identifies the current tab when you open the popup to establish the scan's domain lock. • tabs — Monitors tab lifecycle events to detect navigation and clean up scan state. • alarms — Keeps the background service worker alive during long scans (MV3 terminates idle workers after ~30 seconds). • scripting — Injects a bundled network interceptor to capture request/response bodies. No remote code is loaded. • Host permissions (http://*/*, https://*/*) — Required because the extension can scan any web application the user chooses. All scanning is domain-locked to the single tab you select — no other sites are inspected. ── SUPPORT & FEEDBACK ───────────────────────────────────────── VolPen is actively developed. If you encounter a bug, have a feature request, or want to report a false positive, please reach out through the support channel listed in the store listing. ── LICENSE ──────────────────────────────────────────────────── VolPen is open source under the Apache License 2.0