Loading repository data…
Loading repository data…
tmticsec / repository
Security scanner for applications built with vibe-coding platforms and AI agents. Performs automatic stack fingerprinting, JavaScript bundle static analysis, endpoint discovery, active security testing, and generates an interactive HTML report with finding validation.
Security scanner for applications built with vibe-coding platforms and AI agents. Performs automatic stack fingerprinting, JavaScript bundle static analysis, endpoint discovery, active security testing, and generates an interactive HTML report with finding validation.
Author: Thiago Muniz
LinkedIn: linkedin.com/in/tmtic
Instagram: @eutmtic
ACADILOVABLE detects and analyzes applications generated by the following platforms:
| Platform | Typical stack detected |
|---|---|
| Lovable | Supabase + React + Vite |
| v0.dev | Next.js + Vercel + Prisma/Drizzle |
| Bolt.new | Firebase/Supabase + React/Vue |
| Replit Agent | Flask/FastAPI or Node.js + PostgreSQL |
| Cursor | Any stack |
| Windsurf (Codeium) | Any stack |
| Claude Code | Any stack |
| GPT-Pilot | FastAPI + PostgreSQL |
| Devin (Cognition Labs) | Any stack |
| Aider | Any stack |
| GitHub Copilot Workspace | Any stack |
| Plandex | Any stack |
| Melty | Any stack |
| AllHands / OpenDevin | Python + Docker |
| Sourcegraph Cody | Any stack |
| Amazon Q Developer | AWS + any stack |
| Supermaven | Any stack |
Supabase · Firebase · Convex · PocketBase · Neon · PlanetScale · Express · FastAPI · Flask · Django · Hono · Elysia
Prisma · Drizzle · TypeORM · SQLAlchemy · tRPC
Supabase Auth · Firebase Auth · Clerk · Auth0 · NextAuth.js · Lucia · Better-Auth
Vercel · Netlify · Railway · Render · Fly.io · Cloudflare Pages · Replit
git clone https://github.com/tmtic/acadilovable.git
cd acadilovable
chmod +x acadilovable.sh
Check dependencies:
./acadilovable.sh --check-deps
Auto-install missing dependencies (detects OS automatically):
./acadilovable.sh --install-deps
| OS | Package manager used |
|---|---|
| Ubuntu / Debian | apt-get |
| CentOS / RHEL / Fedora | dnf or yum |
| Arch Linux | pacman |
| macOS | brew (requires Homebrew) |
| Alpine Linux | apk |
Required: bash 4+ · curl · python3 3.8+ · grep · sed · awk
Optional: jq · git
./acadilovable.sh -u <URL> [OPTIONS]
| Flag | Description |
|---|---|
-u, --url <URL> | Target application URL (required) |
| Flag | Behavior |
|---|---|
--quick | Passive analysis only — no active HTTP probing |
--full | Deep scan — crawl depth 5, 100 rows per table, full fuzzing |
| (default) | All phases with moderate depth and timeouts |
| Flag | Description |
|---|---|
--skip-download | Reuse previously downloaded JS assets (faster re-scan) |
--no-probe | Skip all active HTTP probing entirely |
--timeout <sec> | Per-request HTTP timeout (default: 12s) |
--detect | Only detect if the app was built with vibe-coding (fast, no full scan) |
Two modules are disabled by default to avoid generating noise in the target's WAF, SIEM and IDS:
| Flag | What it enables |
|---|---|
--enable-injection | SQLi, NoSQLi, SSTI, CMDi — tests parameters on dynamic endpoints |
--enable-ssrf | SSRF against cloud metadata (AWS IMDS, GCP, Azure) |
--aggressive | Enables injection + SSRF + full scan |
| Flag | Description |
|---|---|
-q, --quiet | Show only vulnerabilities and final summary |
-v, --verbose | Detailed debug output for each test |
--json | Write machine-readable summary to scan.json |
--out <dir> | Custom output directory |
| Flag | Description |
|---|---|
--validate [dir] | Generate validate_findings.sh from an existing scan output |
--check-deps | Check if all prerequisites are installed |
--install-deps | Auto-install missing prerequisites |
-h, --help | Show full help |
# Lovable app (Supabase + React)
./acadilovable.sh -u https://myapp.lovable.app
# v0.dev or Vercel app (Next.js)
./acadilovable.sh -u https://myapp.vercel.app
# Bolt.new app (Firebase)
./acadilovable.sh -u https://myapp.web.app
# Replit app (any stack)
./acadilovable.sh -u https://myapp.replit.app
# Detect only — is this a vibe-coding app?
./acadilovable.sh -u https://target.com --detect
# Passive scan only (no active requests)
./acadilovable.sh -u https://target.com --quick
# Full scan with all active tests enabled
./acadilovable.sh -u https://target.com --aggressive
# Re-scan reusing existing assets, JSON output
./acadilovable.sh -u https://target.com --skip-download --json
# Generate validator from a previous scan
./acadilovable.sh --validate output/myapp.lovable.app
# Check installed dependencies
./acadilovable.sh --check-deps
The scan runs in 6 sequential phases.
Locates and downloads the application's JavaScript bundle. First attempts via sw.js (service worker precache), then falls back to index.html script tag scraping. The bundle is the main compiled file containing all SPA code.
Statically analyzes the JavaScript bundle to extract:
.from(), RPCs via .rpc(), Edge Functions, Storage buckets, query chains with filter analysisfetch() and axios() calls found in the code with their HTTP methods.map files that expose the original pre-build source codeprocess.env.SECRET_KEY and similar server-only vars in the client bundleAny third-party API key found in the bundle is immediately reported as a finding.
Three tasks run in parallel:
Stack fingerprinting analyzes HTTP response headers, bundle content and URL patterns to identify the frontend framework, backend/BaaS, ORM, auth provider and hosting platform.
Web crawler recursively traverses the application (depth 3 on standard profile, 5 on --full), cataloging URLs, content-types, sizes and paths that appear interesting (admin, api, dashboard, config, debug, etc.).
Sensitive file scanner probes 70+ known sensitive paths — .env, .git/HEAD, backup.sql, swagger.json, actuator/env, phpinfo.php, docker-compose.yml, and many more — reporting any that are accessible with their content preview.
After discovery, the database schema is extracted via PostgREST OpenAPI (Supabase) or Swagger and a complete endpoint map is built.
The JWT anon key found in the bundle is decoded and analyzed:
anon vs service_role)alg=none, role escalation to service_role, null signatureThe most extensive phase. Tests run in the following order:
Headers & CORS
Verifies presence and quality of: CSP (with unsafe-inline and unsafe-eval analysis), HSTS (presence and max-age value), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
Tests CORS by sending Origin: https://evil.example.com and checking whether the server reflects the origin, returns a wildcard *, or properly restricts it.
Platform-specific scanners
Activated based on the detected stack:
Supabase: unauthenticated access sweep on all mapped endpoints; IDOR with alternative UUIDs; PostgREST OR filter bypass (?or=(id.gt.0)); CSV export without auth; JWT attacks (alg=none, role escalation); Storage bucket listing; rate limiting detection on login/signup/recover.
Firebase: unauthenticated Firestore read via REST API; Realtime Database with .json suffix; Storage bucket listing; weak password policy on signup; email enumeration via accounts:createAuthUri.
Next.js/Vercel: build ID extraction and /_next/data/{buildId}/*.json enumeration; exposed source maps; server-only env vars in client bundle; NextAuth /api/auth/session without authentication; unauthenticated tRPC endpoints.
GraphQL: introspection enabled in production; no query depth limit (DoS risk); batch query acceptance without limit (DoS risk); SQLi through GraphQL variables.
Intelligent endpoint classification
Before any active test runs, the classifier analyzes all endpoints and assigns scores per attack vector:
file-serving (high traversal score): routes like /download, /file, /doc, parameters ?file=, ?path=api-dynamic (high injection score): routes like /search, /users, /query with GET/POST parametersurl-fetching (high SSRF score): routes like /webhook, /proxy, /import, parameters ?url=, ?redirect=supabase-rest (score -100 for all active tests): handled by the dedicated Supabase scannerstatic (skip entirely): .js, .css, .png, etc.Each scanner only receives relevant candidates, with a time budget per test (60s traversal, 90s injection, 45s SSRF) and early-exit when consecutive misses accumulate on low-score endpoints.
OWASP Top 10 (A01–A10)
Systematically tests each category with CVSS score, MITRE ATT&CK technique ID and WSTG test ID mapped to every finding.
Covers: directory listing, .git/HEAD exposure, .env exposure, verbose error pages with stack traces, server version disclosure, cookies without HttpOnly/Secure/SameSite, external scripts without SRI, HTTP TRACE method, reflected XSS probe, open redirect (distinguishes server-side from client-side SPA behavior).
Injection tests (optional — --enable-injection)
SQLi via GET params and POST body (payloads: ' OR '1'='1, 1 UNION SELECT NULL--, single quote for error triggering); SSTI by detecting {{7*7}} reflected as 49; CMDi with ; id, $(id); NoSQLi with {"$ne": null}.
SSRF tests (optional — --enable-ssrf)
Probes URL-like parameters (url, redirect, webhook, proxy, image, src, feed) with cloud metadata targets: AWS IMDS 169.254.169.254/latest/meta-data/iam/, GCP metadata, Azure IMDS, localhost, 127.0.0.1.
Runs only when Supabase is detected:
Database query: performs SELECT on all discovered tables using the anon key, reporting how many rows return and detecting PII columns (email, phone, cpf, address, full_name, birth_date, etc.). Tests CSV export on each table.
User enumeration: probes the admin API (/auth/v1/admin/users), tables with user-related names (profiles, users, accounts, members), user enumeration via password reset (different responses for existing vs non-existing emails), exposed audit log.
RPC probing: tests 16 potentially dangerous RPC name patterns (exec_sql, run_query, pg_read_file, pg_ls_dir, etc.) and checks for direct access to information_schema via PostgREST.
All results are saved to output/<domain>/:
| File | Contents |
|---|---|
report.html | Full interactive dashboard — dark mode, filterable tables, OWASP findings, endpoint map, crawler results, database data |
findings.txt | Sequential log of all findings — VULN:, MISCONFIG:, extracted variables |
validate_findings.sh | Auto-generated script to validate each finding with real curl commands |
owasp.json | OWASP findings with CVSS score, MITRE ATT&CK ID and WSTG ID |
platform.json | Detected stack — platform, frontend, backend, auth, hosting, credentials found |
endpoints.txt | METHOD|URL|SOURCE|TAG for every mapped endpoint |
classified.json |