$ npx vibeshield scan --url

Your vibe-coded app has 0 critical vulnerabilities.

Security scanner built for Lovable, Bolt, Cursor & Replit apps. Find. Fix. Ship safe.

20 scanner modules
OWASP Top 10 coverage
~89%* apps vulnerable
<3 min typical scan time
Attack Surface

20 scanners. Broad automated coverage.

Critical

SQL & NoSQL Injection

Error-based, blind, time-based, and UNION injection across all endpoints. We test every parameter your AI generated — the ones you never reviewed.

Sample scan output:

CRITICAL SQLi in /api/users?id=

CRITICAL SSRF via /api/proxy?url=

HIGH IDOR in /api/orders/42

HIGH CVE-2024-1234 in lodash@4.17.20

Critical

Exposed Secrets

JS bundles scanned for leaked API keys — OpenAI, Stripe, AWS, Supabase & 20+ more.

Critical

SSRF Detection

Cloud metadata probes, internal service access, DNS rebinding — 30 payloads including AWS, GCP, Azure.

Critical

OS Command Injection

Detects remote code execution vectors via shell metacharacters and blind out-of-band payloads.

Critical

IDOR / Access Control

ID enumeration, missing auth on API endpoints, horizontal privilege escalation.

Critical

Database Exposure

TCP port scanning for MySQL, PostgreSQL, MongoDB, Redis. Default credential checks.

Critical

Dependency Audit

CVE checks via OSV database, typosquatting detection, outdated packages in JS bundles.

High

XSS Scanner

Reflected & stored cross-site scripting in forms, URL params, and API responses.

High

Template Injection

Finds SSTI vulnerabilities in modern and legacy rendering engines leading to code execution.

High

Data Leakage

Scans API responses and error stacks for exposed PII, emails, credit cards, and SSNs.

High

CSRF Protection

Missing CSRF tokens in forms, no Origin validation, SameSite cookie analysis.

High

Supabase Auditing

Detects misconfigured RLS policies, exposed service keys, and unprotected buckets.

High

Firebase Security

Identifies open Firestore rules, leaked configs, and publicly writable, unauthenticated storage.

High

GraphQL Security

Introspection exposure, query depth DoS, unlimited batch queries, and weak authorization.

High

Client-Side Auth

Detects JS-only admin checks, localStorage auth, route guards without server verification.

High

Info Disclosure

Exposed .env, .git, debug endpoints, stack traces, and verbose server version headers.

Medium

Open Redirect

Redirect parameter fuzzing with 10+ bypass techniques — phishing via your domain.

Medium

Transport & Headers

SSL/TLS weaknesses, missing CSP, missing HSTS, missing X-Frame, and CORS misconfigurations.

Workflow

Paste. Scan. Fix.

STEP 01

Enter URL

Paste your deployed app URL. We attack from the outside — like a real hacker.

STEP 02

Auto Scan

20 scanners run automatically. SQLi, SSRF, CSRF, IDOR, dependencies, GraphQL, secrets & more.

STEP 03

AI Fix Prompts

Each finding includes a copy-paste fix prompt for Cursor, Claude, or ChatGPT.

Pricing

Start free. No credit card.

Starter

$0 Free plan
  • 3 scans / month
  • Full vulnerability report
  • Fix prompts
  • Community support

Pro

$19/month
  • Unlimited scans
  • Priority scanning
  • PDF export
  • Slack alerts
  • Email support

Team

$49/month
  • Everything in Pro
  • 5 team members
  • CI/CD integration
  • API & webhooks
  • Dedicated support
~89% of vibe-coded apps have critical vulnerabilities*

Ship code, not exploits.

60-second scan. AI-powered fix prompts. Zero configuration.
