
Pirikara/vuln-chaser-core

vuln-chaser-core

Pattern-Free Interactive Application Security Testing (IAST) Analysis Engine

vuln-chaser-core is a revolutionary LLM-powered vulnerability analysis engine that performs creative, unrestricted security testing without predefined patterns or rules.

🌟 Key Features

  • Pattern-Free Analysis: No predefined vulnerability patterns - discovers novel attack vectors
  • Creative Security Intelligence: LLM-driven analysis that thinks like a creative attacker
  • Runtime-Based Discovery: Analyzes actual execution traces for real-world vulnerability detection
  • Novel Vulnerability Classification: Creates custom vulnerability categories as needed
  • Evidence-First Approach: Reports only vulnerabilities with clear execution evidence

🏗️ Architecture

Ultra-Simplified Design

vuln-chaser-core/
├── main.py                      # FastAPI server with /health, /api/traces/batch, /report endpoints
├── run_server.py               # Server startup script
├── requirements.txt            # Python dependencies
└── services/
    ├── vulnerability_analyzer.py   # Pattern-Free LLM analysis engine (347 lines)
    └── openrouter_client.py       # LLM communication via OpenRouter API

Pattern-Free Workflow

  1. Trace Collection: Receives execution traces from vuln-chaser-ruby agent
  2. Direct LLM Analysis: Sends traces directly to LLM for creative analysis
  3. Novel Classification: LLM creates custom vulnerability classifications
  4. Evidence-Based Results: Returns vulnerabilities with clear execution evidence

🚀 Quick Start

Prerequisites

  • Python 3.9+
  • OpenRouter API key for LLM access

Installation

# Navigate to the project directory (after cloning the repository)
cd vuln-chaser-core

# Install dependencies
pip install -r requirements.txt

# Set API key
export OPENROUTER_API_KEY="your-api-key-here"

# Start server
python run_server.py

Server will be available at http://localhost:8000

Health Check

curl http://localhost:8000/health

View Vulnerability Report

Open http://localhost:8000/report in your browser

📡 API Endpoints

POST /api/traces/batch

Analyze execution traces for vulnerabilities

Request Format:

{
  "batch_id": "uuid",
  "timestamp": "2025-01-01T00:00:00Z",
  "traces": [
    {
      "trace_id": "trace-001",
      "request_info": {
        "method": "GET",
        "path": "/users/search",
        "params": {"name": "test"},
        "headers": {"cookie": "session_id=abc"}
      },
      "execution_trace": [
        {
          "method": "UserSearch#build_query",
          "file": "app/services/user_search.rb",
          "line": 15,
          "source": "SELECT * FROM users WHERE name LIKE '%#{params[:name]}%'",
          "context": "SQL query construction with direct parameter interpolation"
        }
      ]
    }
  ]
}

Response Format:

{
  "batch_id": "uuid",
  "results": [
    {
      "trace_id": "trace-001",
      "vulnerabilities": [
        {
          "vulnerability_classification": "Unsafe SQL Parameter Interpolation",
          "severity": "high",
          "confidence": 1.0,
          "affected_component": "UserSearch#build_query",
          "description": "Direct interpolation of user input into SQL query",
          "evidence": "Line 15 shows direct #{params[:name]} interpolation",
          "attack_scenario": "Attacker can inject SQL code via name parameter",
          "business_impact": "Complete database compromise possible",
          "remediation_strategy": "Use parameterized queries instead"
        }
      ],
      "analysis_metadata": {
        "model": "google/gemini-2.5-flash-lite-preview-06-17",
        "response_time_ms": 4318,
        "cost_usd": 0.0002,
        "pattern_free_analysis": true
      }
    }
  ],
  "analysis_time_ms": 4318,
  "cost_usd": 0.0002
}
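
Because each finding is written by an LLM, a consumer of this response can confirm that a finding points at a frame the agent actually submitted before it reaches the report. The check below is an added example, not code from vuln-chaser-core; the function name `ungrounded_findings`, the sample data and the "Line N" evidence convention are assumptions taken from the request and response shapes shown above.

```python
import re

# Constructed sample data in the request/response shapes documented above.
BATCH = {"traces": [{
    "trace_id": "trace-001",
    "execution_trace": [{
        "method": "UserSearch#build_query",
        "line": 15,
        "source": "SELECT * FROM users WHERE name LIKE '%#{params[:name]}%'",
    }],
}]}
RESPONSE = {"results": [{
    "trace_id": "trace-001",
    "vulnerabilities": [
        {"vulnerability_classification": "Unsafe SQL Parameter Interpolation",
         "affected_component": "UserSearch#build_query",
         "evidence": "Line 15 shows direct #{params[:name]} interpolation"},
        # Constructed finding that cites a frame the agent never sent.
        {"vulnerability_classification": "Hardcoded Secret",
         "affected_component": "Billing#charge",
         "evidence": "Line 88 embeds an API key"},
    ],
}]}

def ungrounded_findings(batch, response):
    """Return (trace_id, classification, reason) for findings the trace does not back."""
    frames = {t["trace_id"]: t.get("execution_trace", []) for t in batch["traces"]}
    problems = []
    for result in response.get("results", []):
        steps = frames.get(result["trace_id"])
        if steps is None:
            problems.append((result["trace_id"], None, "unknown trace_id"))
            continue
        methods = {s.get("method") for s in steps}
        lines = {s.get("line") for s in steps}
        for v in result.get("vulnerabilities", []):
            name = v.get("vulnerability_classification")
            if v.get("affected_component") not in methods:
                problems.append((result["trace_id"], name, "component not in trace"))
                continue
            # Every line number quoted in the evidence must exist in the trace.
            cited = {int(n) for n in re.findall(r"[Ll]ine (\d+)", v.get("evidence", ""))}
            if cited and not cited <= lines:
                problems.append((result["trace_id"], name, "cited line not in trace"))
    return problems
```

Findings returned by this function are candidates for manual review or suppression rather than automatic deletion, since the evidence text is free-form.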

GET /health

Server health check

GET /report

HTML vulnerability report dashboard

GET /metrics

Analysis performance metrics and cache statistics

🔧 Configuration

Environment Variables

  • OPENROUTER_API_KEY: Required for LLM analysis
  • OPENROUTER_MODEL: LLM model (default: google/gemini-2.5-flash-lite-preview-06-17)
  • LOG_LEVEL: Logging level (default: INFO)

Supported LLM Models

  • google/gemini-2.5-flash-lite-preview-06-17 (recommended for cost/performance)
  • google/gemma-2-27b-it (higher quality analysis)
  • anthropic/claude-3.5-sonnet (excellent for security analysis)

🎯 Pattern-Free Analysis Examples

Traditional Pattern-Based Tools

❌ Searches for: "SELECT * FROM users WHERE id = " + user_input
❌ Pattern: Known SQL injection signatures
❌ Result: Limited to predefined patterns

vuln-chaser Pattern-Free Analysis

✅ Analyzes: Actual execution trace with full context
✅ LLM Assessment: "Direct parameter interpolation without sanitization"  
✅ Creative Classification: "Unsafe SQL Parameter Interpolation"
✅ Novel Attack Scenarios: Context-specific exploitation methods

🔍 Real-World Detection Examples

SQL Injection Detection:

# Vulnerable Code in Trace
SELECT * FROM users WHERE name LIKE '%#{params[:name]}%'

# Pattern-Free Analysis Result
{
  "vulnerability_classification": "Unsafe SQL Parameter Interpolation",
  "severity": "high",
  "confidence": 1.0,
  "attack_scenario": "Attacker submits 'test' OR '1'='1 to bypass LIKE clause",
  "remediation_strategy": "Use User.where('name LIKE ?', \"%#{params[:name]}%\")"
}

📊 Performance

  • Analysis Speed: ~4 seconds per trace
  • Cost: ~$0.0002 per analysis
  • Cache Hit Rate: 60-80% (intelligent deduplication)
  • Memory Usage: <50MB additional overhead

🛡️ Security Features

  • Data Sanitization: Automatic PII and credential filtering
  • Rate Limiting: Built-in request throttling
  • CORS Protection: Configurable origin restrictions
  • Error Handling: Graceful failure modes

🔗 Integration

vuln-chaser-core is designed to work with:

  • vuln-chaser-ruby: Rails application instrumentation agent
  • Custom Agents: Any system that can send execution traces

🧪 Testing

# Basic functionality test
curl -X POST http://localhost:8000/api/traces/batch \
  -H "Content-Type: application/json" \
  -d @sample_trace.json

# Check vulnerability report (`open` is the macOS launcher; use xdg-open on Linux)
open http://localhost:8000/report

🚨 Important Notes

  • Development Use Only: Not intended for production security scanning
  • LLM Dependency: Requires external LLM API for analysis
  • Source Code Exposure: Traces contain actual source code sent to LLM
  • Cost Awareness: LLM usage incurs costs per analysis
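
Since traces carry request headers, parameters and source lines to an external LLM, a custom agent can scrub credentials before posting a batch. The scrubber below is an added example and is not the project's built-in Data Sanitization; the header list, the parameter-name pattern, the secret-literal pattern and the sample batch are assumptions constructed for illustration.

```python
import copy
import re

SENSITIVE_HEADERS = {"cookie", "authorization", "x-api-key"}  # assumed list
SENSITIVE_PARAM = re.compile(r"pass|secret|token|key|session", re.I)
# Quoted literal assigned to a secret-looking name inside a source line.
SECRET_LITERAL = re.compile(
    r"\b(\w*(?:password|secret|token|api_key)\w*\s*[:=]+>?\s*)(['\"])[^'\"]+\2", re.I)

def scrub_trace(trace):
    """Return a deep copy of one trace with credentials replaced by [REDACTED]."""
    out = copy.deepcopy(trace)
    info = out.get("request_info", {})
    for name in info.get("headers", {}):
        if name.lower() in SENSITIVE_HEADERS:
            info["headers"][name] = "[REDACTED]"
    for name in info.get("params", {}):
        if SENSITIVE_PARAM.search(name):
            info["params"][name] = "[REDACTED]"
    for step in out.get("execution_trace", []):
        step["source"] = SECRET_LITERAL.sub(r"\1\2[REDACTED]\2", step.get("source", ""))
    return out

def scrub_batch(batch):
    """Scrub every trace in a batch without mutating the caller's copy."""
    return {**batch, "traces": [scrub_trace(t) for t in batch.get("traces", [])]}

# Constructed sample in the /api/traces/batch request shape.
SAMPLE = {
    "batch_id": "uuid",
    "traces": [{
        "trace_id": "trace-001",
        "request_info": {
            "method": "POST", "path": "/login",
            "params": {"name": "test", "password": "hunter2"},
            "headers": {"cookie": "session_id=abc", "accept": "text/html"},
        },
        "execution_trace": [
            {"method": "Mailer#connect", "line": 7,
             "source": "smtp_password = 'p4ss-constructed'"},
            {"method": "UserSearch#build_query", "line": 15,
             "source": "SELECT * FROM users WHERE name LIKE '%#{params[:name]}%'"},
        ],
    }],
}
```

The interpolated SQL line passes through unchanged, so the analyzer still sees the code path it needs while the cookie, password and embedded secret stay on the host.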

📈 Advantages Over Traditional IAST

| Feature | Traditional IAST | vuln-chaser Pattern-Free |
| --- | --- | --- |
| Vulnerability Detection | Pattern-based | Creative LLM analysis |
| New Attack Vectors | Limited to signatures | Discovers novel patterns |
| False Positives | High (pattern mismatches) | Low (evidence-based) |
| Maintenance | Constant pattern updates | Self-improving LLM |
| Customization | Fixed rules | Dynamic classification |
| Context Understanding | Limited | Full execution context |

🤝 Contributing

vuln-chaser-core is designed for simplicity and maintainability. When contributing:

  • Keep the Pattern-Free philosophy
  • Avoid adding predefined security rules
  • Focus on LLM analysis quality
  • Maintain the minimal architecture

📄 License

See parent project license for details.


Built with Pattern-Free philosophy for creative, unrestricted vulnerability discovery

About

IAST × LLM PoC
