flowpatrol_scan

Full security test with AI-powered crawling and attack simulation.

What it does

flowpatrol_scan runs a comprehensive security test against your running application. An AI agent explores your app — crawling routes, authenticating as test users, probing APIs, and trying to break access controls.

Cost: 5–8 credits depending on mode | Time: 15–30 minutes

Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| target_url | string | Yes | The URL of your deployed application |
| mode | string | No | standard (default) or deep |

Scan modes

| Mode | Credits | Time | Description |
|---|---|---|---|
| Standard | 5 | ~15 min | Auth testing, IDOR, injection, XSS, screenshot evidence |
| Deep | 8 | ~30 min | Everything in Standard plus multi-user IDOR, chained attacks, optional aggressive mode |

Example

Dashboard: Go to Scans → New Scan, enter your URL, select a scan mode, and click Start Scan.

MCP: Ask your AI assistant:

Run a Flowpatrol scan on https://myapp.vercel.app
Run a deep Flowpatrol scan on https://myapp.vercel.app

Scans require domain verification for custom domains. Localhost URLs are always allowed without verification.

What it tests

Authentication & sessions

  • Login bypass through parameter manipulation
  • Weak or predictable session tokens
  • Missing brute-force protection
  • OAuth misconfiguration and token leakage
  • Password reset flow vulnerabilities

Access control

  • IDOR — accessing other users' data by changing an ID in the URL or API request
  • Missing Row Level Security on Supabase tables
  • Privilege escalation (user → admin)
  • Unauthenticated API endpoints
  • Horizontal privilege escalation between organizations
  • Multi-user IDOR (Deep mode) — testing cross-user access with multiple authenticated sessions
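
What the multi-user IDOR item above checks for, shown as an added example that is not Flowpatrol's code: a cross-user access matrix run against your own handlers, with a vulnerable lookup beside a hardened one. The invoice records, handler names and session shape are constructed for illustration.

```javascript
// Constructed sample data: two users in different organizations, one invoice each.
const invoices = [
  { id: 1, ownerId: "alice", orgId: "org-a", total: 120 },
  { id: 2, ownerId: "bob", orgId: "org-b", total: 75 },
];

// Vulnerable: trusts the ID from the request and never consults the session.
function getInvoiceVulnerable(session, id) {
  const inv = invoices.find((i) => i.id === id);
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// Hardened: the lookup is scoped to the authenticated user, so a foreign ID
// behaves like a missing one (404 instead of 403 avoids confirming it exists).
function getInvoiceHardened(session, id) {
  if (!session || !session.userId) return { status: 401 };
  const inv = invoices.find((i) => i.id === id && i.ownerId === session.userId);
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// Cross-user matrix: every session, plus an anonymous caller, requests every
// record. Any 200 on a record the caller does not own is reported as a leak.
function crossUserLeaks(handler, sessions) {
  const leaks = [];
  for (const session of [...sessions, null]) {
    for (const inv of invoices) {
      const res = handler(session, inv.id);
      const isOwner = session !== null && session.userId === inv.ownerId;
      if (res.status === 200 && !isOwner) {
        leaks.push({
          as: session ? session.userId : "anonymous",
          invoiceId: inv.id,
          ownerId: inv.ownerId,
        });
      }
    }
  }
  return leaks;
}

const sessions = [{ userId: "alice" }, { userId: "bob" }];
console.log("vulnerable:", crossUserLeaks(getInvoiceVulnerable, sessions));
console.log("hardened:", crossUserLeaks(getInvoiceHardened, sessions));
```

Pair the leak check with a positive check that owners still receive their own records, otherwise a handler that denies everything would also report zero leaks.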

Business logic

  • Payment flow manipulation (price tampering, coupon abuse)
  • Unverified webhook endpoints (Stripe, etc.)
  • Feature flag bypass
  • Rate limit circumvention
  • State manipulation in multi-step workflows

Injection

  • SQL injection in search and filter parameters
  • Cross-site scripting (XSS) in user-generated content
  • Server-side request forgery (SSRF)
  • Command injection in file processing

Data exposure

  • API responses leaking internal fields
  • Verbose error messages with stack traces
  • Unprotected admin endpoints
  • Missing data filtering on list endpoints

How it works

  1. Reconnaissance — the agent discovers all routes, APIs, and auth flows
  2. Planning — an LLM analyzes the app's structure and generates targeted attack hypotheses
  3. Execution — each hypothesis is tested with real HTTP requests (and browser interactions when needed)
  4. Reporting — findings are validated, deduplicated, and ranked by severity

The scan runs in the background. When using the dashboard, the results page updates automatically when the scan completes. Via MCP, your AI assistant polls for completion and presents results when ready.

Results

When the scan completes, you get a structured report with:

  • Vulnerability category and severity (critical / high / medium / low)
  • Affected endpoint and HTTP method
  • CWE classification
  • Reproduction steps
  • Screenshot evidence (Standard and Deep modes)
  • Fix suggestions tailored to your stack

In the dashboard, results are displayed in an interactive view where you can filter, sort, and drill into individual findings. Via MCP, your AI assistant formats the same data inline in the chat.

Concurrency

Only one scan per account runs at a time. If you start a new scan while one is in progress, it will be queued.