frontpage.

Made with ♥ by @iamnishanth

Show HN: Berean Labs – Free AI-powered penetration testing for web apps

https://bereanlabs.com/
1•abliterationai•1h ago
Hey HN,

I'm sharing Berean Labs (https://bereanlabs.com), a free, autonomous AI penetration testing tool designed to catch client-side vulnerabilities, exposed secrets, and misconfigurations in your web apps before attackers do.

The Problem

Traditional DAST/SAST tools are often expensive, hard to configure, or generate massive amounts of false positives. They also sometimes lack the semantic understanding to realize that an exposed <!-- AWS_KEY=... --> comment or a specific combination of DOM sinks is actually a critical vulnerability. I wanted to build a tool that acts more like a junior red-teamer looking at your frontend code.

How it works under the hood

1. Domain Verification: To prevent abuse and random scanning, you first verify domain ownership via a DNS TXT record.
2. Safe Fetching: The Node.js backend fetches your target's HTML. I implemented strict SSRF protections here—it resolves DNS and explicitly blocks private/local IPs and localhost routing before fetching.
3. Attack Surface Extraction: Using Cheerio, the backend parses the DOM to extract a highly condensed "attack surface summary" to fit into the LLM context window. This includes forms, input fields, external script sources, suspicious inline scripts (e.g., eval, innerHTML), inline event handlers, and HTML comments.
4. AI Analysis: This sanitized context is fed into a specialized model (powered by Abliteration.ai) via a strict red-team system prompt.
5. Structured Reporting: The model enforces a JSON schema to return vulnerabilities ranked by severity, complete with CVSS scores, affected code snippets, and remediation steps.

It's completely free to use. I built this primarily to see how well current LLMs can perform context-aware security auditing on raw client-side output when given the right constraints.

I'd love for you to try it on your own domains and let me know what you think. Does it catch things your standard linters/scanners miss? Are there false positives that annoy you?

Check it out at: https://bereanlabs.com

Feedback, questions, and roasts of the architecture are highly welcome!

The Electric Tipping Point – Electric Aircraft

https://cascadiannick.substack.com/p/the-electric-tipping-point-electric
1•xbmcuser•4m ago•0 comments

Show HN: Wc-template – create custom elements using template and link

https://github.com/mfcc64/wc-template
1•mfcc64•5m ago•0 comments

Show HN: Fostrom, an IoT Cloud Platform built for developers

https://fostrom.io/
2•arjunbajaj•6m ago•0 comments

Show HN: Photobomb – cards against humanity but for your camera roll

https://www.photobomb.online/
1•alhwyn•8m ago•0 comments

Real Life Superpowers

https://jarbus.net/blog/real-life-superpowers/
1•jarbus•9m ago•0 comments

Proof Assistants in the Age of AI

https://leodemoura.github.io/blog/2026/02/18/proof-assistants-in-the-age-of-ai.html
1•matt_d•11m ago•0 comments

Show HN: Syne – AI agent that remembers everything, built on PostgreSQL

2•riyogarta•16m ago•0 comments

Edgequake-litellm – Rust-backed drop-in replacement for LiteLLM (v0.1)

https://github.com/raphaelmansuy/edgequake-llm
1•raphaelmansuy•17m ago•1 comments

Show HN: An e-ink air traffic monitor built with Cloudflare Workers

https://github.com/Jay9185/Trmnl-Aviation-monitor
2•jerr12939•20m ago•0 comments

Show HN: Intentify – Point at your UI, describe a change, get a PR

https://intentify.dev/
2•slad•22m ago•0 comments

A Guide to Which AI to Use in the Agentic Era

https://www.oneusefulthing.org/p/a-guide-to-which-ai-to-use-in-the
2•vinhnx•28m ago•0 comments

Show HN: Sinkai – Let AI agents hire humans for real-world tasks

https://sinkai.tokyo/for-agents
2•tetubrah•33m ago•0 comments

Democracy Fails Without Trust

2•silexia•37m ago•0 comments

Who moved my cheese? [pdf]

https://ia800305.us.archive.org/17/items/WhoMovedMyCheese_201604/Who%20Moved%20My%20Cheese.pdf
1•johnmw•43m ago•0 comments

Deceived – On Happiness

https://www.newsweek.com/macphersons-week-53-deceived-151417
1•milkcircle•47m ago•0 comments

Designing and Creating a Game Engine for Use in the Classroom [pdf]

https://airccse.org/journal/ijcgde/papers/1113cgdeij01.pdf
2•andsoitis•52m ago•0 comments

OpenAI and Paradigm Launches EVMbench to Test AIs on Smart Contract Security

https://timescrypto.com/cryptobuzz/ai-and-crypto/openai-paradigm-launches-evmbench-to-test-ai-cap...
1•Alan_Writer•58m ago•0 comments

Agentic Internet Protocol (AIP), an agent-only web built from small text pages

https://github.com/Tylersuard/aip-spec
3•tylersuard•1h ago•1 comments

Russia Eyes Balloon Communications System After Losing Starlink

https://www.twz.com/news-features/russia-eyes-balloon-communications-system-to-fill-massive-gap-l...
1•andrewflnr•1h ago•1 comments

Amazon service was taken down by AI coding bot

https://www.ft.com/content/00c282de-ed14-4acd-a948-bc8d6bdb339d
3•AmberLlama81•1h ago•1 comments

Agentic AI and the Mythical Agent Month

http://muratbuffalo.blogspot.com/2026/01/agentic-ai-and-mythical-agent-month.html
1•kukla3•1h ago•0 comments

LipoVive vs. Traditional Fat Burners: Which Is Safer for 2026?

https://www.morningstar.com/news/accesswire/1138075msn/lipovive-reviews-shocking-2026-report-what...
1•majifats•1h ago•1 comments

The Israeli Government Installed and Maintained Security System at Epstein Apt

https://www.dropsitenews.com/p/israeli-government-surveillance-epstein-apartment-66th-street-ehud...
2•computerliker•1h ago•0 comments

OpenClaw Partners with VirusTotal for Skill Security

https://openclaw.ai/blog/virustotal-partnership
1•leezmnet•1h ago•0 comments

Child's Play

https://harpers.org/archive/2026/03/childs-play-sam-kriss-ai-startup-roy-lee/
1•scruple•1h ago•0 comments

The Lost Internet: Searching for Debian Woody Sources

https://old.reddit.com/r/debian/comments/14dca1j/installing_debian_woody_but_sources_are_not_found/
2•robinsrowe•1h ago•1 comments

West Virginia sues Apple for prioritizing user privacy over child safety

https://www.reuters.com/sustainability/boards-policy-regulation/west-virginia-says-it-has-sued-ap...
2•staringforward•1h ago•1 comments

Japan's largest toilet maker is undervalued AI play, says activist investor

https://www.ft.com/content/4252e45f-75fb-4dfc-aebe-72de48b7fb8e
1•polisaez•1h ago•0 comments

Reading the undocumented MEMS accelerometer on Apple Silicon MacBooks via iokit

https://github.com/olvvier/apple-silicon-accelerometer
2•todsacerdoti•1h ago•0 comments

Show HN: Prompt Indexing for ChatGPT Session

https://github.com/rushil-b-patel/chatGPT-prompt-indexer
1•rushil_b_patel•1h ago•0 comments