frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Show HN: MCP App to play backgammon with your LLM

https://github.com/sam-mfb/backgammon-mcp
2•sam256•23m ago•0 comments

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

https://github.com/valdanylchuk/breezydemo
241•isitcontent•16h ago•26 comments

Show HN: I spent 4 years building a UI design tool with only the features I use

https://vecti.com
343•vecti•18h ago•153 comments

Show HN: If you lose your memory, how to regain access to your computer?

https://eljojo.github.io/rememory/
307•eljojo•19h ago•190 comments

Show HN: I'm 75, building an OSS Virtual Protest Protocol for digital activism

https://github.com/voice-of-japan/Virtual-Protest-Protocol/blob/main/README.md
5•sakanakana00•1h ago•1 comments

Show HN: I built Divvy to split restaurant bills from a photo

https://divvyai.app/
3•pieterdy•1h ago•0 comments

Show HN: R3forth, a ColorForth-inspired language with a tiny VM

https://github.com/phreda4/r3
77•phreda4•15h ago•14 comments

Show HN: Smooth CLI – Token-efficient browser for AI agents

https://docs.smooth.sh/cli/overview
93•antves•1d ago•69 comments

Show HN: ARM64 Android Dev Kit

https://github.com/denuoweb/ARM64-ADK
17•denuoweb•2d ago•2 comments

Show HN: BioTradingArena – Benchmark for LLMs to predict biotech stock movements

https://www.biotradingarena.com/hn
26•dchu17•20h ago•12 comments

Show HN: I Hacked My Family's Meal Planning with an App

https://mealjar.app
2•melvinzammit•3h ago•0 comments

Show HN: Artifact Keeper – Open-Source Artifactory/Nexus Alternative in Rust

https://github.com/artifact-keeper
152•bsgeraci•1d ago•64 comments

Show HN: Slack CLI for Agents

https://github.com/stablyai/agent-slack
47•nwparker•1d ago•11 comments

Show HN: I built a free UCP checker – see if AI agents can find your store

https://ucphub.ai/ucp-store-check/
2•vladeta•4h ago•2 comments

Show HN: Gigacode – Use OpenCode's UI with Claude Code/Codex/Amp

https://github.com/rivet-dev/sandbox-agent/tree/main/gigacode
18•NathanFlurry•1d ago•9 comments

Show HN: Compile-Time Vibe Coding

https://github.com/Michael-JB/vibecode
10•michaelchicory•5h ago•1 comments

Show HN: Slop News – HN front page now, but it's all slop

https://dosaygo-studio.github.io/hn-front-page-2035/slop-news
15•keepamovin•6h ago•5 comments

Show HN: Daily-updated database of malicious browser extensions

https://github.com/toborrm9/malicious_extension_sentry
14•toborrm9•21h ago•7 comments

Show HN: Horizons – OSS agent execution engine

https://github.com/synth-laboratories/Horizons
23•JoshPurtell•1d ago•5 comments

Show HN: Micropolis/SimCity Clone in Emacs Lisp

https://github.com/vkazanov/elcity
172•vkazanov•2d ago•49 comments

Show HN: Falcon's Eye (isometric NetHack) running in the browser via WebAssembly

https://rahuljaguste.github.io/Nethack_Falcons_Eye/
5•rahuljaguste•15h ago•1 comments

Show HN: Fitspire – a simple 5-minute workout app for busy people (iOS)

https://apps.apple.com/us/app/fitspire-5-minute-workout/id6758784938
2•devavinoth12•9h ago•0 comments

Show HN: I built a RAG engine to search Singaporean laws

https://github.com/adityaprasad-sudo/Explore-Singapore
4•ambitious_potat•9h ago•4 comments

Show HN: Local task classifier and dispatcher on RTX 3080

https://github.com/resilientworkflowsentinel/resilient-workflow-sentinel
25•Shubham_Amb•1d ago•2 comments

Show HN: Sem – Semantic diffs and patches for Git

https://ataraxy-labs.github.io/sem/
2•rs545837•10h ago•1 comments

Show HN: A password system with no database, no sync, and nothing to breach

https://bastion-enclave.vercel.app
12•KevinChasse•21h ago•16 comments

Show HN: FastLog: 1.4 GB/s text file analyzer with AVX2 SIMD

https://github.com/AGDNoob/FastLog
5•AGDNoob•12h ago•1 comments

Show HN: GitClaw – An AI assistant that runs in GitHub Actions

https://github.com/SawyerHood/gitclaw
9•sawyerjhood•21h ago•0 comments

Show HN: Gohpts tproxy with arp spoofing and sniffing got a new update

https://github.com/shadowy-pycoder/go-http-proxy-to-socks
2•shadowy-pycoder•13h ago•0 comments

Show HN: I built a directory of $1M+ in free credits for startups

https://startupperks.directory
4•osmansiddique•13h ago•0 comments
Open in hackernews

Show HN: SiteIQ – LLM and Web security testing tool (built by a high schooler)

https://github.com/sastrophy/siteiq
4•sastrophy•2mo ago
Hi HN! I'm an 11th grade student learning cybersecurity and web development. I built SiteIQ as a hands-on way to understand security vulnerabilities, SEO, and how to test them.

I used AI as my coding partner throughout this project – it helped me understand concepts, debug issues, and write code. Building with AI felt like having a patient tutor available 24/7. I learned way more than I would have just following tutorials.

What it does: - Security Testing: OWASP Top 10 (SQL injection, XSS, CSRF, etc.) - SEO Analysis: Meta tags, schema markup, Core Web Vitals - GEO Testing: Multi-region accessibility and latency - LLM Security: Prompt injection, jailbreaking, system prompt leakage, and "Denial of Wallet" attacks

The LLM security part was the most interesting to build. With everyone adding AI to their apps, I wanted to understand how prompt injection actually works and how to test for it.

Features: - Web UI with real-time console output - CLI for automation - Self-hosted (no data leaves your machine)

Tech: Python, Flask, pytest

GitHub: https://github.com/sastrophy/siteiq

I'd love feedback – are there vulnerabilities I'm missing? Any suggestions for the LLM attack payloads?

This is my first open source project, so any advice is welcome!

Comments

denuoweb•2mo ago
Have you tried running this against itself? I found critical security vulnerabilities:

1. Command Injection Risk (CRITICAL) The web application passes user-controlled input directly to subprocess commands without proper sanitization. An attacker could inject malicious commands through the target_url, wordpress_path, llm_endpoint, or tests parameters. app.py:232-264

2. No Authentication (CRITICAL) All API endpoints are completely unauthenticated. Anyone can start security scans against arbitrary URLs, potentially using your server to attack others. app.py:481-516

3. Server-Side Request Forgery (HIGH) Users can provide any URL as the scan target, allowing attackers to scan internal networks, localhost services, or use your server as a proxy for attacks. app.py:484-493

4. No CSRF Protection (HIGH) POST endpoints lack CSRF token validation, making them vulnerable to cross-site request forgery attacks. app.py:481-482 app.py:567-568

5. No Rate Limiting (MEDIUM) Endpoints lack rate limiting, allowing abuse and denial-of-service attacks.

sastrophy•2mo ago
Thank you so much for taking the time to review the code and pointing these out! I really appreciate it. To clarify: SiteIQ is designed to run locally on your own machine (localhost:5000) as a personal security testing tool - similar to how you'd run Burp Suite or OWASP ZAP locally. It's not meant to be deployed as a public-facing web service. That said, your points are absolutely valid and I'll definitely work on fixing these. This is my first open source project, so feedback like this helps me learn a lot. Thanks again!