Prototype of FAAST (Full Agentic Application Security Testing), FAAST = SAST + DAST + LLM agents
FAAST is an AI agent for security testing that combines SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) for web applications. It links the two by feeding the SAST results to the DAST and working out how each vulnerability can be reached in the running application.
Note: for now it is a proof of concept that works in a few cases; the goal is to generalize the concept to detect many more vulnerabilities, understand how to reach them dynamically, and exploit them.
In the demo below, the agent spots an SQL injection and a command injection in the source code (SAST), understands how to reach them, and finally exploits the two vulnerabilities in the live environment (DAST) with a browser:
- Static Analysis (SAST): uses an LLM to identify vulnerabilities in the source code; the architecture is modular so that any traditional SAST tool can be plugged in instead. Saves the context of each vulnerability so that the DAST later knows how to reach it.
- Dynamic Analysis (DAST): automatically exploits and verifies vulnerabilities in the running application.
- Vulnerability verification: uses an LLM to confirm whether the exploit attempted by the DAST agent actually succeeded.
- Simpler and direct App launcher
- Simpler and improved exploit verification
- Use an open-source SAST tool for detecting more vulnerabilities
- Improved vulnerability path tracing
- Vision capabilities
Clone this repository:
git clone https://github.com/yacwagh/FAAST
cd FAAST
Install dependencies:
pip install -r requirements.txt
Set up your OpenRouter key in the .env file:
OPENROUTER_API_KEY="your_key"
Run the FAAST security agent on a target application:
python3 main.py --target ./vulnerable_app --url http://localhost:3000
This will:
- Run SAST analysis to identify potential vulnerabilities in the code
- Perform DAST analysis on the target URL to confirm exploitable vulnerabilities
- Output a comprehensive security report
--target: Target application directory path (default: 'vulnerable_app')
--url: URL of the application to test with the DAST
--headless: Run the browser in headless mode for DAST
Example with the headless option:
python3 main.py --target ./vulnerable-app --url http://localhost:3000 --headless
FAAST/
├── main.py # Main entry point
├── agent/
│ ├── __init__.py
│ └── agent.py # SecurityAgent implementation
├── sast/
│ ├── __init__.py
│ └── sast_scan.py # Static analysis scanner
├── dast/
│ ├── __init__.py
│ ├── app_launcher.py # Application launcher
│ └── dast_act.py # Dynamic testing automation
├── llm/
│ ├── __init__.py
│ ├── llm_service.py # LLM API service
│ └── prompts/
│ ├── __init__.py
│ ├── prompts_sast.py # SAST-related prompts
│ └── prompts_dast.py # DAST-related prompts
├── requirements.txt # Dependencies
├── .env # Environment variables
└── README.md # Documentation
The SAST scanner analyzes your application code to identify potential security vulnerabilities:
- Scans files in chunks to handle large codebases
- Uses LLMs to identify vulnerabilities
- Records the context of each vulnerability, such as endpoint information (routes, parameters), so that it can be reached during dynamic testing
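As an added illustration of the two points above (this is not FAAST's code, which delegates the analysis to an LLM), a small regex-based sketch: it scans a constructed Flask-style file in overlapping chunks and records, for each SQL or command sink, the route, HTTP methods and request parameters a DAST step would need to reach it. The sample source, regexes and Finding record are all assumptions for this example.

```python
import re
from collections import namedtuple
# Constructed sample (not from the FAAST repo): two Flask-style handlers whose
# request parameters reach a SQL sink and an OS-command sink.
SAMPLE_SOURCE = """
@app.route('/users', methods=['GET'])
def get_user():
    uid = request.args.get('id')
    cur.execute("SELECT * FROM users WHERE id = " + uid)
    return jsonify(cur.fetchall())

@app.route('/ping', methods=['POST'])
def ping():
    host = request.form.get('host')
    os.system("ping -c 1 " + host)
    return "ok"
"""

ROUTE_RE = re.compile(r"@app\.route\('(?P<path>[^']+)'(?:,\s*methods=\[(?P<methods>[^\]]*)\])?\)")
PARAM_RE = re.compile(r"request\.(?:args|form)\.get\('([^']+)'\)")
SINKS = {"sql_injection": re.compile(r"\.execute\("),
         "command_injection": re.compile(r"os\.system\(|subprocess\.")}
# The context a DAST step needs to reach the sink: route, HTTP methods, parameters.
Finding = namedtuple("Finding", "vuln_type line route methods parameters")

def scan_chunk(source, line_offset=0):
    # Track the latest route decorator and the request parameters read under it;
    # emit a Finding when a sink line appears inside a known route.
    findings, route, methods, params = [], None, ["GET"], []
    for i, text in enumerate(source.splitlines(), start=line_offset + 1):
        m = ROUTE_RE.search(text)
        if m:
            route, params = m.group("path"), []
            methods = [s.strip(" '\"") for s in (m.group("methods") or "'GET'").split(",")]
            continue
        params += PARAM_RE.findall(text)
        for vuln, sink in SINKS.items():
            if route and sink.search(text):
                findings.append(Finding(vuln, i, route, methods, list(params)))
    return findings

def scan_source(source, chunk_lines=8, overlap=3):
    # Overlapping windows keep a decorator and its sink in one chunk when a file
    # is too large to scan at once; de-duplicate on (type, line).
    lines, seen, out = source.splitlines(), set(), []
    for start in range(0, len(lines), chunk_lines - overlap):
        for f in scan_chunk("\n".join(lines[start:start + chunk_lines]), start):
            if (f.vuln_type, f.line) not in seen:
                seen.add((f.vuln_type, f.line))
                out.append(f)
    return out
```

A sink seen in a chunk that does not also contain its route decorator is dropped, which is exactly the context loss the overlap is there to avoid.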
The DASTScan component:
- Uses information from SAST to generate precise exploitation strategies
- Automates a real browser to attempt exploitation
- Verifies successful exploits by analyzing application responses
- Provides confirmation of which vulnerabilities are actually exploitable
For the moment the FAAST agent focuses on two vulnerability classes, but its modular architecture makes it easy to generalize:
- SQL Injection: Detecting improper handling of SQL queries
- Command Injection: Finding OS command execution vulnerabilities
