Point it at your app.
It tries to break it.
Point it at a web app or an APK. It finds the holes, proves them with the exact request, and hands you the fix.
pip install fya
A full scan of the bundled vulnerable app, start to seven high-severity findings.
Most scanners hedge. fya shows you where it broke, the request that did it, and the line that fixes it.
Why fya
One tool, three targets
A running web server, an Android .apk, or a source directory, all with the same command. It works out which one it has been given and runs only the checks that fit.
It actually breaks things
Reflected XSS, SQLi, SSTI, IDOR, input fuzzing, a leaking .env, hardcoded secrets in your source, a debuggable APK. If it is there, you get the receipt that proves it.
Black, gray, and white box
58 checks across all three. Fuzz inputs from outside, probe access control with partial knowledge, or scan the source itself. Every finding maps to OWASP and a CWE.
It does not cry wolf
Baselines, context-aware reflection, and honest severity. A confident wrong finding is worse than a missed one, so it earns every flag.
Built for real apps
Authenticated scans, scoped crawls, request budgets, a CI baseline, and a headless browser for single-page apps.
Free for noncommercial use
Free for personal, hobby, research, and nonprofit use under PolyForm Noncommercial. Commercial use needs a license. No dashboard, no agent, no account.
No terminal? Tell Claude to break it.
fya ships as a Claude skill. Drop it into your setup and say what to scan. Claude confirms you own the target, runs the same non-destructive checks itself, and reports right in the chat.
git clone https://github.com/ayam04/fya
cp -r fya/skills/fya ~/.claude/skills/fya
"scan http://localhost:3000 for vulnerabilities"
"check ./app-release.apk for security issues"
How it works
- 01 Detect. Web server, .apk, or source directory. It decides, you do not configure it.
- 02 Fingerprint. Reads the stack, framework, cookies, and whether it is a JSON API from the first responses.
- 03 Plan. Picks only the checks that fit the target and the profile.
- 04 Break. Runs non-destructive probes and tunes pacing to what the target tolerates. No flooding, ever.
- 05 Prove. De-duplicates, maps each finding to OWASP and CWE, and keeps the receipts.
- 06 Report. Console, JSON, SARIF, Markdown, or a self-contained HTML page.
What it checks
Full catalog in the docs
Web active
Reflected XSS, error-based SQLi, open redirect, path traversal, CORS reflection, and advanced CORS bypasses (null origin, prefix and suffix match bugs).
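The three CORS bypass classes named above, as an added example that is not fya's own code: a deliberately weak origin check beside an exact-match one, and a small audit that feeds each policy one probe origin per class and reports which ones get reflected into Access-Control-Allow-Origin. The TRUSTED allowlist entry and the probe domains are constructed.

```python
# Constructed sample allowlist and probe origins; not fya's own code.
TRUSTED = "https://app.example.test"
ALLOWED = frozenset({TRUSTED})


def weak_allow(origin: str) -> bool:
    """Deliberately flawed origin check of the kind the CORS probes look for:
    it trusts the literal 'null' origin, any origin that starts with the
    trusted value (prefix bug) and any origin that ends with its registrable
    domain (suffix bug)."""
    if origin == "null":
        return True
    return origin.startswith(TRUSTED) or origin.endswith("example.test")


def strict_allow(origin: str) -> bool:
    """Hardened check: exact, whole-string match against the allowlist."""
    return origin in ALLOWED


def allow_origin_header(allow, origin: str):
    """Value a server using `allow` would emit in Access-Control-Allow-Origin,
    or None when the header is omitted and the browser blocks the read."""
    return origin if allow(origin) else None


# One probe per bypass class named in the catalog above (constructed values).
PROBES = {
    "null origin": "null",
    "prefix match": TRUSTED + ".evil.test",   # https://app.example.test.evil.test
    "suffix match": "https://notexample.test",
}


def audit_origin_policy(allow) -> list:
    """Run each probe origin through the policy and return the classes whose
    origin is reflected back; an empty list means the policy held."""
    return [name for name, origin in PROBES.items()
            if allow_origin_header(allow, origin) == origin]


if __name__ == "__main__":
    for name, policy in (("weak", weak_allow), ("strict", strict_allow)):
        print(f"{name}: reflected {audit_origin_policy(policy) or 'nothing'}")
```

A reflected probe origin only becomes a cross-origin data leak when the server also sends Access-Control-Allow-Credentials: true, so a real check reads both headers.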
Web advanced
Server-side template injection, CSRF, Host header injection, CRLF, forwarded-header cache poisoning, and X-Original-URL access-control bypass.
SSRF & injection
Signature-based SSRF (cloud metadata and file://), MongoDB-style NoSQL injection, and XPath, LDAP, and SSI injection.
Secrets & files
Secrets in client-side JavaScript, exposed source maps, dumpable .git/.svn repos, leaked config and credential files, and directory listing.
Web passive & hardening
Security headers, cookie flags and prefix misuse, CSP holes, COOP/CORP/Permissions-Policy, JWT weaknesses, and outdated JS libraries.
Black & gray box
Input fuzzing that surfaces crashes and stack traces, insecure direct object references, and protected routes reachable without auth.
White box (source)
Point it at a directory: hardcoded secrets, risky sinks, dangerous GitHub Actions workflows, and semgrep or bandit folded in.
API
OpenAPI and Swagger exposure, GraphQL introspection, plus GraphQL field-suggestion leakage, batching, and GET/CSRF execution.
Mobile (APK)
Hardcoded secrets, cleartext endpoints, manifest sins, insecure WebView bridges, unverified App Links, and weak custom permissions.
TLS & tools
Certificate trust and expiry, weak protocols, and Nuclei, Nikto, nmap, sqlmap, and testssl folded into one report when installed.
Break your app before someone else does.
Ship the fix, not the incident report. Start with your localhost right now.
--i-am-authorized flag. Test only what you own.