f*ck your app

Point it at your app.
It tries to break it.

Point it at a web app or an APK. It finds the holes, proves them with the exact request, and hands you the fix.

pip install fya
[Screenshot: fya scanning a web app in the terminal and finding reflected XSS, SQL injection, SSRF, an exposed .git repo, and a CORS bypass, each mapped to OWASP and CWE]

A full scan of the bundled vulnerable app, start to seven high-severity findings.

Most scanners hedge. fya shows you where it broke, the request that did it, and the line that fixes it.

Why fya

One tool, three targets

A running web server, an Android .apk, or a source directory, same command. It works out which and runs only what fits.

It actually breaks things

Reflected XSS, SQLi, SSTI, IDOR, input fuzzing, a leaking .env, hardcoded secrets in your source, a debuggable APK. If it is there, you get the receipt that proves it.

Black, gray, and white box

58 checks across all three. Fuzz inputs from outside, probe access control with partial knowledge, or scan the source itself. Every finding maps to OWASP and a CWE.

It does not cry wolf

Baselines, context-aware reflection, and honest severity. A confident wrong finding is worse than a missed one, so it earns every flag.

Built for real apps

Authenticated scans, scoped crawls, request budgets, a CI baseline, and a headless browser for single-page apps.

Free for noncommercial use

Free for personal, hobby, research, and nonprofit use under PolyForm Noncommercial. Commercial use needs a license. No dashboard, no agent, no account.

Run it inside Claude

No terminal? Tell Claude to break it.

fya ships as a Claude skill. Drop it into your setup and say what to scan. Claude confirms you own the target, runs the same non-destructive checks itself, and reports right in the chat.

1. Install the skill

   git clone https://github.com/ayam04/fya
   cp -r fya/skills/fya ~/.claude/skills/fya

2. Just ask

   scan http://localhost:3000 for vulnerabilities
   check ./app-release.apk for security issues

Full skill setup in the docs.

How it works

1. Detect

   Web server, .apk, or source directory. It decides, you do not configure it.

2. Fingerprint

   Reads the stack, framework, cookies, and whether it is a JSON API from the first responses.

3. Plan

   Picks only the checks that fit the target and the profile.

4. Break

   Runs non-destructive probes and tunes pacing to what the target tolerates. No flooding, ever.

5. Prove

   De-duplicates, maps each finding to OWASP and CWE, and keeps the receipts.

6. Report

   Console, JSON, SARIF, Markdown, or a self-contained HTML page.

Web active

Reflected XSS, error-based SQLi, open redirect, path traversal, CORS reflection, and advanced CORS bypasses (null origin, prefix and suffix match bugs).
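What the CORS reflection and bypass checks are looking for, as an added example that is not fya's own code: a server-side origin check that does prefix and suffix matching and accepts the null origin, beside a strict allow-list check, with a small audit that reports where the weak one reflects an origin the strict one refuses. The allow-list, the probe origins and the function names are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Allow-list the server intends to honour (constructed example values).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_origin_weak(origin):
    """Origin check with the prefix/suffix-match and null-origin bugs the
    scanner flags. Returns the Access-Control-Allow-Origin value the server
    would send back, or None when the request gets no header at all."""
    if origin is None:
        return None
    if origin == "null":
        # Sandboxed iframes and file:// pages send Origin: null, so
        # honouring it hands the resource to any such document.
        return "null"
    for allowed in ALLOWED_ORIGINS:
        host = allowed.split("://", 1)[1]
        # startswith() also accepts app.example.com.<some other domain>,
        # endswith() also accepts <anything>app.example.com.
        if origin.startswith(allowed) or origin.endswith(host):
            return origin
    return None


def cors_origin_strict(origin):
    """Hardened check: parse the Origin, require https, accept nothing but a
    bare scheme://host[:port], and compare against the allow-list exactly."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return None
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    return normalized if normalized in ALLOWED_ORIGINS else None


def audit_origins(origins):
    """Run both checks over a list of Origin values and report each case where
    the weak check reflects an origin the strict check refuses. This is the
    shape of a CORS finding: the request header and the response it produced."""
    findings = []
    for origin in origins:
        weak = cors_origin_weak(origin)
        strict = cors_origin_strict(origin)
        if weak is not None and strict is None:
            findings.append({"origin": origin, "reflected": weak})
    return findings


# Constructed probe origins, one per bug class (not captured from any target).
PROBE_ORIGINS = [
    "https://app.example.com",               # legitimate, both checks pass
    "https://app.example.com.evil.example",  # prefix-match bug
    "https://evilapp.example.com",           # suffix-match bug
    "null",                                  # null-origin bug
    "https://unrelated.example",             # refused by both
]

if __name__ == "__main__":
    for f in audit_origins(PROBE_ORIGINS):
        print(f"Origin: {f['origin']} -> Access-Control-Allow-Origin: {f['reflected']}")
```

Reflection alone is low impact; what turns it into a real finding is reflection together with `Access-Control-Allow-Credentials: true` on a response that carries authenticated data, which is why the fix is an exact allow-list match and never an echo of the request header.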

Web advanced

Server-side template injection, CSRF, Host header injection, CRLF, forwarded-header cache poisoning, and X-Original-URL access-control bypass.

SSRF & injection

Signature-based SSRF (cloud metadata and file://), MongoDB-style NoSQL injection, and XPath, LDAP, and SSI injection.

Secrets & files

Secrets in client-side JavaScript, exposed source maps, dumpable .git/.svn repos, leaked config and credential files, and directory listing.

Web passive & hardening

Security headers, cookie flags and prefix misuse, CSP holes, COOP/CORP/Permissions-Policy, JWT weaknesses, and outdated JS libraries.
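How a passive header and cookie check of the kind listed above works, as an added example rather than fya's own implementation: it parses each Set-Cookie value, flags missing Secure and HttpOnly, checks that the `__Host-` and `__Secure-` prefix rules are actually met, and reports absent hardening headers. The sample response headers are constructed; the CWE identifiers are the general entries those issues are commonly filed under, not values taken from this page.

```python
# Constructed sample response headers (not captured from any real target).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "__Host-sid=xyz; Path=/; Secure; Domain=example.com"),
    ("Set-Cookie", "__Secure-pref=1; Path=/"),
    ("X-Content-Type-Options", "nosniff"),
]

# Headers a hardened HTTPS response is expected to carry, with the CWE each
# absence is commonly mapped to (general CWE entries, assumed for this example).
REQUIRED_HEADERS = {
    "strict-transport-security": "CWE-319",
    "content-security-policy": "CWE-693",
    "x-content-type-options": "CWE-693",
}


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {attribute: value-or-True})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def check_cookie(value):
    """Return (cookie name, issue, CWE-or-None) tuples for one Set-Cookie."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append((name, "missing Secure", "CWE-614"))
    if "httponly" not in attrs:
        findings.append((name, "missing HttpOnly", "CWE-1004"))
    # __Host- requires Secure, Path=/ and no Domain; __Secure- requires Secure.
    # A browser drops a prefixed cookie that breaks these rules, so the
    # protection the prefix promises silently never applies.
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append((name, "__Host- prefix rules not met", None))
    elif name.startswith("__Secure-") and "secure" not in attrs:
        findings.append((name, "__Secure- prefix rules not met", None))
    return findings


def check_response(headers):
    """Passive check over a list of (header, value) pairs from one response."""
    present = {k.lower() for k, _ in headers}
    findings = [
        ("header", f"missing {h}", cwe)
        for h, cwe in REQUIRED_HEADERS.items()
        if h not in present
    ]
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings.extend(check_cookie(value))
    return findings


if __name__ == "__main__":
    for subject, issue, cwe in check_response(SAMPLE_HEADERS):
        print(f"{subject}: {issue}" + (f" ({cwe})" if cwe else ""))
```

A check like this only earns a severity once context is applied: a missing HttpOnly on a cookie that JavaScript is meant to read is expected, while the same gap on a session cookie is not, which is the difference between a raw rule hit and a finding worth reporting.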

Black & gray box

Input fuzzing that surfaces crashes and stack traces, insecure direct object references, and protected routes reachable without auth.

White box (source)

Point it at a directory: hardcoded secrets, risky sinks, dangerous GitHub Actions workflows, and semgrep or bandit folded in.

API

OpenAPI and Swagger exposure, GraphQL introspection, plus GraphQL field-suggestion leakage, batching, and GET/CSRF execution.

Mobile (APK)

Hardcoded secrets, cleartext endpoints, manifest sins, insecure WebView bridges, unverified App Links, and weak custom permissions.

TLS & tools

Certificate trust and expiry, weak protocols, and Nuclei, Nikto, nmap, sqlmap, and testssl folded into one report when installed.

Break your app before someone else does.

Ship the fix, not the incident report. Start with your localhost right now.

Non-destructive by default. Localhost is fair game; any remote target needs an explicit --i-am-authorized flag. Test only what you own.