AI-powered security scanner running on Cloudflare's edge. Paste a URL, get a full pentest report.
POST /api/scan → Queue → Durable Object → 51 checks + AI analysis
- You submit a URL
- A Worker validates and enqueues the scan job
- A Durable Object picks it up and runs all 51 security checks
- AI analyzes responses and generates findings in real-time
- The frontend polls for events and renders a live activity log
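The first step in the pipeline above is the Worker validating the submitted URL before it enqueues the job. Because the scanner fetches whatever it is given (including through headless Puppeteer on the edge), that validation is also what keeps it from being turned into an SSRF proxy against loopback, link-local or RFC 1918 addresses. The following is an added illustration, not Aster's own code: the function name, the `ScanJob` shape and the blocked-host list are assumptions for the example.

```typescript
// Added example (not Aster's own code): validation a scan-submission Worker
// should perform before enqueuing a job, so the scanner only ever fetches
// publicly reachable targets. The ScanJob shape and function names are
// assumptions for illustration.

export interface ScanJob {
  scanId: string;
  target: string;      // normalized absolute URL
  submittedAt: number; // epoch milliseconds
}

export type ValidationResult =
  | { ok: true; job: ScanJob }
  | { ok: false; reason: string };

// Hostnames that must never be scanned from an edge Worker.
const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal"]);

// The WHATWG URL parser canonicalizes IPv4 shorthand ("127.1", hex, octal)
// to a dotted quad, so a plain dotted-quad check is enough after parsing.
function isPrivateIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  if (a === 0 || a === 10 || a === 127) return true;   // 0/8, 10/8, loopback
  if (a === 169 && b === 254) return true;             // link-local
  if (a === 172 && b >= 16 && b <= 31) return true;    // 172.16.0.0/12
  if (a === 192 && b === 168) return true;             // 192.168.0.0/16
  return false;
}

function isPrivateIPv6(host: string): boolean {
  const h = host.toLowerCase();
  return h === "::1" || h === "::" ||
    h.startsWith("fc") || h.startsWith("fd") || h.startsWith("fe80");
}

export function validateScanTarget(
  raw: string,
  scanId: string,
  now: number = Date.now(),
): ValidationResult {
  let url: URL;
  try {
    url = new URL(raw.trim());
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `unsupported scheme ${url.protocol}` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL are not allowed" };
  }
  // URL.hostname keeps IPv6 literals in brackets; strip them for the checks.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (BLOCKED_HOSTS.has(host) || host.endsWith(".localhost")) {
    return { ok: false, reason: "host is not publicly reachable" };
  }
  if (isPrivateIPv4(host) || isPrivateIPv6(host)) {
    return { ok: false, reason: "private, loopback or link-local address" };
  }
  // Drop the fragment so repeat submissions of one target dedupe cleanly.
  url.hash = "";
  return { ok: true, job: { scanId, target: url.toString(), submittedAt: now } };
}
```

This only inspects the literal the user typed. A public hostname can still resolve to a private address (or change its answer between validation and fetch), so the Durable Object that performs the actual requests should resolve the name and re-apply the same address checks at fetch time rather than trusting the queued job.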
No access to your source code needed — it only scans what's publicly reachable.
| Cloudflare Primitive | What it does |
|---|---|
| Worker (Hono) | API + static frontend |
| Queue | Decouples request from scan execution |
| Durable Object | Runs long scans without Worker's 30s timeout |
| D1 | SQLite database for scans, findings, events |
| R2 | Screenshot storage |
| Browser Rendering | Headless Puppeteer on the edge |
- SQL Injection, Cross-Site Scripting, Command Injection, CRLF Injection, NoSQL Injection, XXE, SSRF, Host Header Injection
- Auth Bypass, IDOR, CORS Configuration, JWT Security, Clickjacking, Form Security Analysis
- Information Disclosure, Sensitive File Discovery, JavaScript Analysis, Cookie Security, Privacy & Compliance
- Security Headers, TLS/SSL, CSP Deep Analysis, DNS Security, Email Security, Error Handling, HTTP Methods
- WAF Detection, Rate Limiting, Cache Poisoning, Request Smuggling, Subdomain Enumeration, Subdomain Takeover, SSL Certificate Analysis
- Technology Fingerprint, Modern Framework Security, API Discovery, API Security, GraphQL Security, WebSocket Security, Third-Party Scripts, Known Vulnerabilities, Subresource Integrity
- Prototype Pollution, HTTP Parameter Pollution, Race Condition, Mass Assignment, File Upload, Deserialization, Input Validation, Directory Traversal, Open Redirect
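To show what one of the passive checks in the list above produces, here is an added example (not Aster's own code) of a Security Headers check written as a pure function over captured response headers. It emits one finding per weakness so the result can be stored as findings rows and rendered in the activity log; the `Finding` shape, check ids and thresholds are assumptions for the example, and the sample headers are constructed, not captured from any real site.

```typescript
// Added example (not Aster's own code): a passive "Security Headers" check
// over a response's headers. Finding shape, check ids and thresholds are
// assumptions for illustration.

export interface Finding {
  check: string;
  severity: "info" | "low" | "medium" | "high";
  title: string;
  evidence: string;
}

type HeaderMap = Record<string, string>;

// Header names are case-insensitive; normalize once up front.
function lowerKeys(h: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const [k, v] of Object.entries(h)) out[k.toLowerCase()] = v;
  return out;
}

export function checkSecurityHeaders(raw: HeaderMap, isHttps: boolean): Finding[] {
  const h = lowerKeys(raw);
  const findings: Finding[] = [];

  // HSTS is only meaningful over HTTPS; a short max-age gives little protection.
  if (isHttps) {
    const hsts = h["strict-transport-security"];
    if (!hsts) {
      findings.push({ check: "hsts", severity: "medium",
        title: "Strict-Transport-Security missing", evidence: "header absent" });
    } else {
      const maxAge = Number(/max-age=(\d+)/i.exec(hsts)?.[1] ?? 0);
      if (maxAge < 15552000) {
        findings.push({ check: "hsts", severity: "low",
          title: "HSTS max-age below 180 days", evidence: hsts });
      }
    }
  }

  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push({ check: "csp", severity: "medium",
      title: "Content-Security-Policy missing", evidence: "header absent" });
  } else if (/'unsafe-inline'/i.test(csp)) {
    findings.push({ check: "csp", severity: "low",
      title: "CSP allows 'unsafe-inline'", evidence: csp });
  }

  // Framing protection can come from X-Frame-Options or CSP frame-ancestors.
  const hasFrameAncestors = csp ? /frame-ancestors/i.test(csp) : false;
  if (!h["x-frame-options"] && !hasFrameAncestors) {
    findings.push({ check: "framing", severity: "medium",
      title: "No clickjacking protection (X-Frame-Options / frame-ancestors)",
      evidence: "neither directive present" });
  }

  if ((h["x-content-type-options"] ?? "").trim().toLowerCase() !== "nosniff") {
    findings.push({ check: "nosniff", severity: "low",
      title: "X-Content-Type-Options: nosniff missing",
      evidence: h["x-content-type-options"] ?? "header absent" });
  }

  if (!h["referrer-policy"]) {
    findings.push({ check: "referrer-policy", severity: "info",
      title: "Referrer-Policy missing", evidence: "header absent" });
  }

  return findings;
}

// Constructed sample response headers (not captured from any real site).
export const SAMPLE_HEADERS: HeaderMap = {
  "Content-Type": "text/html; charset=utf-8",
  "Strict-Transport-Security": "max-age=300",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "X-Content-Type-Options": "nosniff",
};
```

Running `checkSecurityHeaders(SAMPLE_HEADERS, true)` yields four findings: a short HSTS max-age, a CSP that permits inline scripts, no framing protection, and no Referrer-Policy. Keeping the check a pure function of the captured headers is what makes it cheap to unit-test and to re-run against a stored response without another request to the target.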
- Bun or Node.js
- Wrangler CLI
- Cloudflare account with D1, R2, Queues, Durable Objects, and Browser Rendering enabled
- OpenRouter API key (for AI analysis)
Install dependencies:

```bash
bun install
```

Create the Cloudflare resources:

```bash
# D1 database
wrangler d1 create aster-db
# Copy the database_id into wrangler.toml

# R2 bucket
wrangler r2 bucket create aster-screenshots

# Queue
wrangler queues create scan-queue
```

Store the OpenRouter key as a Worker secret:

```bash
wrangler secret put OPENROUTER_API_KEY
```

For local dev, create a .env file:

```bash
cp .env.example .env
# Edit .env with your OpenRouter key
```

Run the database migrations:

```bash
# Local
bun run db:migrate:local
# Remote
bun run db:migrate
```

Start the dev servers:

```bash
bun run dev
```

Opens the Worker on localhost:3001 and Vite on localhost:3100.

Deploy:

```bash
bun run deploy
```

- Backend: Hono on Cloudflare Workers
- Database: Drizzle ORM + D1 (SQLite)
- Frontend: React 19, React Router, Tailwind CSS v4
- AI: OpenRouter (Gemini 2.5 Flash)
- Browser: @cloudflare/puppeteer
This tool is provided as-is for educational and authorized security testing purposes only.
This is not a replacement for a professional penetration tester. The checks are basic, automated, and surface-level. A real pentest involves manual analysis, business logic testing, and context that no automated tool can replicate. Use Aster as a first pass or learning tool, not as your security strategy.
By using Aster, you agree that:
- You will only scan websites and applications you own or have explicit written authorization to test
- The authors are not responsible for any misuse, damage, legal consequences, or any other liability arising from the use of this tool
- Results are automated and may contain false positives or false negatives — always verify findings manually
- This does not replace a professional security audit
Use responsibly.
MIT