
Point it at your app, it tries to break it. A dynamic security scanner for localhost servers and Android APKs.

Project description

fya: F*ck Your App

Point it at your app. It tries to break it.

A dynamic, target-adaptive security scanner for localhost servers and Android APKs.



(Screenshot: fya breaking a vulnerable web app)

[!WARNING] Authorized testing only. Only scan systems you own or are explicitly authorized in writing to test. Scanning a target that is not local requires the --i-am-authorized flag. Unauthorized scanning may be illegal. You are responsible for how you use this tool. See SECURITY.md.


What it is

fya is an open-source, dynamic security scanner. Give it a running server (localhost or a URL) or an Android .apk, and it detects what the target is, fingerprints it, tunes its own scan parameters to fit, and runs a battery of security checks mapped to the OWASP Top 10 and OWASP MASVS. It ships its own fast, pure-Python checks and, when they are installed, orchestrates the best-in-class tools (Nuclei, Nikto, sqlmap, nmap, testssl, jadx, apkleaks) instead of reinventing them.

Highlights

  • One tool, two targets. Scan a running web server or an Android .apk with the same command.
  • Adaptive. Detects the stack, tunes payloads and request pacing, and runs only the checks that apply.
  • You pick the mode. Choose recon, web, api, mobile, or full (or an interactive menu), and watch a live per-category progress animation as it runs.
  • 29 checks, OWASP-mapped. Web, API, TLS, and APK static analysis, each tagged to OWASP Top 10 / MASVS and CWE.
  • Orchestrates, does not reinvent. Uses Nuclei, Nikto, sqlmap, nmap, and testssl when present; falls back to built-in checks when not.
  • Safe by default. Non-destructive, no flooding, request pacing that backs off on errors; localhost is allowed without a flag, remote targets require explicit authorization.
  • CI-ready reports. Console, JSON, SARIF, Markdown, and self-contained HTML, with --fail-on exit codes.
  • Tiny core. requests and rich only. APK analysis, a browser, and external tools are optional.

Install

pip install fya                 # from PyPI
pip install "fya[apk]"          # add Android APK manifest analysis (androguard)

From a clone, with test tooling:

git clone https://github.com/ayam04/fya
cd fya
pip install -e ".[dev]"

Python 3.9 or newer.

Quickstart

# scan a local dev server (no authorization flag needed for localhost)
fya scan http://127.0.0.1:8000

# read-only, then progressively heavier
fya scan http://127.0.0.1:8000 --profile passive
fya scan http://127.0.0.1:8000 --profile safe          # default
fya scan http://127.0.0.1:8000 --profile aggressive

# pick what to run, or choose from a menu
fya scan http://127.0.0.1:8000 --mode web              # web + tls + api
fya scan http://127.0.0.1:8000 --mode full             # everything, aggressive
fya scan http://127.0.0.1:8000 --interactive           # menu to pick mode + profile
fya modes                                               # list the modes

# analyze an Android app
fya scan ./app-release.apk

# write a shareable report (format inferred from the extension)
fya scan http://127.0.0.1:8000 -o report.html
fya scan http://127.0.0.1:8000 -o findings.sarif       # for CI code scanning

# fail a CI job if anything high or worse is found
fya scan http://127.0.0.1:8000 --fail-on high

# a non-local target requires explicit authorization
fya scan https://staging.example.com --i-am-authorized

# see which external tools fya can hand off to
fya tools

Try it right now against the bundled deliberately-vulnerable app:

python examples/vulnerable_app.py       # starts on http://127.0.0.1:5001
fya scan http://127.0.0.1:5001 --profile aggressive -o report.html

Scan profiles

Profile       What it does
passive       Read-only. Headers, TLS, cookies, disclosure, fingerprinting.
safe          Non-destructive active probes. Reflection, error signatures, CORS. (default)
aggressive    Heavier probing and external-tool handoff. Still non-destructive.

fya never floods a target or runs denial-of-service payloads. Request pacing adapts automatically, slowing down on errors, timeouts, and slow responses.

What it checks

29 checks across the areas below, each mapped to OWASP Top 10 / MASVS and a CWE. Full catalog in docs/checks.md.

Area             Checks
Web (passive)    Security headers, server/version disclosure, insecure cookie flags
Web (active)     Reflected XSS, error-based SQLi, open redirect, path traversal, CORS misconfiguration, dangerous HTTP methods, sensitive file exposure
Web (advanced)   Server-side template injection (SSTI), missing CSRF token, Host header injection, CRLF/header injection
TLS              Certificate validity and trust, weak protocol versions, missing HTTP to HTTPS upgrade
API              OpenAPI/Swagger exposure, GraphQL introspection, verbose error disclosure, unauthenticated admin/debug endpoints
APK (static)     Hardcoded secrets, cleartext HTTP endpoints, manifest issues (debuggable, backup, exported components, cleartext, minSdk, permissions)
Integrations     Nuclei, Nikto, nmap, sqlmap, testssl/sslyze handoff, normalized into the same report

(Screenshots: fya web scan report; fya apk scan report)

How it adapts per target

  1. Detect whether the target is a web server or an .apk.
  2. Fingerprint the tech stack (server, framework, cookies, whether it is a JSON API) from the first responses.
  3. Select only the checks that apply to that target kind and profile.
  4. Tune payloads, pacing, and concurrency to what the target tolerates.
  5. Normalize every finding to OWASP / CWE and de-duplicate.
  6. Report to console, JSON, SARIF, Markdown, or a self-contained HTML page.
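As an added illustration of the pacing step above and of the backoff behaviour described under Scan profiles, here is a self-throttling pacer. It is example code, not fya's own http.py; the policy (doubling on errors, adding excess latency on slow responses, halving back toward the base delay, a capped maximum and a circuit breaker) is an assumption for this example.

```python
class AdaptivePacer:
    """Self-throttling delay between requests (example code, not fya's http.py).

    Assumed policy: start at base_delay; double the delay on every error or
    timeout; when a response succeeds but is slower than slow_threshold, add
    the excess latency; on a healthy response decay halfway back toward
    base_delay. The delay is capped at max_delay so backoff cannot stall the
    scan, and a run of consecutive failures opens a circuit breaker.
    """

    def __init__(self, base_delay=0.1, max_delay=5.0, slow_threshold=2.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.slow_threshold = slow_threshold
        self.delay = base_delay
        self.consecutive_errors = 0

    def record(self, ok, elapsed, timed_out=False):
        """Feed the outcome of one request; return the delay before the next."""
        if timed_out or not ok:
            self.consecutive_errors += 1
            self.delay = min(self.max_delay, self.delay * 2)  # exponential backoff
        else:
            self.consecutive_errors = 0
            if elapsed > self.slow_threshold:
                # the target answers but struggles: slow down by the excess latency
                self.delay = min(self.max_delay, self.delay + elapsed - self.slow_threshold)
            else:
                # healthy: recover gradually rather than snapping back to full speed
                self.delay = max(self.base_delay, (self.delay + self.base_delay) / 2)
        return self.delay

    def circuit_open(self, threshold=5):
        """True once the target has failed `threshold` times in a row."""
        return self.consecutive_errors >= threshold


def replay(outcomes):
    """Run (ok, elapsed, timed_out) outcomes through a fresh pacer; return each delay."""
    pacer = AdaptivePacer()
    return [pacer.record(*o) for o in outcomes]


if __name__ == "__main__":
    # constructed trace: healthy, error, timeout, slow, then two healthy responses
    trace = [(True, 0.2, False), (False, 0.5, False), (False, 0.0, True),
             (True, 3.0, False), (True, 0.1, False), (True, 0.1, False)]
    print([round(d, 3) for d in replay(trace)])  # [0.1, 0.2, 0.4, 1.4, 0.75, 0.425]
```

The cap matters as much as the backoff: without it a flaky target would push the delay toward infinity and the scan would appear hung rather than reporting the target as unhealthy.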

External tools

If any of these are on your PATH, fya uses them and folds their results into one normalized report. If not, it silently falls back to built-in checks.

nuclei · nikto · sqlmap · nmap · testssl.sh · sslyze · jadx · apkleaks

Check what is detected with fya tools.

Reports

Format      Use it for
console     The default. A colored summary table in your terminal.
json        Machine-readable output for pipelines and dashboards.
sarif       Upload to GitHub code scanning and other SARIF consumers.
markdown    Drop into issues, wikis, or pull requests.
html        A self-contained, shareable page. See docs/sample-report.html.

Format is inferred from the -o file extension, or set it explicitly with --format. Use --fail-on {low,medium,high,critical} to return a non-zero exit code in CI.
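An added example, not fya's own models.py or report.py, of the last two adaptation steps and the CI gate described here: normalized findings are de-duplicated by check and URL, the --fail-on threshold becomes an exit code, and the survivors are emitted as a minimal SARIF 2.1.0 log. The Finding fields, check ids and the three sample findings are assumed and constructed for this example.

```python
import json
from collections import namedtuple

# severity order used both for de-duplication and for the --fail-on gate
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
SARIF_LEVEL = {"info": "note", "low": "note", "medium": "warning",
               "high": "error", "critical": "error"}
# assumed finding shape for this example (not fya's own models.py)
Finding = namedtuple("Finding", "check_id title severity url cwe owasp")

# constructed sample: the XSS is reported twice (built-in check and external tool)
SAMPLE = [
    Finding("web.xss.reflected", "Reflected XSS", "high",
            "http://127.0.0.1:5001/search", "CWE-79", "A03:2021"),
    Finding("web.xss.reflected", "Reflected XSS", "medium",
            "http://127.0.0.1:5001/search", "CWE-79", "A03:2021"),
    Finding("web.headers.csp", "Missing Content-Security-Policy", "low",
            "http://127.0.0.1:5001/", "CWE-693", "A05:2021"),
]


def dedupe(findings):
    """One finding per (check, url); on a conflict keep the more severe copy."""
    seen = {}
    for f in findings:
        key = (f.check_id, f.url)
        if key not in seen or SEVERITY_RANK[f.severity] > SEVERITY_RANK[seen[key].severity]:
            seen[key] = f
    return list(seen.values())


def exit_code(findings, fail_on):
    """1 when any finding is at or above the --fail-on threshold, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f.severity] >= threshold for f in findings) else 0


def to_sarif(findings, tool_name="fya", version="0.2.1"):
    """Minimal SARIF 2.1.0 log: each check becomes a rule tagged with its CWE/OWASP ids."""
    rules = {f.check_id: {"id": f.check_id, "name": f.title,
                          "properties": {"tags": [f.cwe, f.owasp]}} for f in findings}
    results = [{"ruleId": f.check_id, "level": SARIF_LEVEL[f.severity],
                "message": {"text": f"{f.title} at {f.url}"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": f.url}}}]} for f in findings]
    log = {"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
           "runs": [{"tool": {"driver": {"name": tool_name, "version": version,
                                         "rules": list(rules.values())}},
                     "results": results}]}
    return json.dumps(log, indent=2)
```

Keeping the more severe copy on a duplicate is a deliberate choice: a gate that silently kept the first copy could let an external tool's lower rating mask a built-in check's high one.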

Architecture

fya/
  models.py        finding, target, profile, scan-result data models
  detect.py        target-kind detection (web vs apk)
  fingerprint.py   web tech fingerprinting used to tune checks
  http.py          adaptive, self-throttling HTTP client
  registry.py      the Check base class and auto-discovery
  engine.py        orchestrator: fingerprint, plan, run in parallel, collect
  authorization.py the scope and consent gate
  tools.py         detection and safe subprocess handoff to external tools
  report.py        console / json / sarif / markdown / html reporters
  checks/          one file per area, auto-registered on import

Details in docs/architecture.md.

Contributing

Issues and PRs welcome. Adding a check is a single file dropped in fya/checks/, auto-discovered on import. Run pytest and ruff check . before submitting. See CONTRIBUTING.md for the walkthrough.

Acknowledgements

Built on the shoulders of OWASP (Top 10 and MASVS/MASTG), the tools it orchestrates (Nuclei, Nikto, sqlmap, Nmap, testssl.sh, androguard), and requests + rich.

License

MIT.

Project details

Download files

Source distribution: fya-0.2.1.tar.gz (424.3 kB)

  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12
  • Provenance: attestation bundle from publish.yml on ayam04/fya (values reflect the state when the release was signed and may no longer be current)

Hashes for fya-0.2.1.tar.gz
Algorithm     Hash digest
SHA256        06fceebb25b2cb77faa6bf710b4f8d5aaa543e7602636c02ac725ef5c4d5d635
MD5           e9ee71eb0290cc4ff105d12f848228a1
BLAKE2b-256   f9ba89e53b8232cee97adc65ae30c7b3b13b4a3b24c61d26dca2a67ca4d0812d

Built distribution: fya-0.2.1-py3-none-any.whl (48.3 kB)

  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12
  • Provenance: attestation bundle from publish.yml on ayam04/fya (values reflect the state when the release was signed and may no longer be current)

Hashes for fya-0.2.1-py3-none-any.whl
Algorithm     Hash digest
SHA256        781bd85990b8dc27a71a945fef6fb052b4b04db85a71ece222634eac3dd6a0c6
MD5           f39dd12b9da4cd71e55d8fc268ff0a9e
BLAKE2b-256   73a5ddacfcb971e09f000c586dd94b13be1074b0aa04467b76afd382afb3d573
