Inspiration

I worked with a startup creating AI Agents for penetration testing, and creating a generalized agent proved difficult when the agent needs to use a browser to render JavaScript in order to fetch the correct authentication for interacting with protected endpoints. Some security vulnerabilities are also only available through browser-based interaction.

What it does

The AutoPentest Agent is an AI Agent that uses tools to do penetration testing of web services. It has tools for sending HTTP requests, reporting findings, managing its context and, last but not least, Yutori for interacting through the browser. Automated AI agents that use a browser as a tool are not uncommon, but a generalized automated AI agent is. That is, a pentester agent that can work on totally different websites without any hardcoding or target-specific instructions.

For the demo, it is tested on the classic OWASP Juice Shop, which is a website containing security vulnerabilities for hacking challenge purposes.

How I built it

Using Go, AWS Bedrock and the Yutori API. I created the logic and structure myself and used Claude Code and other AI tools to build on top of that (it is a 5-hour hackathon after all).

Challenges I ran into

The Yutori API cannot access endpoints locally hosted on my computer. I solved this by automatically replacing the target URL with an ngrok URL which is created dynamically when Yutori is called. This way, the logic is fully abstracted away from the agent, and the interaction is kept as minimal and light as possible for the agent.
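A sketch of the URL substitution described above, as an added example that is not the project's own code. The `Rewriter` type, its methods and the tunnel hostname are hypothetical, the tunnel URL is assumed to be handed in by whatever starts the tunnel, and no Yutori or ngrok call is shown. It also rejects any URL outside the single in-scope local target, so the browser tool cannot be pointed elsewhere.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Rewriter maps one in-scope local origin to a public tunnel origin and back.
// Hypothetical helper: the tunnel URL is supplied by whatever starts the tunnel.
type Rewriter struct{ local, tunnel *url.URL }

func NewRewriter(local, tunnel string) (*Rewriter, error) {
	l, err := url.Parse(local)
	if err != nil || l.Host == "" {
		return nil, fmt.Errorf("bad local origin %q", local)
	}
	t, err := url.Parse(tunnel)
	if err != nil || t.Scheme != "https" || t.Host == "" {
		return nil, fmt.Errorf("tunnel origin must be https: %q", tunnel)
	}
	return &Rewriter{local: l, tunnel: t}, nil
}

// ToTunnel rewrites a URL the agent produced. Anything that is not on the
// in-scope local origin is rejected instead of being passed to the browser tool.
func (r *Rewriter) ToTunnel(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != r.local.Scheme || !strings.EqualFold(u.Host, r.local.Host) {
		return "", fmt.Errorf("out of scope: %s", raw)
	}
	u.Scheme, u.Host = r.tunnel.Scheme, r.tunnel.Host
	return u.String(), nil
}

// FromTunnel maps tunnel origins in tool output back, so the agent only sees the local target.
func (r *Rewriter) FromTunnel(text string) string {
	return strings.ReplaceAll(text, r.tunnel.Scheme+"://"+r.tunnel.Host, r.local.Scheme+"://"+r.local.Host)
}

func main() {
	rw, _ := NewRewriter("http://localhost:3000", "https://example-tunnel.invalid") // constructed values
	out, err := rw.ToTunnel("http://localhost:3000/#/login")
	fmt.Println(out, err)
	fmt.Println(rw.FromTunnel("Opened https://example-tunnel.invalid/#/login"))
}
```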

Accomplishments that I am proud of

I am proud that I was able to deliver a working AI Agent on time, successfully utilizing Yutori, which I have never used before. This project shows and verifies that Yutori can be used for generalized penetration testing purposes.

What I learned

I learned the Yutori API, while also extending my experience of creating AI Agents.

What's next for AutoPentest Agent

As this project directly addresses a pain point experienced by a startup I worked with earlier, the findings will be shared with them. For further work with the Yutori implementation specifically, I would like to make the browser interaction asynchronous, and let the agent test, for example, SQL injections or even other Yutori calls simultaneously, as waiting on Yutori calls can be time-consuming.
