Vulnerability Scanning

YuraScanner: An Autonomous Web Application Scanner

Web applications are evolving at an unprecedented pace, introducing new features that often come with new vulnerabilities. Relying solely on developers to identify these issues is no longer sustainable, highlighting the urgent need for automated tools to support the security process. Web application scanning is arguably the flagship testing technique capable of taking on this responsibility, yet significant challenges remain to achieve full automation. In this talk, we briefly review the current state of web application scanning and outline its key challenges and limitations. We then introduce YuraScanner, one of the first autonomous, task-driven web scanners. YuraScanner approaches attack surface discovery as a goal-oriented agent: it dynamically generates testing objectives and executes actions to navigate complex web application workflows with no human intervention. Unlike traditional scanners, it leverages large language models (LLMs) to interpret and reason about the application’s state and behavior, enabling broad adaptability across diverse web applications. Our evaluation across 20 popular web applications demonstrates that YuraScanner uncovers deeper attack surfaces and identifies more cross-site scripting (XSS) vulnerabilities than conventional tools.
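To make the contrast between link-following crawling and task-driven exploration concrete, the following is an added example (not YuraScanner's code, and not from the talk). It simulates a small login-gated web application in memory, runs a conventional breadth-first crawler against it, and then runs a task-driven agent that pursues the objective "create a note". The agent's planner is a hand-written rule table standing in for the LLM that YuraScanner uses to reason about page state; the application, the credentials `alice`/`s3cret`, the page layout and the reflected-canary XSS check are all constructed for this example.

```python
"""Link-following crawler vs. task-driven agent over a constructed mini web app."""
from dataclasses import dataclass
from typing import Optional

# Canary that must not survive verbatim in an HTML response; if it does, the
# input reached an unescaped output sink (a reflected/stored XSS candidate).
CANARY = '"><yscan>'


@dataclass
class Page:
    path: str
    body: str
    links: list
    form: Optional[dict]  # {"action": path, "fields": [names]} or None


class MiniApp:
    """Constructed in-memory web app: a login gates a note-creation workflow."""

    def __init__(self):
        self.logged_in = False
        self.notes = []

    def get(self, path):
        if path == "/":
            return Page("/", "welcome", ["/login"], None)
        if path == "/login":
            return Page("/login", "login form", [], {"action": "/login", "fields": ["username", "password"]})
        if not self.logged_in:
            return Page(path, "403 forbidden", [], None)
        if path == "/dashboard":
            return Page("/dashboard", "dashboard", ["/notes/new"], None)
        if path == "/notes/new":
            return Page("/notes/new", "new note", [], {"action": "/notes/new", "fields": ["title"]})
        if path.startswith("/notes/"):
            title = self.notes[int(path.rsplit("/", 1)[1])]
            # Deliberately vulnerable: the stored title is interpolated into HTML unescaped.
            return Page(path, f"<h1>{title}</h1>", ["/dashboard"], None)
        return Page(path, "404", [], None)

    def post(self, action, data):
        if action == "/login":
            if data.get("username") == "alice" and data.get("password") == "s3cret":
                self.logged_in = True
                return self.get("/dashboard")
            return Page("/login", "bad credentials", [], {"action": "/login", "fields": ["username", "password"]})
        if action == "/notes/new" and self.logged_in:
            self.notes.append(data.get("title", ""))
            return self.get(f"/notes/{len(self.notes) - 1}")
        return Page(action, "404", [], None)


def link_crawler(app, start="/"):
    """Traditional crawler: breadth-first over links, every form submitted with the canary."""
    seen, queue, findings = set(), [start], []
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        page = app.get(path)
        if page.form:
            resp = app.post(page.form["action"], {f: CANARY for f in page.form["fields"]})
            if CANARY in resp.body:
                findings.append(resp.path)
            queue.append(resp.path)
        queue.extend(l for l in page.links if l not in seen)
    return seen, findings


def rule_planner(task, page, creds, visited):
    """Stand-in for the LLM planner (assumption of this example): map the task and
    the observed page to the next action, either ("submit", data) or ("follow", path)."""
    if page.form and page.form["action"] == "/login":
        return ("submit", {"username": creds[0], "password": creds[1]})
    if page.form:  # any other form is part of the workflow: probe its fields
        return ("submit", {f: CANARY for f in page.form["fields"]})
    keyword = task.split()[-1]  # "create a note" -> prefer links mentioning "note"
    unvisited = [l for l in page.links if l not in visited]
    preferred = [l for l in unvisited if keyword in l]
    nxt = (preferred or unvisited or [None])[0]
    return ("follow", nxt) if nxt else None


def task_agent(app, task, creds, max_steps=10):
    """Task-driven agent: observe the page, ask the planner for an action, execute it."""
    visited, findings = [], []
    page = app.get("/")
    for _ in range(max_steps):
        visited.append(page.path)
        action = rule_planner(task, page, creds, visited)
        if action is None:
            break
        kind, arg = action
        if kind == "submit":
            page = app.post(page.form["action"], arg)
            if CANARY in page.body:
                findings.append(page.path)
        else:
            page = app.get(arg)
    return visited, findings


if __name__ == "__main__":
    print("crawler:", link_crawler(MiniApp()))
    print("agent:  ", task_agent(MiniApp(), "create a note", ("alice", "s3cret")))
```

The crawler fills the login form with its generic payload, fails to authenticate, and never sees anything behind `/login`; the agent recognises the login step as part of reaching its goal, completes the workflow, and only then probes the note form, where the canary is reflected unescaped on `/notes/0`. Swapping `rule_planner` for a model-backed planner is the part this example does not show, but the observe-plan-act loop around it is the same shape.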