Inspiration
Manual security audits are time-consuming and often miss hidden endpoints, especially those guarded by authentication. We wanted to build a tool that acts like a "security researcher in a box"—one that can autonomously navigate complex web applications, handle real user sessions, and identify vulnerabilities that traditional static scanners miss.
What it does
Sparkworks is an autonomous web security tester. Users provide a target URL and credentials; the system then uses Playwright-driven agents to crawl the site, discover sub-pages, and map the entire attack surface. It integrates Google Gemini to analyze discovered endpoints for security flaws like unauthenticated API access or data exposure, finally delivering a professional PDF report.
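The authenticated crawl described above, sketched as an added example in Node.js/Playwright; this is illustrative code written for this page, not Sparkworks' own crawler. The link-planning helpers are pure and run without a browser; `crawlAuthenticated` loads Playwright lazily and assumes a conventional username/password form (the selectors, the logout path patterns and the `app.example` hostnames are assumptions). Two points a practitioner wants here: a crawler that follows "logout" links destroys its own session, and the XHR/fetch requests a page makes are often the hidden API endpoints a static scan never sees.

```javascript
'use strict';

// Link patterns that would tear down the authenticated session if followed.
// Assumption: conventional logout paths; extend per target.
const SESSION_KILLING = /\b(?:logout|log-out|signout|sign-out|deauth)\b/i;

// Resolve a raw href against the page it was found on; drop fragments and non-HTTP schemes.
function normalizeUrl(href, base) {
  let u;
  try { u = new URL(href, base); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  u.hash = '';
  return u.toString();
}

// Scope = same origin as the page the link came from (no third-party hosts).
function isInScope(url, origin) {
  return new URL(url).origin === origin;
}

function isSafeToFollow(url) {
  const u = new URL(url);
  return !SESSION_KILLING.test(u.pathname + u.search);
}

// Turn the raw hrefs found on pageUrl into new, in-scope, session-safe, unvisited URLs.
function planNextLinks(hrefs, pageUrl, visited) {
  const origin = new URL(pageUrl).origin;
  const next = [];
  for (const href of hrefs) {
    const u = normalizeUrl(href, pageUrl);
    if (!u || !isInScope(u, origin) || !isSafeToFollow(u) || visited.has(u)) continue;
    visited.add(u);
    next.push(u);
  }
  return next;
}

// Log in once, then crawl breadth-first inside one browser context (one cookie jar).
// Assumed form selectors; adjust for the target. Playwright is required lazily so the
// helpers above stay usable without a browser installed.
async function crawlAuthenticated({ startUrl, loginUrl, username, password, maxPages = 50 }) {
  const { chromium } = require('playwright');
  const browser = await chromium.launch();
  const context = await browser.newContext();
  const page = await context.newPage();
  const apiEndpoints = new Set();   // hidden XHR/fetch endpoints observed while crawling
  page.on('request', (req) => {
    if (req.resourceType() === 'xhr' || req.resourceType() === 'fetch') {
      apiEndpoints.add(`${req.method()} ${normalizeUrl(req.url(), startUrl)}`);
    }
  });
  try {
    await page.goto(loginUrl);
    await page.fill('input[name="username"]', username);
    await page.fill('input[name="password"]', password);
    await page.click('button[type="submit"]');
    await page.waitForLoadState('networkidle');
    if (page.url().startsWith(loginUrl)) throw new Error('login did not leave the login page');

    const visited = new Set([normalizeUrl(startUrl, startUrl)]);
    const queue = [...visited];
    const surface = [];
    while (queue.length && surface.length < maxPages) {
      const url = queue.shift();
      const resp = await page.goto(url, { waitUntil: 'domcontentloaded' });
      // Session-stability check: a bounce back to the login page means the session died.
      if (page.url().startsWith(loginUrl)) throw new Error(`session lost while fetching ${url}`);
      surface.push({ url, status: resp ? resp.status() : null, finalUrl: page.url() });
      const hrefs = await page.$$eval('a[href]', (as) => as.map((a) => a.getAttribute('href')));
      queue.push(...planNextLinks(hrefs, url, visited));
    }
    return { pages: surface, apiEndpoints: [...apiEndpoints] };
  } finally {
    await browser.close();
  }
}

module.exports = { normalizeUrl, isInScope, isSafeToFollow, planNextLinks, crawlAuthenticated };
```

Run it as `crawlAuthenticated({ startUrl, loginUrl, username, password })` against a target you are authorized to test; the returned `pages` and `apiEndpoints` are the raw material an analysis step (Gemini in Sparkworks' case) would consume. Note that the crawl deliberately uses one `BrowserContext` for the whole run rather than a fresh page per link, which is what keeps the session cookies stable across a deep crawl.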
How we built it
Frontend: Built with React and Vite, using Tailwind CSS for a premium "cyber-terminal" aesthetic and D3.js for interactive network graph visualizations.
Backend: A Node.js/Express server managing scan sessions and data persistence via Prisma and SQLite.
Core Logic: Playwright handles the heavy lifting of browser automation and discovery, while Google Gemini provides the intelligent reasoning layer for vulnerability analysis.
Challenges we ran into
One major hurdle was maintaining session stability during deep, asynchronous crawls. We also faced technical challenges with PDF binary stream handling, where small errors in buffer collection would lead to "damaged" files; we solved this by refactoring our generator to use robust streaming promises.
Accomplishments that we're proud of
We successfully bridged the gap between raw automation and intelligent analysis. Creating a system that not only finds URLs but actually understands the security context of a page using AI is a significant milestone. The real-time D3 visualization of the attack surface is also a visual and functional highlight.
What we learned
We gained deep insights into the nuances of Node.js stream management and the complexities of authenticated web crawling. Most importantly, we learned how to effectively prompt-engineer LLMs to perform specialized security analysis on raw HTTP data.
What's next for Sparkworks
The next phase involves adding automated remediation suggestions directly into the code and supporting more complex authentication flows like OAuth and MFA. We also plan to implement "Passive Mode" for continuous monitoring of live production environments.
Built With
- javascript
- nest
- react
- tailwind