Open Source · Apache 2.0

Authentication recon+ for credentialed security testing

Point it at a login page. It figures out the auth flow, authenticates, captures the session, and exports to Burp, ZAP, Postman, Selenium, and more. Organizes and securely stores every artifact, credential, and session. Self-hosted. Runs in Docker.


Features

What it does

A full security testing platform centered on authentication reconnaissance and session capture.

🔍

Auto-Detect Auth Flows

Give it a URL and credentials. It identifies form-based login, HTTP Basic, OAuth/SSO, LDAP, SAML/ADFS, Azure AD, Okta, and multi-step flows automatically.

🍪

Cookie & Session Analysis

Extracts and analyzes cookies — flags missing security attributes, checks entropy, decodes JWTs and Flask sessions, classifies session vs. persistent tokens.
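As an added illustration of the checks this feature lists (example code, not AuthRecon's implementation), a small analyzer run over constructed Set-Cookie headers: it flags missing Secure, HttpOnly and SameSite attributes, measures the entropy of the value, decodes a JWT's header and payload without verifying the signature, and classifies each cookie as session or persistent. The 64-bit entropy threshold and the sample cookies are assumptions made for the example.

```python
import base64
import json
import math
from collections import Counter

# Assumption for this example: a non-JWT token below 64 bits of total entropy is flagged as weak.
MIN_TOKEN_BITS = 64


def shannon_entropy_bits(value: str) -> float:
    """Total Shannon entropy of a string: bits per character times its length."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values()) * n if n else 0.0


def decode_jwt(value: str):
    """Return (header, payload) if value parses as a JWT, else None. Signature is not verified."""
    parts = value.split(".")
    if len(parts) != 3:
        return None
    try:
        header, payload = (json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
                           for p in parts[:2])
    except ValueError:  # bad base64, non-UTF-8 bytes or non-JSON content
        return None
    return (header, payload) if isinstance(header, dict) and isinstance(payload, dict) else None


def analyze_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header and run the attribute, entropy and JWT checks on it."""
    name_value, *attr_parts = (p.strip() for p in header_value.split(";"))
    name, _, value = name_value.partition("=")
    attrs = {k.strip().lower(): v.strip() or True for k, _, v in (a.partition("=") for a in attr_parts)}
    findings = [f"missing {flag}" for flag in ("Secure", "HttpOnly", "SameSite") if flag.lower() not in attrs]
    bits, jwt = shannon_entropy_bits(value), decode_jwt(value)
    if jwt is None and bits < MIN_TOKEN_BITS:  # a JWT is structured data, so raw entropy says little
        findings.append(f"low entropy ({bits:.0f} bits)")
    return {"name": name.strip(), "entropy_bits": round(bits, 1), "jwt": jwt,
            "persistent": "expires" in attrs or "max-age" in attrs, "findings": findings}


def _b64url_json(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample Set-Cookie headers, like those a captured login response would carry.
SAMPLE_JWT = ".".join([_b64url_json({"alg": "HS256", "typ": "JWT"}),
                       _b64url_json({"sub": "pentest", "role": "admin"}), "sig"])
SAMPLE_SET_COOKIES = [
    "sid=abc123; Path=/",  # weak value, no security attributes, session cookie
    f"token={SAMPLE_JWT}; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember=x7F9qLm2Zp4Rt8Wn1Vb6Yc3Hd5Kj0Ns; Secure; Max-Age=2592000",  # persistent
]
```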

🛡

Security Header Audit

Checks HSTS, CSP, X-Frame-Options, CORS, Referrer-Policy, and Permissions-Policy. Produces a scored summary with specific recommendations.

🔑

JavaScript Secrets Scanner

Scans JS files from captured traffic for hardcoded API keys, AWS credentials, database strings, tokens, and internal URLs. 24 pattern types with entropy-based filtering.

👥

Multi-Role Testing

Test multiple credential sets in a single run — admin, read-only, service accounts. Each role gets its own screenshots, exports, and artifacts.

🎬

Manual VNC Recording

For flows automation can't handle — CAPTCHAs, hardware tokens, custom widgets. Authenticate manually in a live browser streamed via noVNC. AuthRecon captures the session.

📸

Step-by-Step Screenshots

Captures screenshots throughout every auth flow. Browse them in a grid with lightbox navigation. Every step documented.

📊

HTTP Flow Visualizer

Interactive viewer showing every request and response — headers, cookies, response bodies. Plus a narrative summary of the entire authentication flow.

🧬

Tech Fingerprinting

Identifies frontend frameworks, CMS platforms, server technologies, and auth-related cookies from response headers and HTML content.

🤖

AI Security Assistant (Optional)

SecBot — a chatbot for querying security data with natural language. Pluggable LLM backend: local Ollama, OpenAI-compatible, or mock mode. No AI is required to use any feature in this suite. SecBot is a standalone add-on you can ignore entirely.

🛠

Web Scanner

Nuclei-powered vulnerability scanner that can inherit AuthRecon sessions for authenticated scanning. Plus a browser-based scanner for SQLi, XSS, CORS, and header checks. Experimental.

🧪

LoginLab Training Targets

Seven built-in auth scenarios running inside the Docker stack — form login, HTTP Basic, OAuth redirects, LDAP, multi-step, API auth. No external targets needed.


Exports

Works with your existing tools

Every successful auth run generates export artifacts ready to import into the tools you already use.

Selenium IDE (.side)
HAR Files
Burp Suite (HTTP + JSON)
curl Scripts
Postman Collections (v2.1)
OWASP ZAP (Context + Zest)

CLI & REST API

Built for automation

Submit runs, poll results, and manage API keys from the terminal. The CLI uses API keys for authentication and the REST API supports full JWT-based access. Pipe runs into CI/CD, script bulk testing, or integrate with your existing toolchain.

Python CLI (Click + Rich) · REST API (FastAPI) · API Key Auth (bcrypt-hashed) · JWT Service Tokens

authrecon-cli — runs list

$ authrecon runs list
AuthRecon Runs
╭──────────┬───────────────────────┬───────────╮
│ ID       │ Target                │ Status    │
├──────────┼───────────────────────┼───────────┤
│ RUN-4536 │ app.example.com       │ succeeded │
│ RUN-A290 │ portal.corp.io        │ succeeded │
│ RUN-E7FA │ staging.internal      │ succeeded │
│ RUN-8335 │ admin.example.com     │ succeeded │
│ RUN-EE78 │ dev.internal:8443     │ failed    │
╰──────────┴───────────────────────┴───────────╯

authrecon-cli — create run

$ authrecon runs create \
    --target https://app.example.com/login \
    --username pentest@client.com \
    --password
Password: ********
Run created: RUN-4536
Status: queued
View details: authrecon runs show RUN-4536B096

$ authrecon runs show RUN-4536B096
Run RUN-4536
  Target: https://app.example.com/login
  Status: succeeded
  Auth: form_based
  Final: https://app.example.com/dashboard
  Pattern: Welcome back, pentest!

REST API — curl

# Authenticate and list runs via REST API
$ curl -s http://localhost:8000/api/v1/runs \
    -H "X-API-Key: ak_live_*****" | jq '.[0]'
{
  "id": "RUN-4536B096",
  "status": "succeeded",
  "target_url": "https://app.example.com/login",
  "auth_type": "form_based",
  "final_url": "https://app.example.com/dashboard",
  "duration_seconds": 8,
  "tech_fingerprint": {
    "server": "nginx",
    "js_frameworks": ["React", "jQuery"],
    "security_headers": ["HSTS", "CSP", "X-Frame-Options"]
  }
}

REST API — submit & artifacts

# Submit a run via API
$ curl -X POST http://localhost:8000/api/v1/runs \
    -H "X-API-Key: ak_live_*****" \
    -H "Content-Type: application/json" \
    -d '{"target_url":"https://app.example.com/login", "username":"pentest@client.com", "password":"********"}' | jq
{
  "id": "RUN-B7E2F1A3",
  "status": "queued"
}

# List artifacts after run completes
$ curl -s .../runs/RUN-B7E2F1A3/artifacts \
    -H "X-API-Key: ak_live_*****" | jq '.[].filename'
"login.side"
"network.har"
"burp_request.txt"
"auth_request.sh"
"postman_collection.json"
"zap_context.json"
"pre_login.png"
"post_login.png"
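The same submit, poll and collect workflow as the curl calls above, written as a small Python client for CI/CD use (added example, not the project's CLI or API code). The per-run status endpoint /api/v1/runs/{id} and the FakeAuthReconAPI stand-in are assumptions made for the example so that it runs offline; the POST body, the X-API-Key header and the artifacts path follow the calls shown on this page.

```python
import json
import time
import urllib.request

TERMINAL_STATUSES = {"succeeded", "failed"}  # run states shown in the CLI output above

class AuthReconClient:
    """Submit a run, poll it to completion and list its artifacts over the REST API."""
    def __init__(self, base_url, api_key, transport=None, sleep=time.sleep):
        self.base_url, self.api_key, self._sleep = base_url.rstrip("/"), api_key, sleep
        self._call = transport or self._http  # transport(method, path, body) -> parsed JSON

    def _http(self, method, path, body):
        # Real transport: JSON over urllib with the X-API-Key header used by the curl calls above.
        req = urllib.request.Request(self.base_url + path, method=method,
                                     data=None if body is None else json.dumps(body).encode(),
                                     headers={"X-API-Key": self.api_key, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def submit_run(self, target_url, username, password):
        return self._call("POST", "/api/v1/runs",
                          {"target_url": target_url, "username": username, "password": password})

    def wait_for_run(self, run_id, max_polls=120, interval=5):
        """Poll GET /api/v1/runs/{id} (assumed endpoint) until a terminal status; bounded so CI cannot hang."""
        for _ in range(max_polls):
            run = self._call("GET", f"/api/v1/runs/{run_id}", None)
            if run["status"] in TERMINAL_STATUSES:
                return run
            self._sleep(interval)
        raise TimeoutError(f"{run_id} not finished after {max_polls} polls")

    def artifact_names(self, run_id):
        return [a["filename"] for a in self._call("GET", f"/api/v1/runs/{run_id}/artifacts", None)]

class FakeAuthReconAPI:
    """Constructed offline stand-in for the server: 'queued' for two polls, then 'succeeded'."""
    polls = 0

    def __call__(self, method, path, body):
        if (method, path) == ("POST", "/api/v1/runs"):
            return {"id": "RUN-B7E2F1A3", "status": "queued"}
        if path == "/api/v1/runs/RUN-B7E2F1A3":
            self.polls += 1
            return {"id": "RUN-B7E2F1A3", "status": "queued" if self.polls < 3 else "succeeded"}
        if path == "/api/v1/runs/RUN-B7E2F1A3/artifacts":
            return [{"filename": "network.har"}, {"filename": "burp_request.txt"}]
        raise ValueError(f"unexpected request {method} {path}")
```

Pass a real base URL and API key without a transport to talk to a running AuthRecon instance; the fake is only there so the flow can be exercised without one.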

Demo & Architecture

See it in action

Watch a run, explore the architecture. More demos coming soon.

AuthRecon detecting and capturing an authentication flow

System Architecture

graph TB
  subgraph "Frontend"
    UI["React UI — Port 5173"]
  end
  subgraph "API Gateway"
    Portal["Security Portal — Port 9000"]
  end
  subgraph "Services"
    AuthRecon["AuthRecon API — Port 8000"]
    Scanner["Web Scanner — Port 9400"]
    SecBot["SecBot AI — Port 8001"]
    LoginLab["LoginLab — Port 5500"]
  end
  subgraph "Worker Layer"
    RQ["Redis Queue"]
    Worker["AuthRecon Worker\nSelenium + Playwright"]
  end
  subgraph "Storage"
    PG[("PostgreSQL")]
    Redis[("Redis")]
    FS["Artifact Storage"]
  end
  UI --> Portal
  Portal --> AuthRecon
  Portal --> Scanner
  Portal --> SecBot
  Portal --> LoginLab
  AuthRecon --> RQ
  RQ --> Worker
  Worker --> PG
  Worker --> FS
  Portal --> PG
  AuthRecon --> PG
  AuthRecon --> Redis

Worker Execution Flow

flowchart TD
  Start["Run Queued"] --> Detect["detect_auth_type"]
  Detect --> Decision{"Auth Type?"}
  Decision -->|form_based| FormPath["Form Login"]
  Decision -->|oauth| OAuthPath["OAuth / SSO"]
  Decision -->|saml| SAMLPath["SAML / ADFS"]
  Decision -->|okta| OktaPath["Okta"]
  Decision -->|ldap| LDAPPath["LDAP"]
  Decision -->|azure_ad| AzurePath["Azure AD"]
  Decision -->|basic_auth| BasicPath["HTTP Basic"]
  Decision -->|manual| ManualPath["VNC Recording"]
  FormPath --> Engine{"Engine"}
  Engine -->|Playwright| PW["Playwright + HAR"]
  Engine -->|Selenium| SE["Selenium"]
  PW --> Capture["Capture Session\nScreenshots + Cookies\nHeaders + HAR"]
  SE --> Capture
  OAuthPath --> Capture
  SAMLPath --> Capture
  OktaPath --> Capture
  LDAPPath --> Capture
  AzurePath --> Capture
  BasicPath --> Capture
  ManualPath --> Capture
  Capture --> Exports["Generate Exports\nBurp / ZAP / Postman\ncurl / Selenium .side"]
  Exports --> Done["Run Complete"]

Built With

Technology stack

Self-hosted, no cloud dependencies. Works offline after initial build.

React 18 · Vite · Tailwind CSS · FastAPI · Python 3.11 · PostgreSQL 15 · Redis · Selenium · Playwright · Docker Compose · Nuclei · noVNC

Contact

Get in touch

Questions, feedback, or just want to say hi.