In our previous blog post, we explored the core concepts of S4E Create with AI along with some basic usage examples.For more details, you can visit.
1-)What is S4E Create with Ai ?
Our AI-powered solution enables you to develop scans tailored to your specific needs and safely test them directly on your digital assets, allowing you to continuously improve your systems and enhance your readiness against potential threats.
You don’t need deep cybersecurity expertise to create effective scans tailored to your specific needs. Simply communicate your requirement clearly to our tool, and our platform will automatically generate the appropriate security scan. Once you create and approve the scan, our experienced cybersecurity team will promptly review it and make it available for your use.
2-)Scan Samples Designed Around Your Unique Needs with S4E Create with AI
2.1-) Swagger Endpoint Unauthorized Access Check
In modern applications, Swagger/OpenAPI documentation makes it easy to discover API endpoints. However, leaving this documentation publicly accessible and allowing sensitive endpoints to be reached without authentication poses a serious security risk.
Scenario: The Swagger documentation is publicly accessible over the internet. This means that anyone with external access can view all API endpoints. Therefore, it is critically important to identify which API endpoints can be accessed without authorization.
This risk can be tested using S4E Create with AI. With a simple command, all endpoints can be retrieved from swagger.json and each one can be tested accordingly.
Prompt:
Retrieve all endpoints from /swagger/v1/swagger.json. Send a request to each endpoint without authentication. If any endpoint responds with status code 200, generate an alarm. If none are accessible, do not generate an alarm (score 0).
Code:
from s4e.config import *
from s4e.task import Task
from s4e.utils.commons import http_or_https
class Job(Task):
def run(self):
self.output['detail'] = []
self.output['compact'] = []
self.output['video'] = []
self.headers = {}
unauthenticated_access = False
# Prepare the asset with HTTP/HTTPS
asset = http_or_https(asset=self.asset, _headers=self.headers, session=self.session)
try:
# Get endpoint list from swagger.json
swagger_json_url = f"{asset}/swagger/v1/swagger.json"
self.output['video'].append(f"Fetching {swagger_json_url} ...")
response = self.session.get(swagger_json_url, headers=self.headers)
if response.status_code == 200:
swagger_data = response.json()
paths = swagger_data.get('paths', {})
for endpoint in paths:
endpoint_url = f"{asset}{endpoint}"
self.output['video'].append(f"Checking unauthenticated access for {endpoint_url} ...")
endpoint_response = self.session.get(endpoint_url, headers=self.headers)
if endpoint_response.status_code == 200:
unauthenticated_access = True
self.output['detail'].append(f"Unauthenticated access allowed for: {endpoint_url}")
self.output['compact'].append(f"Unauthenticated endpoint: {endpoint}")
else:
self.output['video'].append("Error fetching /swagger/v1/swagger.json")
except Exception as e:
self.output['video'].append(f"Error occurred: {str(e)}")
# If no unauthenticated endpoints were found, clear the output
if not unauthenticated_access:
self.output['detail'] = []
self.output['compact'] = []
def calculate_score(self):
if self.output['detail']:
self.score = self.param['max_score'] * 0.8 # high score if unsupported access found
else:
self.score = 0 # no score if everything is secureEvaluation:
This scan checks whether the endpoints obtained from your application’s Swagger documentation are accessible without authorization. If any unauthorized access is detected, it generates a high score. This approach helps you identify potential misconfigurations that may otherwise remain unnoticed, and ensures that both API security and access control mechanisms are reviewed on a regular basis.
2.2-) Payment Id IDOR Check
In web applications, IDOR (Insecure Direct Object Reference) vulnerabilities occur when users, instead of being limited to accessing only their own data, are able to manipulate object values to gain access to other users’ information. This poses a critical security risk, particularly in payment systems.
Scenario: When a user accesses https://example.com/invoices?invoiceID=123, they can view information related to their own invoice. It is important to test for an IDOR vulnerability that could allow access to other users’ invoice data as well.
You can easily test this risk using S4E Create with AI. With a simple command, different ID values can be automatically attempted, and if unauthorized access is possible, it will be reported instantly. This way, you can quickly verify whether payment information is accessible only to the intended user.
Prompt:
When a user accesses https://example.com/invoices?invoiceID=123, they can view their own invoice information. Modify the value of the invoiceID parameter in the URL to send different requests and test the access control. If payment information belonging to other users can be accessed without authorization, generate an alarm. If access is denied, do not generate an alarm (score 0).
Code:
from s4e.config import *
from s4e.task import Task
from s4e.utils.commons import http_or_https
class Job(Task):
def run(self):
asset = http_or_https(asset=self.asset, _headers=self.headers, session=self.session)
self.output['compact'] = []
self.output['detail'] = []
self.output['video'] = []
initial_url = f"{asset}/invoices?invoiceID=123"
unauthorized_access = False
for id in range(100, 110): # Modify range as needed
url = f"{asset}/invoices?invoiceID={id}"
response = self.session.get(url, headers=self.headers)
if response.status_code == 200:
self.output['compact'].append(f"Unauthorized access possible to /invoices?invoiceID={id}")
self.output['detail'].append(f"Accessed: {url} with status 200")
unauthorized_access = True
elif response.status_code == 403:
self.output['detail'].append(f"Access denied to /Odemeler/{id} with status 403")
else:
self.output['detail'].append(f"Unexpected status {response.status_code} for /invoices?invoiceID={id}")
self.output['video'].append(f"Request to {url} resulted in status {response.status_code}")
if unauthorized_access:
break
def calculate_score(self):
if unauthorized_access==True:
self.score = self.param['max_score']
else:
self.score = 02.3-) Rate Limit Check
If a website does not implement rate limiting, numerous issues can arise. Malicious actors could send unlimited requests, consuming system resources and potentially slowing down or even crashing the service. In addition, bots or automated scripts can flood the system with heavy traffic, increasing server costs and negatively impacting the user experience for legitimate customers.
The absence of rate limiting also opens the door to brute-force attacks, where attackers can attempt unlimited password guesses and compromise account security. Furthermore, allowing uncontrolled use of APIs or services not only puts data security at risk but also significantly increases the likelihood of abuse. In short, the lack of rate limiting poses major risks in terms of performance, security, and cost.
Scenario: You can observe how your system responds when users repeatedly perform the same action in a way that could strain the system or create excessive load.
With S4E Create with AI, you can create scans tailored to your specific needs and test your assets accordingly. To demonstrate this clearly, let’s create a rate limit check scan using a prompt that incorporates specific arguments.
Prompt:
Send a total of 50 POST requests within 10 seconds to https://example.com/changePassword using the data userid=123 and password=Pass1w2e431. The requests should be sent one by one and stopped once the time limit is reached. No separate timeout should be applied to individual requests. If all requests return status code 200, generate an alarm; otherwise, keep the score at 0. Use a reasonable User-Agent header in the requests and include an Accept header that only allows HTML content.
Code:
from s4e.config import *
from s4e.task import Task
import requests
import time
class Job(Task):
def run(self):
asset = self.asset
url = f"{asset}/changePassword"
payload = {'userid': '123', 'password': 'Pass1w2e431'}
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3',
'Accept': 'text/html'
}
start_time = time.time()
success_count = 0
for _ in range(50):
if time.time() - start_time > 10:
self.output['video'].append("Time limit reached, stopping requests.")
break
response = requests.post(url, data=payload, headers=headers)
if response.status_code == 200:
success_count += 1
self.output['video'].append(f"POST request sent to {url}, status code: {response.status_code}")
if success_count == 50:
self.output['video'].append("Alarm triggered: All requests returned 200.")
self.output['detail'].append("All 50 requests returned HTTP 200 status.")
else:
self.output['video'].append("Not all requests returned 200.")
self.output['detail'].append(f"Requests returning 200: {success_count}/50")
self.output['compact'].append("Bulk POST request test completed.")
def calculate_score(self):
if "Alarm triggered" in self.output['video'][-1]:
self.score = self.param['max_score']
else:
self.score = 0Evaluation:
In this sample scan, a large number of requests are sent to the same asset within a specified timeframe to verify the presence of a rate limiting mechanism. If all requests succeed without restriction, it may indicate that the system lacks rate limit controls. Such a deficiency poses significant risks in terms of both performance and security. However, you can diversify the tests by adding parameters tailored to your needs in different scenarios. For example, by adjusting the number of requests, the duration, or the headers used, you can design scans specific to your environment and continuously evaluate the resilience of your system.
2.4-) Malicious File Upload Check
In modern web applications, file upload functionalities (e.g., profile pictures, document uploads) are frequently used. However, a misconfigured upload point can open the door to critical risks such as remote code execution (RCE), web shells, XSS, or the hosting of malicious binary files. Therefore, it is essential to verify that only permitted file types are accepted and that the server processes the files securely.
Scenario: The https://example.com/upload endpoint should be configured to accept only files with the .jpg extension. Therefore, by attempting to upload files such as .php, .exe, and other potentially malicious file types, you can test whether the system enforces the restriction to only permitted file types.
You can test this risk using S4E Create with AI. With a simple command, files with extensions such as .php, .exe, and other risky types can be uploaded. If the upload is unexpectedly accepted and the response does not contain indicators such as “wrong format” or “forbidden”, a finding can be generated.
Prompt:
The endpoint at https://example.com/upload is intended to allow only files with the .jpg extension. Attempt to upload several files with extensions such as .php, .exe, and other potentially malicious types. If the server responds with 200 OK and the response does not include the phrases “wrong format” or “forbidden”, generate an alarm. Otherwise, do not generate an alarm and keep the score at 0.
Code:
from s4e.config import *
from s4e.task import Task
from s4e.utils.commons import http_or_https
class Job(Task):
def run(self):
asset = http_or_https(asset=self.asset, _headers=self.headers, session=self.session)
upload_url = f"{asset}/upload"
malicious_files = {
'script.php': ('script.php', b'<?php echo "test"; ?>', 'application/x-httpd-php'),
'malware.exe': ('malware.exe', b'MZ\x90\x00\x03\x00\x00\x00', 'application/x-msdownload'),
'dangerous.bat': ('dangerous.bat', b'@echo off\necho Hello World', 'application/x-bat')
}
uploaded_files = []
for file_name, file_content in malicious_files.items():
response = self.session.post(upload_url, files={'file': file_content})
if response.status_code == 200 and ("wrong format" not in response.text.lower() and "forbidden" not in response.text.lower()):
uploaded_files.append(file_name)
self.output['compact'] = [f"Files accepted: {', '.join(uploaded_files)}"]
self.output['detail'] = [
f"Attempted file uploads: {', '.join(malicious_files.keys())}",
f"Accepted uploads: {', '.join(uploaded_files)}"
]
self.output['video'] = [
f"Uploading {filename} to {upload_url}..." for filename in malicious_files.keys()
]
if uploaded_files:
self.output['video'].append(f"Warning! Malicious files accepted without proper error: {', '.join(uploaded_files)}")
def calculate_score(self):
if self.output['compact'][0] == 'Files accepted: ':
self.score = self.param['max_score'] # critical risk if any malicious file is uploaded without proper error
else:
self.score = 0 # no risk if proper errors returned for all uploadsEvaluation:
This scan checks whether an upload point, which is expected to accept only .jpg files, also allows risky extensions such as .php, .exe, or .bat. If any of these files can be successfully uploaded, it means the validation is insufficient and a critical security vulnerability exists. If all attempts are rejected, or even if they are technically accepted but the response clearly indicates that the action was blocked, then the application’s basic file acceptance policies are working correctly.
2.5-) 403 Bypass Check
In web applications, critical areas are typically protected by 403 (Forbidden) responses or authentication mechanisms. However, in some cases, this protection can be unexpectedly bypassed due to path normalization, case sensitivity issues, URL encoding tricks, or proxy/WAF behavior.
For example, requests made with variations such as /SecreT or /SeCReT, or with small modifications, may be interpreted differently at various layers of the server, inadvertently making the resource accessible. This can allow attackers to gain unauthorized access to sensitive areas and perform critical actions.
Scenario: To ensure that a critical endpoint is truly protected, you should test whether access restrictions can be bypassed using various evasion techniques.
You can quickly and effectively test this risk using S4E Create with AI. With this tool, you can create tests that try various case-sensitive variations of the /secret endpoint and uncover unexpected access vulnerabilities.
Prompt:
When accessing https://example.com/secret, the server responds with HTTP status code 403. Write a scan to verify whether this configuration is correct by testing basic 403 bypass techniques. While scanning, try several case-sensitive variations of the word secret. If any of the requests return status code 200 and the response does not contain the word forbidden, generate an alarm. Otherwise, do not generate an alarm (score 0).
from s4e.config import *
from s4e.task import Task
from s4e.utils.commons import http_or_https
class Job(Task):
def run(self):
self.output['detail'] = []
self.output['compact'] = []
self.output['video'] = []
asset = http_or_https(asset=self.asset, _headers=self.headers, session=self.session)
variations = ['/secret', '/Secret', '/SECRET', '/sEcReT']
alarm_triggered = False
for variation in variations:
endpoint = f"{asset}{variation}"
self.output['video'].append(f"Attempting access to {endpoint}")
try:
response = self.session.get(endpoint, headers=self.headers)
if response.status_code == 200 and 'forbidden' not in response.text.lower():
self.output['detail'].append(f"200 OK for {endpoint}")
alarm_triggered = True
else:
self.output['video'].append(f"Received status {response.status_code} for {endpoint}")
except Exception as e:
self.output['video'].append(f"Request to {endpoint} failed: {str(e)}")
if alarm_triggered:
self.output['compact'].append("Alert: 403 bypass succeeded on at least one endpoint.")
else:
self.output['compact'].append("No 403 bypass vulnerability found.")
def calculate_score(self):
if 'Alert' in self.output['compact'][0]:
self.score = self.max_score
else:
self.score = 0Evaluation:
In this sample scan, common /secret variations and simple path or parameter modifications are tested to determine whether a 403 bypass is possible. If any attempt returns a 200 response and the body does not contain the term “forbidden,” it indicates that access control can be bypassed under certain conditions. Such a finding requires a review of the configurations to ensure that only expected paths and normalization rules are permitted.
2.6-) Waf Rule Check
Using a Web Application Firewall (WAF) is one of the most effective ways to prevent malicious attacks. Attackers often attempt to exploit common web application vulnerabilities such as SQL Injection (SQLi) or Cross-Site Scripting (XSS) to compromise systems. If the WAF fails to detect these requests, the risk of data leakage or endangering user security increases significantly.
Scenario: Your application has a Web Application Firewall (WAF) in place; however, you need to test the effectiveness of its rules. To do this, you should send requests containing malicious payloads and observe whether the firewall detects and blocks these attack attempts.
S4E Create with AI allows you to design tests tailored to your own scenarios to evaluate the effectiveness of your WAF. In this way, you can continuously verify whether your firewall is truly providing protection.
Prompt:
Create a scan to detect WAF rule enforcement. Append 2 simple SQLi and 2 XSS payloads to GET requests in sequence. If any response returns a status code other than 401, 403, 406, 418, or 429, generate an alarm. If all responses are within this set of codes, do not generate an alarm (score 0).
Code:
from s4e.config import *
from s4e.task import Task
from s4e.utils.commons import http_or_https
class Job(Task):
def run(self):
asset = http_or_https(asset=self.asset, _headers=self.headers, session=self.session)
sqli_payloads = ["' OR '1'='1", "' OR '1'='2"]
xss_payloads = ['"<script>alert(1)</script>', "'<img src=x onerror=alert(2)>"]
payloads = sqli_payloads + xss_payloads
alarm_codes = [401, 403, 406, 418, 429]
trigger_alarm = False
for payload in payloads:
response = self.session.get(f"{asset}?{payload}")
if response.status_code not in alarm_codes:
trigger_alarm = True
self.output['video'].append(f"Tried payload: {payload} - Status Code: {response.status_code}")
if trigger_alarm:
self.output['compact'].append("Potential WAF rule bypass detected.")
self.output['detail'].append("WAF rules might be bypassed with one of the payloads.")
else:
self.output['compact'].append("WAF rules are consistent.")
self.output['detail'].append("All responses were within expected status codes.")
def calculate_score(self):
self.score = self.param['max_score'] if "Potential WAF rule bypass detected." in self.output['compact'] else 0Evaluation:
In this sample scan, the effectiveness of the WAF in blocking basic attack attempts such as SQL Injection and XSS is tested. If any of the payloads result in an unexpected response, this indicates that certain attack types may be able to bypass the WAF rules and should be treated as a critical finding. If all responses return the expected error codes, it confirms that the WAF is correctly enforcing its rules and protecting the system against these common attacks.
This approach allows you not only to verify the presence of a firewall but also to regularly assess whether its rules are up to date and effective. By doing so, you can continuously test your system against newly emerging attack methods and strengthen your overall security posture.
2.7-) Endpoint Availability Check
In some cases, certain areas of your system must always remain accessible. However, misconfigurations, updates, or proxy/WAF behavior may cause interruptions in accessibility.
Scenario: https://example.com hosts an application that must remain continuously accessible. An HTTP GET request will be sent to this address every hour. If the response returns a status code other than 200 or a 3XX (including 301/302 redirects), an alarm will be generated.
You can fully automate this control using S4E Create with AI. You can define a scan that sends requests to the specified endpoint at hourly intervals and expects only valid responses. If a different response is received during the process, it will be reported immediately, allowing you to detect unexpected configuration changes at an early stage.
Prompt:
Send an HTTP GET request to https://example.com every hour. End the scan after 7 days. For each request, if the response status code is anything other than 200 or 3XX, generate an alarm; otherwise, do not generate an alarm (score 0). Treat network errors and timeouts as alarms as well.
Code:
from s4e.config import *
from s4e.task import Task
import requests
import time
class Job(Task):
def run(self):
asset = self.asset
alarm_triggered = False
start_time = time.time()
end_time = start_time + 7 * 24 * 60 * 60 # 7 days
while time.time() < end_time:
try:
response = requests.get(asset, timeout=10)
status_code = response.status_code
if not (status_code== 200 or 300 <= status_code < 400):
alarm_triggered = True
self.output['video'].append(f"Alarm! Non-200/3XX status code: {status_code}")
except (requests.ConnectionError, requests.Timeout) as e:
alarm_triggered = True
self.output['video'].append(f"Alarm! Network error or timeout: {str(e)}")
if alarm_triggered:
break
self.output['video'].append(f"GET request sent to {asset}, status code: {status_code}")
time.sleep(3600) # Wait for 1 hour
if alarm_triggered:
self.output['detail'].append("Alarm triggered due to unexpected status code or network error.")
else:
self.output['detail'].append("All requests returned expected status codes.")
self.output['compact'].append("Hourly GET request monitoring completed.")
def calculate_score(self):
if "Alarm!" in self.output['detail'][0]:
self.score = self.param['max_score']
else:
self.score = 0Evaluation:
This control monitors the application’s availability and expected HTTP behavior. With hourly checks, any response other than 200 (success) or 3XX (redirect), such as 4XX or 5XX, is considered anomalous and triggers an alarm. Network errors and timeouts are also treated as alarms, as they represent service interruptions from the user’s perspective. This allows you to quickly detect unplanned outages and unexpected configuration changes.
3-) General Evaluation
S4E Create with AI provides a smart platform that allows users to focus on scenarios tailored to their specific needs; we explored this through examples ranging from Swagger documentation checks to payment IDOR tests, from rate limit validation to malicious file upload attempts, from 403 bypass checks to testing the effectiveness of WAF rules.
This approach enables users to be prepared not only against common threats but also against security risks specific to their own business processes. Each scan is generated through AI-powered automation and reviewed by an expert security team before being reliably deployed. In this way, users can diversify their security tests quickly and effectively, without the need for deep technical expertise.
With the flexibility provided by S4E Create with AI, organizations can define environment-specific parameters, customize tests according to their business requirements, and ensure continuous system assessment. This approach not only strengthens overall security posture but also supports operational resilience and drives cost efficiency.