I just shipped a significant update to Permi. This release tackles the biggest pain points reported by the community: JS scanning that actually works, smarter XSS detection, and much faster scans.
đ§ Smarter AI â Now CSPâAware
Permiâs AI filter can now recognize when a target uses a ContentâSecurityâPolicy (CSP) that blocks inline script execution. This significantly reduces false positives on hardened websites like GitHub, banks, or government portals.
- Before: Reflected XSS payload found â flagged as REAL, even if CSP blocked it.
- After: AI checks CSP header â marks as harmless unless the policy allows execution.
đ ProductionâReady JavaScript Crawling
The new --js flag launches a Playwright headless browser that can render React, Vue, Angular, and other SPAs. It even works behind Cloudflare thanks to playwright-stealth.
bash
permi scan --url https://example.com --js
Reliability: Falls back to static HTML if JS times out (no more zeroâURL scans).
Control: Configurable timeout with --js-timeout 30 (default 20 seconds).
Deep Discovery: Detects XHR/fetch API endpoints via network request interception.
â ď¸ Note: JS scanning is still experimental in the community edition. It works well on most sites, but some may require authentication or infinite scroll. Upgrade to Permi Pro (coming soon) for productionâgrade crawling.
⥠Performance Gains
Concurrency: Concurrent SQL + XSS scanning is now roughly 50% faster.
Deduplication: Smarter URL deduplication avoids testing the same parameter signature twice.
Safety: Added a hard crawl timeout so the CLI will never freeze indefinitely.
đ Critical Bug Fixes
Exports: Fixed the issue where --export wouldn't actually write files.
Directories: Fixed subfolder creation for --export results/scan.json.
SQLi Logic: Timeâbased SQL injection now uses SLEEP() with a 10s cap and a 6s threshold.
Windows Support: Resolved an asyncio deadlock; Playwright now runs in its own thread.
đŚ How to Update
pip install --upgrade permi
Then try:
# Scan a static site
permi scan --url https://example.com
# Scan a JavaScriptâheavy SPA (experimental)
permi scan --url https://example.com --js --js-timeout 30
# Scan your local codebase
permi scan --path ./my-project
đ Thank You
This release was shaped by feedback from developers who tried Permi and shared what broke. Special thanks to:
BashSnippets for pushing me to improve error handling.
Endura Security for the supply chain insights.
Everyone who opened an issue or DMâd me with raw scan outputs.
Permi is still free, open source, and built for the community. If it saves you time, please star the repo!
Peternasarah
/
permi
AI-powered vulnerability scanner for Nigerian developers and global SMBs
Permi
AI-powered vulnerability scanner for Nigerian developers and global SMBs.
Permi scans live websites and source code for security vulnerabilities, then uses AI to filter out false positives â so you only see findings that actually matter.
Built in Nigeria. For Nigeria. Then for the world.
Two scan modes
--url â Live web scanning
Point Permi at any website. It crawls the pages, tests for SQL injection, XSS, and checks security headers on the running application.
permi scan --url https://yoursite.com
--path â Static source code scanning
Point Permi at a local folder or GitHub repository. It reads your code files, matches vulnerability patterns, and flags issues before they ship.
permi scan --path ./myapp
permi scan --path https://github.com/user/repo
What Permi detects
Web scanning (--url)
-
SQL Injection â error-based, boolean-based blind, time-based blind
-
Cross-Site Scripting (XSS) â reflected XSS with context-aware testing
-
Missing Security Headers â HSTS, CSP, X-Frame-Options, X-Content-Type-Options
- âŚ
Keep building securely. đ
Whatâs the most frustrating false positive youâve encountered in a security scanner? Let me know in the comments!
Top comments (2)
thanks to everyone that contributed
How does Playwright improve your JS crawling compared to other tools like Puppeteer or Selenium? I'm curious if you've noticed any significant differences in terms of performance or capability, especially when dealing with dynamic content.