What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Next.js API Security Vulnerabilities: The 10 Most Common Findings (2026)

Why Next.js APIs Are a Common Target

Next.js makes building APIs trivial — drop a file in app/api/ or pages/api/ and you have a public endpoint. That ease of use is the problem: routes ship to production with security implications nobody noticed at code review.

Below are the 10 most common Next.js API vulnerabilities SableOffensive finds in startup pentests, with concrete code examples and fixes. Roughly 80% of the Next.js apps we audit have at least 3 of these issues.

1. Missing Authentication on API Routes

The vulnerability: Any route in /api/* is publicly accessible by default. Without explicit auth checks, anyone can call it.

// VULNERABLE
export async function GET(req: Request) {
  const users = await db.user.findMany()
  return Response.json(users)  // Anyone can list all users
}

The fix: Add auth middleware or explicit checks in every route.

// FIXED
import { auth } from '@/lib/auth'

export async function GET(req: Request) {
  const session = await auth()
  if (!session?.user) {
    return Response.json({ error: 'Unauthorized' }, { status: 401 })
  }
  const users = await db.user.findMany()
  return Response.json(users)
}

Better: Use Next.js middleware (middleware.ts) to enforce auth across all routes by default, and explicitly mark public ones.

2. BOLA / IDOR (Broken Object Level Authorization)

The vulnerability: The most common API issue. The user is authenticated, but the route doesn't check if they own the requested resource.

// VULNERABLE
export async function GET(
  req: Request,
  { params }: { params: { id: string } }
) {
  const session = await auth()
  if (!session) return new Response('Unauthorized', { status: 401 })
  
  // Anyone authenticated can read ANY order by changing the URL
  const order = await db.order.findUnique({ where: { id: params.id } })
  return Response.json(order)
}

The fix: Always verify the authenticated user owns the resource.

// FIXED
export async function GET(
  req: Request,
  { params }: { params: { id: string } }
) {
  const session = await auth()
  if (!session) return new Response('Unauthorized', { status: 401 })
  
  const order = await db.order.findUnique({
    where: { id: params.id, userId: session.user.id }  // Ownership check
  })
  if (!order) return new Response('Not found', { status: 404 })
  return Response.json(order)
}

3. Exposed Environment Variables (NEXT_PUBLIC_ prefix)

The vulnerability: Any env var prefixed with NEXT_PUBLIC_ ships to the browser bundle. Developers accidentally expose backend secrets.

# VULNERABLE .env.local
NEXT_PUBLIC_API_KEY=sk_live_dangerous_key_in_browser
NEXT_PUBLIC_SUPABASE_SERVICE_KEY=admin_bypass_rls_key

The fix: Never use NEXT_PUBLIC_ for anything sensitive. Audit your bundle:

# Find any leaked secret in production bundle
npm run build
grep -r "sk_live\|sk_test\|service_role" .next/static/

Use Server Components or API routes to keep secrets server-side. Anything the browser doesn't strictly need should never have NEXT_PUBLIC_.

4. Server Actions Without CSRF Protection

The vulnerability: Next.js Server Actions are RPC-style endpoints. They include some CSRF protection by default (Origin header check), but custom action handlers or older versions are vulnerable.

// VULNERABLE pattern: action that performs sensitive change without origin verification
async function transferFunds(formData: FormData) {
  'use server'
  const session = await auth()
  await db.transfer({
    from: session.user.id,
    to: formData.get('to'),
    amount: formData.get('amount')
  })
}

The fix: Verify the request Origin matches your domain explicitly + add CSRF tokens for state-changing actions.

async function transferFunds(formData: FormData) {
  'use server'
  const headersList = headers()
  const origin = headersList.get('origin')
  if (origin !== process.env.NEXT_PUBLIC_APP_URL) {
    throw new Error('Invalid origin')
  }
  // ... continue
}

5. SSRF via Unvalidated URL Inputs

The vulnerability: Routes that fetch URLs based on user input can be exploited to scan internal infrastructure.

// VULNERABLE
export async function POST(req: Request) {
  const { url } = await req.json()
  const response = await fetch(url)  // Attacker can hit internal services
  return Response.json(await response.json())
}

Attacker payloads:

http://localhost:3000/api/admin — internal admin API
http://169.254.169.254/latest/meta-data/ — AWS instance metadata
http://192.168.1.1 — internal network scan

The fix: Validate URLs against an allowlist + block internal IP ranges.

const parsed = new URL(url)
if (
  parsed.hostname === 'localhost' ||
  parsed.hostname === '127.0.0.1' ||
  parsed.hostname.startsWith('192.168.') ||
  parsed.hostname.startsWith('10.') ||
  parsed.hostname.startsWith('169.254.') ||
  parsed.hostname.endsWith('.internal')
) {
  return Response.json({ error: 'Forbidden' }, { status: 403 })
}

6. No Rate Limiting on Auth Endpoints

The vulnerability: Login, signup, and password reset endpoints without rate limiting allow:

Credential stuffing attacks (testing leaked passwords)
Brute-force password guessing
Email enumeration via response timing differences
SMS bombing via password reset

The fix: Use Upstash Ratelimit, Vercel KV, or similar.

import { Ratelimit } from '@upstash/ratelimit'
import { Redis } from '@upstash/redis'

const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(5, '15 m')  // 5 attempts per 15 min
})

export async function POST(req: Request) {
  const ip = req.headers.get('x-forwarded-for') ?? 'anonymous'
  const { success } = await ratelimit.limit(`login_${ip}`)
  if (!success) {
    return Response.json({ error: 'Too many attempts' }, { status: 429 })
  }
  // ... login logic
}

7. Mass Assignment via Spread Operators

The vulnerability: Spreading user input directly into a database call lets attackers set fields they shouldn't control (like role, isAdmin, userId).

// VULNERABLE
export async function POST(req: Request) {
  const session = await auth()
  const body = await req.json()
  // Attacker sends { name: "x", role: "admin" }
  const user = await db.user.update({
    where: { id: session.user.id },
    data: { ...body }
  })
}

The fix: Validate with Zod/Yup and explicitly pick only allowed fields.

import { z } from 'zod'

const UpdateProfileSchema = z.object({
  name: z.string().max(100),
  bio: z.string().max(500).optional()
})

export async function POST(req: Request) {
  const session = await auth()
  const body = await req.json()
  const data = UpdateProfileSchema.parse(body)  // Throws on extra fields
  // ... only safe fields proceed
}

8. SQL Injection via Raw Queries

The vulnerability: Even with Prisma or Drizzle, dropping into raw queries with template literals reintroduces SQL injection.

// VULNERABLE
const orders = await db.$queryRawUnsafe(
  `SELECT * FROM orders WHERE user_id = '${userId}'`
)

The fix: Use parameterized queries.

// FIXED
const orders = await db.$queryRaw`
  SELECT * FROM orders WHERE user_id = ${userId}
`  // Prisma's tagged template safely parameterizes

9. Unsafe File Uploads

The vulnerability: Routes that accept file uploads without validation allow:

Path traversal (../../etc/passwd)
Executable upload (PHP, JSP files served from public bucket)
Storage exhaustion DoS
Polyglot files (image with embedded JavaScript)

The fix:

const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/webp']
const MAX_SIZE = 5 * 1024 * 1024  // 5MB

export async function POST(req: Request) {
  const formData = await req.formData()
  const file = formData.get('file') as File
  
  if (!ALLOWED_TYPES.includes(file.type)) {
    return Response.json({ error: 'Invalid type' }, { status: 400 })
  }
  if (file.size > MAX_SIZE) {
    return Response.json({ error: 'File too large' }, { status: 400 })
  }
  
  // Use a UUID filename, never user-supplied
  const filename = `${crypto.randomUUID()}.${file.type.split('/')[1]}`
  // ... save to S3/Supabase Storage
}

10. Missing CORS Configuration

The vulnerability: Default Next.js doesn't set CORS headers — APIs are same-origin only. But developers often add Access-Control-Allow-Origin: * to "fix" CORS errors, opening the API to any origin.

// VULNERABLE
export async function GET(req: Request) {
  const data = await getSensitiveData()
  return new Response(JSON.stringify(data), {
    headers: {
      'Access-Control-Allow-Origin': '*',  // Any site can call this
      'Access-Control-Allow-Credentials': 'true'  // With user's cookies
    }
  })
}

The fix: Allow specific origins only.

const ALLOWED_ORIGINS = [
  'https://yourdomain.com',
  'https://app.yourdomain.com'
]

export async function GET(req: Request) {
  const origin = req.headers.get('origin')
  const allowOrigin = ALLOWED_ORIGINS.includes(origin || '') ? origin : ''
  
  return new Response(JSON.stringify(data), {
    headers: {
      'Access-Control-Allow-Origin': allowOrigin || ALLOWED_ORIGINS[0],
      'Access-Control-Allow-Credentials': 'true'
    }
  })
}

How to Find These in Your Codebase

Quick self-audit checklist:

# Find API routes without auth checks
grep -rL "auth()\|getSession\|getServerSession" src/app/api/

# Find NEXT_PUBLIC_ env vars (potential leaks)
grep -r "NEXT_PUBLIC_" .env* src/

# Find raw SQL queries
grep -rn "queryRawUnsafe\|\$queryRaw\`" src/

# Find spread into db calls (mass assignment risk)
grep -rn "\.\.\..*\(body\|formData\|req\)" src/app/api/

Pentesting Your Next.js App

This list catches the obvious patterns. Real vulnerabilities often hide in:

Middleware bypass via path normalization — middleware checks one path, route is reached via another.
Server Actions race conditions — concurrent calls bypass uniqueness checks.
Auth state confusion in App Router — RSC and Client Components have different access to session.
Edge Runtime constraints — limited Node API surface causes developers to skip security libraries.

To find these, you need a manual pentest. SableOffensive specializes in Next.js security audits:

Free headers check — validates your Next.js security headers in 3 seconds.
Pre-Launch Check ($29) — automated coverage of OWASP basics + Next.js-specific patterns.
Founder Shield ($79) — manual review of all /api routes + Server Actions + middleware.
Scale Secure ($199) — full code review + penetration testing + 30-day continuous monitoring.

Questions or need a custom engagement? Email [email protected].