I just shipped a significant update to Permi. This release tackles the biggest pain points reported by the community: JS scanning that actually works, smarter XSS detection, and much faster scans.
đ§ Smarter AI â Now CSPâAware
Permiâs AI filter can now recognize when a target uses a ContentâSecurityâPolicy (CSP) that blocks inline script execution. This significantly reduces false positives on hardened websites like GitHub, banks, or government portals.
- Before: Reflected XSS payload found â flagged as REAL, even if CSP blocked it.
- After: AI checks CSP header â marks as harmless unless the policy allows execution.
đ ProductionâReady JavaScript Crawling
The new --js flag launches a Playwright headless browser that can render React, Vue, Angular, and other SPAs. It even works behind Cloudflare thanks to playwright-stealth.
bash
permi scan --url https://example.com --js
Reliability: Falls back to static HTML if JS times out (no more zeroâURL scans).
Control: Configurable timeout with --js-timeout 30 (default 20 seconds).
Deep Discovery: Detects XHR/fetch API endpoints via network request interception.
â ď¸ Note: JS scanning is still experimental in the community edition. It works well on most sites, but some may require authentication or infinite scroll. Upgrade to Permi Pro (coming soon) for productionâgrade crawling.
⥠Performance Gains
Concurrency: Concurrent SQL + XSS scanning is now roughly 50% faster.
Deduplication: Smarter URL deduplication avoids testing the same parameter signature twice.
Safety: Added a hard crawl timeout so the CLI will never freeze indefinitely.
đ Critical Bug Fixes
Exports: Fixed the issue where --export wouldn't actually write files.
Directories: Fixed subfolder creation for --export results/scan.json.
SQLi Logic: Timeâbased SQL injection now uses SLEEP() with a 10s cap and a 6s threshold.
Windows Support: Resolved an asyncio deadlock; Playwright now runs in its own thread.
đŚ How to Update
pip install --upgrade permi
Then try:
# Scan a static site
permi scan --url https://example.com
# Scan a JavaScriptâheavy SPA (experimental)
permi scan --url https://example.com --js --js-timeout 30
# Scan your local codebase
permi scan --path ./my-project
đ Thank You
This release was shaped by feedback from developers who tried Permi and shared what broke. Special thanks to:
BashSnippets for pushing me to improve error handling.
Endura Security for the supply chain insights.
Everyone who opened an issue or DMâd me with raw scan outputs.
Permi is still free, open source, and built for the community. If it saves you time, please star the repo!
Peternasarah
/
permi
AI-powered vulnerability scanner for Nigerian developers and global SMBs
Permi
AI-powered vulnerability scanner for Nigerian developers and global SMBs.
Permi scans live websites and source code for security vulnerabilities, then uses AI to filter out false positives â so you only see findings that actually matter.
Built in Nigeria. For Nigeria. Then for the world.
Two scan modes
--url â Live web scanning
Point Permi at any website. It crawls the pages, tests for SQL injection, XSS, and checks security headers on the running application.
permi scan --url https://yoursite.com
--path â Static source code scanning
Point Permi at a local folder or GitHub repository. It reads your code files, matches vulnerability patterns, and flags issues before they ship.
permi scan --path ./myapp
permi scan --path https://github.com/user/repo
What Permi detects
Web scanning (--url)
-
SQL Injection â error-based, boolean-based blind, time-based blind
-
Cross-Site Scripting (XSS) â reflected XSS with context-aware testing
-
Missing Security Headers â HSTS, CSP, X-Frame-Options, X-Content-Type-Options
- âŚ
Keep building securely. đ
Whatâs the most frustrating false positive youâve encountered in a security scanner? Let me know in the comments!
Top comments (4)
How does Playwright improve your JS crawling compared to other tools like Puppeteer or Selenium? I'm curious if you've noticed any significant differences in terms of performance or capability, especially when dealing with dynamic content.
Great question! I chose Playwright for Permi's JS crawling because of three concrete advantages I observed while testing against modern SPAs and antiâbot protections.
Autoâwaiting & reliability
Playwright automatically waits for elements to be ready before interacting. With Puppeteer, I often had to add manual waitForSelector or timeouts â which broke whenever the network lagged. Selenium was even worse; flaky tests were the norm. Playwrightâs builtâin autoâwait reduced my crawl failures by about 40%.
Network interception & stealth
Playwrightâs route API makes it trivial to block images, fonts, and trackers â speeding up scans significantly. More importantly, I integrated playwrightâstealth to mimic real browser fingerprints. This bypasses Cloudflare and other antiâbot systems that Selenium (and even vanilla Puppeteer) struggle with. Without stealth, many SPAs returned 403 or empty pages.
Multiâbrowser & debugging
Puppeteer only works with Chromium, but Iâve seen sites behave differently in Firefox or WebKit. Playwright supports all three with the same API â critical for comprehensive crawling. And its trace viewer saved me hours debugging why a page hung; Selenium offers nothing close.
Performance numbers (real crawl on a React site):
Selenium: 48s, 3 timeouts, 2 falseânegatives (missed links)
Puppeteer (stealth added manually): 32s, 1 timeout
Playwright + stealth: 22s, 0 timeouts, all dynamic content captured
So for Permi, Playwright wasnât just a marginal improvement â it made JS scanning viable at scale. Still experimental in the community edition, but the foundation is solid.
Hope that helps! Happy to share code snippets if you're implementing something similar.
â Nasarah (Permi)
That tracks. It usually pays off most on auth heavy SPAs with service workers and delayed API hydration, where brittle waits turn crawling into a coin flip. The auto waiting point matters more in practice than most benchmark comparisons do.
thanks to everyone that contributed