Method, system and device for application vulnerability scanning based on browser agent

By employing a browser-based intelligent agent approach, combined with a large language model and a browser automation framework, network access data is captured and verified in real time. This addresses the issues of low coverage and high false positive rates in existing web application vulnerability scanning technologies within modern web application architectures, enabling efficient and accurate vulnerability identification and reporting.

CN122160150APending Publication Date: 2026-06-05BEIJING CREDIBLE HUATAI TECHNICAL SERVICE CO LTD +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING CREDIBLE HUATAI TECHNICAL SERVICE CO LTD
Filing Date
2026-03-23
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing web application vulnerability scanning technologies suffer from low coverage, high path omission rate, high false positive rate, and low efficiency when facing modern web application architectures. They are particularly difficult to deeply explore and accurately identify vulnerabilities in single-page applications and dynamic pages.

Method used

The method employs a browser-based intelligent agent approach, combining a large language model with a browser automation framework. It executes preset access operations through the browser intelligent agent, captures network access requests and response results in real time, and performs feature matching and verification using a vulnerability rule base to generate structured vulnerability scanning logs.

Benefits of technology

It achieves fully automated scanning of dynamic pages, significantly improving vulnerability coverage and the accuracy of scan results, reducing false positives, and improving the efficiency of the security team's response.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160150A_ABST
    Figure CN122160150A_ABST
Patent Text Reader

Abstract

The application discloses an application vulnerability scanning method, system and device based on a browser agent, relates to the technical field of network security, and comprises the following steps: driving a browser agent according to a request operation set, performing various preset access operations on the browser by means of the agent, constraining the access operation execution process of the agent by fixed instructions, capturing network access requests and response results in a target browser in real time, and structurally recording the response traffic data; forwarding all the network access requests and response traffic data to an application vulnerability scanning engine via a proxy monitoring service node, combining a vulnerability rule library, performing vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy monitoring service node by means of the application vulnerability scanning engine, and outputting traffic data analysis results and vulnerability scanning logs. The application solves the technical problem that the false positive rate of a Web application vulnerability tool is high in the prior art, and reduces the disposal efficiency of a security team.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network security technology or other related fields. Specifically, it relates to an application vulnerability scanning method, system, and apparatus based on browser intelligent agents. Background Technology

[0002] With the widespread adoption of web applications in key sectors such as finance and e-commerce, their security has become a core issue in ensuring the stable operation of digital infrastructure. Once exploited, web application vulnerabilities (such as SQL injection, unauthorized access, abuse of application programming interfaces (APIs), and logical vulnerabilities) can easily lead to data leaks, service paralysis, or economic losses.

[0003] In related technologies, web application vulnerability scanning techniques are mainly divided into two categories: active scanning (crawl-based) and passive scanning (proxy-based). However, both are difficult to adapt to the new challenges brought about by the evolution of modern web application architectures. The first category, active scanning technology, relies on static link extraction and path traversal strategies. It automatically discovers accessible pages by parsing webpage source code and injects pre-set vulnerability payloads into various interfaces for detection. However, this method heavily depends on the static structure of the page and performs extremely poorly when facing the current mainstream single-page application architecture: page content is dynamically rendered by JavaScript, there are no valid links in the initial page, and key functions rely on user interaction (such as button clicks, form submissions, pagination loading, asynchronous requests), making it unable to identify virtual paths generated by non-standard routes. Therefore, active scanners generally suffer from low coverage, high path omission rate, and inability to probe deep business logic, resulting in a large number of real vulnerabilities being missed because they cannot be crawled. The second category is passive scanning technology. Passive scanning relies on manual operation of the target website. It captures all network traffic between the browser and the server by deploying proxy tools, and then the scanning engine analyzes the traffic characteristics to identify vulnerabilities. It has the following drawbacks: 1. It is highly dependent on human experience. Security engineers need to manually complete operations such as login, navigation, and business process triggering, which is time-consuming and inefficient; 2. The coverage is limited. Manual operation is difficult to exhaustively count complex interaction paths, and it is easy to miss edge functions or hidden entry points; 3. Poor repeatability: The difference in operating habits of different people leads to unstable scanning results, which is difficult to deploy at scale.

[0004] In addition, whether it is active scanning or passive scanning, existing tools generally suffer from high false positive rates and weak verification capabilities. Scanning engines often judge vulnerabilities based solely on surface features such as response headers, status codes, and keyword matching, lacking an understanding of interaction context, user behavior paths, and session states, resulting in a large number of "false positive" results (such as misjudging ordinary error responses as SQL injection), which seriously reduces the handling efficiency of security teams.

[0005] There is currently no effective solution to the above problems. Summary of the Invention

[0006] This application provides a browser-based intelligent agent-based application vulnerability scanning method, system, and apparatus to at least address the technical problem in related technologies where web application vulnerability tools have a high false positive rate, reducing the processing efficiency of security teams.

[0007] To achieve the above objectives, according to one aspect of this application, an application vulnerability scanning method based on a browser agent is provided, comprising: responding to a vulnerability scanning request; driving a browser agent according to a request operation set; using the browser agent to perform various preset access operations on a target browser; wherein the browser agent integrates a large language model and a browser automation framework, and constrains the execution process of the browser agent's access operations through preset agent fixed instructions; the request operation set includes N preset access operations to be executed pre-configured on the user end, where N is a positive integer; capturing network access requests and response results corresponding to all preset access operations in the target browser in real time, and recording them in a structured manner as response traffic data; forwarding all the network access requests and the response traffic data to an application vulnerability scanning engine via a proxy listening service node, wherein the proxy listening service node is pre-configured in the execution environment of the target browser; and, in conjunction with a vulnerability rule base, using the application vulnerability scanning engine to perform vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy listening service node, and outputting traffic data analysis results and vulnerability scanning logs.

[0008] Optionally, the step of using the browser agent to perform various preset access operations on the target browser includes: using the browser agent to run a server component of the target protocol, wherein the server component serves as a unified control protocol layer within the browser agent, interfaces with multiple browser automation engines, and pre-encapsulates the underlying operation function modules of the browser automation framework; and using the server component to call a predefined standardized browser access interface to perform various preset access operations on a specified site of the target browser, wherein the target protocol is a protocol connecting the large language model and the browser's runtime environment.

[0009] Optionally, before using the browser agent to perform various preset access operations on the target browser, the method further includes: creating a scanning task for each preset access operation; creating a browser instance for each scanning task, performing sandbox operations and resource restrictions on the browser instance, and completing session isolation operations; injecting the proxy listening service node when the tab group of the target browser starts, configuring the proxy listening service node as a passive scanning proxy service of the application vulnerability scanning engine; registering a network listening hook in the target browser, and using the network listening hook to record key event records, operation screenshots, and timestamps of the application vulnerability scanning process to generate the vulnerability scanning log.

[0010] Optionally, the step of performing vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy monitoring service node using the application vulnerability scanning engine, in conjunction with a vulnerability rule base, includes: selecting a predetermined open-source scanning engine as the application vulnerability scanning engine based on the vulnerability detection requirements and completeness requirements in the vulnerability scanning request; calling the vulnerability rule base, using the application vulnerability scanning engine to match the response traffic data forwarded by the proxy monitoring service node with the vulnerability rule base, and performing vulnerability feature matching and vulnerability verification operations through the vulnerability rule base to obtain vulnerability scanning results.

[0011] Optionally, after performing vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy monitoring service node using the application vulnerability scanning engine, the method further includes: combining the response traffic data with page access operations, DOM summary, page screenshots, interaction order, and session association information collected during the vulnerability scanning process to obtain vulnerability scanning traffic data; preprocessing and formatting the vulnerability scanning traffic data, wherein the preprocessing includes at least one of the following: abnormal parameter deletion, large file digest extraction, abnormal data annotation, and key parameter annotation; inputting the formatted vulnerability scanning traffic data into a large language model, using the large language model to analyze the vulnerability scanning process, and outputting a structured report containing scanning risk points, abnormal operation behaviors, and interaction flow explanations.

[0012] Optionally, the browser agent includes: a session caching module, used to record the browser's current page structure snapshot, historical page access sequence, explored and unexplored paths, and maintain the multi-turn dialogue context between the large language model and the browser; an agent fixed instruction module, including at least one of the following: behavior restriction policy, prohibition of sensitive operations, restriction of access depth and branch number, timeout threshold configuration, exploration order, access policy, priority, and general task planning logic; and a traffic recording module, used to execute various preset access operations on the specified site of the target browser, create a browser instance, intercept and capture traffic at the browser level, capture all network access requests and response results corresponding to the preset access operations, and record them in a structured manner as response traffic data.

[0013] Optionally, after the browser agent performs various preset access operations on the target browser, the method further includes: during the execution process, the browser agent detects the completion status of each preset access operation within a predetermined time period; if the operation completion status indicates completion, the current path exploration is terminated and the process reverts to the previous safe node, wherein the previous safe node is a page state that has been confirmed to be risk-free, and the DOM structure and interactive element set of the previous safe node are marked as stable; if the operation completion status indicates that the number of consecutive failed attempts has reached a preset failure threshold, the current path exploration is terminated and the process reverts to the previous safe node.

[0014] According to another aspect of the embodiments of this application, an application vulnerability scanning system based on a browser agent is also provided, comprising: a browser agent, used to respond to externally input vulnerability scanning requests, drive the browser agent according to a set of request operations, integrate a large language model and a browser automation framework, and drive the target browser to execute various preset access operations, wherein the browser agent module has built-in preset agent fixed instructions, which constrain the access operation execution process of the browser agent to ensure that the access process is secure and controllable; and a browser execution environment module, used to host and run the target browser instance driven by the browser agent, and create an independent browser context at startup to achieve session isolation between scanning tasks. The browser execution environment module also integrates a network traffic interception hook, used to capture all network request and response data generated by the target browser during the execution of preset access operations in real time; a proxy listening service node, deployed in the network communication path of the browser execution environment module, is used to receive all network access requests and response results from the target browser, and encapsulate them into structured response traffic data, which is then forwarded to the downstream application vulnerability scanning engine; the application vulnerability scanning engine is used to receive the response traffic data forwarded by the proxy listening service node, combine it with a pre-set vulnerability rule base, perform vulnerability feature matching, payload injection and vulnerability verification operations, identify potential security vulnerabilities in the target application, and output structured vulnerability scanning logs and risk assessment results;

[0015] The session and log storage module is used to persistently store the access behavior logs of the browser agent, the raw traffic packets captured by the browser execution environment module, and the vulnerability scanning logs and risk assessment results generated by the application vulnerability scanning engine.

[0016] According to another aspect of the embodiments of this application, an application vulnerability scanning device based on a browser agent is also provided, comprising: an agent operation unit, configured to respond to vulnerability scanning requests, drive a browser agent according to a set of request operations, and use the browser agent to perform various preset access operations on a target browser, wherein the browser agent integrates a large language model and a browser automation framework, and constrains the execution process of the browser agent's access operations through preset agent fixed instructions, the set of request operations including N preset access operations to be executed pre-configured by the user, where N is a positive integer; a traffic capture unit, configured to capture in real time all network access requests and response results corresponding to the preset access operations in the target browser, and record them in a structured manner as response traffic data; a proxy forwarding unit, configured to forward all the network access requests and the response traffic data to an application vulnerability scanning engine via a proxy listening service node, wherein the proxy listening service node is pre-configured in the execution environment of the target browser; and a vulnerability verification unit, configured to combine a vulnerability rule base, use the application vulnerability scanning engine to perform vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy listening service node, and output traffic data analysis results and vulnerability scanning logs.

[0017] According to another aspect of the embodiments of this application, a computer-readable storage medium is also provided, the computer-readable storage medium including a stored computer program, wherein, when the computer program is executed, it controls the device where the computer-readable storage medium is located to execute the application vulnerability scanning method based on browser intelligent agents described above.

[0018] According to another aspect of the embodiments of this application, an electronic device is also provided, including one or more processors and a memory, the memory being used to store one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors cause the one or more processors to implement the browser-based intelligent agent-based application vulnerability scanning method described above.

[0019] According to another aspect of the embodiments of this application, a computer program product is also provided, including a computer program that, when executed by a processor, implements the steps of the application vulnerability scanning method based on browser agents described in any one of the above claims.

[0020] In this application, in response to a vulnerability scanning request, a browser agent is driven according to a set of requested operations. This browser agent performs various preset access operations on the target browser. The browser agent integrates a large language model and a browser automation framework, and its access operation execution process is constrained by preset fixed instructions. The set of requested operations includes N preset access operations to be executed pre-configured on the user side, where N is a positive integer. All network access requests and response results corresponding to the preset access operations are captured in real time in the target browser and recorded in a structured manner as response traffic data. All network access requests and response traffic data are forwarded to the application vulnerability scanning engine via a proxy listening service node, which is pre-configured in the target browser's execution environment. Combining a vulnerability rule base, the application vulnerability scanning engine performs vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy listening service node, outputting traffic data analysis results and vulnerability scanning logs.

[0021] Based on the aforementioned publicly available information, automated browser access operations can be achieved through a browser agent. This agent can capture complete network request and response data in real time, generating high-quality traffic that closely resembles actual business scenarios. By using pre-defined fixed instructions to constrain the browser agent's behavior, it ensures that the agent only performs non-destructive operations such as reading, browsing, and triggering, avoiding noisy traffic caused by abnormal or unexpected operations. The captured structured response traffic data is forwarded to the application vulnerability scanning engine via a proxy listening service node. After preliminary detection using a vulnerability rule base, fully automated application vulnerability scanning is achieved. This allows for in-depth exploration of dynamic page logic without manual intervention, significantly improving vulnerability coverage and traffic authenticity. It effectively reduces the false positive rate caused by the lack of contextual understanding in traditional tools, making the vulnerability reports received by the security team more credible and manageable, and improving the efficiency of subsequent response and remediation. This solves the technical problem of high false positive rates and reduced processing efficiency of web application vulnerability tools in related technologies. Attached Figure Description

[0022] The accompanying drawings, which are included to provide a further understanding of this application and form part of this application, illustrate exemplary embodiments and are used to explain this application, but do not constitute an undue limitation of this application. In the drawings:

[0023] Figure 1 A hardware structure block diagram of a computer terminal (or mobile device) for implementing an application vulnerability scanning method based on a browser-based intelligent agent is shown.

[0024] Figure 2 This is a flowchart of an optional application vulnerability scanning method based on a browser-based intelligent agent according to an embodiment of this application;

[0025] Figure 3 This is an architecture diagram of an optional automated scanning system based on an AI browser agent according to an embodiment of the present invention;

[0026] Figure 4 This is a flowchart of an optional web application vulnerability scanning method based on a browser agent agent according to an embodiment of the present invention;

[0027] Figure 5 This is a schematic diagram of an optional application vulnerability scanning device based on a browser-based intelligent agent according to an embodiment of this application;

[0028] Figure 6 This is a structural block diagram of an electronic device that performs an application vulnerability scanning method based on a browser agent, according to an embodiment of this application. Detailed Implementation

[0029] To enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present application, and not all embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort should fall within the scope of protection of the present application.

[0030] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0031] To facilitate understanding of this application by those skilled in the art, the following explanations are provided for some terms or nouns involved in the various embodiments of this application:

[0032] AI Browser Automation Agent, also known as AIAgent, is an intelligent system that integrates large language models with browser automation frameworks. In this application, it can understand web semantics, identify interactive elements, and execute natural language instructions, simulate user behavior to complete operations such as page navigation, clicking, and input, and automatically generate real business traffic for vulnerability detection.

[0033] Model Context Protocol, abbreviated as MCP, is a standardized protocol used for decoupled communication between large language models and external tools (such as browsers and databases). It exposes capabilities through a unified interface for model calls to achieve secure and structured tool usage.

[0034] MCP Server, short for Model Context Protocol Server, is the server-side component that implements the MCP protocol. It is responsible for encapsulating and managing the capabilities of external tools such as browser automation, file systems, and network requests, and provides a standardized call interface to AIAgent, enabling the model to control external systems without caring about the underlying implementation.

[0035] System Prompt is a fixed set of instructions preset before the start of an AI Agent session, used to define the model's role, behavior boundaries, security rules, and output formats, ensuring that it strictly adheres to constraints such as "read-only access", "prohibited destructive operations", and "restricted loops" throughout the scanning process, and guaranteeing the security and controllability of the scanning.

[0036] The browser execution environment refers to the real browser instance that hosts browser operations, provides capabilities such as DOM parsing and network request interception, and is the physical carrier for generating real traffic.

[0037] Proxy Listening Service Node, deployed as an intermediate service between the browser and the target server, is used to capture, structurally record, and forward all network requests and response data generated during the browser execution process, enabling lossless traffic collection and linkage with the scanning engine.

[0038] Session cache is a lightweight state storage maintained within the browser agent, recording the current page DOM structure, accessed paths, list of interactive elements, and historical operation contexts, ensuring the coherence, traceability of the model's behavior, and avoiding repeated or lost operations.

[0039] Proof of Concept Validation (POC) involves constructing a minimal executable attack example for a suspected vulnerability identified by the scanning engine and verifying its actual exploitability through actual triggering, thereby reducing false positives and improving the credibility of vulnerability reports.

[0040] It should be noted that the application vulnerability scanning method and apparatus based on browser intelligent agents in this application can be used in the field of network security technology to implement application vulnerability scanning and analysis based on AI browser intelligent agents, and can also be used in any field other than network security technology to implement application vulnerability scanning and analysis based on AI browser intelligent agents. This application does not limit the application field of the application vulnerability scanning method and apparatus based on browser intelligent agents.

[0041] It should be noted that the information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, stored data, and displayed data, etc.) collected in this application are information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, storage, use, processing, transmission, provision, disclosure, and application of related data are handled with corresponding access points, allowing users to choose to authorize or refuse. For example, this system has interfaces with relevant users or organizations. Before obtaining relevant information, a request to obtain the information needs to be sent to the aforementioned user or organization through the interface, and the relevant information is obtained only after receiving consent from the aforementioned user or organization.

[0042] It should be noted that in this application, customer information is collected and analyzed, and users are provided with corresponding operation entry points to choose whether to agree to or reject the automated decision-making results; if the user chooses to reject, the process proceeds to the expert decision-making process.

[0043] The embodiments described below can be applied to various systems / applications / devices based on browser-based intelligent agents for application vulnerability scanning. This application is applicable to web application security assessment and automated penetration testing scenarios in the field of network security technology, and is particularly suitable for security testing of single-page applications, complex front-end interactive systems, dynamic API-driven platforms, and sites with high anti-crawling protection.

[0044] This invention enables fully automated web application vulnerability scanning, allowing for in-depth exploration of dynamic page logic without manual intervention, significantly improving vulnerability coverage and traffic authenticity. It constrains AI behavior through system prompts, ensuring a secure and non-destructive scanning process. Combining AI-assisted analysis with Proof-of-Concept (POC) verification effectively reduces false positives and improves vulnerability identification accuracy. It forms a closed-loop mechanism of "AI access → traffic capture → scan verification → intelligent analysis," greatly enhancing scanning efficiency and scalable deployment capabilities.

[0045] The present application will now be described in detail with reference to various embodiments.

[0046] Example 1

[0047] According to an embodiment of this application, an embodiment of an application vulnerability scanning method based on a browser agent is provided. It should be noted that the steps shown in the flowchart in the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions. Furthermore, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be executed in a different order than that shown here.

[0048] The application vulnerability scanning method based on browser smart agents provided in Embodiment 1 of this application can be executed on a mobile terminal, computer terminal, or similar computing device. Figure 1 A hardware block diagram of a computer terminal (or mobile device) for implementing an application vulnerability scanning method based on a browser-based intelligent agent is shown. Figure 1 As shown, computer terminal 10 (or mobile device) may include one or more ( Figure 1 The processor 102 (which may include, but is not limited to, a microprocessor MCU (Microcontroller Unit) or a programmable gate array (FPGA)) is shown as 102a, 102b, ..., 102n. It also includes a memory 104 for storing data and a transmission device 106 for communication functions. In addition, it may include: a display, an input / output interface (I / O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of a BUS bus), a network interface, a power supply, and / or a camera. Those skilled in the art will understand that... Figure 1 The structure shown is for illustrative purposes only and does not limit the structure of the aforementioned electronic device. For example, computer terminal 10 may also include... Figure 1 The more or fewer components shown, or having the same Figure 1 The different configurations shown.

[0049] It should be noted that the aforementioned one or more processors 102 and / or other data processing circuits are generally referred to herein as "data processing circuits". These data processing circuits may be embodied, in whole or in part, in software, hardware, firmware, or any other combination thereof. Furthermore, the data processing circuits may be a single, independent processing module, or may be integrated, in whole or in part, into any other element within the computer terminal 10 (or mobile device). As involved in the embodiments of this application, the data processing circuits serve as a processor control mechanism (e.g., selection of a variable resistor termination path connected to an interface).

[0050] The memory 104 can be used to store software programs and modules of application software, such as the program instructions / data storage device corresponding to the application vulnerability scanning method based on browser intelligent agents in this embodiment. The processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, thereby realizing the above-mentioned application vulnerability scanning method based on browser intelligent agents. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory 104 may further include memory remotely located relative to the processor 102, and these remote memories can be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.

[0051] The transmission device 106 is used to receive or send data via a network. Specific examples of the network described above may include a wireless network provided by the communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network Interface Controller (NIC), which can connect to other network devices via a base station to communicate with the Internet. In another example, the transmission device 106 may be a Radio Frequency (RF) module, used for wireless communication with the Internet.

[0052] The display can be, for example, a touchscreen liquid crystal display (LCD), which allows the user to interact with the user interface of the computer terminal 10 (or mobile device).

[0053] First, the system in which the application vulnerability scanning method of this application runs is illustrated. Optionally, this application provides an application vulnerability scanning system based on a browser agent, including: a browser agent, a browser execution environment module, a proxy listening service node, an application vulnerability scanning engine, and a session and log storage module. The following is an illustrated analysis of these modules.

[0054] The first part, the browser agent, is used to respond to externally inputted vulnerability scanning requests. Based on the set of requested operations, the browser agent is driven to perform various preset access operations by integrating a large language model and a browser automation framework. The browser agent module has built-in preset agent fixed instructions, which constrain the execution process of the browser agent's access operations to ensure that the access process is secure and controllable.

[0055] In this embodiment, the browser agent integrates a large language model with a browser automation framework. Responding to externally inputted vulnerability scanning requests, it drives the target browser to perform interactive behaviors such as navigation, clicking, input, and form submission based on a preset set of request operations. The browser agent has built-in preset fixed instructions, which constrain it to perform only non-destructive actions such as reading, browsing, and triggering during operation, avoiding high-risk instructions such as deletion, payment submission, and configuration modification. This helps guide the agent to autonomously explore deeper functional paths in unknown browser sites, while reducing unexpected behaviors caused by model misjudgments. It can generate diverse access sequences based on natural language instructions, adapting to the interaction modes of different front-end architectures.

[0056] In addition, the browser agent in this embodiment can understand web page content, identify interactive elements and perform natural language-driven operations, while recording access traffic and configuring proxy services to achieve behavior similar to manual testing.

[0057] The second part is the browser execution environment module, which is used to host and run the target browser instance driven by the browser agent. It creates an independent browser context at startup to achieve session isolation between various scanning tasks. The browser execution environment module also integrates a network traffic interception hook, which is used to capture all network request and response data generated by the target browser in real time during the execution of preset access operations.

[0058] Optionally, the browser execution environment module in this embodiment carries the target browser instance and creates an independent browser context for each scanning task at startup, achieving complete isolation between tasks. This helps prevent identity confusion or permission pollution between different scanning targets, allowing each task to run in an independent sandbox environment. It can also improve scanning throughput by combining a multi-context concurrency mechanism, while supporting simulated access to different user roles or authentication states.

[0059] Optionally, the browser execution environment module in this embodiment also integrates a network traffic interception hook, which captures all HTTP (Hypertext Transfer Protocol), HTTPS, and WebSocket requests (WebSocket is a protocol that enables full-duplex communication over a single TCP connection, allowing clients and servers to establish persistent connections and achieve bidirectional, low-latency data transmission) and response data in real time during page loading and interaction. This helps to completely record the network communication content dynamically generated by the front end, covering asynchronous interfaces and API calls that traditional crawlers cannot reach. It can also extract structured fields such as request parameters, response headers, status codes, and response bodies to form standardized traffic logs that can be used for subsequent analysis.

[0060] The third part is the proxy listening service node, which is deployed in the network communication path of the browser execution environment module. It is used to receive all network access requests and response results from the target browser, encapsulate them in a structured way as response traffic data, and forward them to the downstream application vulnerability scanning engine.

[0061] In this embodiment, the proxy listening service node is deployed in the network communication path of the browser execution environment. Acting as an intermediary proxy, it receives all requests and responses from the browser, helping to relay raw traffic losslessly to the application vulnerability scanning engine and avoiding encryption interruptions or certificate anomalies caused by direct packet capture. It should be noted that this proxy listening service node can be configured in transparent proxy mode, compatible with HTTPS bidirectional encrypted communication, and supports request rewriting or marking to distinguish the sources of different scanning tasks.

[0062] The fourth part applies a vulnerability scanning engine, which receives response traffic data forwarded by the proxy listening service node, combines it with a pre-built vulnerability rule base, performs vulnerability feature matching, payload injection, and vulnerability verification operations, identifies potential security vulnerabilities in the target application, and outputs structured vulnerability scanning logs and risk assessment results.

[0063] It should be noted that the application vulnerability scanning engine in this embodiment can receive structured response traffic data forwarded by proxy monitoring service nodes. Combined with a pre-built vulnerability rule base, it performs feature matching, payload injection, and vulnerability security verification operations, which helps identify common vulnerability types such as Structured Query Language (SQL) injection, cross-site scripting (XSS), path traversal, and insecure direct object references. It can generate preliminary risk assessment results based on clues such as abnormal patterns in response content, differences in response time, and leakage of error information, forming structured logs.

[0064] The fifth part is the session and log storage module, which is used to persistently store the access behavior logs of the browser agent, the raw traffic packets captured by the browser execution environment module, and the vulnerability scanning logs and risk assessment results generated by the application vulnerability scanning engine.

[0065] In this embodiment, the session and log storage module can persistently store the browser agent's access behavior logs, the raw traffic packets captured by the browser execution environment module, the vulnerability scanning logs and risk assessment results generated by the application vulnerability scanning engine, which helps to achieve complete backtracking and auditing of the scanning process, supports the reproduction and verification of specific vulnerability paths, and can organize data by dimensions such as timestamp, target domain name, and task ID, which is convenient for later analysis of model behavior patterns and optimization of scanning strategies.

[0066] Under the aforementioned operating environment, this application provides the following: Figure 2 The method shown is an application vulnerability scanning method based on browser agents. Figure 2 This is a flowchart of an optional application vulnerability scanning method based on a browser-based intelligent agent according to an embodiment of this application, such as... Figure 2 As shown, the method includes the following steps S201 to S204. The present invention will be described in detail below with reference to each implementation step.

[0067] Optionally, before using the browser agent to perform various preset access operations on the target browser, the process further includes: creating a scanning task for each preset access operation; creating a browser instance for each scanning task, sandboxing and resource limiting the browser instance, and completing session isolation operations; injecting a proxy listening service node when the target browser's tab group starts, configuring the proxy listening service node as a passive scanning proxy service for the application vulnerability scanning engine; registering a network listening hook in the target browser, and using the network listening hook to record key event records, operation screenshots, and timestamps during the application vulnerability scanning process to generate vulnerability scanning logs. In other words, a scanning task is created independently for each preset access operation, giving each task an independent configuration context and execution lifecycle. This facilitates parallel processing of multiple tasks, supports scanning different functional modules, user roles, or authentication states separately, and avoids interference between task states.

[0068] Furthermore, this embodiment creates an independent browser instance for each scanning task and implements sandbox operation and resource restrictions on the browser instance, including limiting CPU usage, memory usage limit, network bandwidth threshold and process lifecycle. At the same time, it enables the browser's built-in isolation mechanisms, such as an independent user data directory and disabling plugin extensions, which helps prevent abnormal behavior from affecting the host system. It supports stable operation in a containerized environment and can be combined with automatic restart and crash recovery strategies to improve the robustness of long-term scanning tasks.

[0069] It should be noted that this embodiment injects a proxy listening service node when the target browser's tab group starts, and configures this proxy service as a passive scanning proxy for the application vulnerability scanning engine, so that all network requests and responses from the browser are relayed through the proxy. This helps to capture dynamically generated communication traffic from the front end without loss, ensuring that the scanning engine obtains a complete data stream consistent with real user behavior. In addition, this embodiment registers a network listening hook in the target browser to continuously record key events during the application vulnerability scanning process, including but not limited to abnormal request / response status codes, long-delayed responses, abnormal redirection chains, exposure of sensitive parameters, and cross-domain request triggering; it also automatically triggers page screenshots and associates them with timestamps and operation sequences to form structured logs. This helps to build a traceable chain of scanning evidence and supports the replay and manual review of suspicious interactions.

[0070] Step S201: Respond to the vulnerability scanning request, drive the browser agent according to the request operation set, and use the browser agent to perform various preset access operations on the target browser. The browser agent integrates a large language model and a browser automation framework. The browser agent's access operation execution process is constrained by preset agent fixed instructions. The request operation set includes N preset access operations to be executed pre-configured by the user, where N is a positive integer.

[0071] The preset access operations can include, but are not limited to, fine-grained interactive instructions such as logging into a user account, entering a personal center, browsing web pages, clicking on an order list, filling in a search box and submitting, and switching tabs. These operations are defined in natural language or structured task descriptions, parsed by the browser agent, and transformed into underlying browser automation instructions to drive the target browser to complete the corresponding behaviors. This decomposes complex business processes into executable action sequences, enabling the agent to simulate the navigation paths of real users between different functional modules. Furthermore, the browser agent in this embodiment integrates a large language model with a browser automation framework, enabling the agent not only to identify interactive elements such as buttons, links, and input boxes on the page, but also to infer unmarked function entry points based on semantic understanding. For example, it can identify associated DOM (Document Object Model) nodes from the text description of viewing historical orders, which can overcome the limitations of traditional crawlers that rely on static DOM structures and adapt to the single-page application architecture with dynamic front-end rendering.

[0072] Optionally, the steps of using a browser agent to perform various preset access operations on the target browser include: using the browser agent to run a server component of the target protocol, wherein the server component serves as a unified control protocol layer within the browser agent, interfaces with multiple browser automation engines, and pre-encapsulates the underlying operation function modules of the browser automation framework; and calling a predefined standardized browser access interface through the server component to perform various preset access operations on a specified site of the target browser, wherein the target protocol is a protocol that connects the large language model and the browser's runtime environment.

[0073] When using a browser agent to perform various preset access operations on the target browser, the server component of the target protocol is run first. This server component acts as a unified control protocol layer within the browser agent, abstracting and encapsulating the underlying functions of various browser automation frameworks. Through this layer, browser clicks, input, page redirects, network interception, DOM queries, and other operations are uniformly transformed into standardized interface capabilities, eliminating the need for the upper-layer agent to be bound to a specific framework implementation and improving the system's adaptability and maintainability in different execution environments. Furthermore, in this embodiment, the target protocol is a protocol connecting the large language model and the browser runtime environment. This protocol defines the toolkit format, parameter structure, and response specifications that the model can call, enabling the large language model to request the browser to perform specific actions in a structured manner, such as finding and clicking a button containing 'Submit Order' or obtaining a list of URLs (Uniform Resource Locators) for all API requests on the current page. After receiving the call request from the model, the server component maps it to the underlying API of the corresponding browser automation framework to complete the actual operation. This helps to decouple the model's decision-making and execution capabilities, allowing the agent's logic layer to focus on semantic understanding and task planning, while the execution layer focuses on stable operation.

[0074] Furthermore, this embodiment can dynamically register or deregister browser capability interfaces based on server-side components. For example, it can enable form field recognition and CAPTCHA image analysis capabilities when scanning financial websites, and enable shopping cart status checks in e-commerce websites, thereby achieving adaptive expansion for different application scenarios. Simultaneously, the server-side components support fine-grained control over operation permissions, such as restricting certain interfaces to only be effective in specific page contexts, preventing the model from triggering dangerous operations in inappropriate scenarios.

[0075] It should be noted that this embodiment constrains the browser agent's access operation execution process through preset fixed instructions. These instructions are statically configured and do not change with the session. They include prohibiting high-risk operations such as deletion, payment submission, data modification, and file upload; limiting access depth and loop count; and requiring page state verification before each operation. This helps guide the agent to maintain a read-only and secure behavior mode throughout the exploration process, avoiding unexpected side effects caused by model inference bias. Furthermore, this embodiment can dynamically generate differentiated access paths based on the request operation set, supporting coverage of different permission roles and multi-state processes. For example, it can simulate the interaction trajectories of visitors, ordinary users, and administrators, thereby improving the scanning's ability to discover vulnerabilities in access control logic. Simultaneously, the operation set supports expansion and reuse, facilitating the reuse of the same behavior template across multiple target sites, improving the configurability and reproducibility of the scanning task.

[0076] It is necessary to explain the browser agent used in this embodiment. Optionally, the browser agent includes: a session caching module, used to record the browser's current page structure snapshot, historical page access sequence, explored and unexplored paths, and maintain the multi-turn dialogue context between the large language model and the browser; an agent fixed instruction module, including at least one of the following: behavior restriction policy, prohibition of sensitive operations, restriction of access depth and branch number, timeout threshold configuration, exploration order, access policy, priority, and general task planning logic; and a traffic recording module, used to perform various preset access operations on the specified site of the target browser, create a browser instance, intercept and capture traffic at the browser level, capture all network access requests and response results corresponding to the preset access operations, and record them in a structured manner as response traffic data. The session caching module is used to record the browser's current page structure snapshot, historical page access sequence, explored and unexplored paths, and maintain the multi-turn dialogue context between the large language model and the browser. After each browser state change, it updates the DOM summary, interactive element list, URL change record and key parameter context to form a lightweight state snapshot. This helps the agent maintain a coherent understanding of the page logic in multi-turn interactions and avoids repeated clicks, looping, or path loss due to the loss of model context.

[0077] Furthermore, the agent fixed instruction module in this embodiment includes at least one of the following: behavior restriction policy, prohibition of sensitive operations, restriction of access depth and branch number, timeout threshold configuration, exploration order, access policy, priority, and general task planning logic. This module is a static configuration layer that does not rely on external input. Its content covers clear operation boundaries, such as prohibiting form submission, disabling file upload, limiting the number of clicks per session, limiting page jump levels to no more than five levels, and setting the maximum execution time of a single task. This helps to embed behavioral constraints during model inference, so that even when faced with ambiguous instructions or abnormal page responses, the agent still follows the preset exploration boundaries and avoids performing unexpected or high-risk actions. It can be combined with access policy definitions to prioritize the exploration of high-risk functional areas such as login pages, API interface pages, and user center pages, guiding the agent to mine paths according to business logic priorities.

[0078] Step S202: Capture all network access requests and response results corresponding to preset access operations in real time in the target browser, and record them in a structured manner as response traffic data.

[0079] In step S202, all network access requests and response results corresponding to preset access operations are captured in real time in the target browser through browser-level network hooks. The capture process can be completed at the browser rendering engine level, without relying on front-end code injection or proxy middleware, ensuring the integrity and originality of the traffic. The captured content includes, but is not limited to, key fields such as request method, URL path, request header, request body, response status code, response header, response body, redirection chain, and timing information. It is then standardized, cleaned, and normalized according to a preset structure template to form structured response traffic data. This helps to completely preserve the communication behavior dynamically generated by the front end, and is especially suitable for API call scenarios triggered asynchronously by JavaScript in single-page applications, avoiding the omission of critical paths by traditional crawlers due to their inability to execute JS logic.

[0080] Step S203: Forward all network access request and response traffic data to the application vulnerability scanning engine via the proxy listening service node, wherein the proxy listening service node is pre-configured in the execution environment of the target browser.

[0081] In step S203 of this embodiment, all network access request and response traffic data is forwarded to the application vulnerability scanning engine via a proxy listening service node. This proxy listening service node has been pre-configured in the target browser's execution environment as a traffic relay channel. The proxy service can run in a transparent proxy mode within the browser instance's network stack, with all requests and responses automatically passing through this node without requiring modification of application code or manual configuration of proxy settings. This facilitates the seamless capture and continuous flow of scanning traffic, allowing the vulnerability scanning engine to passively receive traffic driven by real user behavior, rather than manually constructed or tool-simulated test requests.

[0082] Furthermore, this embodiment can combine the time-series tags and operational context of traffic data to provide the scanning engine with semantic information about the request source (such as a user information query request initiated after successful login), improving the accuracy of vulnerability feature matching and reducing false positives caused by isolated requests. Simultaneously, the proxy monitoring service node supports traffic compression, deduplication, and filtering rules, which can eliminate duplicate static resource requests (such as Cascading Style Sheets (CSS), JavaScript files (JS), and image resources), reducing the amount of invalid data transmission and improving scanning efficiency.

[0083] Step S204: Combining the vulnerability rule base, the application vulnerability scanning engine performs vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy listening service node, and outputs traffic data analysis results and vulnerability scanning logs.

[0084] In step S204 of this embodiment, pattern matching can be performed on dimensions such as request parameters, response structure, status codes, header fields, and error messages in structured traffic data based on a predefined rule set to identify typical vulnerability characteristics such as SQL injection, path traversal, insecure direct object references, and sensitive information leakage. Simultaneously, the vulnerability scanning engine can trigger secondary verification requests for suspected vulnerability points, such as inserting probing payloads and observing response changes, forming a preliminary verification loop. The output results can include vulnerability type, trigger path, request / response samples, contextual information, and timestamps, forming a traceable vulnerability scanning log.

[0085] Optionally, the steps of combining a vulnerability rule base and using an application vulnerability scanning engine to perform vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy listening service node include: selecting a predetermined open-source scanning engine as the application vulnerability scanning engine based on the vulnerability detection requirements and completeness requirements in the vulnerability scanning request; calling the vulnerability rule base, using the application vulnerability scanning engine to match the response traffic data forwarded by the proxy listening service node with the vulnerability rule base, and performing vulnerability feature matching and vulnerability verification operations through the vulnerability rule base to obtain vulnerability scanning results.

[0086] In this embodiment, when performing vulnerability feature matching and vulnerability verification operations in conjunction with a vulnerability rule base, a predetermined open-source scanning engine can be dynamically selected as the application vulnerability scanning engine based on the vulnerability detection requirements and completeness requirements carried in the vulnerability scanning request. For example, Xray can be selected when high-concurrency lightweight scanning is required. This helps adapt to the differentiated needs of different scanning scenarios for speed and rule breadth, avoiding detection blind spots caused by a fixed engine. In addition, this embodiment can automatically match the corresponding rule subset based on the semantic features of response traffic data, improving matching accuracy and reducing invalid scanning of irrelevant traffic. At the same time, in the vulnerability verification stage, the scanning engine can select an appropriate verification payload based on the traffic context. For example, for error messages found in the login interface response, the corresponding authentication bypass rules can be invoked for cross-verification, making the detection behavior closer to the real attack path. The vulnerability scanning log can record the rule ID, matching position, confidence score, and verification action for each match, forming an auditable detection trajectory.

[0087] Optionally, after performing vulnerability signature matching and vulnerability verification operations on the response traffic data forwarded by the proxy listening service node using the application vulnerability scanning engine, the process further includes: integrating the response traffic data with page access operations, DOM summaries, page screenshots, interaction sequences, and session association information collected during the vulnerability scanning process to obtain vulnerability scanning traffic data; preprocessing and formatting the vulnerability scanning traffic data, wherein the preprocessing includes at least one of the following: abnormal parameter deletion, large file digest extraction, abnormal data annotation, and key parameter annotation; inputting the formatted vulnerability scanning traffic data into a large language model, using the large language model to analyze the vulnerability scanning process, and outputting a structured report containing scanning risk points, abnormal operation behaviors, and interaction flow explanations.

[0088] This embodiment integrates response traffic data with page access operations, DOM summaries, page screenshots, interaction sequences, and session association information collected during vulnerability scanning to construct a complete vulnerability scanning traffic dataset. This dataset merges network layer communication content with front-end behavioral context, so that a single request is no longer isolated but embedded in the complete path of the user's simulated operation. This helps to reconstruct the real-world scenario of vulnerability triggering, facilitates the formation of semantically relevant analytical input, and improves the subsequent model's ability to identify complex logical vulnerabilities (such as unauthorized access and business process bypass).

[0089] Furthermore, the preprocessing operations performed on the vulnerability scanning traffic data in this embodiment include at least one of the following: abnormal parameter deletion, used to remove temporary parameters or debugging identifiers that have no business significance; large file digest extraction, used to compress the content of excessively long response bodies and extract key segments, retaining the semantic core; abnormal data annotation, used to mark suspicious behaviors such as abnormal response status codes, excessively long response times, and unexpected redirections; and key parameter annotation, used to identify and highlight request parameters containing sensitive fields and their contextual sources. The formatted vulnerability scanning traffic data can be input into a large language model, which performs semantic-level analysis of the vulnerability scanning process and outputs a structured report containing scanning risk points, abnormal operation behaviors, and explanations of the interaction flow. The model infers the attack surface distribution based on multimodal input (text traffic, operation sequences, screenshot semantics) and identifies hidden vulnerability clues, such as the ability to access the administrator interface after a user permission change or returning a 200 error instead of a 403 error after repeatedly clicking the unauthorized button. Optionally, the structured report provided in this embodiment may include, but is not limited to, an operation trajectory timeline, a risk path map, contextual evidence references, and natural language descriptions, forming highly readable and auditable analysis results to help security personnel quickly locate the root cause of the problem and verify false alarms.

[0090] Through the above steps, a vulnerability scanning request can be responded to. Based on the request operation set, a browser agent is driven to perform various preset access operations on the target browser. The browser agent integrates a large language model and a browser automation framework, and its access operation execution process is constrained by preset fixed instructions. The request operation set includes N preset access operations to be executed pre-configured on the user side, where N is a positive integer. All network access requests and response results corresponding to the preset access operations are captured in real time in the target browser and recorded in a structured manner as response traffic data. All network access requests and response traffic data are forwarded to the application vulnerability scanning engine via a proxy listening service node, which is pre-configured in the target browser's execution environment. Combining the vulnerability rule base, the application vulnerability scanning engine performs vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy listening service node, outputting traffic data analysis results and vulnerability scanning logs. In this embodiment, automated browser access operations can be achieved through a browser agent, capturing complete network request and response data in real time and generating high-quality traffic that closely resembles actual business scenarios. Pre-defined fixed instructions constrain the browser agent's behavior, ensuring it only performs non-destructive operations such as reading, browsing, and triggering, avoiding noisy traffic caused by abnormal or unexpected operations. The captured structured response traffic data is forwarded to the application vulnerability scanning engine via a proxy listening service node. After preliminary detection using a vulnerability rule base, fully automated application vulnerability scanning is achieved. This allows for in-depth exploration of dynamic page logic without manual intervention, significantly improving vulnerability coverage and traffic authenticity. It effectively reduces the false positive rate caused by the lack of contextual understanding in traditional tools, making vulnerability reports received by the security team more credible and manageable, and improving the efficiency of subsequent response and remediation. This solves the technical problem of high false positive rates and reduced processing efficiency of web application vulnerability tools in related technologies.

[0091] Optionally, after the browser agent performs various preset access operations on the target browser, the process further includes: during the execution of the browser agent, detecting the completion status of each preset access operation within a predetermined time period; if the operation completion status indicates completion, terminating the current path exploration and reverting to the previous safe node, wherein the previous safe node is a page state that has been confirmed to be risk-free, and the DOM structure and interactive element set of the previous safe node are marked as stable; if the operation completion status indicates that the number of consecutive failed attempts has reached a preset failure threshold, terminating the current path exploration and reverting to the previous safe node.

[0092] During execution, the browser agent continuously monitors the completion status of each preset access operation within a predetermined time. This status is determined by a comprehensive assessment of execution signals returned by the browser automation framework, DOM change events, page load completion flags, or stable network request cycles. This helps identify whether the operation failed to execute effectively due to page load delays, unrendered dynamic content, or unready interactive elements, preventing the agent from getting stuck in a blocked or invalid loop due to timeouts. Furthermore, in this embodiment, when the operation completion status indicates completion, the current path exploration is terminated and the process reverts to the previous safe node. The previous safe node is a page state that has been confirmed to be risk-free, whose DOM structure and set of interactive elements have been recorded and marked as stable, including a clear navigation entry point, a distribution of interactive controls, and no abnormal response characteristics. This revert mechanism is based on historical path snapshots maintained in the session cache, ensuring that the agent returns to a known state with predictable behavior and no potential risk of damage, avoiding irreversible business changes or state contamination caused by subsequent operations. If the number of consecutive failed attempts indicated by the operation completion status reaches a preset failure threshold, the current path exploration can be terminated and the system can roll back to the previous safe node. This threshold is dynamically configured based on the complexity of page interaction and the response characteristics of the target site. This helps prevent the agent from continuously consuming resources on invalid paths (such as infinite loop pagination, error redirection, and loading failure pop-ups), improving overall scanning efficiency and system stability. After the rollback is triggered, the agent restores the page context and interaction strategy of the previous safe node, re-evaluates explorable branches, and achieves fault tolerance and controllability in path exploration.

[0093] The following describes in detail another optional implementation method.

[0094] The implementation method of this application aims to solve the problem that traditional web application scanning technology cannot effectively cover modern front-end structures (such as single-page applications, dynamically loaded pages, and complex interactive logic). It proposes a web application vulnerability scanning method based on an AI Agent browser automated intelligent agent. By introducing a browser intelligent agent driven by a large language model, it enables the agent to autonomously access sites, understand page content, and perform interactive operations like a user, thereby generating real and rich business traffic and recording and forwarding it as input data for subsequent vulnerability detection and vulnerability analysis.

[0095] Figure 3 This is an architecture diagram of an optional automated scanning system based on an AI browser agent according to an embodiment of the present invention, such as... Figure 3 As shown, the scanning system mainly includes: an AI browser automated intelligent agent, an AI large model, a web application vulnerability scanning engine, an AI-assisted analysis module, and a log and data storage module. The following is an illustrative description of each module.

[0096] Part 1, AI Agent Browser Automated Intelligent Agent.

[0097] Built on a large language model and browser automation framework, this intelligent agent can understand web page content, identify interactive elements, and execute natural language-driven operations. It can also record access traffic and configure proxy services to achieve behavior similar to human testing.

[0098] The AI ​​Agent browser automation agent is a key module for the system's deep web exploration. Its core idea is to control business logic through a self-developed agent, manage browser automation operations through an MCP Server, and ultimately drive the browser to complete automated exploration and behavioral decisions using a large model, generating high-quality web traffic that traditional scanners cannot cover.

[0099] The overall structure consists of two parts: (1) MCP Server: Unified management service for browser automation operations. In order to realize browser automation, MCP (Model Context Protocol) can be used as the unified control protocol layer inside the Agent. The main responsibility of this layer is to encapsulate the underlying capabilities of the browser automation framework. The MCP Server connects to the mainstream browser automation engine, but it will not be strongly bound to any framework. Instead, it will abstract its underlying API into internal tools and expose them to the large model in the form of "capabilities", such as: page loading capability, DOM node search capability, element click / input capability, form submission capability, screenshot capability, page status reading capability, and network traffic hook capability. The purpose of unified abstraction is that the upper-layer Agent no longer depends on the specific browser framework, and the large model can directly call the corresponding "capabilities" through MCP, which significantly improves the maintainability and scalability of the entire system. The browser automation layer does not have decision-making capabilities. It is only responsible for executing the instructions from the browser automation agent, similar to a "robotic arm".

[0100] (2) The Agent layer is the core of the browser's automated intelligent agent. An Agent control layer is needed above the MCP Server. This layer encapsulates and constrains model session management, browsing behavior, access rules, browser session caching, model system prompts, traffic records, timeout configuration, etc.

[0101] The Agent consists of three core components: ① Session Memory: The Agent contains a lightweight session cache used to record: a snapshot of the current page structure (DOM summary, interactive elements), the sequence of historical visited pages, explored and unexplored paths, etc. It also maintains the multi-turn dialogue context between the model and the browser, ensures consistency in the execution of instructions in each call, and handles browsing behaviors triggered by the model (such as navigation, clicks, etc.). The session cache is the foundation for making browsing behavior controllable, traceable, and reversible, effectively preventing the model from making repeated clicks, looping, or confusing operations due to context memory. ② Behavior control and access strategies: A built-in system prompt word framework is provided, not exposed to the user. This framework includes: security rules that browsing behavior must follow, exploration order, strategies, priorities, general task planning logic, constraints to prevent unexpected deletion and modification, how to describe the browser's current state, and how to return structured action instructions. Through a combination of system prompt words, behavior rules, and session caching, browsing behavior is ensured to be "controllable, secure, and non-destructive," implementing a set of behavior control strategies, including: behavior restriction policies, prohibition of sensitive operations (such as deletion), restrictions on access depth and branch count, and timeout configurations to prevent the model from entering an infinite loop. ③ Traffic recording: The Agent operates the browser through the MCP Server to achieve fully automated access to the site. Simultaneously, when creating a browser instance, traffic can be directly intercepted and captured at the browser level, and the request traffic behind each operation is recorded in a standardized manner.

[0102] Part 2, Browser Execution Environment.

[0103] This environment hosts real browser instances, where the agent performs actions such as clicking, inputting, and redirecting. At the same time, it captures all requests and responses at the browser level, including but not limited to HTTP / HTTPS requests and WebSocket messages. This traffic is normalized and recorded by the agent for AI to perform auxiliary traffic analysis, and the traffic is forwarded to the scanner's proxy listening service through proxy configuration.

[0104] The browser execution environment is the platform through which the browser's automated agent initiates real interactions and generates detection traffic. It provides stable browser control capabilities, cross-browser support, and a rich set of network hooks, making it suitable for automated vulnerability scanning scenarios. For example, using Playwright, the approach is as follows: 1. Start a browser instance as the real browser runtime environment; 2. Create an independent browser context (or independent browser instance) for each scanning task to achieve session isolation; 3. Inject proxy configuration when the context starts, configuring it as a passive scanning proxy service for the web application vulnerability scanning tool, ensuring all browser traffic goes through the proxy layer and is forwarded to the web application vulnerability scanning tool for detection; 4. Register network listening hooks to collect question / response content, capture WebSockets, record key events, take screenshots, etc.; 5. Sandbox and limit resources for the browser instance (containerization, CPU / memory limits, automatic recycling and restart strategies) to ensure stability and security.

[0105] Part 3. Web Application Vulnerability Scanning Engine.

[0106] Start the monitoring service to listen for traffic forwarded from the browser, perform vulnerability signature matching and POC verification, and determine whether a vulnerability exists. The scanning engine can be a third-party scanner or a self-developed vulnerability scanning engine.

[0107] The web application vulnerability scanning engine is the foundational core module of the entire automated verification platform. It is responsible for identifying potential security risks in web applications through proactive probing, proxy crawling, vulnerability detection, and Proof-of-Concept (POC) verification. This scanning methodology supports two approaches: integrating an open-source scanning engine and building a self-developed scanning engine, to adapt to the deployment needs of enterprises at different stages and with varying resource conditions. Choosing an open-source scanning engine allows for the rapid implementation of usable and stable scanning capabilities. Mature open-source or commercial scanners can be selected as foundational components, such as the Xray scanning engine.

[0108] Part 4. AI-Assisted Analysis (Optional).

[0109] Traffic analysis is performed based on a large model, and the results of the scanning engine are penetrated and verified to improve accuracy and reduce false positives. The AI-assisted analysis module is an optional enhancement to the entire system, used to further improve analysis quality, verification efficiency, and understandability on the basis of traditional tool scanning.

[0110] This module can be divided into two parts: (1) Traffic analysis based on large models, which is used to further understand and interpret the standardized traffic recorded by the AI ​​Agent browser automated intelligent agent. Unlike traditional reporting rules or template engines, it enables the system to automatically generate clearer, easier-to-read, and more understandable analysis reports.

[0111] Implementation Approach: Input data consists of standardized traffic recorded by the browser's automated agent, including: structured information on requests and responses, page operation behaviors (clicks, inputs, redirects), DOM summaries, page screenshots, interaction sequences, and session-related information (such as cookies, redirect chains, etc.). Preprocessing and formatting are also required: Appropriate summarization of the aforementioned content is necessary; identification of key requests, parameters, characteristic patterns, and annotation of potential anomalies, such as abnormal responses, suspicious parameters, and redirect behaviors; summarization of large amounts of content (such as body text summaries and response fragment summaries). Large-Scale Model Analysis: Standardized traffic is input into a large model, which performs the following: overall summary of the interaction process; identification of potential risks or unusual behaviors; explanation of complex interaction flows; and provision of understandable analytical explanations. Output: a structured report (such as an overview, findings, evidence locations, potential risks, and recommendations). The output report is presented in a structured manner, including interaction trajectories, key data points, and analytical conclusions, and can be directly used for security audits or subsequent verification.

[0112] The second part of this module, (2) vulnerability verification based on a large model, is used to further judge the scanning results output by the Web vulnerability scanning engine and complete vulnerability verification in conjunction with the toolchain, forming an intelligent decision-making ability to understand the scenario and select the most suitable verification method. In terms of implementation, it can be used in conjunction with a variety of penetration testing tools. Finally, a closed-loop process is realized from scanning result input → large model judgment → tool calling strategy → verification output.

[0113] Part 5. Log and Data Storage Module.

[0114] The log and data storage module is used to fully record all kinds of data generated by the system during the entire process of traffic analysis and vulnerability verification, and supports auditing, tracking, report generation and model optimization.

[0115] The system can select the appropriate storage method according to actual needs:

[0116] Relational databases: suitable for structured task records and metadata management;

[0117] Document-oriented databases are suitable for storing complex request packets, verification evidence, etc.

[0118] File storage: Used to save large packet capture files, screenshots, and other auxiliary materials.

[0119] This invention provides a web application vulnerability scanning method based on AI browser proxy. The method demonstrates its specific workflow by scanning a website and presenting a complete scan test case in the scan result report.

[0120] Figure 4This is a flowchart of an optional web application vulnerability scanning method based on a browser agent agent according to an embodiment of the present invention, such as... Figure 4 As shown, from the user inputting the scanning site to the end of the scan, the entire process only requires the user to input the site and create the scanning task. The entire process does not require user intervention or operation, thus reducing labor costs.

[0121] like Figure 4 As shown, after the scan begins, the Web Application Vulnerability Scanning Tool and the browser agent illustrated by the AI ​​model serve as the two main supporting components to complete the operation. The Web Application Vulnerability Scanning Tool first initiates a traditional active scan while simultaneously creating a passive scan task. The passive scan's proxy service is also used by the Agent to create proxy services for retrieving website browser instances. All website access traffic from the Agent is automatically forwarded to the Web Application Vulnerability Scanning Tool as detection traffic for the passive scan task, improving vulnerability detection coverage. Simultaneously, the Agent records access traffic at the browser level and provides it to the AI ​​for auxiliary analysis. After vulnerability detection is completed, the AI ​​performs vulnerability verification to reduce the false positive rate. Finally, the system integrates the scan results and generates a scan report.

[0122] In this embodiment of the invention, a collaborative architecture of an AI browser automated agent and a vulnerability scanning engine can be constructed to achieve deep automated exploration and accurate vulnerability detection of modern web applications, forming a closed-loop scanning process of "AI-driven access - full traffic capture - intelligent analysis and verification". In terms of scanning coverage, the AI ​​browser agent autonomously executes page interactions based on natural language understanding, which can effectively identify and operate components dynamically rendered by JavaScript, asynchronously loaded API interfaces, and non-linked navigation paths in single-page applications, breaking through the blind spots of traditional crawlers in identifying dynamic content and significantly expanding the business logic coverage of the scan.

[0123] In terms of automation, site access, feature exploration, and traffic generation can be completed without manual operation, completely replacing the traditional passive scanning model that relies on penetration engineers clicking page by page. This achieves an end-to-end, uninterrupted process from task initiation to result output, reducing reliance on the experience of professional personnel. Regarding false positive control, AI-assisted analysis of scan results, combining page operation context, DOM structure, interaction sequence, and screenshot semantics, can effectively distinguish between real vulnerabilities and false alarm triggers (such as debugging information and non-sensitive abnormal responses), reducing misjudgments caused by isolated requests and improving report credibility.

[0124] The following is a detailed description with reference to another embodiment.

[0125] Example 2

[0126] The application vulnerability scanning device based on browser intelligent agents provided in this embodiment includes multiple implementation units, each of which corresponds to the implementation steps in the above embodiment one. The specific implementation method and beneficial effects can be referred to the foregoing method embodiment, and will not be repeated here.

[0127] Figure 5 This is a schematic diagram of an optional application vulnerability scanning device based on a browser-based intelligent agent according to an embodiment of this application, such as... Figure 5 As shown, the application vulnerability scanning device based on browser agents may include: agent operation unit 51, traffic capture unit 52, proxy forwarding unit 53, and vulnerability verification unit 54.

[0128] Among them, the intelligent agent operation unit 51 is used to respond to vulnerability scanning requests, drive the browser intelligent agent according to the request operation set, and use the browser intelligent agent to perform various preset access operations on the target browser. The browser intelligent agent integrates a large language model and a browser automation framework, and constrains the execution process of the browser intelligent agent's access operations through preset intelligent agent fixed instructions. The request operation set includes N preset access operations to be executed pre-configured by the user, where N is a positive integer.

[0129] The traffic capture unit 52 is used to capture all network access requests and response results corresponding to preset access operations in the target browser in real time, and record them in a structured manner as response traffic data.

[0130] The proxy forwarding unit 53 is used to forward all network access request and response traffic data to the application vulnerability scanning engine via the proxy listening service node, wherein the proxy listening service node is pre-configured in the execution environment of the target browser.

[0131] Vulnerability verification unit 54 is used to combine the vulnerability rule base and use the application vulnerability scanning engine to perform vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy listening service node, and output traffic data analysis results and vulnerability scanning logs.

[0132] The aforementioned application vulnerability scanning device based on browser agents can respond to vulnerability scanning requests through the agent operation unit 51, drive the browser agent according to the request operation set, and use the browser agent to perform various preset access operations on the target browser. The traffic capture unit 52 captures all network access requests and response results corresponding to the preset access operations in the target browser in real time and records them in a structured manner as response traffic data. The proxy forwarding unit 53 forwards all network access requests and response traffic data to the application vulnerability scanning engine through the proxy listening service node. The vulnerability verification unit 54 combines the vulnerability rule base and uses the application vulnerability scanning engine to perform vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy listening service node, and outputs traffic data analysis results and vulnerability scanning logs. In this embodiment, automated browser access operations can be achieved through a browser agent, capturing complete network request and response data in real time and generating high-quality traffic that closely resembles actual business scenarios. Pre-defined fixed instructions constrain the browser agent's behavior, ensuring it only performs non-destructive operations such as reading, browsing, and triggering, avoiding noisy traffic caused by abnormal or unexpected operations. The captured structured response traffic data is forwarded to the application vulnerability scanning engine via a proxy listening service node. After preliminary detection using a vulnerability rule base, fully automated application vulnerability scanning is achieved. This allows for in-depth exploration of dynamic page logic without manual intervention, significantly improving vulnerability coverage and traffic authenticity. It effectively reduces the false positive rate caused by the lack of contextual understanding in traditional tools, making vulnerability reports received by the security team more credible and manageable, and improving the efficiency of subsequent response and remediation. This solves the technical problem of high false positive rates and reduced processing efficiency of web application vulnerability tools in related technologies.

[0133] Optionally, the intelligent agent operation unit includes: a server-side component running module, used to run a server-side component of the target protocol using the browser intelligent agent, wherein the server-side component serves as a unified control protocol layer within the browser intelligent agent, interfaces with multiple browser automation engines, and pre-encapsulates the underlying operation function modules of the browser automation framework; and an access interface calling module, used to call a predefined standardized browser access interface through the server-side component to perform various preset access operations on a specified site of the target browser, wherein the target protocol is a protocol connecting the large language model and the browser's runtime environment.

[0134] Optionally, the application vulnerability scanning device based on browser agents further includes: a scanning task creation module, used to create a scanning task for each preset access operation before using the browser agent to perform various preset access operations on the target browser; a browser instance creation module, used to create a browser instance for each scanning task, perform sandboxing and resource restrictions on the browser instance, and complete session isolation operations; a listening service node injection module, used to inject a proxy listening service node when the target browser's tab group starts, and configure the proxy listening service node as a passive scanning proxy service of the application vulnerability scanning engine; and a network listening hook registration module, used to register network listening hooks in the target browser, and use network listening hooks to record key event records, operation screenshots, and timestamps during the application vulnerability scanning process to generate vulnerability scanning logs.

[0135] Optionally, the vulnerability verification unit includes: a scanning engine selection module, used to select a predetermined open-source scanning engine as the application vulnerability scanning engine based on the vulnerability detection requirements and completeness requirements in the vulnerability scanning request; and a vulnerability matching module, used to call the vulnerability rule base, use the application vulnerability scanning engine to match the response traffic data forwarded by the proxy listening service node with the vulnerability rule base, and perform vulnerability feature matching and vulnerability verification operations through the vulnerability rule base to obtain vulnerability scanning results.

[0136] Optionally, the browser-based application vulnerability scanning device further includes: a scanning traffic synthesis module, used to perform vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy listening service node using the application vulnerability scanning engine, and then synthesize the response traffic data with page access operations, DOM summary, page screenshots, interaction sequence, and session association information collected during the vulnerability scanning process to obtain vulnerability scanning traffic data; a preprocessing module, used to preprocess and format the vulnerability scanning traffic data, wherein the preprocessing includes at least one of the following: abnormal parameter deletion, large file digest extraction, abnormal data annotation, and key parameter annotation; and a large model vulnerability analysis module, used to input the formatted vulnerability scanning traffic data into a large language model, use the large language model to analyze the vulnerability scanning process, and output a structured report containing scanning risk points, abnormal operation behaviors, and interaction flow explanations.

[0137] Optionally, the browser agent includes: a session caching module, used to record the browser's current page structure snapshot, historical page access sequence, explored and unexplored paths, and maintain the multi-turn dialogue context between the large language model and the browser; an agent fixed instruction module, including at least one of the following: behavior restriction policy, prohibition of sensitive operations, restriction of access depth and branch number, timeout threshold configuration, exploration order, access policy, priority, and general task planning logic; and a traffic recording module, used to execute various preset access operations on the specified site of the target browser, create a browser instance, intercept and capture traffic at the browser level, capture all network access requests and response results corresponding to the preset access operations, and record them in a structured manner as response traffic data.

[0138] Optionally, the application vulnerability scanning device based on browser agents further includes: an operation status detection module, used to detect the completion status of each preset access operation within a predetermined time period after the browser agent performs various preset access operations on the target browser; a termination module, used to terminate the current path exploration and fall back to the previous safe node when the operation completion status indicates completion, wherein the previous safe node is a page state that has been confirmed to be risk-free, and the DOM structure and interactive element set of the previous safe node are marked as stable; and to terminate the current path exploration and fall back to the previous safe node when the number of consecutive failed attempts indicated by the operation completion status reaches a preset failure threshold.

[0139] The aforementioned application vulnerability scanning device based on browser agents may also include a processor and a memory. The aforementioned agent operation unit 51, traffic capture unit 52, proxy forwarding unit 53, vulnerability verification unit 54, etc., are all stored in the memory as program units, and the processor executes the aforementioned program units stored in the memory to realize the corresponding functions.

[0140] The aforementioned processor contains a kernel, which retrieves the corresponding program units from memory. One or more kernels can be configured, and by adjusting kernel parameters, application vulnerability scanning and analysis can be performed based on the AI ​​browser agent.

[0141] The aforementioned memory may include non-permanent memory in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM, and the memory includes at least one memory chip.

[0142] Example 3

[0143] Embodiments of this application may provide an electronic device. Figure 6This is a structural block diagram of an electronic device that performs an application vulnerability scanning method based on a browser-based intelligent agent, according to an embodiment of this application. Figure 6 As shown, the electronic device may include: one or more ( Figure 6 (Only one is shown) Processor 602, memory 604, memory controller, and peripheral interface, wherein the peripheral interface is connected to the radio frequency module, audio module and display.

[0144] The memory can be used to store software programs and modules, such as the program instructions / modules corresponding to the browser-based intelligent agent-based application vulnerability scanning method and apparatus in this application embodiment. The processor executes various functional applications and data processing by running the software programs and modules stored in the memory, thereby realizing the aforementioned browser-based intelligent agent-based application vulnerability scanning method. The memory may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory may further include memory remotely located relative to the processor, and these remote memories can be connected to the terminal via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.

[0145] The processor can access information and applications stored in memory via a transmission device to perform the following steps: responding to vulnerability scanning requests; driving a browser agent based on a set of requested operations; utilizing the browser agent to perform various preset access operations on the target browser; wherein the browser agent integrates a large language model and a browser automation framework, and constrains the execution process of the browser agent's access operations through preset fixed instructions; the set of requested operations includes N preset access operations to be executed pre-configured by the user, where N is a positive integer; capturing network access requests and response results corresponding to all preset access operations in real time in the target browser, and recording them in a structured manner as response traffic data; forwarding all network access requests and response traffic data to the application vulnerability scanning engine via a proxy listening service node, wherein the proxy listening service node is pre-configured in the execution environment of the target browser; combining a vulnerability rule base, using the application vulnerability scanning engine to perform vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy listening service node, and outputting traffic data analysis results and vulnerability scanning logs.

[0146] Those skilled in the art will understand that Figure 6 The structure shown is for illustrative purposes only. Electronic devices can also be smartphones, tablets, handheld computers, mobile internet devices (MIDs), PADs, and other terminal devices. Figure 6This does not limit the structure of the aforementioned electronic device. For example, electronic devices may also include components that are more... Figure 6 The more or fewer components shown (such as network interfaces, display devices, etc.), or having the same Figure 6 The different configurations shown.

[0147] Those skilled in the art will understand that all or part of the steps in the various browser-based intelligent agent-based application vulnerability scanning methods of the above embodiments can be implemented by a program instructing the hardware related to the terminal device. The program can be stored in a computer-readable storage medium, which may include: flash drive, read-only memory (ROM), random access memory (RAM), disk or optical disk, etc.

[0148] Example 4

[0149] Embodiments of this application also provide a storage medium. Optionally, in this embodiment, the storage medium can be used to store the program code executed by the browser-based intelligent agent-based application vulnerability scanning method provided in Embodiment 1.

[0150] According to another aspect of the embodiments of this application, a computer-readable storage medium is also provided, the computer-readable storage medium including a stored computer program, wherein, when the computer program is running, it controls the device where the computer-readable storage medium is located to execute the application vulnerability scanning method based on any one of the above embodiments.

[0151] Optionally, in this embodiment, the storage medium may be located in any computer terminal in a group of computer terminals in a computer network, or in any mobile terminal in a group of mobile terminals.

[0152] This application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of the application vulnerability scanning method based on a browser-based intelligent agent as described in various embodiments of this application.

[0153] This application also provides a computer program product, including a non-volatile computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the application vulnerability scanning method based on a browser-based intelligent agent described in various embodiments of this application.

[0154] The sequence numbers of the embodiments in this application are for descriptive purposes only and do not represent the superiority or inferiority of the embodiments.

[0155] In the above embodiments of this application, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments.

[0156] In the several embodiments provided in this application, it should be understood that the disclosed technical content can be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division of units can be a logical functional division, and in actual implementation, there may be other division methods. For instance, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the displayed or discussed mutual coupling, direct coupling, or communication connection may be through some interfaces; the indirect coupling or communication connection between units or modules may be electrical or other forms.

[0157] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0158] Furthermore, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0159] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), portable hard drive, magnetic disk, or optical disk.

[0160] The above description is only a preferred embodiment of this application. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the principle of this application, and these improvements and modifications should also be considered within the scope of protection of this application.

Claims

1. A method for scanning application vulnerabilities based on browser-based intelligent agents, characterized in that, include: In response to a vulnerability scanning request, the browser agent is driven according to the request operation set. The browser agent is used to perform various preset access operations on the target browser. The browser agent integrates a large language model and a browser automation framework. The browser agent's access operation execution process is constrained by preset agent fixed instructions. The request operation set includes N preset access operations to be executed pre-configured by the user, where N is a positive integer. The system captures all network access requests and response results corresponding to preset access operations in real time in the target browser and records them in a structured manner as response traffic data. All network access requests and response traffic data are forwarded to the application vulnerability scanning engine via a proxy listening service node, wherein the proxy listening service node is pre-configured in the execution environment of the target browser; By combining the vulnerability rule base, the application vulnerability scanning engine performs vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy monitoring service node, and outputs traffic data analysis results and vulnerability scanning logs.

2. The application vulnerability scanning method according to claim 1, characterized in that, The steps of using the browser agent to perform various preset access operations on the target browser include: The browser agent runs a server component of the target protocol, wherein the server component serves as a unified control protocol layer within the browser agent, interfaces with multiple browser automation engines, and pre-encapsulates the underlying operation function modules of the browser automation framework. The server component calls a predefined standardized browser access interface to perform various preset access operations on a specified site of the target browser. The target protocol is a protocol that connects the large language model and the browser's runtime environment.

3. The application vulnerability scanning method according to claim 1, characterized in that, Before using the browser agent to perform various preset access operations on the target browser, the method further includes: For each of the aforementioned preset access operations, create a scan task; Create a browser instance for each scanning task, perform sandboxing and resource restrictions on the browser instances, and complete session isolation operations; When the tab group of the target browser is started, the proxy listening service node is injected, and the proxy listening service node is configured as a passive scanning proxy service of the application vulnerability scanning engine. Register a network listening hook in the target browser and use the network listening hook to record key event records, operation screenshots, and timestamps during the application vulnerability scanning process to generate the vulnerability scanning log.

4. The application vulnerability scanning method according to claim 1, characterized in that, The steps of performing vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy monitoring service node using the application vulnerability scanning engine, in conjunction with the vulnerability rule base, include: Based on the vulnerability detection requirements and completeness requirements in the vulnerability scanning request, a predetermined open-source scanning engine is selected as the application vulnerability scanning engine. The vulnerability rule base is invoked, and the application vulnerability scanning engine is used to match the response traffic data forwarded by the proxy listening service node with the vulnerability rule base. Vulnerability feature matching and vulnerability verification operations are performed through the vulnerability rule base to obtain vulnerability scanning results.

5. The application vulnerability scanning method according to claim 1, characterized in that, After performing vulnerability signature matching and vulnerability verification operations on the response traffic data forwarded by the proxy listening service node using the application vulnerability scanning engine, the process further includes: By combining the aforementioned response traffic data with page access operations, DOM summary, page screenshots, interaction sequence, and session association information collected during the vulnerability scanning process, vulnerability scanning traffic data is obtained. The vulnerability scan traffic data is preprocessed and formatted, wherein the preprocessing includes at least one of the following: abnormal parameter deletion, large file digest extraction, abnormal data annotation, and key parameter annotation; The formatted vulnerability scan traffic data is input into a large language model, which is then used to analyze the vulnerability scanning process and output a structured report containing scan risk points, abnormal operation behaviors, and explanations of the interaction process.

6. The application vulnerability scanning method according to claim 1, characterized in that, The browser agent includes: The session caching module is used to record the browser's current page structure snapshot, historical page access sequence, explored and unexplored paths, and maintain the multi-turn dialogue context between the large language model and the browser; The agent's fixed instruction module includes at least one of the following: behavior restriction policy, prohibition of sensitive operations, restriction of access depth and number of branches, timeout threshold configuration, exploration order, access policy, priority, and general task planning logic; The traffic recording module is used to perform various preset access operations on the specified site of the target browser, create a browser instance, intercept and capture traffic at the browser level, capture all network access requests and response results corresponding to the preset access operations, and record them in a structured manner as response traffic data.

7. The application vulnerability scanning method according to claim 1, characterized in that, After the browser agent performs various preset access operations on the target browser, the method further includes: During execution, the browser agent detects the completion status of each preset access operation within a predetermined time period. If the operation completion status indication has been completed, terminate the current path exploration and fall back to the previous safe node, wherein the previous safe node is a page state that has been confirmed to be risk-free, and the DOM structure and interactive element set of the previous safe node are marked as stable. If the number of consecutive failed attempts indicated by the operation completion status reaches a preset failure threshold, the current path exploration will be terminated and the path will be rolled back to the previous safe node.

8. An application vulnerability scanning system based on browser intelligent agents, characterized in that, include: The browser agent is used to respond to externally inputted vulnerability scanning requests. It drives the browser agent according to the request operation set, integrates a large language model and a browser automation framework, and drives the target browser to execute various preset access operations. The browser agent module has built-in preset agent fixed instructions, which constrain the execution process of the browser agent's access operations to ensure that the access process is secure and controllable. The browser execution environment module is used to host and run the target browser instance driven by the browser agent. It creates an independent browser context at startup to achieve session isolation between scanning tasks. The browser execution environment module also integrates a network traffic interception hook to capture all network request and response data generated by the target browser in real time during the execution of preset access operations. The proxy listening service node is deployed in the network communication path of the browser execution environment module. It is used to receive all network access requests and response results from the target browser, encapsulate them in a structured manner as response traffic data, and forward them to the downstream application vulnerability scanning engine. The application vulnerability scanning engine is used to receive response traffic data forwarded by the proxy listening service node, combine it with the pre-set vulnerability rule base, perform vulnerability feature matching, payload injection and vulnerability verification operations, identify potential security vulnerabilities in the target application, and output structured vulnerability scanning logs and risk assessment results. The session and log storage module is used to persistently store the access behavior logs of the browser agent, the raw traffic packets captured by the browser execution environment module, and the vulnerability scanning logs and risk assessment results generated by the application vulnerability scanning engine.

9. An application vulnerability scanning device based on a browser-based intelligent agent, characterized in that, include: The intelligent agent operation unit is used to respond to vulnerability scanning requests, drive the browser intelligent agent according to the request operation set, and use the browser intelligent agent to perform various preset access operations on the target browser. The browser intelligent agent integrates a large language model and a browser automation framework, and constrains the access operation execution process of the browser intelligent agent through preset intelligent agent fixed instructions. The request operation set includes N preset access operations to be executed pre-configured by the user, where N is a positive integer. The traffic capture unit is used to capture all network access requests and response results corresponding to preset access operations in the target browser in real time, and record them in a structured manner as response traffic data. The proxy forwarding unit is used to forward all network access requests and response traffic data to the application vulnerability scanning engine via the proxy listening service node, wherein the proxy listening service node is pre-configured in the execution environment of the target browser. The vulnerability verification unit is used to combine the vulnerability rule base and use the application vulnerability scanning engine to perform vulnerability feature matching and vulnerability verification operations on the response traffic data forwarded by the proxy monitoring service node, and output traffic data analysis results and vulnerability scanning logs.

10. An electronic device, characterized in that, The device includes one or more processors and a memory, the memory being used to store one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors cause the one or more processors to implement the application vulnerability scanning method based on browser agents as described in any one of claims 1 to 7.