TestForge Documentation

Everything you need to audit web applications with zero code access — from basic URL scanning to authenticated multi-step OTP flows.

Getting Started

TestForge audits any web application by pasting a URL. No SDK installation, no source code access, no browser extensions. The engine uses Playwright to drive a real browser (Chromium, Firefox, or WebKit) and runs 27+ automated tests across 5 categories.

  1. Go to /audit
  2. Paste your application URL
  3. Optionally provide login credentials for authenticated pages
  4. Click Run Audit — results arrive in 15-60 seconds
  5. Get the report in-browser and via email

Running an Audit

Audits run in 5 phases:

  1. Crawl: Discovers pages, forms, links, and API endpoints (up to 15 pages deep)
  2. Security: Tests for SQL injection, XSS, path traversal, admin exposure, API leaks, open redirects, and missing security headers
  3. Data Breach: Scans for exposed emails, Aadhaar/PAN numbers, credentials in source code, localStorage tokens, and cookie data leaks
  4. CRUD Testing: Finds forms and submit buttons, tests with sample data, verifies responses
  5. E2E Flows: Tests login → dashboard → logout flows, navigation links, and multi-page interactions

Credentials & Authenticated Audits

To audit password-protected areas, provide credentials in the audit form:

Field      Purpose
loginUrl   URL of the login page (if different from app URL)
username   Email or username for login
password   Password for login
otpCode    One-time password if the app uses 2FA (see below)

The engine automatically detects email/password fields and submit buttons. If your app uses custom field names, you can specify them via the API.

Multi-Step OTP Handling

For applications requiring two-factor authentication with OTP:

  1. Provide loginUrl, username, and password
  2. Include the otpCode (the engine waits for the OTP field to appear, fills it, and clicks Verify)
  3. The engine handles multi-step login flows — detects "Next", "Continue", "Proceed" buttons
  4. After successful authentication, the session cookies are reused for all subsequent audit tests

For apps with email-delivered OTPs, generate the code before starting the audit and paste it into the OTP field. The engine will detect the OTP input and fill it automatically.

Browser Support

TestForge supports three browser engines:

Browser    Engine                   Use Case
chromium   Chromium (Chrome/Edge)   Default — best compatibility
firefox    Firefox                  Cross-browser testing, privacy-focused apps
webkit     WebKit (Safari)          iOS/macOS compatibility testing

Compliance Checks

TestForge maps to 162+ compliance controls across:

CI/CD Integration

Trigger audits from your pipeline using the API:

curl -X POST https://testforge.kavachbrowser.com/api/audit/run \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-app.com",
    "credentialProfile": {
      "loginUrl": "https://your-app.com/login",
      "username": "test@example.com",
      "password": "your-password"
    },
    "reportEmail": "qa@your-company.com",
    "browser": "chromium"
  }'

The API returns { ok: true, reportUrl, results, emailSent }. Reports are saved at the returned URL and also emailed.
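The same request as a small CI helper, written as an added example (this is not TestForge's own client). It uses only the fields and response keys documented above; the environment variable names and the client-side browser check are this example's own assumptions, and the point of reading the password from CI variables is to keep it out of the committed pipeline file and the shell history that the inline curl form leaves behind.

```python
"""CI helper for the TestForge audit API (added example; not TestForge's own client)."""
import json
import os
import urllib.request

AUDIT_ENDPOINT = "https://testforge.kavachbrowser.com/api/audit/run"
SUPPORTED_BROWSERS = ("chromium", "firefox", "webkit")

def build_audit_request(url, login_url=None, username=None, password=None,
                        report_email=None, browser="chromium"):
    """Build the JSON body for POST /api/audit/run with credentials under credentialProfile,
    as in the documented curl call. The browser check is client-side (assumption: the docs
    do not say how the API treats unknown names)."""
    if browser not in SUPPORTED_BROWSERS:
        raise ValueError(f"browser must be one of {SUPPORTED_BROWSERS}, got {browser!r}")
    body = {"url": url, "browser": browser}
    if username and password:
        body["credentialProfile"] = {"loginUrl": login_url or url,
                                     "username": username, "password": password}
    if report_email:
        body["reportEmail"] = report_email
    return body

def request_from_env(env=os.environ):
    """Take the target and the test-account secret from CI variables rather than hard-coding
    the password in the pipeline file. Variable names are this example's own (assumption)."""
    return build_audit_request(
        url=env["TESTFORGE_TARGET_URL"],
        login_url=env.get("TESTFORGE_LOGIN_URL"),
        username=env.get("TESTFORGE_USERNAME"),
        password=env.get("TESTFORGE_PASSWORD"),
        report_email=env.get("TESTFORGE_REPORT_EMAIL"),
        browser=env.get("TESTFORGE_BROWSER", "chromium"))

def run_audit(body, endpoint=AUDIT_ENDPOINT, timeout=120):
    """POST the body; return the parsed {ok, reportUrl, results, emailSent} response."""
    req = urllib.request.Request(endpoint, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def report_url_or_fail(response):
    """Gate the pipeline step: raise if the audit did not complete, else return the report URL."""
    if not response.get("ok"):
        raise RuntimeError(f"audit did not complete: {response}")
    return response["reportUrl"]

if __name__ == "__main__":
    print(report_url_or_fail(run_audit(request_from_env())))
```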

API Reference

POST /api/audit/run

Run a full audit suite.

Parameter          Type    Required  Description
url                string  Yes       Application URL to audit
email              string  No        Login email
password           string  No        Login password
reportEmail        string  No        Where to send the report
browser            string  No        chromium, firefox, or webkit
credentialProfile  object  No        See credential fields above

POST /api/meta-capi/events

Send server-side conversion events to Meta.

curl -X POST https://testforge.kavachbrowser.com/api/meta-capi/events \
  -H "Content-Type: application/json" \
  -d '{"event_name":"Lead","user_data":{"email":"user@testforge.com"}}'

GET /api/referral/my-code

Get your referral code and stats (requires auth).

POST /api/referral/convert

Record a referral conversion.