Scanner Documentation

Analyzes HTTP response headers for security best practices including HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

• Strict-Transport-Security (HSTS)
• Content-Security-Policy (CSP)
• X-Frame-Options
• X-Content-Type-Options
• +3 more

Validates SSL/TLS certificate chain, expiration, protocol versions, and cipher suite strength. Detects weak protocols like TLS 1.0/1.1 and insecure cipher configurations.

• Certificate validity and expiration
• Certificate chain completeness
• Protocol version (TLS 1.2/1.3)
• Cipher suite strength
• +2 more

Comprehensive DNS security audit covering email authentication, DNSSEC, certificate authority authorization, zone transfer protection, and certificate transparency monitoring.

• SPF record configuration
• DMARC policy enforcement
• DNSSEC validation
• CAA record presence
• +3 more

Identifies the technology stack powering your application and detects exposed API keys or sensitive tokens in the HTML source code.

• Frontend framework detection
• Server technology identification
• CMS and platform detection
• JavaScript library versions
• +2 more

TCP connect scan across 45 commonly targeted ports to identify exposed services that could be exploited by attackers.

• Database ports (3306, 5432, 27017)
• Admin panels (8080, 8443)
• SSH and remote access (22, 3389)
• Mail services (25, 587, 993)
• +2 more

Detects cloud misconfigurations including exposed S3 buckets, metadata endpoints, and insecure cloud service settings.

• S3 bucket exposure
• Cloud metadata endpoint access
• Storage permission misconfiguration
• Cloud service enumeration

Tests Docker and container orchestration security including exposed management interfaces and misconfigured container settings.

• Docker API exposure
• Kubernetes dashboard access
• Container escape vectors
• Registry authentication

Performs WHOIS domain lookup to gather registration details, expiration dates, and registrar information for the target domain.

• Domain registration details
• Expiration date monitoring
• Registrar information
• Name server configuration

Advanced subdomain enumeration using certificate transparency logs, DNS brute-forcing, and passive reconnaissance techniques.

• Certificate transparency search
• DNS brute-force enumeration
• Passive subdomain discovery
• Wildcard DNS detection

Deep SSL/TLS security analysis including full cipher suite enumeration, certificate chain validation, and protocol vulnerability testing.

• Full cipher suite analysis
• BEAST/POODLE/Heartbleed checks
• Certificate pinning detection
• Forward secrecy validation

Tests Cross-Origin Resource Sharing configuration for security weaknesses including wildcard origins, origin reflection, and credential exposure.

• Wildcard Access-Control-Allow-Origin
• Origin reflection vulnerabilities
• Credential exposure via CORS
• Preflight request handling
• +1 more

Inspects all cookies for security flags. Ensures session cookies are protected with Secure, HttpOnly, and SameSite attributes.

• Secure flag on HTTPS cookies
• HttpOnly flag on session cookies
• SameSite attribute configuration
• Cookie scope and path restrictions
• +1 more

Probes approximately 45 common exposed files and directories that should not be publicly accessible, including configuration files, backups, and version control data.

• .env and .env.local files
• .git directory exposure
• Backup files (.bak, .old, .sql)
• Configuration files (wp-config.php, web.config)
• +3 more

Detects information leakage through error messages, debug pages, stack traces, and verbose server responses.

• Detailed error messages
• Stack trace exposure
• Debug mode detection
• Server version disclosure

Detects publicly accessible JavaScript source maps that can reveal your entire source code, internal file structure, and implementation details.

• Production source map file access
• sourceMappingURL references
• Webpack/Next.js build artifact exposure

Scans JavaScript bundles for accidentally exposed API keys, tokens, and secrets that should only exist on the server side.

• API keys in client bundles
• Database connection strings
• Authentication secrets
• Third-party service credentials
• +1 more

Analyzes authentication implementation for common flaws in session management, token handling, and access control patterns.

• Session fixation vulnerabilities
• Token storage best practices
• Auth bypass patterns
• Password reset flow security

Tests for cross-site scripting vulnerabilities in React/Next.js applications, including dangerouslySetInnerHTML usage and unescaped user input rendering.

• dangerouslySetInnerHTML patterns
• Unescaped user input rendering
• DOM-based XSS vectors
• Reflected XSS in URL parameters

Identifies server-side request forgery risks in API routes and server components that could allow attackers to access internal services.

• Unrestricted URL fetching in API routes
• Server component URL handling
• Internal network access vectors
• Cloud metadata endpoint exposure

Tests for SQL injection vulnerabilities by probing input fields and URL parameters with SQL payloads to detect improper query handling.

• Error-based SQL injection
• Boolean-based blind injection
• Time-based blind injection
• Union-based injection
• +1 more

Active cross-site scripting testing with payload injection to detect reflected, stored, and DOM-based XSS vulnerabilities.

• Reflected XSS via URL parameters
• DOM-based XSS vectors
• Input sanitization bypass
• HTML context injection
• +1 more

Tests for OS command injection vulnerabilities where user input is passed to system shell commands without proper sanitization.

• Shell metacharacter injection
• Command chaining (;, &&, ||)
• Backtick and $() execution
• Out-of-band detection

Detects directory traversal vulnerabilities that allow attackers to read arbitrary files on the server through manipulated file paths.

• Dot-dot-slash traversal (../)
• Encoded traversal sequences
• Null byte injection
• Absolute path access

Tests for Server-Side Template Injection where user input is embedded into server-side templates, potentially leading to remote code execution.

• Template engine detection
• Expression evaluation probes
• Sandbox escape attempts
• Multi-engine payload testing

Active testing for Server-Side Request Forgery where attackers can force the server to make requests to internal or arbitrary external resources.

• Internal network access (127.0.0.1, 169.254.x.x)
• Cloud metadata endpoint exposure
• URL scheme bypass (file://, gopher://)
• DNS rebinding detection

Tests for XML External Entity injection that can lead to file disclosure, SSRF, and denial of service through crafted XML input.

• External entity declaration
• Parameter entity expansion
• Out-of-band data exfiltration
• Billion laughs DoS detection

Tests authentication mechanisms for weak credential handling including default passwords, brute-force protection, and secure transmission.

• Default credential detection
• Brute-force protection
• Password policy enforcement
• Credential transmission security

Analyzes session management implementation for vulnerabilities including fixation, hijacking, and improper timeout handling.

• Session fixation protection
• Session ID entropy
• Cookie security flags
• Idle and absolute timeout

Tests JSON Web Token implementation for common vulnerabilities including algorithm confusion, weak secrets, and missing validation.

• Algorithm confusion (none, HS256/RS256)
• Signature verification bypass
• Token expiration validation
• Key strength analysis

Evaluates OAuth 2.0 implementation security including redirect URI validation, state parameter usage, and token handling.

• Redirect URI validation
• State parameter enforcement
• PKCE implementation
• Token storage security

Tests for Insecure Direct Object Reference vulnerabilities where users can access resources belonging to other users by manipulating identifiers.

• Sequential ID enumeration
• Horizontal privilege escalation
• API endpoint authorization
• Object reference manipulation

Tests for vertical privilege escalation where lower-privilege users can gain access to admin or higher-level functionality.

• Role-based access control bypass
• Admin endpoint exposure
• Hidden parameter manipulation
• Function-level access control

Tests GraphQL endpoint security including introspection exposure, query depth limits, and authorization on resolvers.

• Introspection enabled in production
• Query depth and complexity limits
• Batch query abuse
• Field-level authorization

Tests Cross-Site Request Forgery protection on state-changing endpoints to ensure proper token validation and SameSite cookie policies.

• CSRF token presence and validation
• SameSite cookie enforcement
• Referer/Origin header checks
• State-changing GET requests

Tests file upload functionality for vulnerabilities including unrestricted file types, path traversal in filenames, and size limit bypass.

• File type validation bypass
• Malicious file extension upload
• Path traversal in filename
• File size limit enforcement

Tests for application-level business logic flaws including race conditions, parameter manipulation, and workflow bypass.

• Race condition detection
• Price/quantity manipulation
• Workflow step bypass
• Negative value handling