Website Scanner
About this tool
Finds common vulnerabilities which affect web applications: SQL Injection, XSS, OS Command Injection, Directory Traversal, and others. The scanner also identifies specific web server configuration issues.
The Website Vulnerability Scanner is a custom tool written by our team to quickly assess the security of a web application. It is a full-blown web application scanner, capable of performing comprehensive security assessments against any type of web application.
Here is the complete list of tests performed by this vulnerability scanner and the difference between Light and Deep scans.
List of tests performed
Light Scan | Deep Scan | Test performed |
|---|---|---|
✔️ | ✔️ | Fingerprint web server software |
✔️ | ✔️ | Analyze HTTP headers for security misconfiguration |
✔️ | ✔️ | Check the security of HTTP cookies |
✔️ | ✔️ | Check the SSL certificate of the server |
✔️ | ✔️ | Check if the server software is affected by known vulnerabilities |
✔️ | ✔️ | Analyze robots.txt for interesting URLs |
✔️ | ✔️ | Check whether a client access file exists, and if it contains a wildcard entry (clientaccesspolicy.xml, crossdomain.xml) |
✔️ | ✔️ | Discover server configuration problems such as Directory Listing |
✔️ | ✔️ | Check if HTTP TRACK/TRACE methods are enabled |
✔️ | ✔️ | Check if security.txt is missing on the server |
✔️ | ✔️ | Check if CORS is misconfigured |
✖️ | ✔️ | Crawl website |
✖️ | ✔️ | Check for SQL Injection |
✖️ | ✔️ | Check for Cross-Site Scripting |
✖️ | ✔️ | Check for Local File Inclusion and Remote File Inclusion |
✖️ | ✔️ | Check for OS Command Injection |
✖️ | ✔️ | Check for ASP Cookieless Cross-Site Scripting |
✖️ | ✔️ | Check for Server Side Request Forgery |
✖️ | ✔️ | Check for Open Redirect |
✖️ | ✔️ | Check for Broken Authentication |
✖️ | ✔️ | Check for PHP Code Injection |
✖️ | ✔️ | Check for JavaScript Code Injection |
✖️ | ✔️ | Check for Ruby Code Injection |
✖️ | ✔️ | Check for Python Code Injection |
✖️ | ✔️ | Check for Perl Code Injection |
✖️ | ✔️ | Check for Log4j Remote Code Execution |
✖️ | ✔️ | Check for Server-Side Template Injection |
✖️ | ✔️ | Check for ViewState Remote Code Execution |
✖️ | ✔️ | Check for Client-Side Prototype Pollution |
✖️ | ✔️ | Check for Exposed Backup Files |
✖️ | ✔️ | Check for Request URL Override |
✖️ | ✔️ | Check for Client-Side Template Injection |
✖️ | ✔️ | Check for HTTP/1.1 Request Smuggling |
✖️ | ✔️ | Check for Cross-Site Request Forgery |
✖️ | ✔️ | Check for outdated JavaScript libraries |
✖️ | ✔️ | Find administrative pages |
✖️ | ✔️ | Check for sensitive files (archives, backups, certificates, key stores) based on hostname and some common words |
✖️ | ✔️ | Attempt to find interesting files/functionality |
✖️ | ✔️ | Check for information disclosure issues |
✖️ | ✔️ | Weak Password Submission Method |
✖️ | ✔️ | Clear Text Submission of Credentials |
✖️ | ✔️ | Verify Domain Sources |
✖️ | ✔️ | Check for commented code/debug messages |
✖️ | ✔️ | Find Login Interfaces |
✖️ | ✔️ | Sensitive Data Crawl |
✖️ | ✔️ | Insecure Deserialization |
The Deep Scan generates a high amount of noise in the network. Most correctly configured IDSs will detect this scan as attack traffic. Do not use it if you don't have proper authorization from the target website owner.
Parameters
Target URL: This is the URL of the website that will be scanned. The tool does not follow any redirects so the exact URL will be scanned. If you want to scan only a certain directory or path, you can add it in the URL like http://www.mycompany.com/base_directory. All URLs must start with http or https
Light Scan: This is a fast, passive, and non-intrusive scan
Deep Scan: This is a complete assessment that covers a much broader range of security tests
Authentication - Recording: A recording of login sequence to be used in replaying authentication steps of a user in the browser
Authentication - User/Password: The credentials for the scanner to try authentication before starting the scan
Authentication - Cookie: A valid session cookie that will be used by the scanner to do authenticated scans
Authentication - Headers: Custom HTTP headers that can also be used for authentication (ex. JWT tokens, Basic Authentication, etc)
How it works
The Deep version of the scanner includes all the tests from the Light scan and adds more complex security tests. It first crawls the target application then it sends various inputs into the parameters of the pages and looks for specific web vulnerabilities such as SQL Injection, Cross-Site Scripting, Local File Inclusion, OS Command Injection, and many more.
Furthermore, the scanner also attempts to detect sensitive files from the server like backup files, old files, admin interfaces, archive files, etc.
While the Light Scan is passive and generates a maximum of 20 HTTP requests to the server, the Deep Scan is more aggressive and sends up to 10,000 HTTP requests. This may trigger alarms from IDS devices but you should know that it is not a destructive scan.
Since the Deep Scan does a comprehensive website assessment, it can take up to several hours to complete.
Authenticated Scanning
The Website Vulnerability Scanner can scan the target web application as an authenticated user or behind protected resources. Configuring the scanner to use authentication is detailed in our dedicated article and there are four main ways:
Recorded Authentication:
This method gives you the possibility to record the steps required to authenticate into the target. The scanner will use this recording by replaying the actions required to obtain a valid session. It is best used when the login sequence is complicated and involves multiple pages, redirects, and interactions with the browser.User/Password Authentication:
When this option is chosen, the scanner will first try to authenticate to the provided login URL and obtain a valid session cookie. This cookie will be used with all the HTTP requests done to the server, performing an authenticated scan. You have the option to check if the authentication was successful before actually starting the scan.Cookie Authentication:
With this option, you can specify an already valid session cookie (or multiple cookies) that will be sent with each HTTP request to the server. You have to first obtain the session cookie by manually logging in to your target application with a web browser and transferring the cookie from the browser to the scanner (copy/paste).Headers Authentication:
This option allows you to specify custom HTTP headers that will be sent with each request to the target application. These can be used for authentication (ex. JWT tokens, Basic Authentication, etc) or for other specific application functionality.