Website Vulnerability Scanner

Scan for vulnerabilities in web applications and find SQL Injection, XSS, Server Side-Request Forgery, Directory Traversal, and others, plus web server configuration issues.

This web application security testing tool runs comprehensive website security checks that detect Log4Shell, OWASP Top 10, and more high-risk vulnerabilities.

Paid plans give you access to its full capabilities, plus 20+ other security testing tools and features.

About this Website Vulnerability Scanner

Most popular free tool last year

The Website Vulnerability Scanner is a custom security testing tool that our team developed for more efficient and faster web application security assessments.

In its Full (paid) version, this mature web application scanner performs comprehensive website security tests against any type of web app (e.g. Static and Dynamic web apps, Single-Page applications, Multi-Page apps, eCommerce websites, Progressive apps, etc.).

This website security testing tool is ready to use on our cloud platform. With its easy-to-configure scan settings (e.g. authenticated website scans), security specialists can start auditing web apps in depth right away. Automatic Attack Surface mapping, scan templates, scheduled scans, API access, and other features amplify the capabilities of this Website Vulnerability Scanner, which gets better with every update.

Want to see the full specifications?

The Light version allows you to run a free website security scan which includes a limited set of tests and is non-intrusive. It previews how this web application scanner fingerprints web server software, finds misconfigured HTTP headers, uncovers server configuration issues, and more.

See the complete list of tests to compare capabilities and assess which version to choose when looking to test website security for issues. You can also review the scan report that paying customers get when they use the full-blown version of this website vulnerability scanner.


Sample Website Vulnerability Scanner report

Here is a sample report from our Website Vulnerability Scanner that gives you a taste of how our tools save you time and reduce repetitive manual work.

  • Vulnerability summary at a glance

    The report provides a summary of the findings and risk ratings, a helpful overview you can use to assess risk levels and number of findings.

  • Automatically confirmed findings

    The Website Scanner also validates some findings automatically by exploiting the identified vulnerabilities. They stand out in reports through their "Confirmed" tag and come with proof of exploitation and a Replay attack option.

  • Actionable remediation advice

    Each finding has a detailed risk description and classification by OWASP 2021, OWASP 2017 and CWE (where available). It also includes specific recommendations that give you a head start in fixing the identified issues.

  • Sorted by risk rating

    Vulnerabilities are sorted by their risk rating, starting from the highest one identified. This saves you manual work and time, freeing you up for other tasks.

  • Advanced pentest reporting options available

    Paid plans give you access to our pentest report generator tool which produces customizable .DOCX reports that you can automatically generate with ready-to-use or custom templates.

Better vulnerability discovery. Faster pentest reporting.

Get instant access to custom vulnerability scanners and automation features that simplify the pentesting process and produce valuable results. The platform helps you cover all the stages of an engagement, from information gathering to website scanning, network scanning, exploitation and reporting.

Use cases

How security pros use the Website Vulnerability Scanner

Run web application security scans to find known vulnerabilities and misconfigurations in server software, JavaScript libraries, SSL/TLS certificates, client access policies, and other elements.

  • Web App Penetration Testing

    Speed up your pentest with this online website security checker. It’s already set up and configured with optimal settings for best results and performance. Just start the scan and get a notification when results are ready.

  • Authenticated Web Security Scans

    A thorough security evaluation of a web app is not complete without authenticated scans. Our website security scanner supports any type of authentication your target may use, including single sign-on (SSO) and multi-factor authentication setups.

    Methods include:

    • Recording-based Authentication
    • Form-based authentication
    • Cookie-based authentication
    • Headers authentication.
  • Sensitive Data Exposure Detection

    Check for vulnerabilities and misconfigurations that expose sensitive data in your web app (email addresses, social security numbers, credit card numbers, etc.). Discover issues that affect data in transit and data at rest, including SSL/TLS problems, unprotected data backups, config files, and more.

  • Automatic Attack Surface Mapping

    Visualize and filter the web technologies your target is running to find exposure indicators and high-risk areas (e.g. outdated server software, vulnerable technology versions, etc.). Our online vulnerability scanner automatically feeds findings – including screenshots – into the Attack Surface view, along with other tools on the platform.

  • Security Self-Assessment

    Evaluate your own website’s security to detect security holes in your web application. Get clear, easy-to-follow recommendations after each site vulnerability check so you can fix web security issues before real attackers exploit them.

  • Third-Party Website Audit

    If you are a web development company, you can use this website security report to prove to your clients that you have implemented proper measures to keep their web application safe to use and to operate.

Worth it!

Pentest-Tools helped me scan my home servers to identify security concerns with my deployments. Their continued development and growth has been great to watch.

They have an entire suite of tools to test my home environment. Some of my most used features were their Website and Network scanners, Sniper: Auto Exploiter, various login page tests, and their Subdomain finder to help me with subdomains I had forgotten about.

Technical details

What is a Website Vulnerability Scanner?

A web vulnerability scanner is a website security testing tool that automatically detects security holes and misconfigurations in web apps and their components. Its language-independent capabilities make it an essential tool for detecting common vulnerabilities in web services, web servers, proxy servers, and web application servers.

Our team developed the Website Vulnerability Scanner on Pentest-Tools.com to provide security specialists with a reliable, full-fledged solution that offers both in-depth testing options and additional automation and reporting capabilities.

What makes our Website Vulnerability Scanner different

You can use our Website Vulnerability Scanner online, without spending time on manual configuration scripts. The list of tests it performs is public and the customization options put you in full control of its functionality.

Along with its strong reporting capabilities and powerful automation features, our Website Vulnerability Scanner is a powerful tool for dynamic application security testing (DAST) and static application security testing (SAST).

Customers also integrate our website scanner into their secure software development life cycle (SDLC) process, especially through our API, and also through scheduled and bulk scans.

Website Scanner findings which our scanner automatically validated are marked with the Confirmed tag. Results also include screenshots and scan statistics such as URLs spidered, the total number of HTTP requests, error count, and more helpful details.

How our Website Vulnerability Scanner works

When using a website vulnerability scanner online, the goal is to push as many routine tasks to the background as possible. You can use our Website Vulnerability Scanner standalone or to dig deeper into subdomains and virtual hosts, along with the open ports that the TCP Port scanner and UDP Port scan tool discovered during the reconnaissance stage.

Whatever tactic you prefer, this tool helps you minimize routine tasks and gain time to use your unique expertise to make connections only a skilled specialist can.

The Light Scan version – optimized for speed

You can use our tool as a free website vulnerability scanner without creating an account. This passive scan performs only a selection of legitimate requests against the target system and generates a maximum of 20 HTTP requests to the server.

Use the Light Scan if you don’t want to raise any alarms, but remember it only scratches the surface in terms of security testing.

The Full Scan version – proprietary detection

The Full scan goes into detail and attempts to map the entire attack surface of the target system by crawling the application, discovering hidden files, using more attack vectors to check for server configuration issues and outdated services, taking screenshots, and more.

This website security scan sends up to 10,000 HTTP requests, which may trigger alarms from IDS (Intrusion Detection System) devices. Not to worry though: this is not a destructive scan.

After it crawls the target application, the tool sends various inputs to the parameters of the pages and looks for specific web vulnerabilities such as: SQL Injection, Cross-Site Scripting, Local File Inclusion, OS Command Injection, and many more. The site security scanner also attempts to detect sensitive files from the server (e.g. backup files, old files, admin interfaces, archive files, etc.).

To minimize the number of false positives, the Website Vulnerability Scanner also incorporates a method for detecting 404 pages.

Rich customization options

Behind its simple interface, our Website Vulnerability Scanner hides a robust pre-configured and fine-tuned engine that runs in a distributed environment and that can perform multiple parallel scans.

To make each website security check count, combine scanning options for meticulous assessments. Customization options include the ability to:

  • set custom limits for the number of requests/second made to the target
  • choose from a strong list of initial tests that includes detection for HTTP Debug Methods and CORS misconfigurations
  • select the spidering approach that suits your needs, including spidering depth and excluded URLs
  • pick from a list of active and passive checks that incorporate detection for Log4Shell, PHP Code Injection, Python Code Injection, Perl Code Injection, Ruby Code Injection, Server-side template injection (SSTI), Broken Authentication, Mixed Encryptions Content, and many more.

Use this website scanner online with other features in our cloud platform to further boost its capabilities:

The security scanner also gets updates on a regular basis, consistently growing stronger with new features.

Authenticated scanning

The Website Vulnerability Scanner on Pentest-Tools.com also allows you to scan the target web application as an authenticated user. You can configure authentication in several ways:

  • User/Password Authentication, where the scanner first tries to authenticate to the provided login URL and get a valid session cookie. This cookie is used with all the HTTP requests done to the server, performing an authenticated scan. All you have to do is check if the authentication was successful before actually starting the scan.
  • Cookie Authentication, where you can specify an already valid session cookie (or multiple ones) that get sent with each HTTP request to the server. You have to first get the session cookie by manually logging into your target application with a web browser and copy/pasting the cookie from the browser to the scanner.
  • Headers Authentication, where you can specify custom HTTP headers that get sent with each request to the target application. You can use them for authentication (e.g. JWT tokens, Basic Authentication, etc.) or for other specific application functionality.
  • Recorded Authentication, where you can record the steps required to authenticate into the target. The scanner then uses this recording to automatically replay the actions to obtain a valid session every time it detects that logging in again is required.

Full list of Website Vulnerability Scanner tests

| Light Scan | Full Scan | Tests performed |
|---|---|---|
| Included | Included | Fingerprint web server software |
| Included | Included | Analyze HTTP headers for security misconfiguration |
| Included | Included | Check the security of HTTP cookies |
| Included | Included | Check the SSL certificate of the server |
| Included | Included | Check if the server software is affected by known vulnerabilities |
| Included | Included | Analyze robots.txt for interesting URLs |
| Included | Included | Check whether a client access file exists, and if it contains a wildcard entry (clientaccesspolicy.xml, crossdomain.xml) |
| Included | Included | Discover server configuration problems such as Directory Listing |
| Included | Included | Check if HTTP TRACK/TRACE methods are enabled |
| Included | Included | Check if security.txt is missing on the server |
| Included | Included | Check if CORS is misconfigured |
| Not included | Included | Crawl website |
| Not included | Included | Check for SQL Injection |
| Not included | Included | Check for Cross-Site Scripting |
| Not included | Included | Check for Local File Inclusion and Remote File Inclusion |
| Not included | Included | Check for OS Command Injection |
| Not included | Included | Check for ASP Cookieless Cross-Site Scripting |
| Not included | Included | Check for Server Side Request Forgery |
| Not included | Included | Check for Open Redirect |
| Not included | Included | Check for Broken Authentication |
| Not included | Included | Check for PHP Code Injection |
| Not included | Included | Check for JavaScript Code Injection |
| Not included | Included | Check for Ruby Code Injection |
| Not included | Included | Check for Python Code Injection |
| Not included | Included | Check for Perl Code Injection |
| Not included | Included | Check for Log4j Remote Code Execution |
| Not included | Included | Check for Server-Side Template Injection |
| Not included | Included | Check for ViewState Remote Code Execution |
| Not included | Included | Check for Client-Side Prototype Pollution |
| Not included | Included | Check for Exposed Backup Files |
| Not included | Included | Check for Request URL Override |
| Not included | Included | Check for Client-Side Template Injection |
| Not included | Included | Check for HTTP/1.1 Request Smuggling |
| Not included | Included | Check for outdated JavaScript libraries |
| Not included | Included | Find administrative pages |
| Not included | Included | Check for sensitive files (archives, backups, certificates, key stores) based on hostname and some common words |
| Not included | Included | Attempt to find interesting files / functionality |
| Not included | Included | Check for information disclosure issues |
| Not included | Included | Weak Password Submission Method |
| Not included | Included | Clear Text Submission of Credentials |
| Not included | Included | Verify Domain Sources |
| Not included | Included | Check for commented code/debug messages |
| Not included | Included | Find Login Interfaces |
| Not included | Included | Sensitive Data Crawl |
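
Several of the tests that both scan types include (HTTP security headers, cookie flags, a wildcard entry in crossdomain.xml, CORS) are passive and can be reproduced offline on a saved response. The following is an added example, not Pentest-Tools.com code: the expected-header list, the function names and the sample response are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Headers reported when absent; this list is an assumption made for the example.
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "referrer-policy")

# Constructed sample response (not captured from a real site).
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: *
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""

# Constructed crossdomain.xml body containing a wildcard entry.
SAMPLE_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs, keeping repeated headers."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_headers(pairs):
    """Report missing security headers and a wildcard CORS origin."""
    present = {name for name, _ in pairs}
    findings = [f"missing header: {h}" for h in EXPECTED_HEADERS if h not in present]
    if ("access-control-allow-origin", "*") in pairs:
        findings.append("CORS: wildcard Access-Control-Allow-Origin (review)")
    return findings

def check_cookies(pairs):
    """Report Set-Cookie headers lacking Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in pairs:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings += [f"cookie {cookie}: missing {flag}"
                     for flag in ("secure", "httponly", "samesite") if flag not in attrs]
    return findings

def crossdomain_wildcards(xml_text):
    """Return domain values that are a bare wildcard ("*")."""
    # The sample is trusted; parse responses from untrusted servers with a hardened parser.
    root = ET.fromstring(xml_text)
    return [el.get("domain") for el in root.iter("allow-access-from")
            if el.get("domain") == "*"]

if __name__ == "__main__":
    pairs = parse_headers(SAMPLE_HEADERS)
    for finding in check_headers(pairs) + check_cookies(pairs):
        print(finding)
    print("wildcard entries:", crossdomain_wildcards(SAMPLE_CROSSDOMAIN))
```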


The Full Scan generates a high amount of noise in the network. A majority of the correctly configured IDSs will detect this scan as attack traffic. Do not use it if you don't have proper authorization from the target website’s owner.

Scanning parameters for paying customers

Target URL: This is the URL of the website that will be scanned. The tool does not follow any redirects, so the exact URL will be scanned. If you want to scan only a certain directory or path, you can add it in the URL like: http://www.mycompany.com/base_directory. All URLs must start with http or https.
Light Scan: This is a fast, passive and non-intrusive scan.
Full Scan: This is a complete assessment which covers a much broader range of security tests.
Initial tests: Fingerprint Website, Server Software Vulnerabilities, Robots.txt, JavaScript libraries, SSL/TLS Certificates, Client access policies, HTTP Debug Methods, Security.txt file missing, CORS Misconfiguration, Resource Discovery
Engine options
  • Classic Spider - Used to crawl classic websites
  • SPA Spider - Used to crawl single page application (JavaScript heavy) websites; this particular option is still in beta
  • Limits - Used to control Spidering depth and Requests per second
  • Excluded URLs - A list of URLs to ignore when scanning
Attack options
  • Active checks - XSS, SQL Injection, Local File Inclusion, OS Command Injection, Server Side Request Forgery, Open Redirect, Broken Authentication, PHP Code Injection, Server-Side JavaScript Code Injection, Ruby Code Injection, Python Code Injection, Perl Code Injection, Log4j Remote Code Execution, Server-Side Template Injection, ViewState Remote Code Execution
  • Passive checks - Security Headers, Cookie Security, Directory Listing, Secure Communication, Weak Password Submission Method, Commented code/Error codes, Clear Text Submission of Credentials, Verify Domain Sources, Mixed Encryptions Content, Sensitive Data Crawl, Find Login Interfaces
Authentication
  • Recording-based Authentication - A recording of the steps required to authenticate into the target which will be used to automatically replay the actions and obtain a valid session every time logging in is required
  • Form-based authentication - The credentials for the scanner to try authentication before starting the scan
  • Cookie-based authentication - A valid session cookie that will be used by the scanner to do authenticated scans
  • Headers authentication - Custom HTTP headers that can also be used for authentication (e.g. JWT tokens, Basic Authentication, etc.)
Notifications: Get notifications when the scan results match the conditions you set.

Learn how to configure the Website Scanner for best results.

What to do after running the Website Vulnerability Scanner

Besides the Website Vulnerability Scanner, you have a full arsenal of online website security testing tools on Pentest-Tools.com to carry out a thorough and effective website vulnerability assessment.

You can use the Subdomains Finder and the dedicated tools to Find Virtual Hosts for each web application. Running the TCP Port scanner and UDP Port scan tool will help you discover all open ports to achieve full coverage during your security evaluation.

Digging deeper, our various web CMS scanners help you uncover WordPress, Drupal, Joomla, and SharePoint vulnerabilities. And you can further explore all of these with the URL Fuzzer and Password Auditor tools.

To save even more precious time, try out our ready-to-use scan templates and pentest robots which group multiple tools in one bundle, so you can launch them all at once. Both templates and pentest robots are customizable and offer the possibility to build your own reusable ones.

Unmatched simplicity and ease

Pentest-Tools.com is my team's first go-to solution.

Anytime we are preparing to deploy a new version of our software, we run many tools to monitor and secure our environment, but the simplicity and ease we have with Pentest-Tools.com to run network and web server scans to highlight issues is unmatched.

Michael Dornan
CEO @ Tili Group


Latest updates

  • 25% faster Website scanner

    We added some caching to the Passive Scanner to avoid repeating some heavy computations. The overall scan duration can decrease by up to 25%, according to our testing.

  • XXE Detector

    The Website Scanner can now detect in-band file-inclusion vulnerabilities via XML External Entities and XInclude directives.

  • SSRF detector now looks for local services running

    We now search for locally available Docker and Elastic Search instances when trying to discover server-side request forgery vulnerabilities.

  • SQLI, OSCMDI, XSS bug fixing

    We've fixed some bugs: XSS and SQL scanner starting with auth enabled; SQLI time-based FPs; OSCMDI time-based FPs; CSRF token not renewing after the first form submission.

  • Detector for Server-side prototype pollution

    We've upgraded the Website Scanner with the ability to detect prototype pollution in server-side JavaScript code.

  • Rescan support for the Website Scanner

    We've added new exploitation capabilities to our Website Scanner that allow you to read the cookies and localStorage of a web app vulnerable to XSS.


Common questions about the Website Vulnerability Scanner

Vulnerability scanning is the activity in which specialists proactively search for vulnerabilities in web applications and networks and recommend fixes to prevent attackers from taking advantage of them.

Security and IT specialists use automated testing software to identify security flaws and misconfigurations that expose web apps and networks to malicious hacking. Based on the findings these offensive security tools provide, they map all the entry points threat actors might use and prioritize them based on risk level and potential business impact.

Vulnerability scanning is one part of the vulnerability management cycle, which also includes applying remedial actions, evaluating how effective they are, and ongoing monitoring of the organization's assets.