The Light version of the Website Vulnerability Scanner performs a passive web security scan in order to detect issues such as outdated server software, insecure HTTP headers, insecure cookie settings and a few others (see the complete list of tests below).
We recommend doing a Full Scan for a comprehensive website assessment which includes detection of SQL Injection, XSS, Local File Inclusion, OS Command Injection and more.
Here is a Website Vulnerability Scanner sample report:
Finds common vulnerabilities which affect web applications: SQL Injection, XSS, OS Command Injection, Directory Traversal and others. The scanner also identifies specific web server configuration issues.
Speed up your penetration test with this online scanner. It is already set up and configured with the optimal settings for the best results and performance. Just start the scan and come back later for the results.
You can perform a self-assessment in order to detect weaknesses in your own application. This lets you fix the vulnerabilities before real attackers find them.
If you are a web development company, you can also show this report to your clients and prove that you have implemented the proper security measures in the application.
Tests performed (Light Scan / Full Scan):

- Fingerprint web server software
- Analyze HTTP headers for security misconfiguration
- Check the security of HTTP cookies
- Check the SSL certificate of the server
- Check if the server software is affected by known vulnerabilities
- Analyze robots.txt for interesting URLs
- Check whether a client access file exists, and if it contains a wildcard entry (clientaccesspolicy.xml, crossdomain.xml)
- Discover server configuration problems such as Directory Listing
- Check for SQL Injection
- Check for Cross-Site Scripting
- Check for Local File Inclusion and Remote File Inclusion
- Check for OS Command Injection
- Find administrative pages
- Check for sensitive files (archives, backups, certificates, key stores) based on hostname and some common words
- Attempt to find interesting files/functionality
- Check for information disclosure issues
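As an added example (not the scanner's own code), this is the kind of passive inspection the Light Scan description refers to: a single constructed HTTP response is checked for a version-disclosing Server header, missing security headers, and Set-Cookie lines without Secure, HttpOnly or SameSite. The header set and the sample values are assumptions and are not taken from the scanner.

```python
import re

# Headers whose absence is reported; which ones the Light Scan checks is not stated, so this set is an assumption.
REQUIRED_HEADERS = {
    "strict-transport-security": "missing Strict-Transport-Security header",
    "x-content-type-options": "missing X-Content-Type-Options header",
    "content-security-policy": "missing Content-Security-Policy header",
    "x-frame-options": "missing X-Frame-Options header",
}

# Constructed sample response (not captured from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd/1.2.3\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lowercased name, value) pairs, keeping duplicates so every Set-Cookie is examined."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def audit_response(raw: str) -> list[str]:
    """Passive checks only: nothing is sent, an already-received response is inspected."""
    headers = parse_headers(raw)
    findings = []
    present = {name for name, _ in headers}
    for name, value in headers:
        # A version number in Server is the fingerprint later matched against known vulnerabilities.
        if name == "server" and re.search(r"\d+\.\d+", value):
            findings.append(f"Server header discloses version: {value}")
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly", "samesite"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} lacks {flag}")
    findings += [msg for hdr, msg in REQUIRED_HEADERS.items() if hdr not in present]
    return findings
```

Running `audit_response(SAMPLE_RESPONSE)` reports the version disclosure, the three missing headers and the three missing attributes on the SESSIONID cookie, while the fully flagged `lang` cookie produces nothing.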
Warning: The Full Scan generates a high amount of noise in the network. Most correctly configured IDSs will detect this scan as attack traffic. Do not use it if you don't have proper authorization from the target website owner.
| Parameter | Description |
| --- | --- |
| Target URL | This is the URL of the website that will be scanned. The tool does not follow any redirects, so the exact URL will be scanned. If you want to scan only a certain directory or path, you can add it to the URL, e.g. http://www.mycompany.com/base_directory/. All URLs must start with http or https. |
| Light Scan | A fast, passive and non-intrusive scan. |
| Full Scan | A complete assessment which covers a much broader range of security tests. |
| Authentication - User/Password | The credentials the scanner uses to try authentication before starting the scan. |
| Authentication - Cookie | A valid session cookie the scanner uses for authenticated scans. |
| Authentication - Headers | Custom HTTP headers that can also be used for authentication (e.g. JWT tokens, Basic Authentication). |