Free Sample

The free version of the Website Vulnerability Scanner performs a passive web security scan that detects issues such as insecure HTTP headers, insecure cookie settings and a few others (see the complete list of tests below).

We recommend doing a Full Scan for a comprehensive website assessment which includes detection of SQL Injection, XSS, Local File Inclusion, OS Command Injection and more.

Full Scan
Testing Areas Free Scan Full Scan
Website Fingerprinting
Version-based Vulnerability Detection
Common Configuration Issues
SQL Injection
Cross-Site Scripting
Local/Remote File Inclusion
Remote Command Execution
Discovery of Sensitive Files

Technical Details

The Website Vulnerability Scanner is a custom tool written by our team in order to quickly assess the security of a web application. It is a full-blown web application scanner, capable of performing comprehensive security assessments against any type of web application.

The Free Scan checks for basic vulnerabilities, while the Full Scan is available only to paying customers. Here is the complete list of tests performed by this vulnerability scanner and the difference between the Free and Full scans.

List of Tests Performed

Testing Areas Light Scan Full Scan
Fingerprint Web Server Software
Analyze HTTP headers for security misconfiguration
Check the security of HTTP cookies
Check the SSL certificate of the server
Check if the server software is affected by known vulnerabilities
Analyze robots.txt for interesting URLs
Check whether a client access file exists, and if it contains a wildcard entry (clientaccesspolicy.xml, crossdomain.xml)
Discover server configuration problems such as Directory Listing
Crawl website
Check for SQL Injection
Check for Cross-Site Scripting
Check for Local File Inclusion and Remote File Inclusion
Check for OS Command Injection
Check for outdated JavaScript libraries
Find administrative pages
Check for information disclosure issues
Attempt to find interesting files/functionality
Check for sensitive files (archives, backups, certificates, key stores) based on hostname and some common words
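As an added illustration (not the scanner's own code) of the passive checks in the list above, the following Python inspects a constructed HTTP response for missing security headers, version disclosure in the Server header, weak Set-Cookie flags and a wildcard crossdomain.xml. The expected-header set, the sample headers and the policy file are assumptions chosen for the example.

```python
import re
import xml.etree.ElementTree as ET
# Response headers a passive scan expects on an HTTPS site, with the risk when absent.
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS missing: downgrade to plain HTTP possible",
    "content-security-policy": "CSP missing: no browser-side XSS mitigation",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}
# Headers whose values commonly disclose software versions (fingerprinting input).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def analyze_cookie(set_cookie):
    """Report Secure/HttpOnly/SameSite flags missing from one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie {name} lacks {flag}" for flag in ("Secure", "HttpOnly", "SameSite")
            if flag.lower() not in attrs]

def analyze_headers(headers):
    """headers: list of (name, value) pairs; duplicates (e.g. Set-Cookie) preserved."""
    present = {}
    for name, value in headers:
        present.setdefault(name.lower(), []).append(value)
    findings = [msg for name, msg in EXPECTED_HEADERS.items() if name not in present]
    for name in DISCLOSING_HEADERS:
        for value in present.get(name, []):
            if re.search(r"\d", value):  # a version number is present in the value
                findings.append(f"{name} discloses version: {value}")
    for cookie in present.get("set-cookie", []):
        findings.extend(analyze_cookie(cookie))
    return findings

def crossdomain_allows_any(xml_text):
    """True if a crossdomain.xml policy grants access to every domain (wildcard)."""
    root = ET.fromstring(xml_text)
    return any(el.get("domain") == "*" for el in root.iter("allow-access-from"))

# Constructed sample response headers and policy file (not captured from any real site).
SAMPLE_HEADERS = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("X-Frame-Options", "DENY"),
]
SAMPLE_CROSSDOMAIN = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'

if __name__ == "__main__":  # run stand-alone to print the findings for the sample
    print(*analyze_headers(SAMPLE_HEADERS), crossdomain_allows_any(SAMPLE_CROSSDOMAIN), sep="\n")
```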

Warning: The Full Scan generates a high amount of noise in the network. Most correctly configured IDSs will detect this scan as attack traffic. Do not use it if you don't have proper authorization from the target website owner.

How it Works