This section describes the checks used during application scanning.
For more precise vulnerability detection, the scanner can check addresses outside the scan scope. Some checks are performed only within the target address (specified by the user). Others will execute requests outside the specified address as well.
In addition, some checks are performed only outside the scan scope: Version vulnerabilities of software components, Protocol checks, and Source map disclosure.
Check | Description | Category | Scan profile that includes the check |
---|---|---|---|
Version vulnerabilities of software components | Detects versions of third-party components and checks them for possible vulnerabilities. The scan results report will list confirmed and unconfirmed vulnerabilities in the target system | Target address and check outside the scan area | Server security, Optimal, Passive, Full |
Bitrix vulnerabilities | Detects 1C-Bitrix vulnerabilities used in massive attacks based on public exploits | Target address. Using the Path value in the Scan scope setting is not recommended | Server security, Dangerous, Optimal, Full |
Cross-site | Detects HTTP vulnerabilities that can be exploited to attack application users using malicious websites and scripts | Specified scan scope | Full |
Directory | Notifies about open directories on the web server. If you use the Full scan profile, all found directories are checked regardless of the crawling type. In this case, scan duration is significantly increased | Target address. Using the Path value in the Scan scope setting is not recommended | Server security, Dangerous, Optimal, Passive, Full |
DNS rebinding | Checks how a web server processes HTTP requests with arbitrary | Target address | Server security, Optimal, Passive, Full |
Checking the network perimeter | Searches for subdomains, open ports, and web services deployed on them | Specified scan scope | Server security, Transport-layer security, Optimal, Full, Perimeter scan |
File | Detects vulnerabilities that allow arbitrary local and deleted files and scripts with malicious code to be executed | Specified scan scope | Server security, Dangerous, Optimal, Full |
Arbitrary file upload | Sends files with various extensions and content to the web server file system and attempts to run them. If during the check the scanner fails to access the uploaded file, the severity level decreases | Specified scan scope | Server security, Dangerous, Optimal, Full |
HTML code injection | Checks an application for HTML code injection, for example, if the | Specified scan scope | Full |
HTTP header injection | Detects vulnerabilities that allow an attacker to control an HTTP response body and headers, run cross-site scripts, and conduct attacks on intermediate proxy servers | Specified scan scope | Server security, Optimal, Full |
Protocol | Checks that an application uses a secure protocol and redirects from HTTP to HTTPS | Target address and check outside the scan area | Server security, Transport-layer, Optimal, Passive, Full |
Information vulnerabilities | Checks the application for compliance with the information security guidelines and for the presence of sensitive information in the public domain | Specified scan scope | Server security, Optimal, Passive, Full |
MS HTTP system vulnerabilities | Checks Microsoft systems for vulnerabilities that allow attackers to execute arbitrary code using a system account | Target address | Server security, Dangerous, Full |
Open | Checks an application for vulnerabilities that allow automatic user redirection to a malicious address | Specified scan scope. Using the Path scan scope is not recommended. (It does not guarantee correct vulnerability search.) | Full |
OS command | Detects vulnerabilities that allow an attacker to execute arbitrary operating system commands on a target | Specified scan scope | Server security, Dangerous, Optimal, Full |
PHP configuration checks | Checks the PHP configuration file settings that affect application security and the presence of excessive sensitive information in public access | Specified scan scope | Server security, Optimal, Passive, Full |
Arbitrary code execution | Detects vulnerabilities that allow attackers to execute arbitrary code (RCE) | Specified scan scope | Server security, Dangerous, Optimal, Full |
Shellshock | Checks the operating system for the Bash interpreter vulnerability | Target address | Server security, Dangerous, Optimal, Full |
Source map disclosure | Public access to .map files | Target address and check outside the scan area | Optimal, Passive, Full |
SQL | Checks if SQL queries can be injected via user input. During scanning, the following attack types are used: error-based, time-based, and boolean-based attacks. For a thorough check of the target system, you must use the SQL injection check together with the SQL injection or Full scan profile | Specified scan scope | Server security, SQL, Dangerous, Optimal, Full |
SSI | Checks if SSI commands can be injected via user input. An attacker may exploit this vulnerability to inject any content including malicious JavaScript code | Specified scan scope | Server security, Optimal, Full |
SSL configuration checks | Verifies the secure connection configuration (SSL/TLS), such as encryption algorithms | Target address | Server security, Transport-layer security, Optimal, Full |
Server-side template injection | Checks if code can be injected into an application template via user input, passed, and executed on the server side (SSTI) | Specified scan scope | Server security, Dangerous vulnerabilities, Optimal, Full scan |
Insecure HTTP method checks | Checks if the insecure HTTP methods ( | Target address | Full |
XPath injection | Checks if arbitrary operators can be injected into XPath queries due to incorrect validation of user input | Specified scan scope | Full |
Cross-site scripting | Checks if malicious scripts can be executed in the user's browser because of vulnerable GET parameters in the application | Specified scan scope | Cross-site scripting, Optimal, Full |
Stored cross-site scripting | Checks if malicious scripts can be executed in the user's browser because of vulnerable POST parameters in the application. The Stored cross-site scripting check cannot be performed without the Cross-site scripting check | Specified scan scope | Cross-site scripting, Optimal, Full |
XML | Checks if XML external entities can be injected (XXE attack). The vulnerability allows attackers to interfere with XML data processing in the application | Specified scan scope | Server security, Dangerous, Optimal, Full |