
OWASP ZAP Passive Scan — Non‑intrusive Security Analysis

Tool: OWASP ZAP (Zed Attack Proxy) — a widely used open‑source web security testing tool

Goals:
• Analyze HTTP responses to identify potential vulnerabilities
• Validate security header configuration (HSTS, X-Frame-Options, X-Content-Type-Options, etc.)
• Detect sensitive information exposure (cookies, debug output, server banners)
• Check session cookie attributes (Secure, HttpOnly, SameSite) for session management weaknesses
• Flag potential injection points for follow-up (they are only reported, not tested; a passive scan sends no payloads)
• Fingerprint the technology stack in use (server, framework and version banners)

Method:
Passive scan: analyzes the HTTP request/response exchange only; no payloads are sent and the target is not attacked
Scope: main page of the specified URL only (no crawling, so findings on other pages are not covered)
Excludes: CSP warnings (covered in the separate headers test)
Time: ~10–20 seconds
Domain verification: only verified domains can be scanned; sign in, then register and verify the domain in the "Domains" tab in the sidebar
Grade criteria (score range → grade):

A+ (90–100)
• 0 High/Medium vulnerabilities
• Complete security headers (HTTPS, HSTS, X-Frame-Options etc.)
• No sensitive information exposure (cookies, comments, debug)
• Minimal server/framework version disclosure

A (80–89)
• High 0, Medium ≤ 1
• Most security headers present, minor gaps
• No sensitive data exposure
• Minor info exposure (e.g., server type)

B (70–79)
• High ≤ 1, Medium ≤ 2
• Some headers missing (HSTS, X-XSS-Protection; note that X-XSS-Protection is deprecated and ignored by current browsers, so its absence alone is not a weakness)
• Session cookies missing Secure/HttpOnly
• Minor internal identifiers in comments/meta

C (60–69)
• High ≥ 2 or Medium ≥ 3
• Key headers absent
• Sensitive parameters/tokens exposed in responses
• Weak session management (cookie attributes lacking)

D (50–59)
• Critical ≥ 1 or High ≥ 3
• Severe auth/session attribute gaps
• Debug/dev info exposed (stack traces, internal IPs)
• Exposed admin consoles/config files

F (0–49)
• Widespread High vulnerabilities
• No HTTPS or effectively disabled
• Sensitive data in plaintext/exposed
• Lack of security headers/session controls overall

Note: ZAP's own alert risk levels are High, Medium, Low and Informational; the "Critical" level in the D row is not a ZAP risk level.
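The following is an added example, not this service's scanner and not ZAP code. It runs the check categories listed under Goals (security headers, cookie attributes, server/framework banners, debug and internal-IP leakage in the body, HTML comments, technology fingerprint) over a single captured HTTP response without sending any request, then maps the High/Medium counts to the grade rows above. The severity assigned to each finding, the header list, and the reading of the F row's "widespread High" as five or more are this example's assumptions; the sample response is constructed, not captured from a real site.

```python
"""Single-response passive checker (added example; not the site's scanner, not ZAP code)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "High", "Medium", "Low" or "Info": assigned by this example, not by ZAP
    title: str
    evidence: str


# Headers the page calls "security headers"; severity of absence is an assumption.
REQUIRED_HEADERS = {
    "strict-transport-security": "Medium",
    "x-frame-options": "Medium",
    "x-content-type-options": "Low",
    "referrer-policy": "Low",
}
TECH_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")
INTERNAL_IP = re.compile(r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
                         r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
STACK_TRACE = re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)|Exception in thread")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
SENSITIVE_WORDS = re.compile(r"\b(todo|fixme|internal|staging|debug|password|admin)\b", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body).
    Headers stay a list so repeated Set-Cookie lines survive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("utf-8", "replace")


def check_headers(headers, is_https):
    present = {n for n, _ in headers}
    findings = [] if is_https else [Finding("High", "Page served without HTTPS", "")]
    for name, sev in REQUIRED_HEADERS.items():
        if name == "strict-transport-security" and not is_https:
            continue  # browsers ignore HSTS on plain HTTP; the HTTPS finding already covers it
        if name not in present:
            findings.append(Finding(sev, f"Missing {name} header", ""))
    return findings


def check_cookies(headers, is_https):
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        missing = [a for a, ok in (("Secure", "secure" in attrs or not is_https),
                                   ("HttpOnly", "httponly" in attrs),
                                   ("SameSite", "samesite" in attrs)) if not ok]
        if missing:
            findings.append(Finding("Medium", f"Cookie {cookie} missing {', '.join(missing)}", value))
    return findings


def check_disclosure(headers):
    """Technology fingerprint from banner headers; a version number raises severity to Low."""
    findings, tech = [], []
    for name, value in headers:
        if name in TECH_HEADERS:
            tech.append(value)
            sev = "Low" if VERSION.search(value) else "Info"
            findings.append(Finding(sev, f"{name} header discloses technology", value))
    return findings, tech


def check_body(body):
    findings = []
    trace = STACK_TRACE.search(body)
    if trace:
        findings.append(Finding("High", "Stack trace in response body", trace.group(0)))
    for ip in sorted(set(INTERNAL_IP.findall(body))):
        findings.append(Finding("Medium", "Internal IP address in response body", ip))
    for comment in HTML_COMMENT.findall(body):
        if SENSITIVE_WORDS.search(comment):
            findings.append(Finding("Low", "Suspicious HTML comment", comment.strip()))
    return findings


def grade(findings, is_https):
    """Map counts to the page's grade rows; 'widespread High' (F) is read as >= 5 (assumption)."""
    high = sum(f.severity == "High" for f in findings)
    med = sum(f.severity == "Medium" for f in findings)
    if not is_https or high >= 5:
        return "F"
    if high >= 3:
        return "D"
    if high >= 2 or med >= 3:
        return "C"
    if high == 1 or med == 2:
        return "B"
    return "A" if med == 1 else "A+"


def scan(raw: bytes, is_https: bool = True):
    _, headers, body = parse_response(raw)
    disclosure, tech = check_disclosure(headers)
    findings = check_headers(headers, is_https) + check_cookies(headers, is_https) + disclosure + check_body(body)
    return {"grade": grade(findings, is_https), "technologies": tech, "findings": findings}


# Constructed sample response (not captured from any real site).
SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n"
          b"Content-Type: text/html; charset=utf-8\r\nX-Content-Type-Options: nosniff\r\n"
          b"Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
          b"Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n\r\n"
          b"<html><!-- TODO: drop staging host 10.0.3.17 before launch --><body>ok</body></html>")

if __name__ == "__main__":
    result = scan(SAMPLE)
    print("grade:", result["grade"], "tech:", result["technologies"])
    for f in result["findings"]:
        print(f"[{f.severity}] {f.title}: {f.evidence}")
```

On the constructed sample the checker reports no High and four Medium findings (missing HSTS, missing X-Frame-Options, the PHPSESSID cookie without Secure/HttpOnly/SameSite, and the internal IP in the comment), which lands in the C row; passing `is_https=False` drops it straight to F per the "No HTTPS" criterion.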