Web application security tests | GDPR/CCPA data leaks detection | ScanRepeat

Web App Security Tests

Web app security tests cover, for example, potential application bugs that cause security issues, misconfiguration of the application, of internet protocols or of the web server, and the use of third-party components with known vulnerabilities.

Once a scan project is configured, new security scans are automatically scheduled and executed on a regular basis against your web application. The results of each scan are collected in a scan report, which is then available in your dashboard and is also delivered to your e-mail account and to integrated applications.

You should always point security scans at a dev or test instance of your web application, because the crawler behind the scanner behaves just like a real user exploring the application: it may, for example, click links and buttons within your application that modify or remove data.

Selected tests:

Anti-MIME-Sniffing header X-Content-Type-Options

Application Timestamp Disclosure

CSRF Vulnerability

Cache Control and Pragma Response Header Protection

Content Security Policy (CSP) Header Validation

Content Security Policy (CSP) Headers Misconfiguration

Content Type Charset Mismatch

Content Type Missing

Cookie Poisoning

Cookie Secure Flag

Cookie without SameSite

Cookies should be HttpOnly

Cross Domain Misconfiguration

Cross Domain Script Inclusion

Directory Browsing

Domain expiration date

HTTP Server Response Header Validation

HTTP Strict Transport Security (HSTS) Header Validation

HTTP to HTTPS Insecure Transition

Information Disclosure: Comments with Potentially Sensitive Information

Information Disclosure: Debug Errors

Insecure Authentication

Insecure JSF ViewState

Loosely Scoped Cookies

Mixed HTTP and HTTPS Content

Open Redirect

Password Hash Disclosure

Potential Sensitive Information Leak

Private Network Address Disclosure

Server Response Tests for Application Errors

Servlet Parameter Manipulation

Session ID Detection in URL

Shared Cache Retrieval

SSL certificate expiration date

Target Link Display Format Validation

Underlying Technology Information Disclosure

Usage of Components with Known Vulnerabilities

User Controllable Charset Validation

Username Hash Disclosure

VIEWSTATE Disclosure

X-AspNet-Version Response Header Validation

X-Debug-Token Information Leak

X-Frame-Options Header Validation

XSS Protection Header

Active Scan Tests

The Active Scan option runs more aggressive penetration tests that act like a real attacker, sending potentially harmful requests to your web application.

These tests can modify or remove your application data, so they may only be run against a dedicated test instance because of the risk of data corruption.

Selected tests:

Apache HTTP Server Information Leak (active scan)

Apache HTTP Server Range Header Denial of Service (active scan)

Backup Files Disclosure (active scan)

Buffer Overflow in the Application Code (active scan)

CRLF Special Characters Injection (active scan)

Cookie and Session Token Manipulation (active scan)

Cross Site Scripting (XSS) (active scan)

Cross-Domain Misconfiguration (active scan)

Directory Listing (active scan)

Error Logging Modules and Handlers HTTP Module Information Leak (active scan)

Executable Code Injection (active scan)

Expression Language Code Injection (active scan)

External Redirects (active scan)

Format String Handling Errors (active scan)

HTTP Parameter Pollution (HPP) (active scan)

HTTP Proxy Header Misconfiguration (active scan)

HTTPS Content Leak via HTTP (active scan)

Heartbleed OpenSSL Vulnerability (CVE-2014-0160) (active scan)

Insecure HTTP Method (active scan)

Integer Overflow Error in Compiled Code (active scan)

Missing HTTPS (active scan)

Operating System Command Injection (active scan)

Padding Oracle Vulnerability (active scan)

Presence of Anti-CSRF Tokens (active scan)

Proxy Server Disclosure (active scan)

Remote Code Execution in PHP-CGI based web server (CVE-2012-1823) (active scan)

Remote File Inclusion (active scan)

SQL Injection including Database Fingerprinting (active scan)

Server Side Inclusion (active scan)

Session Fixation (active scan)

ShellShock Vulnerability (CVE-2014-6271) (active scan)

Source Code Disclosure (active scan)

Substitutability of GET and POST (active scan)

Username Enumeration Test (active scan)

XML eXternal Entity (XXE) Vulnerability (active scan)

XPath Query Injection (active scan)

California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) Sensitive Information Tests

While your web application is scanned, we look for any occurrences of sensitive personal information that may be a sign of a California Consumer Privacy Act (CCPA) or General Data Protection Regulation (GDPR) data leak caused by a bug in the web application, a hacking attempt or human error. As some of these alerts can be false alarms, please review them carefully.

Selected tests:

Potential leak of Personal Names

Potential leak of Bank Account Numbers

Potential leak of Passport Numbers

Potential leak of Credit Card Numbers

Potential leak of E-mail Addresses
