Attack your perimeter
before adversaries do.

HTTPS Enforcement

Verifies that all HTTP traffic is redirected to HTTPS and that TLS is properly configured. Unencrypted traffic can be intercepted and modified in transit.

HSTS (HTTP Strict Transport Security)

Checks that the Strict-Transport-Security header is present with a sufficient max-age. Without HSTS, browsers can be downgraded to HTTP by a network attacker.

TLS Certificate Validity

Validates certificate chain, expiry date, issuer trust, and domain match. Expired or misconfigured certs trigger browser warnings and can break encryption guarantees.

TLS Protocol & Cipher Strength

Detects support for deprecated protocols (SSLv3, TLS 1.0/1.1) and weak cipher suites. Weak TLS can be exploited to decrypt traffic or forge certificates.

Content Security Policy (CSP)

Evaluates the Content-Security-Policy header for completeness and bypass-prone directives. A strong CSP is the primary browser-side defense against cross-site scripting.

Clickjacking Protection

Checks for X-Frame-Options or frame-ancestors CSP directive. Without it, attackers can embed your site in an invisible iframe to trick users into unintended actions.

Secure Cookie Attributes

Verifies session and auth cookies carry Secure, HttpOnly, and SameSite flags. Missing flags allow cookies to be stolen via XSS or sent in cross-origin requests.

Sensitive File Exposure

Tests for accessible robots.txt leaks, .htaccess, web.config, phpinfo(), and error pages with stack traces. These files hand attackers a roadmap of your application's structure and secrets.

Referrer Policy

Checks the Referrer-Policy header to prevent sensitive URL data leaking to third parties. URLs containing tokens, IDs, or search terms can be harvested from referrer headers.

Permissions Policy

Validates the Permissions-Policy header to restrict access to browser APIs (camera, mic, geolocation). Overly permissive policies allow malicious scripts to access sensitive device features.

Cross-Origin Isolation (COEP/COOP)

Checks Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy headers. Required to protect against Spectre-class side-channel attacks in modern browsers.

DNS Security (DNSSEC)

Verifies whether DNSSEC is enabled for the target domain. Without DNSSEC, DNS responses can be spoofed, redirecting users to attacker-controlled servers.

Email Security (SPF / DKIM / DMARC)

Checks DNS records for email authentication policies. Missing or weak email security enables phishing attacks that impersonate your domain.

Subdomain Takeover Risk

Identifies DNS records pointing to deprovisioned cloud or SaaS services. Dangling DNS entries allow attackers to claim your subdomain and serve malicious content.

GraphQL Introspection Enabled

Checks whether the GraphQL schema can be fully queried by unauthenticated clients. Introspection exposes your entire API contract to attackers, making targeted exploitation trivial.

GraphQL Query Depth Limiting

Tests whether deeply nested queries are rejected before executing. Unbounded query depth enables "GraphQL bombs" that exhaust server resources in seconds.

GraphQL Batching Abuse

Sends batched query arrays to detect whether rate limiting and auth are enforced per-operation. Batching bypasses rate limits, enabling credential stuffing and enumeration at scale.

REST API Data Overexposure

Inspects API responses for fields that should not be returned to the client (internal IDs, hashes, PII). Overly verbose API responses leak data that attackers can chain into further attacks.

PII in API Responses

Scans API responses for patterns matching emails, phone numbers, SSNs, and payment data. Regulatory frameworks (GDPR, HIPAA, PCI-DSS) impose heavy penalties for PII leakage.

BOLA / IDOR via API

Tests object-level authorization by substituting IDs in API endpoints to access other users' resources. Broken object-level authorization is the #1 API vulnerability per the OWASP API Top 10.

Mass Assignment

Sends requests with extra body fields to test whether the API accepts unauthorized property updates. Attackers can elevate privileges or modify protected fields by adding unexpected parameters.

API Authentication Enforcement

Verifies that API endpoints return 401/403 when accessed without valid credentials. Unauthenticated API access is an immediate, high-severity finding.

API Rate Limiting

Tests whether endpoints enforce request throttling to prevent automated abuse. Without rate limiting, your API is open to credential stuffing, enumeration, and denial of service.

Reflected Cross-Site Scripting (XSS)

Injects payloads into URL parameters, form fields, and headers to test for unsanitized reflection. XSS enables session hijacking, credential theft, and malicious redirects targeting your users.

Stored XSS

Tests input fields that persist data (comments, profiles, messages) for stored script injection. Stored XSS is higher severity — one injection can attack every user who views the content.

DOM-Based XSS

Analyzes client-side JavaScript for unsafe DOM manipulation patterns. DOM XSS is invisible to server-side scanners and commonly missed in manual reviews.

SQL Injection (Time-Based)

Injects time-delay payloads into parameters to detect blind SQL injection without triggering errors. Time-based SQLi detects database vulnerabilities that produce no visible error output.

SQL Injection (Error-Based)

Injects payloads designed to trigger database error messages that confirm injectable parameters. Error-based SQLi provides attackers with database structure details to accelerate exploitation.

Server-Side Request Forgery (SSRF)

Tests URL input fields and webhooks for the ability to make the server issue internal network requests. SSRF can reach internal metadata APIs, internal databases, and AWS/GCP instance credentials.

Open Redirect

Tests redirect and next parameters for unvalidated URL forwarding. Open redirects are weaponized in phishing campaigns to borrow the trust of your domain.

Command Injection

Injects OS command separators into input fields that may pass data to shell functions. Remote code execution via command injection gives attackers full server control.

Path Traversal

Tests file path parameters with ../ sequences to reach files outside the web root. Path traversal can expose /etc/passwd, application config files, and private keys.

XML External Entity (XXE)

Sends crafted XML payloads to endpoints that parse XML, testing for entity injection. XXE can read local files, probe internal network services, and cause denial of service.

Server-Side Template Injection (SSTI)

Injects template syntax into input fields to detect unsafe template evaluation. SSTI typically leads directly to remote code execution on the web server.

Insecure Deserialization

Tests serialized object inputs for gadget-chain payloads that trigger code execution. Deserialization vulnerabilities are a direct path to RCE and are difficult to detect manually.

JavaScript Library CVE Matching

Identifies client-side JS library versions from responses and matches against the CVE database. Outdated jQuery, React, Angular, and other libraries carry exploitable known vulnerabilities.

Server Software CVE Matching

Fingerprints web server, CMS, and framework versions and checks for associated CVEs. Unpatched server software is the most common root cause of mass exploitation events.

CMS Plugin Vulnerability Detection

Identifies WordPress, Drupal, Joomla, and other CMS plugin versions and flags known-vulnerable versions. CMS plugin vulnerabilities account for the majority of successful website compromises.

Dependency Confusion Risk

Detects public package names that mirror private internal package names. Dependency confusion allows attackers to inject malicious code into your build pipeline.