How Invicti reports vulnerabilities
Invicti provides comprehensive vulnerability reporting by utilizing a wide range of security checks available in a scan policy.
A scan policy serves as a collection of web application security scan settings. By attaching a scan policy, you can specify the security tests to be run.
Invicti incorporates an extensive library of thousands of built-in security checks, which have been developed over the course of more than a decade of continuous security research and refinement. This ensures maximum coverage and accuracy in identifying potential vulnerabilities.
Within a scan policy, you can access these security checks. While the default security checks in the Default Scan Policy cannot be modified or removed, you have the flexibility to disable irrelevant security checks when configuring a new scan policy. This customization allows you to focus on the vulnerabilities that are most pertinent to your specific environment.
To aid in understanding the relationship between security checks and vulnerabilities, the following table provides a list of security checks and the corresponding vulnerabilities they report when selected.
Apache Struts RCE
Apache Struts S2-045 RCE
[Possible] Code Evaluation (Apache Struts) S2-045
Code Evaluation (Apache Struts) S2-045
Apache Struts S2-046 RCE
[Possible] Code Evaluation (Apache Struts) S2-046
Code Evaluation (Apache Struts) S2-046
Code Evaluation
Code Evaluation
[Possible] Code Evaluation (Apache Struts S02-53)
[Possible] Code Evaluation (Apache Struts)
[Possible] Code Evaluation (Apache Struts) S2-016
[Possible] Code Evaluation (ASP)
[Possible] Code Evaluation (Node.js)
[Possible] Code Evaluation (Perl)
[Possible] Code Evaluation (PHP)
[Possible] Code Evaluation (Python)
[Possible] Code Evaluation (Ruby)
Code Evaluation (Apache Struts S02-53)
Code Evaluation (Apache Struts)
Code Evaluation (Apache Struts) S2-016
Code Evaluation (ASP)
Code Evaluation (Node.js)
Code Evaluation (Perl)
Code Evaluation (PHP)
Code Evaluation (Python)
Code Evaluation (Ruby)
Code Evaluation (IAST)
Code Evaluation (PHP) – IAST
Code Evaluation (Out of Band)
[Possible] Out of Band Code Evaluation (Apache Struts 2)
[Possible] Out of Band Command Injection
Out of Band Code Evaluation (Apache Struts 2) S2-053
Out of Band Code Evaluation (ASP)
Out of Band Code Evaluation (Node.js)
Out of Band Code Evaluation (Perl)
Out of Band Code Evaluation (PHP)
Out of Band Code Evaluation (Python)
Out of Band Code Evaluation (RoR – JSON)
Out of Band Code Evaluation (RoR)
Out of Band Code Evaluation (Ruby)
Out of Band Code Execution via SSTI
Out of Band Code Execution via SSTI (Java FreeMarker)
Out of Band Code Execution via SSTI (Java Velocity)
Out of Band Code Execution via SSTI (Node.js Dot)
Out of Band Code Execution via SSTI (Node.js EJS)
Out of Band Code Execution via SSTI (Node.js Marko)
Out of Band Code Execution via SSTI (Node.js Nunjucks)
Out of Band Code Execution via SSTI (Node.js Pug (Jade))
Out of Band Code Execution via SSTI (PHP Smarty)
Out of Band Code Execution via SSTI (PHP Twig)
Out of Band Code Execution via SSTI (Python Jinja)
Out of Band Code Execution via SSTI (Python Mako)
Out of Band Code Execution via SSTI (Python Tornado)
Out of Band Command Injection
Text4Shell Remote Code Execution – (CVE-2022-42889)
Log4j Code Evaluation (Out of Band)
Out of Band Code Evaluation (Log4j)
Server-Side Template Injection
[Possible] Code Execution via SSTI
[Possible] Code Execution via SSTI (ASP.NET Razor)
[Possible] Code Execution via SSTI (Java FreeMarker)
[Possible] Code Execution via SSTI (Java Pebble)
[Possible] Code Execution via SSTI (Java Velocity)
[Possible] Code Execution via SSTI (JinJava)
[Possible] Code Execution via SSTI (Node.js Dot)
[Possible] Code Execution via SSTI (Node.js EJS)
[Possible] Code Execution via SSTI (Node.js Marko)
[Possible] Code Execution via SSTI (Node.js Nunjucks)
[Possible] Code Execution via SSTI (Node.js Pug (Jade))
[Possible] Code Execution via SSTI (PHP Smarty)
[Possible] Code Execution via SSTI (PHP Twig)
[Possible] Code Execution via SSTI (Python Jinja)
[Possible] Code Execution via SSTI (Python Mako)
[Possible] Code Execution via SSTI (Python Tornado)
[Possible] Code Execution via SSTI (Ruby ERB)
[Possible] Code Execution via SSTI (Ruby Slim)
[Possible] Server-Side Template Injection
[Possible] Server-Side Template Injection (ASP.NET Razor)
[Possible] Server-Side Template Injection (Java FreeMarker)
[Possible] Server-Side Template Injection (Java Pebble)
[Possible] Server-Side Template Injection (Java Velocity)
[Possible] Server-Side Template Injection (JinJava)
[Possible] Server-Side Template Injection (Node.js Dot)
[Possible] Server-Side Template Injection (Node.js EJS)
[Possible] Server-Side Template Injection (Ruby ERB)
Code Execution via SSTI
Code Execution via SSTI (ASP.NET Razor)
Code Execution via SSTI (Java FreeMarker)
Code Execution via SSTI (Java Pebble)
Code Execution via SSTI (Java Velocity)
Code Execution via SSTI (JinJava)
Code Execution via SSTI (Node.js Dot)
Code Execution via SSTI (Node.js EJS)
Code Execution via SSTI (Node.js Marko)
Code Execution via SSTI (Node.js Nunjucks)
Code Execution via SSTI (Node.js Pug (Jade))
Code Execution via SSTI (PHP Smarty)
Code Execution via SSTI (PHP Twig)
Code Execution via SSTI (Python Jinja)
Code Execution via SSTI (Python Mako)
Code Execution via SSTI (Python Tornado)
Code Execution via SSTI (Ruby ERB)
Code Execution via SSTI (Ruby Slim)
Server-Side Template Injection
Server-Side Template Injection (ASP.NET Razor)
Server-Side Template Injection (Java FreeMarker)
Server-Side Template Injection (Java Pebble)
Server-Side Template Injection (Java Velocity)
Server-Side Template Injection (JinJava)
Server-Side Template Injection (Node.js Dot)
Server-Side Template Injection (Node.js EJS)
Server-Side Template Injection (Ruby ERB)
Spring4Shell Remote Code Execution
[Possible] Remote Code Execution (Spring4Shell)
Command Injection (CI)
Command Injection
[Possible] Command Injection
Bash Command Injection Vulnerability (Shellshock Bug)
Command Injection
Command Injection (Blind)
Blind Command Injection
Command Injection (IAST)
Command Injection (IAST)
Cross Site Scripting (XSS)
Cross-site Scripting
[Possible] Cross-site Scripting
Cross-site Scripting
Stored Cross-site Scripting
Cross-site Scripting (Blind)
[Possible] Blind Cross-site Scripting
Blind Cross-site Scripting
Cross-site Scripting (DOM Based)
Base Tag Hijacking
Cross-site Scripting (DOM based)
Form Hijacking
Open Redirection (DOM based)
File Inclusion
Local File Inclusion
[Possible] F5 Big-IP Local File Inclusion (CVE-2020-5902)
[Possible] Local File Inclusion
[Probable] Local File Inclusion
Code Evaluation via Local File Inclusion (PHP)
F5 Big-IP Local File Inclusion (CVE-2020-5902)
Local File Inclusion
Ruby on Rails File Content Disclosure (CVE-2019-5418)
Local File Inclusion (IAST)
Local File Inclusion (IAST)
Remote File Inclusion
[Possible] Remote File Inclusion
Remote File Inclusion
Remote File Inclusion (Out of Band)
Out of Band Remote File Inclusion
Header Injection
HTTP Header Injection
HTTP Header Injection
HTTP Header Injection (IAST)
Mail Header Injection (IAST)
NoSQL Injection
MongoDB Injection (Blind)
Blind MongoDB Injection
PossibleBlindMongoDB
MongoDB Injection (Error Based)
[Possible] Error-Based MongoDB Injection
Error-Based MongoDB Injection
Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (DNS)
[Possible] Server-Side Request Forgery
Server-Side Request Forgery (Pattern Based)
[Possible] Server-Side Request Forgery (AWS)
[Possible] Server-Side Request Forgery (elmah MVC)
[Possible] Server-Side Request Forgery (elmah)
[Possible] Server-Side Request Forgery (MySQL)
[Possible] Server-Side Request Forgery (Oracle Cloud)
[Possible] Server-Side Request Forgery (Packet Cloud)
[Possible] Server-Side Request Forgery (SSH)
[Possible] Server-Side Request Forgery (Time Based)
[Possible] Server-Side Request Forgery (trace.axd)
Server-Side Request Forgery (AWS)
Server-Side Request Forgery (elmah MVC)
Server-Side Request Forgery (elmah)
Server-Side Request Forgery (trace.axd)
SQL Injection
SQL Injection
[Possible] SQL Injection
[Probable] SQL Injection
Database Detected (HsqlDb)
Database Detected (Microsoft Access)
Database Detected (Microsoft SQL Server)
Database Detected (MongoDB)
Database Detected (MySQL)
Database Detected (Oracle)
Database Detected (PostgreSQL)
Database Detected (SQLite)
Out-of-date Version (Microsoft SQL Server)
Out-of-date Version (MySQL)
Out-of-date Version (Oracle)
Out-of-date Version (PostgreSQL)
Out-of-date Version (SQLite)
SQL Injection (Blind)
Blind SQL Injection
SQL Injection (Boolean)
Boolean Based SQL Injection
Database User Has Admin Privileges
SQL Injection (IAST)
SQL Injection (IAST)
SQL Injection (Out of Band)
Out of Band SQL Injection
Static Resources
Static Resources (All Paths)
.htaccess File Detected
[Possible] WS_FTP Log File Detected
Apache Multiple Choices Enabled
CVS Detected
GIT Detected
phpinfo() Output Detected
Security.txt Detected
Sugar CRM Identified
SVN Detected
swagger.json Detected
Trace.axd Detected
Travis CI Configuration File Detected
Version Disclosure (Jolokia)
ZSH History File Detected
Static Resources (Only Root Path)
[Possible] AWStats Detected
[Possible] Mint Detected
[Possible] WP Engine Configuration File Detected
Apache Server-Info Detected
Apache Server-Status Detected
Apple’s App-Site Association (AASA) Detected
Crossdomain.xml Detected
Default Page Detected (Tomcat)
Elmah.axd / Errorlog.axd Detected
Open Policy Crossdomain.xml Detected
Open Silverlight Client Access Policy
OpenSearch.xml Detected
phpMyAdmin Detected
Robots.txt Detected
RoR Development Mode Enabled
Silverlight Client Access Policy Detected
Sitemap Detected
Source Code Disclosure (Tomcat)
Webalizer Detected
XML External Entity (XXE)
XML External Entity
[Possible] XML External Entity Injection
XML External Entity Injection
XML External Entity (Out of Band)
Out of Band XML External Entity Injection
Arbitrary Files (IAST)
Arbitrary Files (IAST)
Arbitrary File Creation Detected
Arbitrary File Deletion Detected
BREACH Attack
BREACH Attack
[Possible] BREACH Attack Detected
Configuration Analyzer (IAST)
Configuration Analyzer (IAST)
ASP.NET Cookieless Authentication Is Enabled
ASP.NET Cookieless Session State Is Enabled
ASP.NET CustomErrors Is Disabled
ASP.NET Debugging Enabled
ASP.NET Login Credentials Stored In Plain Text
ASP.NET Tracing Is Enabled
ASP.NET ValidateRequest Is Globally Disabled
ASP.NET ViewStateUserKey Is Not Set
ASP.NET: Failure To Require SSL For Authentication Cookies
Axis Development Mode Enabled in WEB-INF/server-config.wsdd
Axis system configuration listing enabled in WEB-INF/server-config.wsdd
Custom Error Pages Are Not Configured in WEB-INF/web.xml
Express Development Mode Is Enabled
Express express-session Weak Secret Key Detected
Java Verb Tampering Via Misconfigured Security Constraint
Node.js Web Application does not handle uncaughtException
Node.js Web Application does not handle unhandledRejection
Overly Long Session Timeout
PHP allow_url_fopen Is Enabled
PHP allow_url_include Is Enabled
PHP display_errors Is Enabled
PHP enable_dl Is Enabled
PHP open_basedir Is Not Configured
PHP register_globals Is Enabled
PHP session.use_trans_sid Is Enabled
Spring Boot Misconfiguration: Actuator endpoint security disabled
Spring Boot Misconfiguration: Admin MBean enabled
Spring Boot Misconfiguration: All Spring Boot Actuator endpoints are web exposed
Spring Boot Misconfiguration: Datasource credentials stored in the properties file
Spring Boot Misconfiguration: Developer tools enabled on production
Spring Boot Misconfiguration: H2 console enabled
Spring Boot Misconfiguration: MongoDB credentials stored in the properties file
Spring Boot Misconfiguration: Overly long session timeout
Spring Boot Misconfiguration: Spring Boot Actuator shutdown endpoint is web exposed
Spring Boot Misconfiguration: Unsafe value for session tracking
Spring Misconfiguration: HTML Escaping disabled
Struts 2 Config Browser plugin enabled
Struts 2 Development Mode Enabled
Unsafe value for session tracking in WEB-INF/web.xml
ViewState MAC Disabled
Content Security Policy
Content Security Policy
An Unsafe Content Security Policy (CSP) Directive in Use
Content Security Policy (CSP) Contains Out of Scope report-uri Domain
Content Security Policy (CSP) Keywords Not Used Within Single Quotes
Content Security Policy (CSP) Nonce Value Not Used Within Single Quotes
Content Security Policy (CSP) Nonce Without Matching Script Block
Content Security Policy (CSP) Not Implemented
Content Security Policy (CSP) report-uri Uses HTTP
Content-Security-Policy-Report-Only Cannot Be Declared Between META Tags
Content-Security-Policy-Report-Only Cannot Be Declared Without report-uri Directive
data: Used in a Content Security Policy (CSP) Directive
default-src Used in Content Security Policy (CSP)
Deprecated Header Instruction Used to Implement Content Security Policy (CSP)
Incorrect Content Security Policy (CSP) Implementation
Insecure Protocol Detected in Content Security Policy (CSP)
Invalid Content Security Policy (CSP) Directive Identified in meta Elements
Missing object-src in CSP Declaration
Multiple Content Security Policy (CSP) Implementation Detected
No Script Block Detected with the Hash Value Declared in Content Security Policy (CSP)
Nonce Usage Detected in Content Security Policy (CSP) Directive
Scheme URI Detected in Content Security Policy (CSP) Directive
Static Nonce Identified in Content Security Policy (CSP)
Unsupported Hash Detected in Content Security Policy (CSP)
Weak Nonce Detected in Content Security Policy (CSP) Declaration
Wildcard Detected in Domain Portion of Content Security Policy (CSP) Directive
Wildcard Detected in Port Portion of Content Security Policy (CSP) Directive
Wildcard Detected in Scheme Portion of Content Security Policy (CSP) Directive
Content-Type Sniffing
Content-Type Sniffing
Missing Content-Type Header
Cookie
Cookie
Cookie Not Marked as HttpOnly
Cookie Not Marked as Secure
SameSite Cookie Not Implemented
SameSite None Cookie Not Marked as Secure
Session Cookie Not Marked as Secure
User Controllable Cookie
Cross Frame Options Security
Cross Frame Options Security
Misconfigured X-Frame-Options Header
Missing X-Frame-Options Header
Multiple Declarations in X-Frame-Options Header
Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing (CORS)
Misconfigured Access-Control-Allow-Origin Header
Cross-Site Request Forgery
Cross-Site Request Forgery
[Possible] Cross-site Request Forgery
[Possible] Cross-site Request Forgery in Login Form
Cookie Values Used in Anti-CSRF Token
Drupal Remote Code Execution
Drupal Remote Code Execution
Drupal Core – Remote Code Execution (CVE-2019-6340)
Expression Language Injection
Expression Language Injection
[Possible] Expression Language Injection
Expression Language Injection
File Upload
File Upload
Code Execution via File Upload
Cross-site Scripting via File Upload
Unrestricted File Upload
GraphQL Library Detection
GraphQL Library Detection
GraphQL Endpoint Detected
GraphQL Library Detected (Apollo)
GraphQL Library Detected (Ariadne)
GraphQL Library Detected (Dgraph)
GraphQL Library Detected (Directus)
GraphQL Library Detected (GqlGen)
GraphQL Library Detected (Graphene)
GraphQL Library Detected (GraphQL API for WordPress)
GraphQL Library Detected (Graphql-Go)
GraphQL Library Detected (graphql-java)
GraphQL Library Detected (graphql-php)
GraphQL Library Detected (Hasura)
GraphQL Library Detected (Juniper)
GraphQL Library Detected (Ruby-graphql)
GraphQL Library Detected (Sangria)
GraphQL Library Detected (Tartiflette)
GraphQL Library Detected (WPGraphQL)
Header Analyzer
Header Analyzer
Missing X-XSS-Protection Header
HTTP Header Injection
HTTP Header Injection (IAST)
Mail Header Injection (IAST)
Heartbleed
Heartbleed
OpenSSL Heartbleed
HSTS
HSTS
HTTP Strict Transport Security (HSTS) Errors and Warnings
HTTP Strict Transport Security (HSTS) Max-Age Value Too Low
HTTP Strict Transport Security (HSTS) Policy Not Enabled
HTTP Strict Transport Security (HSTS) via HTTP
Insecure HTTP Usage
HTML Content
HTML Content
[Possible] Password Transmitted over Query String
[Possible] Phishing by Navigating Browser Tabs
Autocomplete Enabled (Password Field)
Autocomplete is Enabled
Critical Form Send to HTTP
Critical Form Served over HTTP
File Upload Functionality Detected
Password Transmitted over HTTP
Subresource Integrity (SRI) Hash Invalid
Subresource Integrity (SRI) Not Implemented
HTTP Methods
HTTP Methods
TRACE/TRACK Method Detected
HTTP Status
HTTP Status
Authorization Required
Basic Authorization over HTTP
Forbidden Resource
Internal Server Error
Unexpected Redirect Response Body (Too Large)
Unexpected Redirect Response Body (Two Responses)
Weak Basic Authentication Credentials
HTTP.sys (CVE-2015-1635)
HTTP.sys (CVE-2015-1635)
Remote Code Execution and DoS in HTTP.sys (IIS)
IFrame Security
IFrame Security
Insecure Frame (External)
Misconfigured Frame
Insecure JSONP Endpoint
Insecure JSONP Endpoint
[Possible] Insecure JSONP Endpoint
Insecure Reflected Content
Insecure Reflected Content
[Possible] Insecure Reflected Content
JavaScript Libraries
JavaScript Libraries
Out-of-date Version (AngularJS)
Out-of-date Version (axios)
Out-of-date Version (Backbone.js)
Out-of-date Version (bluebird)
Out-of-date Version (Bootbox.js)
Out-of-date Version (Bootstrap 3 Date/Time Picker)
Out-of-date Version (Bootstrap Toggle)
Out-of-date Version (Bootstrap)
Out-of-date Version (Chart.js)
Out-of-date Version (CKEditor)
Out-of-date Version (D3.js)
Out-of-date Version (DataTables)
Out-of-date Version (DOMPurify)
Out-of-date Version (DWR)
Out-of-date Version (easyXDM)
Out-of-date Version (ef.js)
Out-of-date Version (Ember.js)
Out-of-date Version (Ext JS)
Out-of-date Version (Fabric.js)
Out-of-date Version (FancyBox)
Out-of-date Version (Fingerprintjs2)
Out-of-date Version (Flickity)
Out-of-date Version (FooTable)
Out-of-date Version (Foundation)
Out-of-date Version (GSAP)
Out-of-date Version (Hammer.JS)
Out-of-date Version (Handlebars.js)
Out-of-date Version (Highcharts)
Out-of-date Version (HTML5 Shiv)
Out-of-date Version (ImagePicker)
Out-of-date Version (Inferno)
Out-of-date Version (Intro.js)
Out-of-date Version (Ion.RangeSlider)
Out-of-date Version (JavaScript Cookie)
Out-of-date Version (jPlayer)
Out-of-date Version (jQuery Mask)
Out-of-date Version (jQuery Migrate)
Out-of-date Version (jQuery Mobile)
Out-of-date Version (jQuery UI Autocomplete)
Out-of-date Version (jQuery UI Dialog)
Out-of-date Version (jQuery UI Tooltip)
Out-of-date Version (jQuery Validation)
Out-of-date Version (jQuery)
Out-of-date Version (jsTree)
Out-of-date Version (Knockout Mapping)
Out-of-date Version (Knockout)
Out-of-date Version (Lazy.js)
Out-of-date Version (Leaflet)
Out-of-date Version (Lightbox)
Out-of-date Version (List.js)
Out-of-date Version (Lodash)
Out-of-date Version (Marionette.js)
Out-of-date Version (Math.js)
Out-of-date Version (MathJax)
Out-of-date Version (Mithril)
Out-of-date Version (Modernizr)
Out-of-date Version (Moment.js)
Out-of-date Version (mustache.js)
Out-of-date Version (pdf.js)
Out-of-date Version (Phaser)
Out-of-date Version (Pixi.js)
Out-of-date Version (Plupload)
Out-of-date Version (Polymer)
Out-of-date Version (prettyPhoto)
Out-of-date Version (Prototype JS)
Out-of-date Version (Ramda)
Out-of-date Version (React)
Out-of-date Version (RequireJS)
Out-of-date Version (Respond.js)
Out-of-date Version (Reveal.js)
Out-of-date Version (Rickshaw)
Out-of-date Version (Riot.js)
Out-of-date Version (ScrollReveal)
Out-of-date Version (Select2)
Out-of-date Version (Semantic UI)
Out-of-date Version (slick)
Out-of-date Version (Snap.svg)
Out-of-date Version (Sortable)
Out-of-date Version (SweetAlert2)
Out-of-date Version (Three.js)
Out-of-date Version (typeahead.js)
Out-of-date Version (Underscore.js)
Out-of-date Version (Video.js)
Out-of-date Version (Vue.js)
Out-of-date Version (XRegExp)
Out-of-date Version (YUI)
Out-of-date Version (Zepto.js)
JSON Web Token
JSON Web Token
JWT Forgery via Chaining Jku Parameter with Open Redirect
JWT Forgery via Path Traversal
JWT Forgery via SQL Injection
JWT Forgery via unvalidated jku parameter
JWT Signature Bypass via None Algorithm
JWT Signature is not Verified
Weak Secret is Used to Sign JWT
Login Page Identifier
Login Page Identifier
[Possible] Login Page Identified
Malware Analyzer
Malware Analyzer
Malware Identified
Mixed Content
Mixed Content
Active Mixed Content over HTTPS
Passive Mixed Content over HTTPS
Open Redirection
Open Redirection
Frame Injection
Open Redirection
Open Redirection in POST method
Oracle WebLogic Remote Code Execution
Oracle WebLogic Remote Code Execution
Oracle WebLogic Authentication Bypass (CVE-2020-14883)
Oracle WebLogic Remote Code Execution (CVE-2020-14882)
Referrer Policy
Referrer Policy
Cross-site Referrer Leakage through usage of no-referrer-when-downgrade in Referrer-Policy
Cross-site Referrer Leakage through usage of origin-when-cross-origin in Referrer-Policy
Cross-site Referrer Leakage through usage of strict-origin in Referrer-Policy
Cross-site Referrer Leakage through usage of strict-origin-when-cross-origin in Referrer-Policy
Cross-site Referrer Leakage through usage of the origin keyword in Referrer-Policy
Cross-site Referrer Leakage through usage of unsafe-url in Referrer-Policy
Referrer-Policy Needs Proper Fallback
Referrer-Policy Not Implemented
Unknown Option Used In Referrer-Policy
Reflected File Download
Reflected File Download
[Possible] Reflected File Download
Signatures
Signatures
.DS_Store File Found
[Possible] Administration Page Detected
[Possible] Backup File Disclosure
[Possible] Configuration File Detected
[Possible] Credit Card Disclosure
[Possible] Database Connection String Detected
[Possible] HTTP Header Injection
[Possible] Internal IP Address Disclosure
[Possible] Internal Path Disclosure (*nix)
[Possible] Internal Path Disclosure (Windows)
[Possible] Laravel Debug Mode Enabled
[Possible] Laravel Environment Configuration File Detected
[Possible] Piwik Detected
[Possible] Source Code Disclosure (ASP.NET)
[Possible] Source Code Disclosure (ColdFusion)
[Possible] Source Code Disclosure (Generic)
[Possible] Source Code Disclosure (Java Servlet)
[Possible] Source Code Disclosure (Java)
[Possible] Source Code Disclosure (JSP)
[Possible] Source Code Disclosure (Perl)
[Possible] Source Code Disclosure (PHP)
[Possible] Source Code Disclosure (Python)
[Possible] Source Code Disclosure (Ruby)
[Possible] SQL File Detected
[Possible] Stored Cross-site Scripting
[Possible] Sublime SFTP Config File Detected
[Possible] Test File Detected
[Possible] UNC Server and Share Disclosure
[Possible] Windows Username Disclosure
aah Go Server Identified
Adminer Detected
Apache Coyote Identified
Apache Module Identified
Apache MultiViews Enabled
Apache Traffic Server Identified
Apache Web Server Identified
Artifactory DevOps Solution Identified
ASP.NET Identified
ASP.NET MVC Identified
Atlassian Confluence Identified
Atlassian Jira Identified
Atlassian Proxy Identified
Axway Secure Transport Detected
Axway SecureTransport Server Identified
Backup Source Code Detected
BitNinja Captcha Server Identified
Bomgar Remote Support Software Detected
Caddy Web Server Identified
CakePHP Framework Identified
CDN Detected (Airee)
CDN Detected (Akamai)
CDN Detected (Arvan Cloud)
CDN Detected (Azure CDN)
CDN Detected (CDN77)
CDN Detected (Fastly)
CDN Detected (Fireblade)
CDN Detected (Google Cloud CDN)
CDN Detected (Incapsula)
CDN Detected (KeyCDN)
CDN Detected (MaxCDN)
CDN Detected (Netlify)
CDN Detected (PowerCDN)
CDN Detected (Qrator)
CDN Detected (Sucuri)
CDN Detected (West263)
Cherokee Identified
CherryPy Identified
Code Execution via Local File Inclusion
Cowboy HTTP Server Identified
Craft CMS Identified
Cross-site Scripting via Remote File Inclusion
CrushFTP Server Detected
Daiquiri Detected
Database Error Message Disclosure
Database Name Disclosure (Microsoft SQL Server)
Database Name Disclosure (MySQL)
DataDome Identified
DbNinja Detected
Default Page Detected (Apache)
Default Page Detected (CakePHP Framework)
Default Page Detected (IIS 10.0)
Default Page Detected (IIS 6)
Default Page Detected (IIS 7.5)
Default Page Detected (IIS 7.X)
Default Page Detected (IIS 7)
Default Page Detected (IIS 8.5)
Default Page Detected (IIS 8)
Denial of Service (MySQL)
Directory Listing (Apache)
Directory Listing (ASP.NET Server)
Directory Listing (IIS)
Directory Listing (Lighttpd)
Directory Listing (LiteSpeed)
Directory Listing (Nginx)
Directory Listing (Tomcat)
Disabled X-XSS-Protection Header
Django Debug Mode Enabled
Django Identified
Email Address Disclosure
Exception Report Disclosure (Tomcat)
ExpressJS Identified
FrontPage Identified
Generic Email Address Disclosure
GlassFish Server Identified
Grafana Identified
Gunicorn Python WSGI HTTP Server Identified
Hiawatha Identified
HubSpot Identified
IBM Business Process Manager (BPM) Identified
IBM HTTP Server Identified
IBM Rational Team Concert (RTC) Identified
IBM Security Access Manager (WebSEAL) Identified
IIS Identified
Information Disclosure (Microsoft Office)
Java Identified
Java Servlet Identified
JBoss Application Server Identified
JBoss Core Services Identified
JBoss Enterprise Application Platform Identified
Jenkins Identified
Jetty Web Server Identified
Jolokia Identified
JSP Identified
JWT Detected
Kestrel Detected
Kong Identified
Liferay Digital Experience Platform Detected
Liferay Portal Detected
Lighthouse Identified
Lighttpd Identified
LiteSpeed Web Server Identified
Mashery Proxy Identified
Microsoft Access Database File Detected
Microsoft IIS Log File Detected
Microsoft Outlook Personal Folders File (.pst) Found
Mongrel Identified
Next.js React Framework Identified
Nexus Repository OSS Identified
Nginx Web Server Identified
NuSOAP Identified
OpenResty Web Platform Identified
OpenSSL Identified
OpenVPN Access Server Identified
Oracle Application Server Identified
Oracle HTTP Server Identified
Out-of-date Version (Next.js React Framework)
Pardot Server Identified
Passive Web Backdoor Detected
Perl Identified
PHP Identified
PHP session.use_only_cookies Is Disabled
phpLiteAdmin Detected
phpMoAdmin Detected
Phusion Passenger Identified
Play Web Framework Identified
Plesk (Linux) Identified
Plesk (Windows) Identified
Plone CMS Identified
Private Burp Collaborator Server Identified
Programming Error Message
Programming Error Message (Ruby)
Python Identified
Python WSGIserver Identified
Resin Application Server Identified
Restlet Framework Identified
RoR Database Configuration File Detected
RSA Private Key Detected
Ruby on Rails Identified
RubyGems Identified
SharePoint Identified
Shell Script Detected
Shopify Identified
Social Security Number Disclosure
SonicWall SSL-VPN Server Identified
SQL Injection
SQLite Database File Found
Squarespace Identified
Squid Identified
Stack Trace Disclosure (Apache MyFaces)
Stack Trace Disclosure (ASP.NET)
Stack Trace Disclosure (CakePHP Framework)
Stack Trace Disclosure (CherryPy)
Stack Trace Disclosure (ColdFusion)
Stack Trace Disclosure (Django)
Stack Trace Disclosure (Grails)
Stack Trace Disclosure (Java)
Stack Trace Disclosure (Laravel)
Stack Trace Disclosure (Python)
Stack Trace Disclosure (RoR)
Stack Trace Disclosure (Ruby-Sinatra Framework)
Struts2 Development Mode Enabled
Tableau Server Detected
Taleo Web Server Identified
Telerik Web UI Identified
Tomcat Identified
Tornado Web Server Identified
Trac Software Project Management Tool Identified
Tracy Debugging Identified
TS Web Access Identified
TwistedWeb HTTP Server Identified
Undertow Web Server Identified
Username Disclosure (Microsoft SQL Server)
Username Disclosure (MySQL)
Varnish HTTP Cache Server Identified
Vegur Identified
Version Disclosure (Apache Coyote)
Version Disclosure (Apache Module)
Version Disclosure (Apache Traffic Server)
Version Disclosure (Apache)
Version Disclosure (Artifactory DevOps Solution)
Version Disclosure (ASP.NET MVC)
Version Disclosure (ASP.NET)
Version Disclosure (Atlassian Confluence)
Version Disclosure (Atlassian Jira)
Version Disclosure (Atlassian Proxy)
Version Disclosure (Axway SecureTransport Server)
Version Disclosure (CakePHP Framework)
Version Disclosure (Cherokee)
Version Disclosure (CherryPy)
Version Disclosure (Cowboy HTTP Server)
Version Disclosure (Daiquiri)
Version Disclosure (Django)
Version Disclosure (FrontPage)
Version Disclosure (GlassFish)
Version Disclosure (Grafana)
Version Disclosure (Gunicorn Python WSGI HTTP Server)
Version Disclosure (Hiawatha)
Version Disclosure (IBM HTTP Server)
Version Disclosure (IBM Rational Team Concert (RTC))
Version Disclosure (IBM Security Access Manager (WebSEAL))
Version Disclosure (IIS)
Version Disclosure (Java Servlet)
Version Disclosure (Java)
Version Disclosure (JBoss)
Version Disclosure (Jenkins)
Version Disclosure (Jetty)
Version Disclosure (JSP)
Version Disclosure (Kong)
Version Disclosure (Liferay Digital Experience Platform)
Version Disclosure (Liferay Portal)
Version Disclosure (Lighttpd)
Version Disclosure (mod_ssl)
Version Disclosure (Mongrel Web Server)
Version Disclosure (Next.js React Framework)
Version Disclosure (Nexus Repository OSS)
Version Disclosure (Nginx)
Version Disclosure (NuSOAP)
Version Disclosure (OpenResty)
Version Disclosure (OpenSSL)
Version Disclosure (Oracle)
Version Disclosure (Perl)
Version Disclosure (PHP)
Version Disclosure (phpMyAdmin)
Version Disclosure (Phusion Passenger)
Version Disclosure (Plone CMS)
Version Disclosure (Python WSGIserver)
Version Disclosure (Python)
Version Disclosure (Resin Application Server)
Version Disclosure (Restlet Framework)
Version Disclosure (RoR)
Version Disclosure (Ruby)
Version Disclosure (RubyGems)
Version Disclosure (SharePoint)
Version Disclosure (Squid)
Version Disclosure (Sugar CRM)
Version Disclosure (Taleo Web Server)
Version Disclosure (Telerik Web UI)
Version Disclosure (Tomcat)
Version Disclosure (Tornado)
Version Disclosure (Trac Software Project Management Tool)
Version Disclosure (Tracy Debugging Tool)
Version Disclosure (TwistedWeb HTTP Server)
Version Disclosure (Undertow Web Server)
Version Disclosure (W3 Total Cache)
Version Disclosure (WebLogic)
Version Disclosure (WEBrick)
Version Disclosure (Werkzeug Python WSGI Library)
Version Disclosure (Zope)
ViewState is not Encrypted
W3 Total Cache Identified
Web Backdoor Detected
Web.config File Detected
WebLogic Identified
Werkzeug Python WSGI Library Identified
Whoops Error Handler Framework Detected
WildFly Application Server Identified
Windows Azure Web Server Identified
WordPress Setup Configuration File
Zope Web Server Identified
Software Composition Analysis (SCA)
Software Composition Analysis (SCA)
Out-of-date Component
SSL
SSL
Anonymous Ciphers Supported
Certificate is Signed Using a Weak Signature Algorithm
Expired SSL Certificate
Insecure Transportation Security Protocol Supported (SSLv2)
Insecure Transportation Security Protocol Supported (SSLv3)
Insecure Transportation Security Protocol Supported (TLS 1.0)
Insecure Transportation Security Protocol Supported (TLS 1.1)
Intermediate Certificate is Signed Using a Weak Signature Algorithm
Invalid SSL Certificate
Revoked SSL Certificate
ROBOT Attack Detected (Strong Oracle)
ROBOT Attack Detected (Weak Oracle)
SSL Certificate Is About To Expire
SSL Certificate Name Hostname Mismatch
SSL Untrusted Root Certificate
SSL/TLS Not Implemented
Weak Ciphers Enabled
Unicode Transformation (Best-Fit Mapping)
Unicode Transformation (Best-Fit Mapping)
Unicode Transformation (Best-Fit Mapping)
WAF Identifier
Reverse Proxy Detection
Reverse Proxy Detected (Apache Traffic Server)
Reverse Proxy Detected (Citrix Netscaler)
Reverse Proxy Detected (Envoy)
Reverse Proxy Detected (F5 BIG-IP)
Reverse Proxy Detected (HAProxy)
Reverse Proxy Detected (Skipper)
Web Application Firewall Detected
Web App Fingerprint
Web App Fingerprint
AbanteCart Detected
Ampache Detected
ATutor Detected
b2evolution Detected
Chamilo Detected
Claroline Detected
ClipBucket Detected
Collabtive Detected
Concrete5 Detected
contao Detected
Coppermine Detected
CubeCart Detected
Dolibarr Detected
Dolphin Detected
DotClear Detected
Drupal Detected
e107 Detected
Elgg Detected
EspoCRM Detected
Family Connections Detected
FluxBB Detected
Form Tools Detected
Front Accounting Detected
GibbonEdu Detected
Hesk Detected
Joomla Detected
LimeSurvey Detected
Magento Identified
MediaWiki Detected
Mibew Messenger Detected
MODX Detected
Moodle Detected
Movable Type Detected
MyBB Detected
Omeka Detected
OpenCart Detected
osClass Detected
osCommerce Detected
osTicket Detected
Out-of-date Version (AbanteCart)
Out-of-date Version (Ampache)
Out-of-date Version (ATutor)
Out-of-date Version (b2evolution)
Out-of-date Version (Chamilo)
Out-of-date Version (Claroline)
Out-of-date Version (ClipBucket)
Out-of-date Version (Collabtive)
Out-of-date Version (Concerte5)
Out-of-date Version (contao)
Out-of-date Version (Coppermine)
Out-of-date Version (CubeCart)
Out-of-date Version (Dolibarr)
Out-of-date Version (Dolphin)
Out-of-date Version (DotClear)
Out-of-date Version (Drupal)
Out-of-date Version (e107)
Out-of-date Version (Elgg)
Out-of-date Version (EspoCRM)
Out-of-date Version (Family Connections)
Out-of-date Version (FluxBB)
Out-of-date Version (Form Tools)
Out-of-date Version (Front Accounting)
Out-of-date Version (GibbonEdu)
Out-of-date Version (Hesk)
Out-of-date Version (Joomla)
Out-of-date Version (LimeSurvey)
Out-of-date Version (Magento)
Out-of-date Version (MediaWiki)
Out-of-date Version (Mibew Messenger)
Out-of-date Version (MODX)
Out-of-date Version (Moodle)
Out-of-date Version (Movable Type)
Out-of-date Version (MyBB)
Out-of-date Version (Omeka)
Out-of-date Version (OpenCart)
Out-of-date Version (osClass)
Out-of-date Version (osCommerce)
Out-of-date Version (osTicket)
Out-of-date Version (ownCloud)
Out-of-date Version (pH7CMS)
Out-of-date Version (Phorum)
Out-of-date Version (Php Address Book)
Out-of-date Version (phpBB)
Out-of-date Version (PhpFusion)
Out-of-date Version (phpList)
Out-of-date Version (PhpMyFAQ)
Out-of-date Version (Piwigo)
Out-of-date Version (PmWiki)
Out-of-date Version (Podcast Generator)
Out-of-date Version (PrestaShop)
Out-of-date Version (ProjectSend)
Out-of-date Version (qdPM)
Out-of-date Version (Question2Answer)
Out-of-date Version (Revive Adserver)
Out-of-date Version (Roundcube)
Out-of-date Version (Rukovoditel)
Out-of-date Version (SeoPanel)
Out-of-date Version (Serendipity)
Out-of-date Version (TCExam)
Out-of-date Version (Typo3)
Out-of-date Version (Vanilla Forums)
Out-of-date Version (webERP)
Out-of-date Version (WeBid)
Out-of-date Version (WordPress)
Out-of-date Version (XOOPS)
Out-of-date Version (YetiForce CRM)
Out-of-date Version (YOURLS)
Out-of-date Version (Zen Cart)
Out-of-date Version (ZenPhoto)
Out-of-date Version (Zikula)
ownCloud Detected
pH7CMS Detected
Phorum Detected
Php Address Book Detected
phpBB Detected
PhpFusion Detected
phpList Detected
PhpMyFAQ Detected
Piwigo Detected
PmWiki Detected
Podcast Generator Detected
PrestaShop Detected
ProjectSend Detected
qdPM Detected
Question2Answer Detected
Revive Adserver Detected
Roundcube Detected
Rukovoditel Detected
SeoPanel Detected
Serendipity Detected
TCExam Detected
Typo3 Identified
Vanilla Forums Detected
webERP Detected
WeBid Detected
WordPress Detected
XOOPS Detected
YetiForce CRM Detected
YOURLS Detected
Zen Cart Detected
ZenPhoto Detected
Zikula Detected
Web Cache Deception
Web Cache Deception
Web Cache Deception
WebDAV
WebDAV
Code Execution via WebDAV
Directory Listing (WebDAV)
OPTIONS Method Enabled
WebDAV Directory Has Write Permissions
WebDAV Enabled
Windows Short Filename
Windows Short Filename
Windows Short Filename