Website Vulnerability Scanner

Scan any website's HTML code for vulnerabilities and possible weak spots. Get the best tips to protect your website against hackers.

How does it work?

When you request a scan by submitting a website's URL, the tool collects information from the website through GET requests for a total of up to 2 minutes (even if the target is bigger) and analyzes the gathered results. A report detailing the website’s vulnerabilities is then generated in JSON format and stored in our database for one week. You can access the generated report through a specific query and a reference name, which we provide in the initial response to your scan request.

Results accuracy

This tool is a remote scanner with limited access, so in rare cases the results may include false positives (i.e. harmless items detected as malicious). However, since this is a free-of-charge service for non-commercial use, we believe that it is fair.

Frequently asked questions

What is this scanner?

This free website vulnerability scanner tests a website for potential security flaws. It performs non-intrusive vulnerability detections for your website’s HTML code & your web-server’s headers, checks for common weak spots, and generates reports in JSON format. The tool is non-intrusive, as it checks website vulnerabilities by scanning the static content only. If a part of your website requires user interaction or input, it will not be scanned. This tool shall NOT be used for any unlawful, illicit, illegal, criminal, fraudulent, or any other similar activities as well as for any commercial use.

How accurate are the scanner’s results?

This website security checker offers good general-level knowledge about your website’s security and helps correct some of the most common vulnerabilities as well as major issues. However, this tool is a remote scanner with limited access. This means that results may include rare cases of false positives – some harmless items might be detected as malicious.

How does it work?

When you put a website’s URL into the website vulnerability scanner, it collects information by GET requests. It can take up to two minutes to analyze the gathered code and test website security. After that, a JSON file including your vulnerability report will be generated. The report will be stored in our database for one week, and you’ll be able to access it through a specific query and a reference name – both of which we will provide after you request a scan.

What information is used, how is it stored?

In order to provide you with the report and prevent abuse, we process this information:

  • The target URI (scanned website's address used for starting the scanning procedure, for spidering, and further requests on spidered links);
  • The IP address that requested the scan (in case of abuse, the respective IP address could be blacklisted from using our service);
  • Technical system-related data, allowing the backend to communicate with the visual interface (such as authorization tokens generated by API).

We store JSON reports of scanned websites, containing all information gathered throughout the scanning process, for one week so that we can readily provide you with the service. All other data is stored for one year so that we can prevent abuse cases and, if needed, establish a legal claim or defend ourselves from one.

Description of the scale

An alert is a potential vulnerability and is associated with a specific request. A request can have more than one alert. Alerts are shown in the UI with a flag indicating the risk.

Our app will crawl the target website with its spider, and it will passively scan each page it finds. This is meant for finding the active links on the page by examining the HTML and website headers – it might also reveal some possible weak spots.

  • Overall risk level: High
  • Overall risk level: Medium
  • Overall risk level: Low
  • Overall risk level: Info

What are we checking your website for:

  1. Cookies without the “Secure” or “HttpOnly” flag, loosely scoped cookies, and insecure cookie storage or transfer practices.
  2. Password autocomplete in the browser – input fields with autocomplete attributes that save previously entered passwords in plaintext format in your internet browser’s storage.
  3. Cross-domain JavaScript source file inclusion – possible risk points where you include third-party JavaScript from domains other than your website.
  4. Status of HTTP security-enhancing headers (Content-Type header missing, CSP header missing, X-Frame-Options header not set, X-Content-Type-Options header not set), and missing or incomplete Cache-Control and Pragma headers.
  5. Insecure JSF ViewState.
  6. Charset mismatches – declaration of one charset and actual implementation of another.
  7. The absence of anti-CSRF tokens in <head> or <form> tags, which are supposed to protect you against cross-site request forgery.
  8. Application error disclosure occurrences – possibly broken pages on your website where you disclose errors to the public internet instead of logging them in the backend.
  9. Accidental information disclosure – sensitive information in the “HTTP referrer” header, sensitive information in URLs, debug error messages, suspicious comments, private IP disclosure.
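To show what a passive check of this kind looks like, the added example below (not the scanner's own code) applies four of the listed checks to one GET response: cookie flags, missing security headers, cross-domain script inclusion, and password autocomplete. The function names, the risk label given to each finding, and the sample response are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Risk labels are assumptions; the page does not map checks to risk levels.
REQUIRED_HEADERS = {"content-security-policy": "Medium",
                    "x-frame-options": "Medium", "x-content-type-options": "Low"}

class PageChecks(HTMLParser):
    """Flags cross-domain <script src> and password inputs lacking autocomplete=off."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.alerts = page_host, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Relative URLs have no hostname and are treated as same-origin.
        host = urlparse(a.get("src") or "").hostname
        if tag == "script" and host and host != self.page_host:
            self.alerts.append(("Low", f"cross-domain script from {host}"))
        if (tag == "input" and (a.get("type") or "").lower() == "password"
                and (a.get("autocomplete") or "").lower() != "off"):
            self.alerts.append(("Low", "password field allows autocomplete"))

def passive_scan(url, headers, body):
    """Return (risk, message) alerts for one response; headers is a list of pairs."""
    alerts = []
    present = {name.lower() for name, _ in headers}
    for header, risk in REQUIRED_HEADERS.items():
        if header not in present:
            alerts.append((risk, f"{header} header not set"))
    for value in (v for n, v in headers if n.lower() == "set-cookie"):
        pair, *attrs = value.split(";")
        cookie = pair.split("=")[0].strip()
        flags = {a.strip().lower().split("=")[0] for a in attrs}
        for flag in ("secure", "httponly"):
            if flag not in flags:
                alerts.append(("Low", f"cookie {cookie} without {flag} flag"))
    checks = PageChecks(urlparse(url).hostname)
    checks.feed(body)
    return alerts + checks.alerts

# Constructed sample response (not real scanner output).
SAMPLE_URL = "https://www.example.com/login"
SAMPLE_HEADERS = [("Content-Type", "text/html; charset=utf-8"),
                  ("X-Frame-Options", "DENY"),
                  ("Set-Cookie", "sid=abc123; Path=/; HttpOnly")]
SAMPLE_BODY = ('<html><head><script src="https://cdn.example.net/lib.js"></script>'
               '<script src="/js/app.js"></script></head><body><form>'
               '<input type="password" name="pw"></form></body></html>')

if __name__ == "__main__":
    for risk, message in passive_scan(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"[{risk}] {message}")
```

Because the check only reads a response that an ordinary GET already returned, it never submits forms or sends crafted input, which is why pages behind user interaction stay out of scope.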