Application Scanning Features

Crawler

Unique crawler optimized for security testing

Crawling is an essential part of Application Scanning. It explores your website by navigating through its different pages and states, indexing them, and gathering data that serves as input for running tests. In effect, it creates a map of the website that guides our assessment engines, so you don’t have to manually configure how and where testing will be deployed.

We continuously update our crawler and how it interacts with web applications. It is built to handle websites using both traditional and modern web technologies; JavaScript-heavy and single-page applications are of course supported. It is also efficient when faced with large websites, as it dynamically adapts to the structure and asset types within them.

Fuzzing

Fuzzing combined with ethical hacking research

Fuzz Testing, or fuzzing, is a security testing technique that feeds a software system input data manipulated with special or even random values, called FUZZ, in order to discover coding errors and security loopholes.

To enable a DAST scanner to behave like an automated hacker, we have reimagined the way we do fuzzing, making it more creative in finding a wider range of vulnerabilities. Our fuzzing engine lets us uncover new areas of an application and detect new security-related bugs or other unexpected behaviors. Instead of static testing, where a scanner only checks for expected responses, the fuzzer performs deeper exploratory testing to locate those less obvious, business-critical security vulnerabilities faster than before.

Read our blog article on our Fuzzing engine here.

Scan behind login

Authenticated testing

Most web applications have areas that everyone can access and areas that are only accessible to users with an account. Examples include: 

  • Users logged in to an e-commerce site 
  • A forum
  • A protected development
  • A pre-production environment

A user often has access to more functionality when logged in, including posting comments on a forum, uploading pictures to their profile, or completing a purchase. 

A comprehensive security evaluation of any web application needs to be able to test areas behind a login. Detectify offers three options for scanning behind login: recorded login, basic authentication, and session cookies. 

When we’re able to perform authenticated testing, we find more vulnerabilities and can test the functionality that different users and roles are able to reach.

Large applications

Scanning vast web apps

While scanning vast apps, our crawler looks for common structures and can filter similar pages and assets, reducing scan time. We have been focusing on expanding our crawling capabilities by grouping assets by purpose, optimizing the mapping of customer assets, and making it possible to continue crawling from where a previous scan concluded. These improvements will not just mean our crawling is more efficient, but it will allow us to go even deeper into user assets by combining what we have learned through previous scans and the latest vulnerabilities we’ve crowdsourced from elite ethical hackers.

The Detectify crawler can:

  • Cover pages rendered by JavaScript
  • Detect and collect dynamic pages much better than a regular crawler
  • Gather more extensive crawling data for more in-depth results

Fingerprinting

Fingerprinting for personalized security testing

During a scan, Application Scanning performs extended fingerprinting of your domains and the software they run, including resolving the CMS (if any), underlying technology stack, and the operating system. This then customizes the subsequent vulnerability scanning phase and activates additional tests applicable to the specific technology identified.

For greater scalability, and to keep pace with ever-evolving security threats, fingerprinting lets us expand our security tests to match your environment without overloading a scan with irrelevant tests.

For example, suppose 80% of our customers run WordPress. In that case, we can invest in finding a more diverse set of WordPress vulnerabilities, benefiting a larger share of our customer base.

Product Updates

Interested in the latest product updates and vulnerability tests?
These can be found here.

Get flexible, scalable, and easy scanning with Application Scanning

  • OWASP Top 10 view and beyond: Check your site's OWASP Top 10 score and test for less common and more critical, undocumented vulnerabilities.

  • API integration: Start, stop and check the status of scans. (Extensive API functionality and easy domain verification are available in our Enterprise package.)

  • 2FA: Two-factor authentication for all users in the team. (Extended authentication control with 2FA and SSO access is available in our Enterprise package.)

  • Up to 10 team members: Share scan profiles within your team with controlled user permissions. (Further multi-team set-up is available for flexible organizing of assets, access levels, and results in our Enterprise package.)

  • Export reports: Export the results from your latest scan (PDF, XML, JSON, plus more).

  • Multiple payment methods: Payment via invoice or credit card.

  • Customer support: We'll answer your unique questions and help you make web security as accessible and actionable as possible.

Go Hack Yourself!

Unlimited scanning free for 2 weeks
