OWASP ZAP Online Scan

Website and Web Application Vulnerability Scanner.

OWASP ZAP Highlights

  • Industry trusted web application vulnerability scanner.
  • Crawls websites and SPAs.
  • Tests for XSS and other OWASP Top 10 security risks.
  • Discover vulnerable JavaScript libraries.
  • More thoroughly scan your APIs by providing an OpenAPI template.

HostedScan Benefits

  • Always up-to-date OWASP ZAP installation.
  • Risk management platform to track vulnerabilities and reduce noise.
  • Continuous monitoring with scheduled scans.
  • Automatic alerts for new vulnerabilities.
  • Authenticated web application scans using a recorded login.

OWASP Security Scan Details

HostedScan provides two OWASP security scans to meet the needs of every user. Both scans use the OWASP ZAP (Zaproxy) scanner, a leading open source project used by many large players in the security industry. These scans test websites and web apps for OWASP Top 10 risks and more.

The Passive Scan loads the pages of a website and checks for vulnerabilities such as cross-domain misconfigurations, insecure cookies, and vulnerable JavaScript dependencies (see the table below for the full list). This scan completes within several minutes.

The Active Scan submits forms and makes requests to the web application to test for vulnerabilities such as SQL injection, remote command execution, and cross-site scripting (see table below for full list). The active scan is not destructive, but it may send thousands of requests to a web application while thoroughly testing for all vulnerabilities. Make sure you have permission from the application owner to run this scan. This scan may take up to several hours, depending on the scanned target.

Scan Capability (Passive Scan)

  • Application Error Disclosure
  • Big Redirect Detected (Potential Sensitive Information Leak)
  • Charset Mismatch
  • Content-Type Header Missing
  • Cookie No HttpOnly Flag
  • Cookie Poisoning
  • Cookie Without Secure Flag
  • Cross-Domain JavaScript Source File Inclusion
  • Cross-Domain Misconfiguration
  • Directory Browsing
  • HTTP Server Response Header
  • HTTP to HTTPS Insecure Transition in Form Post
  • HTTPS to HTTP Insecure Transition in Form Post
  • Hash Disclosure
  • Heartbleed OpenSSL Vulnerability (Indicative)
  • Information Disclosure - Debug Error Messages
  • Information Disclosure - Sensitive Information in HTTP Referrer Header
  • Information Disclosure - Sensitive Information in URL
  • Information Disclosure - Suspicious Comments
  • Insecure JSF ViewState
  • Loosely Scoped Cookie
  • Modern Web Application
  • Open Redirect
  • PII Disclosure
  • Private IP Disclosure
  • Re-examine Cache-control Directives
  • Retrieved from Cache
  • Reverse Tabnabbing
  • Script Passive Scan Rules
  • Secure Pages Include Mixed Content
  • Session ID in URL Rewrite
  • Stats Passive Scan Rule
  • Strict-Transport-Security Header
  • Timestamp Disclosure
  • User Controllable Charset
  • User Controllable HTML Element Attribute (Potential XSS)
  • User Controllable JavaScript Event (XSS)
  • Username Hash Found
  • Verification Request Identified
  • Viewstate
  • Vulnerable JS Library (Powered by Retire.js)
  • WSDL File Detection
  • Weak Authentication Method
  • X-AspNet-Version Response Header
  • X-Backend-Server Header Information Leak
  • X-ChromeLogger-Data (XCOLD) Header Information Leak
  • X-Debug-Token Information Leak

Scan Capability (Active Scan)

  • .env Information Leak
  • .htaccess Information Leak
  • Directory Browsing (Active mode only)
  • CRLF Injection
  • Cross Site Scripting (Persistent)
  • Cross Site Scripting (Persistent) - Prime
  • Cross Site Scripting (Persistent) - Spider
  • Cross Site Scripting (Reflected)
  • ELMAH Information Leak
  • External Redirect
  • GET for POST
  • Generic Padding Oracle
  • Heartbleed OpenSSL Vulnerability
  • Log4Shell
  • Parameter Tampering
  • Path Traversal
  • Remote Code Execution - CVE-2012-1823
  • Remote File Inclusion
  • Remote OS Command Injection
  • SQL Injection
  • SQL Injection - MsSQL
  • SQL Injection - MySQL
  • SQL Injection - Oracle
  • SQL Injection - PostgreSQL
  • Script Active Scan Rules
  • Server Side Code Injection
  • Server Side Template Injection
  • Server Side Template Injection (Blind)
  • Source Code Disclosure - /WEB-INF folder
  • Source Code Disclosure - CVE-2012-1823
  • Spring Actuator Information Leak
  • Spring4Shell
  • Trace.axd Information Leak
  • XML External Entity Attack
  • XPath Injection
  • XSLT Injection
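To make concrete what the Passive Scan described above does, here is an added example (written for this page, not HostedScan's or ZAP's own implementation) that applies a handful of the passive rules from the table to a single HTTP response it is handed, without sending any requests. The URL, headers and body are constructed sample data.

```python
import re
from urllib.parse import urlparse

def passive_scan(url, headers, body):
    """Return (rule, detail) findings for one response; headers is a list of (name, value) pairs."""
    findings = []
    hdr = {n.lower(): v for n, v in headers}  # lookup for single-valued headers
    parsed = urlparse(url)
    is_https = parsed.scheme == "https"
    # Cookie flags: every Set-Cookie header is judged on its own
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(("Cookie No HttpOnly Flag", cookie))
        if is_https and "secure" not in attrs:
            findings.append(("Cookie Without Secure Flag", cookie))
    # Header presence checks
    if "content-type" not in hdr:
        findings.append(("Content-Type Header Missing", url))
    if is_https and "strict-transport-security" not in hdr:
        findings.append(("Strict-Transport-Security Header", "missing"))
    if "x-aspnet-version" in hdr:
        findings.append(("X-AspNet-Version Response Header", hdr["x-aspnet-version"]))
    # Body checks: RFC 1918 addresses, mixed content, cross-domain script sources
    private_ip = r"\b(?:10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+)\b"
    for ip in re.findall(private_ip, body):
        findings.append(("Private IP Disclosure", ip))
    for src in re.findall(r"<script[^>]+src=[\"']([^\"']+)", body, re.I):
        src_host = urlparse(src).hostname
        if is_https and urlparse(src).scheme == "http":
            findings.append(("Secure Pages Include Mixed Content", src))
        if src_host and src_host != parsed.hostname:
            findings.append(("Cross-Domain JavaScript Source File Inclusion", src))
    return findings

# Constructed sample response (not captured from any real site)
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HEADERS = [
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
    ("X-AspNet-Version", "4.0.30319"),
]
SAMPLE_BODY = ('<!-- backend at 10.0.3.7 --><script src="http://cdn.example/app.js"></script>'
               '<script src="/static/site.js"></script>')
if __name__ == "__main__":
    for rule, detail in passive_scan(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{rule}: {detail}")
```

The same response fed through the real scanner would carry the same rule names, which is what makes passive findings cheap to reproduce and triage locally before a scheduled scan re-checks them.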


HostedScan is 100% read-only, and will never make any modifications to your servers.