OWASP ZAP Online Scan
Website and Web Application Vulnerability Scanner.
OWASP ZAP Highlights
- Industry trusted web application vulnerability scanner.
- Crawls websites and SPAs.
- XSS and other OWASP top 10 security risks.
- Discover vulnerable JavaScript libraries.
- More thoroughly scan your APIs by providing an OpenAPI template.
HostedScan Benefits
- Always up-to-date OWASP ZAP installation.
- Risk management platform to track vulnerabilities and reduce noise.
- Continuous monitoring with scheduled scans.
- Automatic alerts for new vulnerabilities.
- Authenticated web application scans using a recorded login.
OWASP Security Scan Details
HostedScan provides two OWASP security scans to meet the needs of every user. Both scans use the OWASP ZAP (Zaproxy) scanner, a leading open source project used by many large players in the security industry. These scans test websites and web apps for OWASP Top 10 risks and more.
The Passive Scan loads the pages of a website and checks for vulnerabilities such as cross-domain misconfigurations, insecure cookies, and vulnerable js dependencies (see table below for full list). This scan completes within several minutes.
The Active Scan submits forms and makes requests to the web application to test for vulnerabilities such as SQL injection, remote command execution, and cross-site scripting (see table below for full list). The active scan is not destructive, but it may send thousands of requests to a web application while thoroughly testing for all vulnerabilities. Make sure you have permission from the application owner to run this scan. This scan may take up to several hours, depending on the scanned target.
| Scan Capability | Passive Scan | Active Scan |
|---|---|---|
| Application Error Disclosure | ||
| Big Redirect Detected (Potential Sensitive Information Leak) | ||
| Charset Mismatch | ||
| Content-Type Header Missing | ||
| Cookie No HttpOnly Flag | ||
| Cookie Poisoning | ||
| Cookie Without Secure Flag | ||
| Cross-Domain JavaScript Source File Inclusion | ||
| Cross-Domain Misconfiguration | ||
| Directory Browsing | ||
| HTTP Server Response Header | ||
| HTTP to HTTPS Insecure Transition in Form Post | ||
| HTTPS to HTTP Insecure Transition in Form Post | ||
| Hash Disclosure | ||
| Heartbleed OpenSSL Vulnerability (Indicative) | ||
| Information Disclosure - Debug Error Messages | ||
| Information Disclosure - Sensitive Information in HTTP Referrer Header | ||
| Information Disclosure - Sensitive Information in URL | ||
| Information Disclosure - Suspicious Comments | ||
| Insecure JSF ViewState | ||
| Loosely Scoped Cookie | ||
| Modern Web Application | ||
| Open Redirect | ||
| PII Disclosure | ||
| Private IP Disclosure | ||
| Re-examine Cache-control Directives | ||
| Retrieved from Cache | ||
| Reverse Tabnabbing | ||
| Script Passive Scan Rules | ||
| Secure Pages Include Mixed Content | ||
| Session ID in URL Rewrite | ||
| Stats Passive Scan Rule | ||
| Strict-Transport-Security Header | ||
| Timestamp Disclosure | ||
| User Controllable Charset | ||
| User Controllable HTML Element Attribute (Potential XSS) | ||
| User Controllable JavaScript Event (XSS) | ||
| Username Hash Found | ||
| Verification Request Identified | ||
| Viewstate | ||
| Vulnerable JS Library (Powered by Retire.js) | ||
| WSDL File Detection | ||
| Weak Authentication Method | ||
| X-AspNet-Version Response Header | ||
| X-Backend-Server Header Information Leak | ||
| X-ChromeLogger-Data (XCOLD) Header Information Leak | ||
| X-Debug-Token Information Leak | ||
| .env Information Leak | ||
| .htaccess Information Leak | ||
| Directory Browsing (Active mode only) | ||
| CRLF Injection | ||
| Cross Site Scripting (Persistent) | ||
| Cross Site Scripting (Persistent) - Prime | ||
| Cross Site Scripting (Persistent) - Spider | ||
| Cross Site Scripting (Reflected) | ||
| ELMAH Information Leak | ||
| External Redirect | ||
| GET for POST | ||
| Generic Padding Oracle | ||
| Heartbleed OpenSSL Vulnerability | ||
| Log4Shell | ||
| Parameter Tampering | ||
| Path Traversal | ||
| Remote Code Execution - CVE-2012-1823 | ||
| Remote File Inclusion | ||
| Remote OS Command Injection | ||
| SQL Injection | ||
| SQL Injection - MsSQL | ||
| SQL Injection - MySQL | ||
| SQL Injection - Oracle | ||
| SQL Injection - PostgreSQL | ||
| Script Active Scan Rules | ||
| Server Side Code Injection | ||
| Server Side Template Injection | ||
| Server Side Template Injection (Blind) | ||
| Source Code Disclosure - /WEB-INF folder | ||
| Source Code Disclosure - CVE-2012-1823 | ||
| Spring Actuator Information Leak | ||
| Spring4Shell | ||
| Trace.axd Information Leak | ||
| XML External Entity Attack | ||
| XPath Injection | ||
| XSLT Injection |
Trusted by these companies and 1000s more
Sign up to get started
HostedScan is 100% read-only, and will never make any modifications to your servers.