Web Application Security Testing
Detectify Application Scanning is a Dynamic Application Security Testing (DAST) solution that crawls and fuzzes your custom web applications to identify real, exploitable vulnerabilities. It uses a headless Chrome browser to interact with your applications.
What is Application Scanning?
Application Scanning tests your running web applications by sending requests, analyzing responses, and injecting payloads to detect vulnerabilities. Unlike static analysis, DAST runs against the live application, catching issues that only manifest at runtime.
Detectify’s scanner supports modern web applications, including single-page applications (SPAs), JavaScript-heavy frontends, and applications behind authentication.
Key Capabilities
Headless Chrome Crawling
The scanner uses a headless Chrome browser to render pages, execute JavaScript, and interact with dynamic content. This means it can test SPAs built with React, Angular, Vue, and other modern frameworks.
Graph-Based Crawling
Rather than following a simple link tree, the scanner builds a graph model of your application’s states and transitions, discovering functionality that requires specific sequences of interactions, such as multi-step forms and stateful workflows.
Page Deduplication
The crawler identifies pages that are structurally identical but have different content (e.g., product pages, user profiles) and tests a representative sample, preventing wasted scan time on redundant pages while still covering all unique page structures.
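To illustrate the deduplication idea above, here is an added example (written for this page, not Detectify's own crawler code) that fingerprints a page by its tag skeleton, ignoring text and attribute values, so pages rendered from the same template collapse to one representative. The URLs and HTML below are constructed samples.

```python
"""Structural page deduplication, as a DAST crawler might do it (added example)."""
from html.parser import HTMLParser
import hashlib


class TagSkeleton(HTMLParser):
    """Collect a page's tag structure, dropping text and attribute values.
    Only attribute *names* are kept, so two product pages with different
    titles, prices and hrefs still yield the same skeleton."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        names = ",".join(sorted(name for name, _ in attrs))
        self.parts.append(f"<{tag}[{names}]>")

    def handle_endtag(self, tag):
        self.parts.append(f"</{tag}>")


def structural_fingerprint(html: str) -> str:
    """Short hash of the tag skeleton; identical for pages sharing a template."""
    parser = TagSkeleton()
    parser.feed(html)
    parser.close()
    return hashlib.sha256("".join(parser.parts).encode()).hexdigest()[:16]


def select_representatives(pages: dict) -> dict:
    """Group crawled pages by fingerprint and keep the first URL per structure."""
    reps = {}
    for url, html in pages.items():
        reps.setdefault(structural_fingerprint(html), url)
    return reps


# Constructed sample crawl: two product pages from one template plus a login page.
PRODUCT = ('<html><body><h1 class="t">{name}</h1><p id="price">{price}</p>'
           '<a href="/cart?id={id}">Add to cart</a></body></html>')
LOGIN = ('<html><body><form action="/login" method="post"><input name="user">'
         '<input name="pass" type="password"></form></body></html>')
CRAWLED = {
    "https://shop.example/p/1": PRODUCT.format(name="Lamp", price="$20", id=1),
    "https://shop.example/p/2": PRODUCT.format(name="Chair", price="$95", id=2),
    "https://shop.example/login": LOGIN,
}

if __name__ == "__main__":
    for fp, url in select_representatives(CRAWLED).items():
        print(fp, url)  # two lines: one product page, the login page
```

A skeleton-only hash is deliberately coarse: a real crawler also keys on form and parameter names so that two pages with the same layout but different inputs are still both tested.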
Payload-Based Fuzzing
After crawling, the scanner fuzzes discovered inputs with security payloads that trigger specific vulnerability classes. Each payload produces a verifiable response when a vulnerability exists, confirming true positives.
Crowdsource-Powered Modules
Detectify’s vulnerability testing is powered by 1,765+ modules built by Detectify’s internal security research team and a community of over 400 ethical hackers through the Crowdsource program.
Payload-Verified Findings
Application Scanning uses payload-based testing that requires confirmed exploitation indicators, achieving a 99.7% true positive rate. Each finding includes the HTTP request and response that demonstrated the vulnerability.
What Application Scanning Tests For
Application Scanning covers a broad range of vulnerability classes, including:
- SQL Injection (SQLi) — Tests for data extraction and database manipulation through input injection
- Cross-Site Scripting (XSS) — Detects reflected, stored, and DOM-based XSS
- Server-Side Request Forgery (SSRF) — Identifies endpoints that can be abused to make server-side requests
- Remote Code Execution (RCE) — Tests for command injection and code execution vulnerabilities
- SSL/TLS Misconfigurations — Checks for weak protocols, cipher suites, and certificate issues
- And more — Coverage extends well beyond OWASP Top 10 through continuously updated Crowdsource modules
Next Steps
- How It Works — Understand the scanning pipeline from crawling to reporting
- Getting Started — Set up your first scan
- Coverage — Detailed breakdown of vulnerability coverage
- Authentication — Configure scanning behind login pages