Web Application Security Testing
Detectify Application Scanning is a Dynamic Application Security Testing (DAST) solution that crawls and fuzzes your custom web applications to identify real, exploitable vulnerabilities. It uses a headless Chrome browser to interact with your applications the way a real attacker would.
What is Application Scanning?
Application Scanning tests your running web applications by sending requests, analyzing responses, and injecting payloads to detect vulnerabilities. Unlike static analysis, DAST works against the live application, catching issues that only manifest at runtime.
Detectify’s scanner is purpose-built for modern web applications, including single-page applications (SPAs), JavaScript-heavy frontends, and applications behind authentication.
Key Capabilities
Headless Chrome Crawling
The scanner uses a headless Chrome browser to render pages, execute JavaScript, and interact with dynamic content. This means it can test SPAs built with React, Angular, Vue, and other modern frameworks.
Graph-Based Crawling
Rather than following a simple link tree, the scanner builds a graph model of your application’s states and transitions. This allows it to discover functionality that requires specific sequences of interactions, such as multi-step forms and stateful workflows.
Page Deduplication
The crawler intelligently identifies pages that are structurally identical but have different content (e.g., product pages, user profiles). This prevents wasting scan time on redundant pages while ensuring all unique page structures are tested.
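As an added illustration of the structural deduplication idea (this is not Detectify's implementation, whose algorithm the page does not describe), the following fingerprints a page by its tag and attribute-name skeleton, ignoring text, attribute values and repeated sibling subtrees such as list items, so two product pages collapse into one group while a login form stays separate. The sample markup is constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

# HTML void elements never receive an end tag, so they must not be pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta",
        "source", "track", "wbr"}


class _Skeleton(HTMLParser):
    """Builds a tree of (tag, sorted attribute names, children); text and attribute values are dropped."""

    def __init__(self):
        super().__init__()
        self.root = ("#root", (), [])
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = (tag, tuple(sorted(name for name, _ in attrs)), [])
        self.stack[-1][2].append(node)
        if tag not in VOID:
            self.stack.append(node)

    def handle_endtag(self, tag):
        # Tolerate unbalanced markup: pop back to the nearest matching open tag, if any.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                return


def _serialize(node):
    tag, attr_names, children = node
    parts, prev = [], None
    for child in children:
        s = _serialize(child)
        if s != prev:  # collapse runs of identical sibling subtrees (list items, table rows)
            parts.append(s)
        prev = s
    return f"<{tag} {' '.join(attr_names)}>{''.join(parts)}</{tag}>"


def structural_fingerprint(html):
    """Return a short hash of the page's structure; pages with the same skeleton share it."""
    parser = _Skeleton()
    parser.feed(html)
    parser.close()
    return hashlib.sha256(_serialize(parser.root).encode()).hexdigest()[:16]


def deduplicate(pages):
    """Group (url, html) pairs by fingerprint so one representative per structure is fuzzed."""
    groups = {}
    for url, html in pages:
        groups.setdefault(structural_fingerprint(html), []).append(url)
    return groups


SAMPLE_PAGES = [  # constructed sample markup, not captured from any real site
    ("/product/1", "<html><body><h1>Blue Kettle</h1><ul><li><a href='/p/1'>x</a></li></ul>"
                   "<form action='/cart'><input name='qty'><button>Add</button></form></body></html>"),
    ("/product/2", "<html><body><h1>Red Toaster</h1><ul><li><a href='/p/2'>a</a></li>"
                   "<li><a href='/p/3'>b</a></li><li><a href='/p/4'>c</a></li></ul>"
                   "<form action='/cart'><input name='qty'><button>Buy</button></form></body></html>"),
    ("/login", "<html><body><form action='/login' method='post'><input name='user'>"
               "<input name='pass' type='password'><button>Log in</button></form></body></html>"),
]
```

Running `deduplicate(SAMPLE_PAGES)` yields two groups: both product URLs under one fingerprint and the login page under another.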
Payload-Based Fuzzing
After crawling, the scanner fuzzes discovered inputs with security payloads designed to trigger specific vulnerability classes. Each payload is crafted to produce a verifiable response when a vulnerability exists, confirming true positives.
Crowdsource-Powered Modules
Detectify’s vulnerability testing is powered by over 1,765 modules built by Detectify’s internal security research team and a community of approximately 400 ethical hackers through the Crowdsource program.
Payload-Verified Findings
Application Scanning uses payload-based testing that requires confirmed exploitation indicators, achieving an approximately 99.7% true positive rate. Each finding includes the HTTP request and response that demonstrated the vulnerability.
What Application Scanning Tests For
Application Scanning covers a broad range of vulnerability classes, including:
- SQL Injection (SQLi) — Tests for data extraction and database manipulation through input injection
- Cross-Site Scripting (XSS) — Detects reflected, stored, and DOM-based XSS
- Server-Side Request Forgery (SSRF) — Identifies endpoints that can be abused to make server-side requests
- Remote Code Execution (RCE) — Tests for command injection and code execution vulnerabilities
- SSL/TLS Misconfigurations — Checks for weak protocols, cipher suites, and certificate issues
- And more — Coverage extends well beyond OWASP Top 10 through continuously updated Crowdsource modules
Next Steps
- How It Works — Understand the scanning pipeline from crawling to reporting
- Getting Started — Set up your first scan
- Coverage — Detailed breakdown of vulnerability coverage
- Authentication — Configure scanning behind login pages