Coverage

Application Scanning’s vulnerability detection is powered by over 1,765 security testing modules built by Detectify’s internal security research team, a community of approximately 400 ethical hackers through the Crowdsource program, and Alfred AI. Coverage evolves continuously as new vulnerability types emerge.

Crowdsource Modules

Each module is a targeted security test created by an ethical hacker, reviewed by Detectify’s security team, and deployed to all customers. Modules test for specific vulnerability types, technology-specific weaknesses, and emerging attack techniques.

How Modules Work

  1. An ethical hacker discovers a new vulnerability class or technique
  2. They create a module that tests for this specific issue using payload-based detection
  3. Detectify reviews the module for accuracy, safety, and false positive rate
  4. The module is deployed and runs automatically as part of Application Scanning
  5. When the module detects a vulnerability in your application, it generates a finding with proof-of-concept evidence

Module Update Frequency

New modules are added regularly as hackers contribute new techniques. Existing modules are updated when vulnerability detection methods improve or when new variations of known vulnerabilities are discovered. This means your coverage improves over time without any action on your part.

True Positive Rate

Application Scanning achieves an approximately 99.7% true positive rate. This means that nearly every finding the scanner reports represents a real, exploitable vulnerability.

This high accuracy is achieved through:

  • Payload-based testing: Each module uses specific payloads that produce verifiable responses when a vulnerability exists
  • Response validation: The scanner confirms exploitation indicators rather than relying on heuristics
  • Community review: Modules are reviewed for accuracy before deployment
  • Continuous refinement: Modules that produce false positives are updated or removed

Vulnerability Types

Application Scanning covers a comprehensive range of vulnerability classes:

Injection Vulnerabilities

  • SQL Injection (SQLi): Detects data extraction and manipulation through SQL injection in parameters, headers, and request bodies. Covers error-based, blind, and time-based techniques.
  • Cross-Site Scripting (XSS): Identifies reflected, stored, and DOM-based XSS across input vectors. Includes context-aware payload generation for different injection contexts (HTML, JavaScript, attributes).
  • Command Injection: Tests for OS command execution through application inputs.
  • Server-Side Template Injection (SSTI): Detects template engine injection in common frameworks.
  • LDAP Injection: Tests for injection in applications using LDAP directory queries.

Server-Side Vulnerabilities

  • Server-Side Request Forgery (SSRF): Identifies endpoints that can be manipulated to make server-side HTTP requests, including blind SSRF via out-of-band detection.
  • Remote Code Execution (RCE): Tests for code execution through deserialization flaws, expression language injection, and other vectors.
  • Path Traversal: Detects directory traversal and local file inclusion vulnerabilities.
  • XML External Entity (XXE): Tests for XXE injection in XML-parsing endpoints.

Authentication and Session

  • Broken Authentication: Detects weak session management, predictable session tokens, and missing authentication on sensitive endpoints.
  • Session Fixation: Identifies applications vulnerable to session fixation attacks.
  • Insecure Password Reset: Tests password reset flows for common weaknesses.

SSL/TLS and Transport Security

  • Weak Protocols: Detects support for deprecated SSL/TLS versions (SSLv3, TLS 1.0, TLS 1.1).
  • Weak Cipher Suites: Identifies cipher suites vulnerable to known attacks.
  • Certificate Issues: Checks for expired, self-signed, or incorrectly configured certificates.
  • Missing HSTS: Detects the absence of HTTP Strict Transport Security headers.

Configuration and Information Disclosure

  • Security Header Misconfigurations: Missing or misconfigured Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and other security headers.
  • Verbose Error Messages: Detects stack traces, debug output, and other information leakage.
  • Exposed Sensitive Files: Discovers backup files, configuration files, and other sensitive data left accessible.
  • Directory Listing: Identifies web servers exposing directory contents.
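As an added example (not Detectify's code or its actual checks), the following Python audits a single HTTP response against the transport and header misconfigurations listed above: missing HSTS, missing or permissive Content-Security-Policy, missing clickjacking protection, and missing X-Content-Type-Options. The one-year HSTS threshold, the CSP rules and the sample responses are this example's own assumptions.

```python
"""Defender-side header audit for one HTTP response (added example, not Detectify's)."""
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # assumption: shortest HSTS max-age this audit accepts

# Constructed sample responses (headers only).
WEAK_RESPONSE = {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"}
HARDENED_RESPONSE = {
    "Server": "Apache",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}

def _hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age from a Strict-Transport-Security value; None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def _csp_directives(value: str) -> Dict[str, List[str]]:
    """Parse "default-src a b; script-src c" into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out

def audit_headers(headers: Dict[str, str], https: bool = True) -> List[str]:
    """Return finding ids for the response headers, in a fixed order."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    if https:  # browsers ignore HSTS on plain HTTP, so only judge it on HTTPS responses
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("missing-hsts")
        elif (_hsts_max_age(hsts) or 0) < ONE_YEAR:
            findings.append("weak-hsts-max-age")
    csp = h.get("content-security-policy")
    directives = _csp_directives(csp) if csp else {}
    if csp is None:
        findings.append("missing-csp")
    else:  # script-src falls back to default-src; wildcard or inline scripts defeat XSS mitigation
        script = directives.get("script-src", directives.get("default-src", []))
        if not script or "*" in script or "'unsafe-inline'" in script:
            findings.append("permissive-csp-script-src")
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in directives and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("missing-clickjacking-protection")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing-x-content-type-options")
    return findings
```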

Beyond OWASP Top 10

While Application Scanning covers all OWASP Top 10 categories, its coverage extends well beyond this baseline:

  • Business logic vulnerabilities specific to common application patterns
  • Technology-specific vulnerabilities in popular frameworks and libraries
  • Emerging attack techniques contributed by active security researchers
  • Chained vulnerabilities where multiple lower-severity issues combine into higher-impact attacks

Technology-Specific Coverage

The scanner fingerprints your application’s technology stack and selects modules accordingly. This means applications running WordPress receive WordPress-specific tests, PHP applications receive PHP-specific tests, and so on. Technology-specific modules cover:

  • Content management systems (WordPress, Drupal, Joomla)
  • Web frameworks (Django, Rails, Express, Spring, Laravel)
  • Web servers (Apache, Nginx, IIS)
  • JavaScript frameworks and libraries
  • API frameworks and patterns

Next Steps

  • Results — Understanding findings and proof-of-concept data
  • How It Works — The scanning pipeline from crawl to report
  • Scan Profiles — Configure scans for your technology stack