How Application Scanning Works
Application Scanning follows a five-step pipeline to test your web applications: asset selection, scan profile configuration, crawling, fuzzing, and reporting.
Step 1: Asset Selection
Select the domain or subdomain you want to scan. The target must be a domain that has been added and verified in your Detectify account. You can scan specific paths within a domain by configuring the scope in your scan profile.
Step 2: Scan Profile Configuration
Create or select a scan profile that defines how the scan runs. A scan profile includes:
- Target scope: Which URLs and paths to include or exclude
- Authentication: Login credentials or recorded sessions for testing behind authentication
- Schedule: When and how often the scan runs (manual, weekly, or API-triggered)
- Throttling: Request rate limits to control scanner load on your application
Scan profiles are reusable, so you can configure once and run the same scan repeatedly.
Step 3: Crawling
The scanner discovers your application’s attack surface by crawling it with a headless Chrome browser.
Headless Chrome Rendering
The scanner launches a headless Chrome instance that loads each page, executes JavaScript, and interacts with the DOM. This allows it to discover content that is rendered client-side, including routes in single-page applications, dynamically loaded forms, and JavaScript-generated links.
Graph-Based State Modeling
Instead of treating the application as a tree of pages, the crawler models it as a graph of states and transitions. Each unique application state (combination of URL, DOM structure, and visible content) is a node. Actions that change the state (clicking buttons, submitting forms, navigating links) are edges.
This approach discovers functionality that requires specific interaction sequences, such as:
- Multi-step checkout flows
- Form wizards with conditional fields
- Modal dialogs and dynamic panels
- AJAX-loaded content triggered by user actions
Page Deduplication
Modern web applications often have many pages with identical structure but different data — product pages, blog posts, user profiles. The crawler identifies structurally identical pages and tests a representative sample rather than every instance. This dramatically reduces scan time without sacrificing coverage.
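The deduplication idea above can be sketched as follows. This is an added example, not Detectify's code: it assumes structural identity is judged by hashing the page's tag skeleton, and the function names and sample pages are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no closing tag
KEEP_VALUE = {"name", "type"}  # attribute values that define an input, not data

class Skeleton(HTMLParser):
    """Records tag structure; text and most attribute values are discarded."""
    def __init__(self):
        super().__init__()
        self.tokens, self.depth = [], 0

    def handle_starttag(self, tag, attrs):
        parts = sorted(f"{k}={v}" if k in KEEP_VALUE else k for k, v in attrs)
        self.tokens.append(f"{self.depth}:{tag}[{','.join(parts)}]")
        if tag not in VOID:
            self.depth += 1

    def handle_endtag(self, tag):
        if tag not in VOID:
            self.depth = max(0, self.depth - 1)

def structure_hash(html):
    parser = Skeleton()
    parser.feed(html)
    parser.close()
    # A set, so a listing with 3 items and one with 30 hash the same.
    skeleton = "\n".join(sorted(set(parser.tokens)))
    return hashlib.sha256(skeleton.encode()).hexdigest()[:16]

def representatives(pages):
    """Map url -> html to the first URL seen for each distinct structure."""
    seen = {}
    for url, html in pages.items():
        seen.setdefault(structure_hash(html), url)
    return sorted(seen.values())

# Constructed sample pages: two share a template, one adds a review form.
TEMPLATE = ('<html><body><h1>{t}</h1><p class="price">{p}</p>'
            '<form action="/cart" method="post">'
            '<input type="hidden" name="sku" value="{s}">'
            '<input type="submit"></form>{extra}</body></html>')
REVIEW = '<form action="/review"><textarea name="comment"></textarea></form>'
SAMPLE_PAGES = {
    "/product/1": TEMPLATE.format(t="Kettle", p="19.00", s="K-1", extra=""),
    "/product/2": TEMPLATE.format(t="Toaster", p="34.50", s="T-7", extra=""),
    "/product/3": TEMPLATE.format(t="Mixer", p="89.00", s="M-3", extra=REVIEW),
    "/blog/launch": "<html><body><article><h2>News</h2></article></body></html>",
}

if __name__ == "__main__":
    print(representatives(SAMPLE_PAGES))
```

The third product page is kept as its own representative because its extra review form adds an input that the first two pages do not have, which is the case a structure-only comparison must not collapse.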
Step 4: Fuzzing
After crawling, the scanner tests discovered inputs for vulnerabilities using payload-based fuzzing.
Technology Fingerprinting
Before fuzzing, the scanner fingerprints the technologies running on your application (web server, framework, programming language, libraries). This information determines which vulnerability modules are relevant, focusing the scan on payloads that can actually affect your technology stack.
Module Selection
Based on fingerprinting results and the types of inputs discovered during crawling, the scanner selects from over 1,765 Crowdsource modules. Each module targets a specific vulnerability type or technology-specific weakness.
Payload Injection
The scanner injects payloads into discovered input vectors, including:
- URL parameters and path segments
- Form fields and request bodies
- HTTP headers and cookies
- JSON and XML payloads in API endpoints
Each payload is designed to produce a detectable response when a vulnerability exists. The scanner analyzes responses for exploitation indicators such as reflected payloads, error messages, timing differences, and out-of-band callbacks.
Step 5: Reporting
When a vulnerability is confirmed, the scanner generates a finding that includes:
- Vulnerability details: Type, description, and technical explanation
- Proof of concept: The exact request and response that confirmed the vulnerability
- Severity rating: Based on the potential impact of exploitation
- Remediation guidance: Specific steps to fix the issue
- Affected URL and parameter: Exactly where the vulnerability exists
Findings are available in the Detectify dashboard immediately as they are discovered during the scan, and a complete report is generated when the scan finishes.
Next Steps
- Scan Profiles — Configure scan scope, authentication, and scheduling
- Coverage — What vulnerabilities the scanner tests for
- Authentication — Set up authenticated scanning