A vulnerability scanner for web applications is an automated security tool designed to identify potential vulnerabilities and security holes in web applications. Such scanners play an important role in website security testing by attempting to uncover vulnerabilities before malicious actors can exploit them.
You can use the scanner once per day free of charge. From 03/15/2024 the free use will be restricted and you will no longer see all results. To be able to use the scanner to its full extent from 01/15/2024, a license* is required.
*The licenses are user-related and cannot be transferred.
* Annual billing
The ratings will change if the operator(s) adjust their server and/or CMS configurations accordingly and rescan with our Web Surface Scanner.
For every piece of information that the server outputs for a website and that is a security-relevant risk, a point is awarded in the scanner. Some information should not be displayed, but does not directly represent a risk and is rated with half a point. A maximum of 6.5 points is currently awarded for the server.
The page is accessible without HTTPS, so an unencrypted connection between user and server can be forced.
The site has no SSL certificate. Communication between the browser and the server is unprotected.
The server header (product name only) gives attackers an initial filter, but is not a high risk.
Here the server name plus version is displayed. This is a clear attack vector.
The operating system is output in addition to the server application. Attackers now know enough about the server system to launch an effective attack.
The server outputs the scripting language used. This is not a direct attack vector, but gives attackers a hint.
Besides the scripting language name, its version is also displayed. Together with the information above, attackers now have all the keys in their hands.
A look into the CVE entries now gives the attacker the opportunity to select the most promising attack vector.
If this setting is missing, hackers can easily carry out a man-in-the-middle attack.
The server allows the files in some or all directories to be listed. This means that an attacker knows all the files and can plan their attack accordingly.
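The server-side checks above can be reproduced as a self-audit over a captured response of your own site. This is an added example, not the scanner's own code; the per-item weights and the constructed sample response are assumptions made for illustration.

```python
import re

# Assumed weights modelled on the page's scheme: a full point for a direct
# risk, half a point for information that merely should not be shown.
WEIGHTS = {
    "no_https": 1.0,
    "no_certificate": 1.0,
    "server_name": 0.5,
    "server_version": 1.0,
    "server_os": 1.0,
    "script_language": 0.5,
    "script_version": 1.0,
    "no_hsts": 1.0,
    "directory_listing": 1.0,
}

VERSION_RE = re.compile(r"/\d+(\.\d+)*")                # e.g. "Apache/2.4.57"
OS_RE = re.compile(r"\((Ubuntu|Debian|Win\d+|Unix|CentOS|FreeBSD)\)", re.I)
LISTING_RE = re.compile(r"<title>\s*Index of /", re.I)   # typical autoindex page


def score_server_surface(scheme, headers, body):
    """Return (findings, total) for one captured response of your own site.

    scheme:  "http" or "https" of the URL that was fetched.
    headers: dict of response header name -> value (names case-insensitive).
    body:    response body text (used only for the directory-listing check).
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme != "https":
        # Plain HTTP: the connection is unencrypted and no certificate is in use.
        findings += ["no_https", "no_certificate"]
    server = h.get("server", "")
    if server:
        findings.append("server_name")
        if VERSION_RE.search(server):
            findings.append("server_version")
        if OS_RE.search(server):
            findings.append("server_os")
    powered = h.get("x-powered-by", "")
    if powered:
        findings.append("script_language")
        if VERSION_RE.search(powered):
            findings.append("script_version")
    if scheme == "https" and "strict-transport-security" not in h:
        findings.append("no_hsts")   # HTTPS site without HSTS can be downgraded
    if LISTING_RE.search(body):
        findings.append("directory_listing")
    return findings, sum(WEIGHTS[f] for f in findings)
```

Feed it the headers and body you captured from your own server; a hardened configuration (HTTPS, HSTS, version-less Server header, no X-Powered-By, autoindex off) should return an empty finding list.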
The scanner distinguishes between the individual content management systems, which is why there are different maximum points depending on the CMS. It is noticeable that WordPress, a very popular CMS with a current share of approx. 63% of the scanned websites, receives the most points. This is not due to the distribution but because WordPress was developed as a blog system with a focus on API (Application Programming Interface).
With a little background knowledge and experience, anyone can figure out the CMS. But there are CMS that even display the version. This is highly risky because attackers can find the vulnerabilities, e.g. in the CVE.
The external URLs are not a risk at first. However, if links are included that are very insecure, users may fall into a clickjacking trap when they click on them. There may also be problems with the GDPR.
A manifest.js is nothing dangerous at first. The idea of manifest.js is to give users a better surfing experience by having the browser work directly with the operating system. Exactly this goal is highly risky.
Self-hosted CMS such as WordPress, TYPO3, Joomla, etc. are usually hosted on a server rented from an ISP. Some ISPs also offer setup and maintenance, but these are separate instances. The backend login should not be accessible here without additional measures such as directory protection. As the scanner does not perform a penetration test, it is not possible to assess whether the login is also equipped with two-factor or multi-factor authentication. For this reason, only half a point is awarded.
Activecity, Bitrix, Funnel, Hubspot, Pansite, Silverstripe, Wix and the standard CMS of CMS hosters use a central login. Here it is much more difficult to distinguish an incorrect login from an attack. In addition, an attacker can also gain access to other pages and data.
Information that suggests plugins gives attackers a good attack vector. If an info file (e.g. readme.txt or README.MD) is present and can be called up via URL, an attacker can read it and obtain further information such as the version of the plugin. This in turn allows conclusions to be drawn about the CMS version. An attacker can even find out the scripting language used. In combination with the CVE entries, an attacker can choose the best attack vectors.
The scanner can read the user (usually the admin user). WordPress, for example, offers a JSON interface whose link is even displayed on every page. Even if there is attack detection (e.g. after 5 incorrect logins the IP is blocked), attackers with botnets or hijacked cloud accounts can determine the password from a huge number of different IP addresses within a very short time.
This is a file that still originates from the original system and is very susceptible to attacks. The xmlrpc.php file is still delivered in the latest WordPress versions.
WP JSON is the newer API from WordPress. The URL to WP JSON is displayed directly in most pages and can be called by anyone. It delivers a lot of information about the system (plugins, users, etc.) in JSON format. For an attacker, this is the first port of call.
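The WordPress findings described above (advertised REST link, readable plugin readme, xmlrpc.php, readable user list) can be checked on your own site from captured responses. This is an added example, not the scanner's code; the sample responses, the plugin path and the weights are constructed assumptions.

```python
import json
import re

# Constructed sample responses standing in for what a self-audit of your own
# WordPress site might capture (assumed paths, not real scanner output).
SAMPLE_RESPONSES = {
    "/": '<html><head><link rel="https://api.w.org/" href="https://example.test/wp-json/" /></head></html>',
    "/wp-content/plugins/some-plugin/readme.txt": "=== Some Plugin ===\nRequires PHP: 7.4\nStable tag: 1.2.3\n",
    "/xmlrpc.php": "XML-RPC server accepts POST requests only.",
    "/wp-json/wp/v2/users": '[{"id": 1, "name": "Site Admin", "slug": "admin"}]',
}

STABLE_TAG_RE = re.compile(r"^Stable tag:\s*(\S+)", re.M)     # plugin version
REQUIRES_PHP_RE = re.compile(r"^Requires PHP:\s*(\S+)", re.M)  # scripting language hint


def audit_wordpress_surface(responses):
    """Map path -> body text to a list of (finding, points) tuples.

    Weights follow the page's half-point/full-point idea and are assumptions.
    """
    findings = []
    if "api.w.org" in responses.get("/", ""):
        findings.append(("rest_api_link_advertised", 0.5))
    for path, body in responses.items():
        if path.lower().endswith(("readme.txt", "readme.md")):
            tag = STABLE_TAG_RE.search(body)
            if tag:
                findings.append((f"plugin_version:{path}:{tag.group(1)}", 1.0))
            else:
                findings.append((f"plugin_readme:{path}", 0.5))
            php = REQUIRES_PHP_RE.search(body)
            if php:
                findings.append((f"script_language_hint:{php.group(1)}", 0.5))
    if responses.get("/xmlrpc.php", "").startswith("XML-RPC server accepts"):
        findings.append(("xmlrpc_enabled", 1.0))
    users_body = responses.get("/wp-json/wp/v2/users")
    if users_body:
        try:
            users = json.loads(users_body)
        except ValueError:
            users = []
        slugs = [u.get("slug") for u in users if isinstance(u, dict) and u.get("slug")]
        if slugs:
            findings.append((f"users_readable:{len(slugs)}", 1.0))
    return findings


def total_points(findings):
    return sum(points for _, points in findings)
```

Each finding names the response it came from, so the list doubles as a remediation checklist (restrict the readme and xmlrpc.php at the web server, require authentication for the users endpoint).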
The scanner has existed since the beginning of November 2023 and is constantly optimized; the Web Surface Scanner is learning. For this reason, new CMS are constantly being added and the detection of security-relevant information is improved. This means that the total number of points for the server and for the CMS can grow over time.