Vulnerability scanning API for web security automation
Scan web apps from your code.
A versatile scanner for mass web scanning
WAppScan.io is an API for web application vulnerability scanning which can be used to automate vulnerability detection in websites exposed to the Internet. It's perfectly suited to programmatically scan large attack surfaces using the passive scanning mode (which is very fast), but it can also be used to perform in-depth scans with the active scanning mode.
Simple API for scan automation
WAppScan.io exposes a REST API that is straightforward to integrate into an existing workflow in order to automate web application scans. Each scan result is returned as JSON, so the vulnerabilities found for each target can be extracted programmatically and fed into a ticketing system, a CI gate or a dashboard. See the API reference for detailed documentation.
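The kind of post-processing that paragraph has in mind, as an added example rather than WAppScan.io's own client code: a small triage helper that flattens JSON scan results from several targets, removes duplicate findings, summarises them by risk and decides whether a pipeline should fail. The result schema used here (a top-level array of scans with `target`, `mode` and a `findings` list carrying `name`, `risk` and `evidence`) is an assumption made for illustration; the field names must be adapted to the real API reference, and the sample document is constructed.

```python
"""Triage helper for JSON scan results.

Added example, not WAppScan.io's client code. The schema (top-level array
of scans, each with target/mode/findings[name, risk, evidence]) is a
hypothetical shape assumed for illustration; adapt it to the API reference.
"""
import json
from collections import Counter

RISK_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: results for two targets, as an automation job
# that scans a list of hosts might collect them.
SAMPLE_RESULTS = json.dumps([
    {
        "target": "https://shop.example.com",
        "mode": "passive",
        "findings": [
            {"name": "Missing Content-Security-Policy header", "risk": "low",
             "evidence": "no CSP header in response"},
            {"name": "Outdated jQuery 1.12.4", "risk": "medium",
             "evidence": "/static/jquery-1.12.4.min.js"},
            # Same component found on a second page: should collapse to one finding.
            {"name": "Outdated jQuery 1.12.4", "risk": "medium",
             "evidence": "/checkout/jquery-1.12.4.min.js"},
        ],
    },
    {
        "target": "https://api.example.com",
        "mode": "active",
        "findings": [
            {"name": "SQL injection in parameter id", "risk": "high",
             "evidence": "GET /items?id=1' -> SQL syntax error"},
        ],
    },
])


def parse_results(raw: str) -> list[dict]:
    """Flatten a JSON array of scan results into one row per finding.

    Each row carries its target so findings from many scans can be
    aggregated together. A missing or unknown risk label is kept as-is
    and sorts below "info" rather than crashing the job.
    """
    rows = []
    for scan in json.loads(raw):
        for f in scan.get("findings", []):
            rows.append({
                "target": scan["target"],
                "mode": scan.get("mode", "unknown"),
                "name": f["name"],
                "risk": f.get("risk", "info").lower(),
                "evidence": f.get("evidence", ""),
            })
    return rows


def dedupe(rows: list[dict]) -> list[dict]:
    """Collapse repeated (target, name) pairs, keeping the first evidence seen."""
    seen = {}
    for r in rows:
        seen.setdefault((r["target"], r["name"]), r)
    return list(seen.values())


def worst_risk(rows: list[dict]) -> str:
    """Highest risk label present, or "none" for an empty result set."""
    if not rows:
        return "none"
    return max(rows, key=lambda r: RISK_ORDER.get(r["risk"], -1))["risk"]


def gate(rows: list[dict], threshold: str = "high") -> bool:
    """True when a pipeline should fail: any finding at or above threshold."""
    limit = RISK_ORDER[threshold]
    return any(RISK_ORDER.get(r["risk"], -1) >= limit for r in rows)


def summary(rows: list[dict]) -> Counter:
    """Count of findings per risk label."""
    return Counter(r["risk"] for r in rows)


if __name__ == "__main__":
    rows = dedupe(parse_results(SAMPLE_RESULTS))
    for r in sorted(rows, key=lambda r: -RISK_ORDER.get(r["risk"], -1)):
        print(f"{r['risk']:8} {r['target']:28} {r['name']}")
    print("summary:", dict(summary(rows)), "worst:", worst_risk(rows), "fail build:", gate(rows))
```

Deduplicating on (target, name) before gating matters in practice: the same outdated library linked from ten pages is one remediation item, not ten, and counting it ten times skews any severity summary.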
Two vulnerability scanning modes
Passive scanning
WAppScan.io can detect some web and infrastructure vulnerabilities passively, without sending attack payloads to the target website. In this scanning mode the scanner interacts with the target as any regular user or crawling engine from the Internet would, making a small number of benign HTTP requests and inspecting the responses. This mode is lightweight and fast, and it is unlikely to be flagged as a scan by a Web Application Firewall because the traffic is indistinguishable from ordinary browsing. Because no attack traffic is sent, WAppScan.io does not require explicit permission from the website owner to use this mode; you should still confirm that your own engagement rules and local law allow scanning targets you do not own.
With passive scanning you can detect vulnerabilities such as: outdated server-side software, old and vulnerable application components (e.g. JavaScript libraries), directory listing, secrets and other sensitive information exposed in page content, missing or misconfigured security headers and more.
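To make the passive mode concrete, here is an added example (not WAppScan.io's engine) of the checks that can be run over the headers and body of one ordinary GET response: missing security headers, an end-of-life server banner, a directory listing page, an outdated JavaScript library and secrets left in the page. The response is constructed for illustration, and the version thresholds and secret patterns are deliberately small, hypothetical tables rather than a real vulnerability database.

```python
"""Passive checks over a single captured HTTP response.

Added example, not WAppScan.io's code. Nothing here sends a payload: all
findings come from inspecting headers and body of one benign GET request.
The sample response and the small version/secret tables are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    risk: str
    evidence: str


# Hypothetical minimum versions used to flag old components (illustrative only).
MIN_VERSIONS = {"jquery": (3, 5, 0), "bootstrap": (4, 3, 1)}
# Illustrative thresholds below which a Server banner is treated as end-of-life.
EOL_SERVERS = {"apache": (2, 4, 0), "nginx": (1, 18, 0)}
# Security headers a hardened site is expected to send, with the risk of their absence.
REQUIRED_HEADERS = {
    "strict-transport-security": "low",
    "content-security-policy": "low",
    "x-content-type-options": "info",
    "x-frame-options": "info",
}
# Secret patterns: AWS access key IDs and hard-coded API keys in inline script.
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Hard-coded API key": re.compile(
        r"""api[_-]?key\s*[:=]\s*['"][A-Za-z0-9_\-]{16,}['"]""", re.I),
}


def _version(s: str) -> tuple:
    return tuple(int(x) for x in s.split("."))


def check_headers(headers: dict) -> list[Finding]:
    """Missing hardening headers and outdated server banners."""
    h = {k.lower(): v for k, v in headers.items()}
    out = [Finding(f"Missing {name} header", risk, "header absent")
           for name, risk in REQUIRED_HEADERS.items() if name not in h]
    server = h.get("server", "")
    m = re.match(r"([A-Za-z]+)/(\d+(?:\.\d+)+)", server)
    if m and m.group(1).lower() in EOL_SERVERS:
        if _version(m.group(2)) < EOL_SERVERS[m.group(1).lower()]:
            out.append(Finding("Outdated server software", "medium", f"Server: {server}"))
    return out


def check_body(status: int, body: str) -> list[Finding]:
    """Directory listings, old JS libraries and secrets visible in the page."""
    out = []
    if status == 200 and re.search(r"<title>\s*Index of /", body, re.I):
        out.append(Finding("Directory listing enabled", "medium", "title 'Index of /'"))
    for lib, minimum in MIN_VERSIONS.items():
        for m in re.finditer(rf"{lib}[-.](\d+\.\d+\.\d+)", body, re.I):
            if _version(m.group(1)) < minimum:
                out.append(Finding(f"Outdated {lib} {m.group(1)}", "medium", m.group(0)))
    for name, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(body):
            out.append(Finding(f"{name} exposed in page", "high", m.group(0)))
    return out


def passive_scan(status: int, headers: dict, body: str) -> list[Finding]:
    return check_headers(headers) + check_body(status, body)


# Constructed response: what one benign GET might return from a neglected host.
SAMPLE_STATUS = 200
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.15",
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
}
SAMPLE_BODY = """<html><head><title>Index of /backup</title>
<script src="/static/jquery-1.12.4.min.js"></script>
<script>var api_key = "k7Gq2pLm9XzR4tVb8NcW";</script>
</head><body>AKIAIOSFODNN7EXAMPLE</body></html>"""

if __name__ == "__main__":
    for f in passive_scan(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"[{f.risk}] {f.name}: {f.evidence}")
```

Note what the checks do not do: a passive check can tell you a version string is old, but not whether the specific vulnerable code path is reachable, so these findings are candidates for verification rather than confirmed exploitable issues.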
Active scanning
You can perform a full scan of the web application using the active scanning mode. WAppScan.io's active scan first runs a crawler against the target website, which extracts a list of injection points where the application accepts user input. The scanner then injects attack payloads into each injection point in order to trigger and detect vulnerabilities such as Cross-Site Scripting (XSS), SQL injection, code injection, XXE, file inclusion and many more.
This scanning mode is likely to raise alerts and security events on the server side, and you need explicit permission from the website owner before running it. The active scanning mode also runs all of the passive checks.
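The crawl-then-inject loop described above, as an added example rather than WAppScan.io's engine: a parser collects injection points (form fields and query-string parameters) from the starting page, then each point receives an XSS canary and a SQL error probe and the responses are inspected for reflection or database error signatures. The target is a tiny in-process mock application constructed for illustration, which deliberately reflects the `q` parameter unencoded and leaks a database error for `id`; swapping `mock_app` for real HTTP requests is exactly the step that requires the owner's permission.

```python
"""Minimal active-scan loop: crawl for injection points, then inject.

Added example, not WAppScan.io's engine. `mock_app` is a constructed
vulnerable target that runs in-process so the example works offline.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Unusual token plus tag-breaking characters: if it comes back verbatim,
# the parameter is reflected without output encoding.
XSS_CANARY = "wq7zc\"'><svg/onload=wq7zc>"
# A single quote is enough to break a naively concatenated SQL string.
SQLI_PROBE = "1'"
SQL_ERRORS = [
    r"you have an error in your sql syntax",
    r"unterminated quoted string",
    r"sqlite3\.OperationalError",
]

INDEX_HTML = """<html><body>
<form action="/search" method="get"><input name="q"><input type="submit"></form>
<a href="/item?id=7">item</a>
<a href="/about">about</a>
</body></html>"""


def mock_app(path: str, params: dict) -> tuple[int, str]:
    """Constructed target with one reflected XSS and one error-based SQLi."""
    if path == "/":
        return 200, INDEX_HTML
    if path == "/search":
        return 200, f"<h1>Results for {params.get('q', '')}</h1>"   # no encoding
    if path == "/item":
        item_id = params.get("id", "")
        if "'" in item_id:   # simulates a query built by string concatenation
            return 500, "sqlite3.OperationalError: unrecognized token: \"'\""
        return 200, f"<p>item {escape(item_id)}</p>"
    return 404, "not found"


class InjectionPointParser(HTMLParser):
    """Collects (path, parameter) pairs from forms and links with query strings."""

    def __init__(self):
        super().__init__()
        self.points = set()
        self._form_action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_action = a.get("action", "/")
        elif tag == "input" and self._form_action and a.get("name") \
                and a.get("type", "text") != "submit":
            self.points.add((self._form_action, a["name"]))
        elif tag == "a" and a.get("href"):
            u = urlsplit(a["href"])
            for name, _ in parse_qsl(u.query):
                self.points.add((u.path, name))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def crawl(fetch, start: str = "/") -> list[tuple[str, str]]:
    """One-page crawl: parse the start page for injection points."""
    _, body = fetch(start, {})
    parser = InjectionPointParser()
    parser.feed(body)
    return sorted(parser.points)


def active_scan(fetch, points) -> list[tuple[str, str, str]]:
    """Inject each probe into each point; return (finding, path, param)."""
    findings = []
    for path, param in points:
        _, body = fetch(path, {param: XSS_CANARY})
        if XSS_CANARY in body:
            findings.append(("Reflected XSS", path, param))
        _, body = fetch(path, {param: SQLI_PROBE})
        if any(re.search(pat, body, re.I) for pat in SQL_ERRORS):
            findings.append(("SQL injection (error-based)", path, param))
    return findings


if __name__ == "__main__":
    points = crawl(mock_app)
    print("injection points:", points)
    for finding in active_scan(mock_app, points):
        print(finding)
```

Every request in `active_scan` carries a payload the server never expects from a legitimate user, which is why this mode shows up in WAF logs and application error logs and why the page insists on explicit permission for it.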