
Website Vulnerability Preferences

Scan jobs can be configured with the optional "preferences" object. If no "preferences" object is passed to a scanning job, the default parameters are used.

The Website Vulnerability scanner was designed, and is continually improved, to discover vulnerabilities that result from poor programming practices, misconfigurations in infrastructure and vulnerable software.

It draws on a wide range of data collected by individual tasks, which together provide enough input to diagnose risks and failures that could be exploited by malicious actors.

Because it takes a broad, generalist approach, the Website Vulnerability scanner can also report on the environment in which your website runs. In other words, the findings may produce remediation recommendations in different scopes: front-end, back-end or infrastructure.

scan_type

Parameter type: string

Users can choose between four scan types: "full", "default", "lite" and "api". Lite scans run fewer features but complete much faster than full scans. To view the full list of features for each scan type please visit: Features

Allowed parameters

full
default
lite
api

sqli

Parameter value: sqli

Parameter type: boolean

Activates the SQL Injection vulnerability detection task. This task is disabled by default so as not to overload production environments.

Allowed parameters   Description
false (default)      Disables SQL Injection vulnerability detection
true                 Enables SQL Injection vulnerability detection

xss

Parameter value: xss

Parameter type: boolean

Activates the XSS (Cross-Site Scripting) vulnerability detection task. This task is disabled by default so as not to overload production environments.

Allowed parameters   Description
false (default)      Disables XSS vulnerability detection
true                 Enables XSS vulnerability detection

crawler_options

Parameter type: JSON

Specifies which tasks will be executed by VScanner's crawler

Field name (all fields take a boolean)

exposed_emails (default: true)
    Returns e-mail addresses discovered while crawling

open_redirect (default: true)
    Discovers open redirect vulnerabilities

exposed_apikeys (default: true)
    Returns API keys discovered while crawling

open_directory (default: false)
    Discovers open directories while crawling

exposed_information (default: false)
    Returns files and configurations found while crawling, such as .env files

backdoor_detection (default: false)
    Discovers backdoors that may be present, such as malicious files left behind by attackers

search_url_malware (default: false)
    Discovers URLs used by known malicious JavaScript scripts

Important Note:

Please note that enabling crawler options that are disabled by default can significantly increase the number of requests sent to the target. Be mindful that setting these options to true can generate a high volume of traffic against the target endpoint.

An example of a JSON that enables all crawler options:

{
    "url": "https://www.example.com",
    "preferences": {
        "scan_type": "full",
        "scan_speed": "fast",
        "scan_deep": 3,
        "search_in_web_cache": true,
        "crawler_options": {
            "exposed_emails": true,
            "open_redirect": true,
            "exposed_apikeys": true,
            "open_directory": true,
            "exposed_information": true,
            "backdoor_detection": true,
            "search_url_malware": true
        }
    }
}

cms_brute_force

Parameter type: integer

Initiates a brute force attack against identified CMS systems, such as WordPress.

Allowed parameters   Description
0 (default)          Disables CMS brute force
1                    Enables CMS brute force

web_brute_force

Parameter type: integer

Initiates brute force attacks on Basic access HTTP authentication

Allowed parameters   Description
0 (default)          Disables Basic auth brute force
1                    Enables Basic auth brute force

scan_speed

Parameter type: string

Determines the speed of the crawler.

Allowed parameter   Proc. concurrency   Proc. parallelism   Max. req/sec
"sequencial"        1                   1                   1
"slow"              3                   3                   20
"moderate"          50                  50                  50
"fast"              200                 200                 150

Disclaimer: these values are a guide to the expected scan speed and are not guaranteed, since computational resources are not reserved per scan. Task scheduling is handled by the service and cannot be controlled by the caller, so the figures above describe the intended behaviour and actual throughput may vary with the executing hardware.

scan_deep

Parameter type: integer

The root of the URL counts as level 0, and a scan_deep of N covers levels 0 through N-1. For example, with scan_deep set to 4 VScanner crawls up to the third path level (levels 0, 1, 2 and 3). Default value: 3
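The level counting above is easy to get off by one, so here is the rule worked through in code. This is an added example, not VScanner's own code or part of this documentation: it assumes the semantics stated above (root is level 0, scan_deep N covers levels 0 through N-1), and the way it counts levels (one per non-empty path segment, ignoring query string, fragment and trailing slash) is this example's own assumption. The DISCOVERED links are constructed sample data.

```python
# Added example for this page; not VScanner's own code. It models the
# scan_deep rule stated above (URL root is level 0, scan_deep N covers
# levels 0 through N-1). Counting one level per non-empty path segment
# and ignoring query string, fragment and trailing slash is this
# example's assumption about how levels are counted.
from urllib.parse import urlsplit


def path_level(url: str) -> int:
    """Return the path level of ``url``: the root is 0, /a is 1, /a/b is 2."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return len(segments)


def within_scan_deep(url: str, scan_deep: int) -> bool:
    """True if the crawler would visit ``url`` with the given scan_deep."""
    return path_level(url) < scan_deep


def split_frontier(urls, scan_deep):
    """Partition discovered URLs into (visit, skip) lists for one scan_deep."""
    visit, skip = [], []
    for url in urls:
        (visit if within_scan_deep(url, scan_deep) else skip).append(url)
    return visit, skip


# Constructed sample of links a crawler might discover on a target.
DISCOVERED = [
    "https://www.example.com/",                              # level 0
    "https://www.example.com/blog",                          # level 1
    "https://www.example.com/blog/2024/",                    # level 2
    "https://www.example.com/blog/2024/post?id=7#comments",  # level 3
    "https://www.example.com/blog/2024/post/comments",       # level 4
]

if __name__ == "__main__":
    for depth in (3, 4):
        visit, skip = split_frontier(DISCOVERED, depth)
        print(f"scan_deep={depth}: visit {len(visit)} URLs, skip {len(skip)}")
        for url in skip:
            print(f"  skipped (level {path_level(url)}): {url}")
```

With the default scan_deep of 3 only the root, /blog and /blog/2024/ are visited; raising it to 4 adds the level-3 post page, while the level-4 comments page is still skipped.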

search_in_web_cache

Parameter type: boolean

Indicates whether VScanner should also scan the target's web pages that are cached but not currently indexed on the live site. Because this adds a large number of pages to the scan, it naturally takes longer to complete.

Allowed parameters   Description
false (default)      Disables searching in cached pages
true                 Enables searching in cached pages

csrf

Parameter type: boolean

Set this option to check for Cross-Site Request Forgery vulnerabilities. The default for this check is true.

Allowed parameters   Description
true (default)       Enables CSRF vulnerability detection
false                Disables CSRF vulnerability detection

leak_data_usage

Parameter type: integer

If enabled, VScanner will check whether any discovered emails are listed in data breach databases.

Allowed parameters   Description
0 (default)          Disables the data breach lookup
1                    Enables the data breach lookup

crawler_options

The crawler_options object configures the individual checks run by the crawler during a vulnerability scan, such as detection of exposed e-mail addresses, exposed API keys and open redirects. It allows the crawler's behaviour to be tuned to the security aspects that matter for the target. All fields are booleans; their defaults are listed in the crawler_options section above.

Parameter type: Object

open_directory (boolean)
    Determines whether the crawler checks for open directories on the target.

exposed_information (boolean)
    Indicates whether the crawler should search for exposed sensitive information such as server configurations or hidden files.

backdoor_detection (boolean)
    Specifies whether the crawler looks for potential backdoors on the target.

exposed_emails (boolean)
    Determines whether the crawler scans for exposed e-mail addresses on the target.

search_url_malware (boolean)
    Indicates whether the crawler checks for malware hosted at URLs on the target.

open_redirect (boolean)
    Specifies whether the crawler should test for open redirect vulnerabilities.

exposed_apikeys (boolean)
    Determines whether the crawler scans for exposed API keys on the target.
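The preferences above mix JSON booleans (sqli, xss, csrf, search_in_web_cache, the crawler options) with 0/1 integers (cms_brute_force, web_brute_force, leak_data_usage), and several of them add load on the target, so it is worth checking a job body before submitting it. The following is an added example, not VScanner's own client or documentation: it assembles a scan job with the defaults this page documents, validates the "preferences" object against the allowed values listed here, and names the enabled options that the page says increase request volume. The page does not document the endpoint URL or authentication, so the example stops at producing the JSON body; the function names are this example's own.

```python
# Added example for this page, not VScanner's own client or documentation.
# It builds a scan job body and checks the "preferences" object against
# the values documented on this page before anything is sent. The page
# does not document the endpoint URL or authentication, so this example
# stops at producing the JSON body.
import json

SCAN_TYPES = {"full", "default", "lite", "api"}
# scan_speed values as literally documented (including the spelling "sequencial")
SCAN_SPEEDS = {"sequencial", "slow", "moderate", "fast"}

# Documented defaults. Booleans and 0/1 integer flags are kept apart because
# the API types them differently: sqli is a JSON boolean, cms_brute_force is 0 or 1.
BOOL_DEFAULTS = {"sqli": False, "xss": False, "csrf": True, "search_in_web_cache": False}
INT_FLAG_DEFAULTS = {"cms_brute_force": 0, "web_brute_force": 0, "leak_data_usage": 0}
CRAWLER_DEFAULTS = {
    "exposed_emails": True, "open_redirect": True, "exposed_apikeys": True,
    "open_directory": False, "exposed_information": False,
    "backdoor_detection": False, "search_url_malware": False,
}
KNOWN_KEYS = ({"scan_type", "scan_speed", "scan_deep", "crawler_options"}
              | set(BOOL_DEFAULTS) | set(INT_FLAG_DEFAULTS))
# Options the page says are off by default because they add load on the target.
NOISY = {"sqli", "xss", "cms_brute_force", "web_brute_force", "open_directory",
         "exposed_information", "backdoor_detection", "search_url_malware"}


def validate_preferences(prefs):
    """Return a list of problems with ``prefs``; an empty list means it is valid."""
    problems = []
    for key in prefs:
        if key not in KNOWN_KEYS:
            problems.append(f"unknown preference {key!r}")
    if "scan_type" in prefs and prefs["scan_type"] not in SCAN_TYPES:
        problems.append(f"scan_type {prefs['scan_type']!r} is not one of {sorted(SCAN_TYPES)}")
    if "scan_speed" in prefs and prefs["scan_speed"] not in SCAN_SPEEDS:
        problems.append(f"scan_speed {prefs['scan_speed']!r} is not one of {sorted(SCAN_SPEEDS)}")
    depth = prefs.get("scan_deep", 1)
    if isinstance(depth, bool) or not isinstance(depth, int) or depth < 1:
        problems.append("scan_deep must be a positive integer")
    for key in BOOL_DEFAULTS:
        if key in prefs and not isinstance(prefs[key], bool):
            problems.append(f"{key} must be a JSON boolean")
    for key in INT_FLAG_DEFAULTS:
        # bool is a subclass of int in Python, so reject True/False explicitly
        if key in prefs and (isinstance(prefs[key], bool) or prefs[key] not in (0, 1)):
            problems.append(f"{key} must be the integer 0 or 1")
    crawler = prefs.get("crawler_options", {})
    if not isinstance(crawler, dict):
        problems.append("crawler_options must be an object")
    else:
        for key, value in crawler.items():
            if key not in CRAWLER_DEFAULTS:
                problems.append(f"unknown crawler option {key!r}")
            elif not isinstance(value, bool):
                problems.append(f"crawler_options.{key} must be a boolean")
    return problems


def noisy_options(prefs):
    """Sorted names of enabled options that raise request volume against the target."""
    enabled = {k for k in INT_FLAG_DEFAULTS if prefs.get(k) == 1}
    enabled |= {k for k in BOOL_DEFAULTS if prefs.get(k) is True}
    enabled |= {k for k, v in prefs.get("crawler_options", {}).items() if v is True}
    return sorted(enabled & NOISY)


def build_scan_job(url, **overrides):
    """Return {"url": ..., "preferences": ...} with documented defaults applied.

    Only settings the page gives a default for are filled in; scan_type and
    scan_speed are included only when the caller passes them.
    """
    crawler = overrides.pop("crawler_options", {})
    prefs = {"scan_deep": 3, **BOOL_DEFAULTS, **INT_FLAG_DEFAULTS, **overrides,
             "crawler_options": {**CRAWLER_DEFAULTS, **crawler}}
    problems = validate_preferences(prefs)
    if problems:
        raise ValueError("; ".join(problems))
    return {"url": url, "preferences": prefs}


if __name__ == "__main__":
    job = build_scan_job("https://www.example.com", scan_type="full",
                         scan_speed="slow", sqli=True,
                         crawler_options={"open_directory": True})
    print(json.dumps(job, indent=4))
    print("options that add load on the target:", noisy_options(job["preferences"]))
```

Passing web_brute_force=True or search_in_web_cache="true" is rejected before the request is built, which is the kind of type slip that a loosely typed client would otherwise send to the API. Reviewing the noisy_options() output against a production target is the practical counterpart of the important note above.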

