Monitoring (Web App Scanning) Overview

What is a web app? And why scan them?

Web apps are just like apps on your phone or laptop - they’re programs that do something (usually related to storing, processing, and retrieving information). The only difference is that they run inside your web browser rather than on a specific device! 

In the Cyber Safety Monitoring module, the web app scanner identifies vulnerabilities in your company's web apps - problems or weaknesses that a hacker could exploit. The goal of running a scan is to find these vulnerabilities before the bad guys do, and make sure you get them fixed. 

It’s important to do scans on a regular, continual basis. New vulnerabilities are constantly being discovered, and many web apps get new features added on a regular basis (new features can introduce new vulnerabilities). Make sure you’re running a scan frequently enough to stay ahead of the hackers.

Scan configuration options and recommendations

To help you achieve a useful monitoring cadence, we recommend scanning at least quarterly and at most once a month. Take your company’s schedule into account so that the scan runs at an appropriate time (we suggest outside normal business hours), and consider scheduling scans shortly after upgrades or releases of your web app (e.g., if you release updates every second Tuesday, try scheduling the scan for every second Wednesday).

The Cyber Safety scanner has two modes, which run an increasing number of tests. It’s a balancing act to get it right - the more tests, the better chance of discovering a vulnerability, but the longer the scan will take. The scan modes are described below, along with our recommendations:


The lightning scan tests for just a few basic security configuration items on a web page, such as weak SSL encryption or security settings missing for cookies. 

  • Time: Fastest
  • Depth of Scan: Minimal


This mode, the recommended setting, tests for a broad set of vulnerabilities using a variety of settings and payloads (data used to test the application). The additional activity from the scanner causes this scan to take a little longer.

  • Time: Slow
  • Depth of Scan: Deep
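To make the "basic security configuration items" of the lightning scan concrete, the following is an added illustration (not the Cyber Safety scanner's own code) of what header-level checks look like. It parses a captured HTTPS response and reports missing cookie flags, HSTS weaknesses and absent browser-protection headers, using the finding names from the vulnerability list on this page. The two sample responses are constructed, and the one-year HSTS threshold is an assumption rather than a value taken from the scanner.

```python
"""Header-level checks of the kind a lightweight web app scan performs.

Illustrative example only: the checks mirror finding names used by the
scanner, but the logic and thresholds here are assumptions, not its code.
"""
from typing import Dict, List

# Assumed threshold: an HSTS max-age below one year counts as "low".
HSTS_MIN_SECONDS = 365 * 24 * 3600


def parse_response(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.1 response into a lowercased header -> values map.

    Repeated headers (Set-Cookie in particular) are kept as separate values.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_cookies(headers: Dict[str, List[str]], https: bool) -> List[str]:
    """Flag cookies that lack HttpOnly, or Secure when served over HTTPS."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append("Cookie without HttpOnly flag")
        if https and "secure" not in attrs:
            findings.append("SSL cookie without Secure flag")
    return findings


def check_hsts(headers: Dict[str, List[str]], https: bool) -> List[str]:
    """Check presence, duration and subdomain scope of Strict-Transport-Security."""
    values = headers.get("strict-transport-security", [])
    if not https:
        # Browsers ignore HSTS on plain HTTP; sending it there is a misconfiguration.
        return ["HSTS header set in HTTP"] if values else []
    if not values:
        return ["HSTS header not enforced"]
    directives = {}
    for directive in values[0].split(";"):
        key, _, val = directive.strip().partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    low = max_age < HSTS_MIN_SECONDS
    subdomains = "includesubdomains" in directives
    if low and not subdomains:
        return ["HSTS header with low duration and no subdomain protection"]
    if low:
        return ["HSTS header with low duration"]
    if not subdomains:
        return ["HSTS header does not protect subdomains"]
    return []


def check_browser_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Content sniffing, CSP, clickjacking and referrer policy headers."""
    findings = []
    if "nosniff" not in [v.lower() for v in headers.get("x-content-type-options", [])]:
        findings.append("Browser content sniffing allowed")
    csp = headers.get("content-security-policy", [])
    if not csp:
        findings.append("Missing Content Security Policy header (CSP)")
    # Either X-Frame-Options or a CSP frame-ancestors directive prevents framing.
    framing_ok = bool(headers.get("x-frame-options")) or any("frame-ancestors" in v.lower() for v in csp)
    if not framing_ok:
        findings.append("Missing clickjacking protection")
    if not headers.get("referrer-policy"):
        findings.append("Referrer policy not defined")
    return findings


def scan_response(raw: str, https: bool = True) -> List[str]:
    """Run every header-level check and return finding names in a stable order."""
    headers = parse_response(raw)
    return check_cookies(headers, https) + check_hsts(headers, https) + check_browser_headers(headers)


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: session=abc123; Path=/",
    "Strict-Transport-Security: max-age=3600",
]) + "\r\n\r\n<html></html>"

HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Content-Type-Options: nosniff",
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy: strict-origin-when-cross-origin",
]) + "\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {scan_response(raw)}")
```

Running the script prints seven findings for the weak response and none for the hardened one; the `https` flag matters because the same HSTS header is a finding when sent over plain HTTP but a protection when sent over TLS. Checks of this kind are cheap because they need only one response per page, which is why they fit the fast, minimal-depth mode.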

Using the scan report

Cyber Safety scan reports are designed to be easy to read; however, they do assume a basic knowledge of web app and cybersecurity terminology. If words like POST, PUT, and SQL Injection mean nothing to you, we recommend adding an appropriate member of your team to Cyber Safety, such as a CTO, Engineering Lead, etc.

You can also download a copy of the scan reports as a PDF, and send them to an engineering, IT, or other team responsible for maintaining your web app. This report contains all the details they need to verify the vulnerability exists, and has recommendations for fixing it. As all web apps are unique, this is guidance first and foremost - your IT team may need to do some additional research and testing to identify how to fix the vulnerability.

Once a vulnerability has been fixed, the scanner will identify this issue as fixed the next time it runs, and remove it from future reports. If the issue appears again in the future, our scanner will note that it was previously identified as an issue and re-open it; this helps your team to pinpoint the cause of a recurring vulnerability and speeds up the time to fix it.
Types of Vulnerabilities Detected

Please refer to this page periodically for an updated list. Keep in mind that some vulnerabilities are grouped together.

  • Reflected cross-site scripting
  • Stored cross-site scripting
  • Operating system command injection
  • XML external entity injection
  • ASP.NET debugging enabled
  • Insecure crossdomain.xml policy
  • Insecure Silverlight clientaccesspolicy.xml policy
  • SQL Injection
  • SQL injection (second order)
  • Cross Origin Resource Sharing: Arbitrary Origin Trusted
  • Unencrypted communications
  • Mixed content
  • Expired TLS certificate
  • TLS certificate about to expire
  • Certificate without revocation information
  • Insecure SSL protocol version 2 supported
  • Insecure SSL protocol version 3 supported
  • Outdated TLS protocol version 1.0 supported
  • Secure TLS protocol version 1.2 not supported
  • Weak cipher suites enabled
  • Server Cipher Order not configured
  • Untrusted TLS certificate (invalid CN, SAN, issuer or chain)
  • Heartbleed
  • Potential DoS on TLS Client Renegotiation
  • Secure Renegotiation is not supported
  • TLS Downgrade attack prevention not supported
  • WordPress version with known vulnerabilities
  • WordPress plugin with known vulnerabilities
  • Joomla! version with known vulnerabilities
  • Log file disclosure
  • Backup file disclosure
  • Full path disclosure
  • HSTS header not enforced
  • HSTS header set in HTTP
  • HSTS header with low duration and no subdomain protection
  • HSTS header with low duration
  • HSTS header does not protect subdomains
  • Inclusion of cryptocurrency mining script (around 12000 domains)
  • Browser XSS protection disabled
  • Browser content sniffing allowed
  • Referrer policy not defined
  • Insecure referrer policy
  • Missing Content Security Policy header (CSP)
  • Insecure Content Security Policy (CSP)
  • HTTP TRACE method enabled
  • JQuery library with known vulnerabilities
  • AngularJS library with known vulnerabilities
  • Bootstrap library with known vulnerabilities
  • JQuery Mobile library with known vulnerabilities
  • JQuery Migrate library with known vulnerabilities
  • Moment.js library with known vulnerabilities
  • Prototype library with known vulnerabilities
  • React library with known vulnerabilities
  • SWFObject library with known vulnerabilities
  • TinyMCE library with known vulnerabilities
  • Backbone library with known vulnerabilities
  • Mustache library with known vulnerabilities
  • Handlebars library with known vulnerabilities
  • Dojo library with known vulnerabilities
  • jPlayer library with known vulnerabilities
  • CKEditor library with known vulnerabilities
  • DWR library with known vulnerabilities
  • Flowplayer library with known vulnerabilities
  • DOMPurify library with known vulnerabilities
  • Plupload library with known vulnerabilities
  • easyXDM library with known vulnerabilities
  • Ember library with known vulnerabilities
  • YUI library with known vulnerabilities
  • Sessvars library with known vulnerabilities
  • jQuery UI library with known vulnerabilities
  • Cookie without HttpOnly flag
  • SSL cookie without Secure flag
  • Open redirection
  • Stored Open redirection
  • Directory Listing
  • HTTP response header injection
  • ASP.NET tracing enabled
  • Path traversal
  • Missing cross-site request forgery protection
  • Missing clickjacking protection
  • ASP.NET ViewState without MAC
  • Session Token in URL
  • Application error message
  • Private IP addresses disclosed
  • Server-side template injection
  • Server-side JavaScript injection
  • Insecure PHP Object deserialization
  • PHP code injection (also known as Local File Inclusion)