Web application scan

The default and most comprehensive scan type. Covers the OWASP Top 10 plus 30+ adjacent classes. Runs against any URL reachable over HTTP/HTTPS.

What it checks

Class | Tools
Injection | SQLi (union/blind/time/second-order/NoSQL), OS command, LDAP, XPath, NoSQL, SSTI, header injection, email header
XSS | Reflected, stored, DOM, polyglot, filter-bypass payloads
Broken access control | IDOR, BFLA, mass assignment, authorization probing, method scanning
Authentication | Default creds, weak passwords, session fixation, JWT weaknesses (alg=none, weak secret, JWK injection)
Cryptographic failures | TLS config, insecure crypto (RC4, 3DES, MD5), predictable secrets, weak random
Insecure design | Race conditions, business logic abuse (mass email, price manipulation, quota bypass)
Security misconfig | Missing headers, CORS, CSP weakness, directory listing, default error pages
Vulnerable components | Dependency scanner (Retire.js-style JS lib detection + server headers), version exploit lookup
Identification + auth failures | Brute-force rate limits, session management, credential stuffing paths
SSRF + XXE | External resource inclusion, file URL reads, cloud metadata endpoints
File operations | Unrestricted upload, path traversal, arbitrary file read, file inclusion
Open redirects | Reflected + stored URL redirects
Web cache | Cache deception, cache poisoning
HTTP smuggling | TE-CL / CL-TE / CL-CL variants
Prototype pollution | Client-side JSON merge attacks, server-side Node.js prototype abuse
Unsafe deserialisation | Python object deserialisers, Java Serializable, .NET BinaryFormatter, Node.js node-serialize
WebSockets | Unauth, origin bypass, message injection
GraphQL | Introspection, batching DoS, recursive queries, field suggestion leaks
Clickjacking | Missing X-Frame-Options / frame-ancestors

All of these fire in parallel (bounded concurrency) against endpoints the crawler discovered.

Coverage-expansion detectors (May 2026)

Pentestas continuously expands the detector mix. Recent additions you'll see firing on every web scan:

Detector | What it catches | Confirmation
SensitiveEndpoints | Werkzeug debugger (/console), Spring Actuator (/actuator/env), /debug/users, .env, .git/config, /latest/meta-data/, Swagger UI, OpenAPI specs | Content-fingerprint regex per path; never flags on a generic 404
CredentialDump | Endpoints that return plaintext passwords, AWS HMAC blobs, JWT swarms, GitHub PATs, Stripe / Anthropic / Slack tokens, private keys | JSON-aware key walk + filler-value rejection; multiple-occurrence threshold
UnauthIDOR | Unauthenticated id-walk on numeric path segments (/check_balance/<acct>, /users/<id>) with auth-shape body confirmation + negative oracle | ≥2 distinct auth-shaped responses, negative id (99999999) doesn't match
NumericFuzz | Business-logic flaws on numeric body fields: negative amount, zero, overflow, NaN, scientific notation | State-diff oracle: balance read before vs after; only flags when state moved in the wrong direction
GraphQLProbe | GraphQL endpoint discovery (/graphql, /api/graphql, /query) + introspection + resolver SQLi + 25-deep DoS | JSON envelope shape, __schema field, DBMS error in errors[]
BodySSRF | JSON-body fields with URL-shaped names (image_url, webhook, callback_url, avatar, profile_picture_url, import_url) | OAST canary callback OR IMDS string in response OR private-IP banner
LLMProbe | LLM/AI endpoints (/api/ai/chat, /v1/chat/completions, etc.) — discovery + prompt injection + system-prompt leak | Per-request nonce echoed back AND credential-shaped data in reply
EntropySampler | Predictable identifiers in responses: 3-digit reset PINs, time-seeded auth codes, sequential reference numbers, hash-of-short-input API keys | Shannon entropy + monotonic-pattern detection across captured samples
AuthRecovery | Forgot/reset-password endpoints — PIN echoed in response, advertised PIN length too short, no rate-limit on PIN attempts, username enumeration | Synthetic body probe + 12-attempt burst against known-bad PINs
MassAssignment (hardened) | JSON POST endpoints that accept is_admin: true / role: admin / balance: 99999 via mass binding | Echo-blocklist (ignores raw_data/raw_request reflections) + JWT-claim decode for token-bearing responses
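The EntropySampler row describes its confirmation as Shannon entropy plus monotonic-pattern detection across captured samples. The following is an added example, not Pentestas code, of how a defender can run the same two checks against identifiers their own application issues (reset PINs, order references, API keys). The sample identifiers, the 20-bit keyspace threshold and the function names are all assumptions made for this illustration.

```python
import math
import re
from collections import Counter

# Constructed samples (not real captures): identifiers a scanner might collect
# from several password-reset and order-creation responses on one target.
RESET_PINS = ["483", "917", "052", "660", "301", "774", "128", "945"]
REFERENCE_NUMBERS = ["INV-100231", "INV-100232", "INV-100233", "INV-100234", "INV-100235"]
API_KEYS = [
    "c1a2d4f8e9b3c0d7a5e6f1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2",
    "7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f",
    "3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c",
]

# Assumption: below roughly a million possibilities an online guess is cheap.
MIN_KEYSPACE_BITS = 20.0


def shannon_entropy_bits(value: str) -> float:
    """Per-character Shannon entropy of one identifier, in bits."""
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def keyspace_bits(samples: list[str]) -> float:
    """Upper bound on what an identifier of this shape can carry:
    length * log2(alphabet size observed across all samples)."""
    alphabet = set("".join(samples))
    length = max(len(s) for s in samples)
    return length * math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0


_TRAILING_DIGITS = re.compile(r"(\d+)$")


def monotonic_step(samples: list[str]):
    """Return the constant increment if every sample's trailing integer grows by
    the same amount as its predecessor (a counter), otherwise None."""
    tails = []
    for s in samples:
        m = _TRAILING_DIGITS.search(s)
        if not m:
            return None
        tails.append(int(m.group(1)))
    if len(tails) < 3:
        return None
    diffs = {b - a for a, b in zip(tails, tails[1:])}
    if len(diffs) == 1:
        step = diffs.pop()
        if step > 0:
            return step
    return None


def assess(samples: list[str]) -> dict:
    """Combine both oracles into one verdict for a batch of captured samples."""
    bits = keyspace_bits(samples)
    mean_entropy = sum(shannon_entropy_bits(s) for s in samples) / len(samples)
    step = monotonic_step(samples)
    reasons = []
    if bits < MIN_KEYSPACE_BITS:
        reasons.append(f"keyspace {bits:.1f} bits < {MIN_KEYSPACE_BITS:.0f}")
    if step is not None:
        reasons.append(f"sequential (step {step})")
    return {
        "keyspace_bits": round(bits, 2),
        "mean_entropy_bits": round(mean_entropy, 2),
        "sequential_step": step,
        "predictable": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, batch in (("reset PINs", RESET_PINS),
                        ("reference numbers", REFERENCE_NUMBERS),
                        ("API keys", API_KEYS)):
        print(name, assess(batch))
```

Per-string entropy alone is a weak oracle for short identifiers: a 3-digit PIN with three distinct digits scores a respectable 1.58 bits per character, yet the whole keyspace is under 10 bits. That is why the example bounds the keyspace from the observed alphabet and length, and why the counter check runs separately; a 10-character reference number passes the keyspace test comfortably and is still trivially guessable when it increments by one.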

Cross-references: Exploitation chains consume the outputs of these detectors and walk them into demonstrated impact (admin login, AWS-credential extraction, money movement, RCE).

Live Ops attack visualization

While a scan is running, the scan-detail page renders a real-time canvas showing the engine's activity — hex nodes for the WEB / API / AUTH / DB / ADMIN / CLOUD services, animated packets representing in-flight probes, finding pings as they emit, and a phase badge that flips between RECON / VULN-DISC / EXPLOITATION / DEFERRED / INFRASTRUCTURE. It's the cyberpunk ops-HUD you'd expect from a real pentest engagement, not the "Scanning… 47% complete" bar of a typical scanner. The viz auto-tears-down once the scan transitions to complete so the canvas + RAF loop don't leak on navigation.

How the crawl works

  1. Normalise the target — if you pasted example.com without a scheme, Pentestas auto-prepends https:// (and falls back to http:// only if HTTPS doesn't respond). The error you used to see — "Scheme '(empty)' is not allowed" — is gone.
  2. Auto-login (if configured) — credentials supplied via the Authentication panel are exercised before the crawl, not after. The crawler then walks the app with a logged-in session from the start, so admin/user-only pages are part of the initial attack surface, not a second-pass discovery.
  3. Fetch the root — follow redirects, harvest cookies.
  4. Fingerprint — detect CMS / framework (WordPress, Drupal, Joomla, Symfony, Laravel, Django, Rails, Next.js, …) and load CMS-specific attack-surface modules (admin paths, plugin enumeration, framework debug endpoints).
  5. Parse + extract — links, forms, fetch()/axios/XHR calls in JS bundles, <script src>, <img src>, iframes, WebSocket endpoints, JSON-RPC endpoints.
  6. Render — headless Chromium (via Playwright) for SPA routes and anything hidden behind client-side routing. Fires hover/click heuristics on discovered interactive elements.
  7. Parameter discovery — the fuzzer tries common parameter names against each endpoint (id, user, token, search, callback, and a few hundred more). Reflected-parameter endpoints make it into the attack-surface list even if the original page didn't reveal them.
  8. Recurse — every new URL feeds back into the queue, up to the configured depth (default 3).
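Step 5 above lists what the crawler harvests from a fetched page: links, form actions, script/img/iframe sources, and the URLs inside fetch()/axios/XHR calls and WebSocket constructors in JS bundles. The following added example (written for this page, not the Pentestas crawler) shows a minimal version of that extraction over a constructed HTML page and bundle. The page content, the seed URL and the regexes are assumptions; a real crawler would also resolve the bundle URLs it finds and feed every result back into the queue, as step 8 describes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed page and inline bundle (not captured from any real site).
SEED = "https://app.example/"
HTML = """<html><body>
<a href="/account">Account</a>
<a href="https://app.example/admin/">Admin</a>
<a href="mailto:help@app.example">Mail</a>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
<script src="/static/bundle.js"></script>
<img src="/static/logo.png">
<iframe src="/widgets/chat"></iframe>
</body></html>"""
BUNDLE_JS = """
fetch('/api/v2/users/me').then(r => r.json());
axios.post("/api/v2/orders", body);
const ws = new WebSocket("wss://app.example/ws/notifications");
xhr.open('GET', '/api/v2/search?q=' + q);
"""


class SurfaceExtractor(HTMLParser):
    """Collect URLs and forms from one HTML document, resolved against the seed."""
    TAG_ATTR = {"a": "href", "script": "src", "img": "src", "iframe": "src"}

    def __init__(self, base: str):
        super().__init__()
        self.base = base
        self.urls = set()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form without an action posts back to the current URL.
            self._form = {"action": urljoin(self.base, a.get("action") or ""),
                          "method": (a.get("method") or "get").upper(),
                          "inputs": []}
            self.forms.append(self._form)
            self.urls.add(self._form["action"])
            return
        if tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])
            return
        attr = self.TAG_ATTR.get(tag)
        value = a.get(attr) if attr else None
        if value and not value.startswith(("mailto:", "javascript:", "#")):
            self.urls.add(urljoin(self.base, value))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


# First string literal after fetch( / axios.<verb>( / .open( , skipping an
# optional leading HTTP-method argument such as 'GET'.
JS_CALL = re.compile(
    r"""(?:fetch|axios(?:\.\w+)?|\.open)\s*\(\s*(?:['"][A-Z]+['"]\s*,\s*)?['"]([^'"]+)['"]""")
WS_CALL = re.compile(r"""new\s+WebSocket\s*\(\s*['"]([^'"]+)['"]""")


def extract_js_endpoints(js: str, base: str) -> set:
    """URLs referenced by XHR/fetch/axios calls and WebSocket constructors."""
    found = {urljoin(base, m) for m in JS_CALL.findall(js)}
    found |= {urljoin(base, m) for m in WS_CALL.findall(js)}
    return found


def extract_surface(seed: str, html: str, bundles: list) -> dict:
    """Attack-surface candidates from one page plus the JS bundles it loads."""
    parser = SurfaceExtractor(seed)
    parser.feed(html)
    urls = set(parser.urls)
    for js in bundles:
        urls |= extract_js_endpoints(js, seed)
    return {"urls": sorted(urls), "forms": parser.forms}


if __name__ == "__main__":
    surface = extract_surface(SEED, HTML, [BUNDLE_JS])
    for url in surface["urls"]:
        print(url)
    print(surface["forms"])
```

Static extraction like this is what the crawl gets before step 6 renders the page; routes that only exist after client-side JavaScript runs are exactly what the headless-Chromium pass is there to find.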

Framework-specific support

Beyond generic OWASP coverage, Pentestas runs framework-aware attack chains when it fingerprints:

  • WordPress — plugin / theme enumeration, REST API user disclosure, xmlrpc abuse.
  • Drupal / Joomla — version-pinned CVE checks, admin-path probing.
  • Symfony — _profiler/, _wdt/, app_dev.php debug surfaces; CVE-2019-18889 fragment RCE; secret leakage from exposed dev configs; user enumeration via timing on the login endpoint.
  • Laravel — .env exposure, debug-mode RCE.
  • Rails / Django / Next.js — framework-specific admin paths, SSTI variants, deserialisation chains.

If your framework is detected, you'll see a [FINGERPRINT] line in the live feed naming it.

Authentication

If you supply credentials (see Authenticated scans), Pentestas logs in first, preserves the session, and crawls authenticated from the start — usually doubling the attack surface since admin/user-only pages become visible immediately rather than only after an unauthenticated pass.

Payload selection

Payloads are picked from a curated list of ~5,000 across the tool modules. The payload encoder tries common transformations (URL encode, double URL encode, Unicode, HTML entity, base64, case-flip) so a WAF that blocks ' alone doesn't block %27 or %EF%BC%87.
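The paragraph above explains why a filter that matches on the literal quote character alone is not enough: the same character arrives as %27, as a double-encoded %2527, as the full-width look-alike %EF%BC%87, or as an HTML entity. The defender's counterpart is to canonicalize input before any rule runs. The following is an added example, not Pentestas code, using only the Python standard library; the three-round bound and the illustrative rule are assumptions for this page.

```python
import html
import unicodedata
from urllib.parse import unquote

# Assumption: bound the decode loop so crafted input cannot keep it spinning.
MAX_DECODE_ROUNDS = 3


def canonicalize(raw: str) -> str:
    """Strip the layered encodings a payload encoder applies (URL, double-URL,
    HTML entities, full-width Unicode look-alikes) down to one canonical form.
    Repeats until a round changes nothing, so %2527 -> %27 -> ' in two passes."""
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)                            # %27 -> '
        decoded = html.unescape(decoded)                    # &#39; / &#x27; -> '
        decoded = unicodedata.normalize("NFKC", decoded)    # U+FF07 (fullwidth) -> '
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_quote_injection(raw: str) -> bool:
    """Illustrative rule: applied to the canonical form rather than the raw
    bytes, it sees the same quote regardless of how it was encoded."""
    return "'" in canonicalize(raw)


def contains_keyword(raw: str, keyword: str) -> bool:
    """Case-flipped variants (SeLeCt) are handled by case-insensitive matching
    on the canonical form, not by decoding."""
    return keyword.casefold() in canonicalize(raw).casefold()


if __name__ == "__main__":
    for sample in ["'", "%27", "%2527", "%EF%BC%87", "&#x27;", "&#39;", "plain text"]:
        print(f"{sample!r:14} -> {canonicalize(sample)!r}")
```

Base64 is deliberately absent from the loop: it has no unambiguous marker, so a filter should only decode it for parameters known to carry base64, then canonicalize the result with the same function. Canonicalizing before matching is also what keeps a WAF and the application's own validation from disagreeing about what a request contains.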

Rate limits and speed presets

The scan dialog's Advanced Options panel exposes three speed presets:

  • Gentle (prod-safe) — low concurrency, longer delays, conservative payload selection. Use against production targets.
  • Normal — the default. Balanced for staging environments and modern web apps.
  • Aggressive (dev) — high concurrency, no delays. Use only on dev/staging targets you own.

Each preset sets concurrent connections per host, request spacing, and the size of the payload set tried per parameter. Switching presets after a scan starts has no effect — the values are read at scan-start.

New-scan form — every option

The full reference for every field on the New scan → Web tab. Hidden fields under collapsed sections are documented in the same order they appear in the dialog.

Basics

Field | What it controls
Target URL | Root URL of the app to scan. Pentestas auto-prepends https:// when no scheme is given and falls back to http:// only if HTTPS doesn't respond. Must be a verified domain.
Scan types | 36 toggleable test classes (SQLi, XSS, IDOR, SSRF, RCE, JWT, CORS, CSRF, mass-assignment, GraphQL, business logic, race conditions, file upload, email injection, header injection, deserialisation, prototype pollution, session puzzling, WebSocket, cache deception, dirbusting, subdomain enumeration, parameter discovery, dependency, fingerprint, clickjacking, insecure crypto, …). All on by default.
Scan mode | heuristic = deterministic engine, no AI calls. hybrid = engine + LLM (Claude or DeepSeek) for custom payload generation, chained exploitation, false-positive review, and the AI-narrated Attack chains.
AI provider override | Per-scan-only. Choose Anthropic or DeepSeek to override the account default for this single scan. Doesn't change Settings.
AI model override | Free-text identifier accepted by the chosen provider's API (e.g. claude-sonnet-4-20250514, deepseek-v4-pro). Common values appear in the suggestion dropdown.
Use scan planner | Lets the LLM observe what each phase has discovered and steer which testers run next. Skips testers that don't apply to the detected stack; prioritises follow-up probes on confirmed findings. Adds 2 LLM calls per scan; results visible in the scan-detail "Planner trace" tab. See AI specialist agents.

Attack Strength

Setting | Payloads per input | When to use
Low | 25% | Fragile production systems where the smallest blast radius matters more than recall.
Medium | 50% (default) | Most production scans. Balanced.
High | 75% | Staging / pre-production. Pulls in extended payload variants the standard set drops.
Insane | 100% | Dev environments under your direct control. Long scan, maximum recall — every payload in every corpus is tried.

Target Authentication (7 methods)

Pick whichever shape matches the target. Each method's secret is encrypted per-tenant and never written to a scan row in plaintext; a has_credentials: true breadcrumb is the only persisted fact. See Authenticated scans for the full flow.

Method | What you provide | How Pentestas uses it
Username & Password | Username (or email), password, optional Login URL. | POSTs the credentials to the auto-detected (or supplied) login endpoint before the crawl. Captures the session cookie or bearer token, attaches it to every subsequent request. The crawler walks logged-in surface from the start.
Session Cookies | Paste cookies as name=value; name2=value2 OR a full curl command from DevTools → Network → Copy as cURL OR a JSON object. | Use this when MFA / CAPTCHA / SSO blocks programmatic login. Pentestas also accepts the entire curl blob — it auto-extracts the Cookie header (including HttpOnly cookies that document.cookie can't see).
Session (HAR) | Upload a .har file recorded from your authenticated session. | HAR is parsed in your browser; only cookies whose domain matches the scan target plus Authorization, X-CSRF-Token, X-API-Key, and X-Auth-Token headers are extracted. Encrypted per tenant; raw HAR never leaves your machine.
OAuth 2.0 / Bearer | Access token. Optional refresh-token block: token URL + refresh_token + client_id / client_secret. | Sent as Authorization: Bearer <token> on every request. Auto-refresh hits the token URL with grant_type=refresh_token before each scheduled scan and uses the fresh access token in-memory only.
HTTP Basic Auth | Username + password. | For sites that pop the native browser sign-in dialog (HTTP 401 + WWW-Authenticate: Basic). Worker base64-encodes the credentials and attaches Authorization: Basic … to every request. Persisted in the per-target Fernet vault for rescans.
Custom Header | Header name + value (e.g. X-API-Key: key123). | Attached to every request. Use for proprietary auth schemes or "secret URL" header gates.
Agent Capture Session | Pick an agent-recorded session from the dropdown. | Reuses the cookies + auth header captured by a previous Pentestas agent browser capture. The cleanest way to scan SSO-protected internal apps from inside the corp network.
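Two rows above describe input parsing worth seeing concretely: the Session Cookies field accepts three shapes (a name=value list, a JSON object, or a whole Copy-as-cURL command from which the Cookie header is pulled out), and the HAR path keeps only cookies scoped to the scan target plus four allow-listed auth headers. The following added example implements both filters; it is written for this page, not Pentestas's own parser, and the curl blob, the HAR document and the helper names are constructed assumptions.

```python
import json
import shlex
from urllib.parse import urlparse

# The only headers the HAR path keeps (the four named in the table).
AUTH_HEADERS = {"authorization", "x-csrf-token", "x-api-key", "x-auth-token"}


def _cookie_header_from_curl(cmd: str) -> str:
    """Return the value of the Cookie: header (or -b/--cookie) in a curl command.
    DevTools wraps lines with backslash-newline; join those before tokenising."""
    tokens = shlex.split(cmd.replace("\\\n", " "))
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-H", "--header"):
            name, _, value = tokens[i + 1].partition(":")
            if name.strip().lower() == "cookie":
                return value.strip()
        if tok in ("-b", "--cookie"):
            return tokens[i + 1]
    return ""


def parse_cookie_input(text: str) -> dict:
    """Accept all three shapes of the Session Cookies field and return {name: value}."""
    text = text.strip()
    if text.startswith("{"):
        return {str(k): str(v) for k, v in json.loads(text).items()}
    if text.startswith("curl "):
        text = _cookie_header_from_curl(text)
    cookies = {}
    for part in text.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")   # keep '=' padding in values
            cookies[name.strip()] = value.strip()
    return cookies


def _in_scope(host: str, domain: str) -> bool:
    """True when a cookie domain (leading dot stripped) covers the target host."""
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def extract_from_har(har: dict, target_url: str) -> dict:
    """Keep only target-scoped cookies and allow-listed auth headers; bodies,
    third-party requests and foreign cookies never leave this function."""
    target_host = urlparse(target_url).hostname.lower()
    cookies, headers = {}, {}
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        req_host = (urlparse(req.get("url", "")).hostname or "").lower()
        if req_host != target_host and not req_host.endswith("." + target_host):
            continue                                   # request to a third party
        for c in req.get("cookies", []):
            if _in_scope(target_host, c.get("domain") or req_host):
                cookies[c["name"]] = c["value"]
        for h in req.get("headers", []):
            if h.get("name", "").lower() in AUTH_HEADERS:
                headers[h["name"]] = h["value"]
    return {"cookies": cookies, "headers": headers}


# Constructed inputs (not captured from any real session).
CURL_BLOB = r"""curl 'https://app.example/dashboard' \
  -H 'Accept: text/html' \
  -H 'Cookie: session=abc123; csrftoken=tok9; __Host-id=7' \
  --compressed"""

HAR = {"log": {"entries": [
    {"request": {"url": "https://app.example/api/me",
                 "cookies": [{"name": "session", "value": "abc123", "domain": "app.example"},
                             {"name": "_ga", "value": "GA1.1", "domain": ".analytics.test"}],
                 "headers": [{"name": "Authorization", "value": "Bearer eyJ.constructed.token"},
                             {"name": "Accept", "value": "application/json"},
                             {"name": "X-CSRF-Token", "value": "tok9"}]}},
    {"request": {"url": "https://cdn.thirdparty.test/lib.js",
                 "cookies": [{"name": "tp", "value": "1", "domain": "thirdparty.test"}],
                 "headers": [{"name": "Authorization", "value": "Bearer sent-to-cdn"}]}},
]}}

if __name__ == "__main__":
    print(parse_cookie_input(CURL_BLOB))
    print(extract_from_har(HAR, "https://app.example/"))
```

The HAR filter drops the whole third-party entry, including the Authorization header that happened to be sent to the CDN, which is the point of doing the extraction client-side on an allow-list: only material that is both scoped to the target and needed for authentication is ever uploaded.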

Advanced Options

Field | Range / values | Effect
Scan Depth | 1–10 (default 3) | Maximum link-distance the crawler walks from the seed URL. 1 = root page only. 10 = exhaustive. Most apps surface their full attack surface at 3-5.
Request Delay | 0–5000 ms (default 500) | Pause between consecutive HTTP requests on the same connection. Higher = safer for production targets. 0 ms is fine for dev, where you'll find limits with concurrency instead.
Concurrency | 1–50 (default 5) | Parallel in-flight requests against the target. Drops to 1 for "Gentle" preset; the engine still pipelines the work across modules.
Request Timeout | 5–120 s (default 30) | Hard cap per HTTP request. Bump to 60 s+ for slow apps; drop to 10 s for sites where any >5-second response means the test triggered a real slowdown.
Custom Headers (JSON) | JSON object | Headers attached to every request beyond the auth method's own headers. Use for things like X-Tenant: foo, custom CSRF tokens, or A/B-test pinning headers.
Cookies (JSON) | JSON object | Cookies attached to every request beyond what the auth method captured. Use to pin feature flags or session-region cookies.

Active Exploitation

The "Active Exploitation" panel is what turns Pentestas from "vulnerability scanner" into "demonstrated impact." Every checkbox here gates a layer of follow-up automation.

Toggle | What it enables
Run verification engine (GREEN + YELLOW) | Default ON. After candidate findings emerge, the engine attempts to prove exploitation: extract a DB row via SQLi, read /etc/passwd via LFI, replay a forged JWT, walk default credentials against discovered admin panels. Ships only verified findings; the unverified ones are demoted by the Accuracy Gate.
Allow RED-tier modules | Enterprise plan only. Permits real exploitation for command-injection, SSTI, SQLi data extraction, XXE file reads, JWT replay against admin endpoints. Use only on authorised pentest engagements.
Behind Cloudflare (or similar CDN / WAF) | Discovers the real origin IP via cert-transparency, common subdomains, AAAA / SPF leaks, and pins requests to it (Host header + TLS SNI preserved). Falls back to a realistic browser fingerprint when no origin is found.
Demonstrate destructive impact | Off by default. Enables three additional exploitation chains that mutate application state: register synthetic admin via mass-assignment, $0.01 negative-amount transfer, Werkzeug debugger PIN crack. Use only when the customer has explicitly authorised proof-of-impact for these classes.

When any of these run successfully, the chain emits a single CRITICAL EXPLOIT_CHAIN finding with a numbered playbook. See Exploitation chains.

Bulk Domain Scan

One target per line; all must be verified. Same scan-types are applied to every target. Useful for verified-tenant fleets where every subdomain should be tested on the same cadence. The bulk panel exposes its own AI provider/model override that applies to every scan in the batch.

Output

Findings flow into the standard findings list and are exported to reports. Each finding carries:

  • Endpoint, method, parameter
  • Exact payload used
  • Request + response evidence
  • CVSS score + vector
  • CWE + OWASP category
  • Validation steps
  • Exploit-DB matches (if applicable)
  • AI-generated impact narrative + remediation (Pro+)

Common questions

Does it find 0-days? Sometimes. Pentestas doesn't ship with CVE-specific signatures — it runs behaviour-based tests. If your app has a novel auth bypass that matches the BFLA model, it gets caught.

Will it break production? By default, destructive verbs (DELETE requests, state-changing mutations) are annotated-but-not-executed — the tool reports "this endpoint looks like it accepts arbitrary user IDs but we didn't delete anything to confirm". Stick to the Gentle preset for production targets to keep request volume low.

Does it support WAFs? Yes. The scanner adapts: detects WAF fingerprints (Cloudflare, Akamai, AWS WAF, Imperva, F5, Sucuri) and switches to a low-noise payload distribution tuned to slip past generic rules.

See also