# Web application scan
The default and most comprehensive scan type. Covers the OWASP Top 10 plus 30+ adjacent classes. Runs against any URL reachable over HTTP/HTTPS.
## What it checks
| Class | Tools |
|---|---|
| Injection | SQLi (union/blind/time/second-order), NoSQL, OS command, LDAP, XPath, SSTI, header injection, email header |
| XSS | Reflected, stored, DOM, polyglot, filter-bypass payloads |
| Broken access control | IDOR, BFLA, mass assignment, authorization probing, method scanning |
| Authentication | Default creds, weak passwords, session fixation, JWT weaknesses (alg=none, weak secret, JWK injection) |
| Cryptographic failures | TLS config, insecure crypto (RC4, 3DES, MD5), predictable secrets, weak random |
| Insecure design | Race conditions, business logic abuse (mass email, price manipulation, quota bypass) |
| Security misconfig | Missing headers, CORS, CSP weakness, directory listing, default error pages |
| Vulnerable components | Dependency scanner (Retire.js-style JS lib detection + server headers), version exploit lookup |
| Identification + auth failures | Brute-force rate limits, session management, credential stuffing paths |
| SSRF + XXE | External resource inclusion, file URL reads, cloud metadata endpoints |
| File operations | Unrestricted upload, path traversal, arbitrary file read, file inclusion |
| Open redirects | Reflected + stored URL redirects |
| Web cache | Cache deception, cache poisoning |
| HTTP smuggling | TE-CL / CL-TE / CL-CL variants |
| Prototype pollution | Client-side JSON merge attacks, server-side Node.js prototype abuse |
| Unsafe deserialisation | Python object deserialisers, Java Serializable, .NET BinaryFormatter, Node.js node-serialize |
| WebSockets | Unauth, origin bypass, message injection |
| GraphQL | Introspection, batching DoS, recursive queries, field suggestion leaks |
| Clickjacking | Missing X-Frame-Options / frame-ancestors |
All of these fire in parallel (bounded concurrency) against endpoints the crawler discovered.
## How the crawl works
- Fetch the root: follow redirects, harvest cookies.
- Parse + extract: links, forms, `fetch()`/axios/XHR calls in JS bundles, `<script src>`, `<img src>`, iframes, WebSocket endpoints, JSON-RPC endpoints.
- Render: headless Chromium (via Playwright) for SPA routes and anything hidden behind client-side routing. Fires hover/click heuristics on discovered interactive elements.
- Parameter discovery: the fuzzer tries common parameter names against each endpoint (`id`, `user`, `token`, `search`, `callback`, and a few hundred more). Reflected-parameter endpoints make it into the attack-surface list even if the original page didn't reveal them.
- Recurse: every new URL feeds back into the queue, up to the configured depth (default 3).
## Authentication
If you supply credentials (see Authenticated scans), the crawler logs in, preserves the session, and re-crawls, usually doubling the attack surface since admin/user-only pages become visible.
## Payload selection
Payloads are picked from a curated list of ~5,000 across the tool modules. The payload encoder tries common transformations (URL encode, double URL encode, Unicode, HTML entity, base64, case-flip) so a WAF that blocks `'` alone doesn't block `%27` or `%EF%BC%87`.
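As an added, defender-side example (not Pentestas code), the Python below canonicalizes a value through the transformations listed above before a filter inspects it, showing why a rule that matches only a literal `'` misses `%27`, `%2527` and `%EF%BC%87` while a rule that inspects the normalized value does not. The variants and function names are constructed for the illustration; base64 is left out because only the application knows whether it decodes a given field.

```python
import html
import unicodedata
from urllib.parse import unquote

# Constructed encodings of a single apostrophe, one per transformation the
# text describes: plain, URL, double URL, fullwidth Unicode (U+FF07 as UTF-8
# bytes), decimal and hex HTML entities.
VARIANTS = ["'", "%27", "%2527", "%EF%BC%87", "&#39;", "&#x27;"]


def naive_filter(value: str) -> bool:
    """Mimics a rule that only looks for a literal apostrophe on the wire."""
    return "'" in value


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Peel layered encodings, then fold compatibility characters.

    Each round URL-decodes and HTML-unescapes; it stops early when a round
    changes nothing, so a value with no encoding passes through unchanged.
    max_rounds bounds the work so a pathological input cannot loop forever.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    # NFKC maps the fullwidth apostrophe U+FF07 to the ASCII U+0027, so the
    # comparison below sees the same character regardless of presentation.
    return unicodedata.normalize("NFKC", value)


def hardened_filter(value: str) -> bool:
    """Same rule as naive_filter, applied to the canonical form instead."""
    return "'" in canonicalize(value)


def compare() -> dict:
    """Return {variant: (naive verdict, hardened verdict)} for every sample."""
    return {v: (naive_filter(v), hardened_filter(v)) for v in VARIANTS}


if __name__ == "__main__":
    for variant, (naive, hardened) in compare().items():
        print(f"{variant!r:14} naive={naive!s:5} canonical={hardened}")
```

The same idea applies to any signature-style check: normalize to the form the application will actually interpret, then match, rather than matching the raw bytes.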
## Rate limits
By default, Pentestas caps:
- 8 concurrent connections to any single host
- 30 requests/second per host after warmup
- 200 requests/second globally across all modules
Pro+ plans can raise these for scans on their own infrastructure. See Advanced → Max concurrent requests when starting a scan.
## Output
Findings flow into the standard findings list and are exported to reports. Each finding carries:
- Endpoint, method, parameter
- Exact payload used
- Request + response evidence
- CVSS score + vector
- CWE + OWASP category
- Validation steps
- Exploit-DB matches (if applicable)
- AI-generated impact narrative + remediation (Pro+)
## Common questions
Does it find 0-days? Sometimes. Pentestas doesn't ship with CVE-specific signatures; it runs behaviour-based tests. If your app has a novel auth bypass that matches the BFLA model, it gets caught.
Will it break production? By default, destructive verbs (DELETE requests, state-changing mutations) are annotated-but-not-executed: the tool reports "this endpoint looks like it accepts arbitrary user IDs but we didn't delete anything to confirm". Pro+ supports an `--active-verify` mode that confirms with destructive probes against test data only.
Does it support WAFs? Yes. The scanner adapts: detects WAF fingerprints (Cloudflare, Akamai, AWS WAF, Imperva, F5, Sucuri) and switches to a low-noise payload distribution tuned to slip past generic rules.
## See also
- API scan: when the target is primarily an API.
- Authenticated scans: hand over credentials so Pentestas scans the logged-in UX.
- Browser capture: scan-as-you-browse from inside your corp network.