What vulnerabilities does the Cyber Safety website scan detect?

This is the list of vulnerabilities that the Cyber Safety website scan is able to check for. The specific set of checks performed on a given scan depends on the scan level selected for that scan.

Please refer to this page periodically for updates; we are always adding new checks as new vulnerabilities are discovered. Keep in mind that some vulnerabilities are grouped together under a single check.

  • Reflected cross-site scripting

  • Stored cross-site scripting

  • Operating system command injection

  • XML external entity injection

  • ASP.NET debugging enabled

  • Insecure crossdomain.xml policy

  • Insecure Silverlight clientaccesspolicy.xml policy

  • SQL Injection

  • Cross-Origin Resource Sharing: Arbitrary Origin Trusted

  • Unencrypted communications

  • Mixed content

  • Expired TLS certificate

  • TLS certificate about to expire

  • Certificate without revocation information

  • Insecure SSL protocol version 2 supported

  • Insecure SSL protocol version 3 supported

  • Deprecated TLS protocol version 1.0 supported

  • Deprecated TLS protocol version 1.1 supported

  • Secure TLS protocol version 1.2 not supported

  • Weak cipher suites enabled

  • Server Cipher Order not configured

  • Untrusted TLS certificate (invalid CN, SAN, issuer or chain)

  • Heartbleed

  • Potential DoS on TLS Client Renegotiation

  • Secure Renegotiation is not supported

  • TLS Downgrade attack prevention not supported

  • WordPress version with known vulnerabilities

  • WordPress plugin with known vulnerabilities

  • Joomla! version with known vulnerabilities

  • Log file disclosure

  • Backup file disclosure

  • Full path disclosure

  • HSTS header not enforced

  • HSTS header set in HTTP

  • HSTS header with low duration and no subdomain protection

  • HSTS header with low duration

  • HSTS header does not protect subdomains

  • Inclusion of cryptocurrency mining script

  • Browser content sniffing allowed

  • Referrer policy not defined

  • Insecure referrer policy

  • Missing Content Security Policy header (CSP)

  • Insecure Content Security Policy (CSP)

  • HTTP TRACE method enabled

  • JQuery library with known vulnerabilities

  • AngularJS library with known vulnerabilities

  • Bootstrap library with known vulnerabilities

  • JQuery Mobile library with known vulnerabilities

  • JQuery Migrate library with known vulnerabilities

  • Moment.js library with known vulnerabilities

  • Prototype library with known vulnerabilities

  • React library with known vulnerabilities

  • SWFObject library with known vulnerabilities

  • TinyMCE library with known vulnerabilities

  • Backbone library with known vulnerabilities

  • Mustache library with known vulnerabilities

  • Handlebars library with known vulnerabilities

  • Dojo library with known vulnerabilities

  • jPlayer library with known vulnerabilities

  • CKEditor library with known vulnerabilities

  • DWR library with known vulnerabilities

  • Flowplayer library with known vulnerabilities

  • DOMPurify library with known vulnerabilities

  • Plupload library with known vulnerabilities

  • easyXDM library with known vulnerabilities

  • Ember library with known vulnerabilities

  • YUI library with known vulnerabilities

  • Sessvars library with known vulnerabilities

  • jQuery UI library with known vulnerabilities

  • prettyPhoto library with known vulnerabilities

  • Vue.js library with known vulnerabilities

  • Knockout library with known vulnerabilities

  • Next.js library with known vulnerabilities

  • Underscore.js library with known vulnerabilities

  • Chart.js library with known vulnerabilities

  • JSZip library with known vulnerabilities

  • Svelte library with known vulnerabilities

  • Axios library with known vulnerabilities

  • Froala library with known vulnerabilities

  • Highcharts library with known vulnerabilities

  • Cookie without HttpOnly flag

  • SSL cookie without Secure flag

  • Cookie with SameSite attribute set to None

  • Open redirection

  • Directory Listing

  • HTTP response header injection

  • ASP.NET tracing enabled

  • Path traversal

  • Remote File Inclusion

  • Missing cross-site request forgery protection

  • Missing clickjacking protection

  • ASP.NET ViewState without MAC

  • Session Token in URL

  • Application error message

  • Private IP addresses disclosed

  • Server-side template injection

  • Server-side JavaScript injection

  • Insecure PHP Object deserialization

  • PHP code injection (also known as Local File Inclusion)

  • GraphQL Introspection enabled

  • Log4Shell (CVE-2021-42287)

  • Spring Cloud SPEL Code Injection (CVE-2022-22963)

  • Spring4Shell (CVE-2022-22965)

  • Weak JWT HMAC secret

  • Using jwk parameter to verify JWTs

  • JWT signature is not being verified

  • JWT accepting none algorithm

  • JWT algorithm confusion

  • Python code injection

  • MongoDB Injection

  • Insecure browser XSS protection enabled

  • Hidden file found

  • Server-side request forgery

  • Drupal version with known vulnerabilities

  • XPath Injection

This deprecated check is no longer part of our scan:

  • Browser XSS protection disabled
