CYBERDOC DOCS

Scan Modules

CyberDoc uses two categories of scan modules: browser-side checks that run entirely in the user's browser, and server-side tools that execute on the backend scanner against a target domain.

Severity Levels

All findings are rated on a five-level severity scale:

Severity | Score | Meaning
INFO | 0 | Informational — no action needed, configuration is secure
LOW | 1 | Minor concern — best-practice improvement recommended
MEDIUM | 2 | Moderate risk — should be addressed within 30 days
HIGH | 3 | Significant risk — address within 7 days
CRITICAL | 4 | Immediate action required — actively exploitable or fully exposed

The overall risk score is the sum of all finding severity scores divided by the maximum possible score (number of checks × 4), so it ranges from 0 (every check INFO) to 1 (every check CRITICAL).

Browser-Side Checks (8)

These checks run in the user's browser after explicit consent. They do not probe external systems — only the user's own browser environment.

1. Browser Fingerprint Analysis

Property | Detail
ID | fingerprint
Category | Exposure
What it checks | Canvas fingerprint uniqueness, screen resolution, GPU renderer, installed fonts, plugin list, timezone, language, and other browser attributes that create a trackable fingerprint.
Why it matters | A unique fingerprint allows websites to track you across sessions without cookies. The more unique your fingerprint, the easier you are to identify.

Example findings by severity:

  • INFO — Browser fingerprint is partially masked
  • LOW — Canvas fingerprint is unique but common attributes hidden
  • MEDIUM — Browser is uniquely identifiable across 94% of tested configurations
  • HIGH — Full fingerprint exposed — screen, GPU, fonts, plugins all visible
  • CRITICAL — Zero fingerprint protection — you are fully trackable across sites

2. WebRTC Leak Detection

Property | Detail
ID | webrtc
Category | Network
What it checks | Whether WebRTC (used for video calls, file sharing) is leaking your local or public IP address, even when using a VPN.
Why it matters | WebRTC can bypass VPN tunnels and expose your real IP address to any website that requests it, defeating the purpose of VPN protection.

Example findings by severity:

  • INFO — WebRTC disabled — no leak possible
  • LOW — WebRTC active but IP properly masked by VPN
  • MEDIUM — Local IP address leaking via WebRTC
  • HIGH — Public IP exposed through WebRTC despite VPN being active
  • CRITICAL — Both local and public IPs fully exposed through WebRTC

3. HTTP Header Analysis

Property | Detail
ID | headers
Category | Exposure
What it checks | Presence and configuration of security headers: Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security (HSTS), Referrer-Policy, and Permissions-Policy.
Why it matters | Missing security headers leave the browser vulnerable to clickjacking, XSS, MIME sniffing, and other injection attacks.

Example findings by severity:

  • INFO — Security headers properly configured
  • LOW — Minor header optimizations recommended
  • MEDIUM — X-Frame-Options and CSP headers missing
  • HIGH — Multiple critical security headers absent
  • CRITICAL — No security headers detected — fully exposed to injection attacks

4. Cookie & Storage Audit

Property | Detail
ID | cookies
Category | Privacy
What it checks | Number of cookies (first-party vs third-party), tracking pixels, localStorage usage, sessionStorage, and IndexedDB entries. Identifies known tracker domains.
Why it matters | Excessive third-party cookies and tracking storage indicate surveillance by ad networks and data brokers building a profile of your browsing habits.

Example findings by severity:

  • INFO — Minimal cookies, all first-party
  • LOW — Some third-party cookies detected
  • MEDIUM — 12 tracking cookies from 8 domains detected
  • HIGH — Persistent supercookies and tracking pixels identified
  • CRITICAL — 28 trackers active — complete browsing profile being built

5. TLS/SSL Configuration Check

Property | Detail
ID | tls
Category | Encryption
What it checks | TLS protocol version in use, cipher suite strength, certificate validity, and whether deprecated protocols (TLS 1.0/1.1, SSLv3) are accepted.
Why it matters | Weak TLS configuration can allow man-in-the-middle attacks, protocol downgrade attacks, and interception of encrypted traffic.

Example findings by severity:

  • INFO — TLS 1.3 with strong cipher suite
  • LOW — TLS 1.2 — functional but upgrade recommended
  • MEDIUM — Weak cipher suites accepted alongside strong ones
  • HIGH — TLS 1.0/1.1 still accepted — vulnerable to downgrade attacks
  • CRITICAL — SSL/TLS misconfigured — connection can be intercepted

6. DNS Leak Test

Property | Detail
ID | dns
Category | Network
What it checks | Whether DNS queries are routed through the VPN tunnel or leaking to the ISP's DNS resolver. Checks for DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) usage.
Why it matters | DNS leaks expose every website you visit to your ISP, even when using a VPN. This defeats a primary privacy benefit of VPN usage.

Example findings by severity:

  • INFO — DNS queries encrypted via DoH
  • LOW — DNS properly routed through VPN tunnel
  • MEDIUM — Some DNS queries leaking outside VPN tunnel
  • HIGH — Primary DNS queries exposed to ISP
  • CRITICAL — Full DNS leak — all browsing activity visible to ISP

7. Common Port Exposure Scan

Property | Detail
ID | ports
Category | Network
What it checks | Probes common service ports (22/SSH, 80/HTTP, 443/HTTPS, 445/SMB, 3306/MySQL, 3389/RDP, 5432/PostgreSQL, 8080/alt-HTTP) to determine which are accessible from the browser's network context.
Why it matters | Open ports on your network indicate running services that may be vulnerable. SSH and RDP exposed to the internet are common attack vectors.

Example findings by severity:

  • INFO — No unexpected open ports detected
  • LOW — Standard ports only (80, 443) — expected
  • MEDIUM — Port 8080 open — possible dev server exposed
  • HIGH — Ports 22, 3389 open — SSH and RDP accessible
  • CRITICAL — Multiple high-risk ports open including 445 (SMB), 3306 (MySQL)

8. Data Breach Exposure Check

Property | Detail
ID | breach
Category | Credentials
What it checks | Checks the user's email against known data breach databases. Reports the number of breaches found, whether passwords were exposed in plaintext, and if credentials are circulating on dark web markets.
Why it matters | Breached credentials are the #1 source of account takeover attacks. If your password was exposed in a breach and you reuse it, all accounts with that password are compromised.

Example findings by severity:

  • INFO — No breached credentials found
  • LOW — 1 old breach found — already remediated
  • MEDIUM — 3 breaches found — password changes recommended
  • HIGH — Email found in 7 breaches — several with plaintext passwords
  • CRITICAL — 12+ breaches detected — credentials actively circulating on dark web

Scan Lab Tools (17)

These tools run on the backend scanner and require a target domain. They are triggered via the /api/deepscan endpoint and execute as a chain. Each tool's output can inform subsequent tools (e.g., discovered subdomains feed into further scans).

Authorization required. Lab scans should only be run against domains you own or have explicit written authorization to test. Unauthorized scanning may violate computer misuse laws.

1. Nmap (Port & Service Scanner)

Property | Detail
Tool | nmap
What it does | TCP SYN scan of top 1000 ports. Service version detection (-sV). OS fingerprinting (-O). Script scanning for known vulnerabilities (--script vuln).
Example finding | HIGH: Port 22 (OpenSSH 7.4) open — outdated version with known CVEs

2. Nuclei (Vulnerability Scanner)

Property | Detail
Tool | nuclei
What it does | Template-based vulnerability scanning. Checks for CVEs, misconfigurations, exposed panels, default credentials, and technology-specific vulnerabilities. Uses the nuclei-templates community library.
Example finding | CRITICAL: CVE-2024-1234 — Remote code execution in WordPress plugin Contact Form 7 v5.8.3

3. Nikto (Web Server Scanner)

Property | Detail
Tool | nikto
What it does | Web server misconfiguration scanner. Checks for dangerous files, outdated server software, directory listing, server header leaks, and known vulnerable CGI scripts.
Example finding | MEDIUM: Directory listing enabled on /backup/ — may expose sensitive files

4. testssl.sh (TLS/SSL Analyser)

Property | Detail
Tool | testssl
What it does | Comprehensive TLS/SSL testing. Checks protocol versions, cipher suites, certificate chain, HSTS, OCSP stapling, key exchange strength, and known vulnerabilities (BEAST, CRIME, POODLE, Heartbleed, ROBOT).
Example finding | HIGH: TLS 1.0 enabled — vulnerable to BEAST and POODLE attacks

5. httpx (HTTP Probe)

Property | Detail
Tool | httpx
What it does | HTTP/HTTPS probing. Captures status codes, response headers, content length, page title, tech stack detection (via Wappalyzer signatures), redirect chains, and response times.
Example finding | LOW: Server header reveals Apache/2.4.41 — consider removing version disclosure

6. ffuf (Web Fuzzer)

Property | Detail
Tool | ffuf
What it does | Fast web fuzzer for directory and file discovery. Uses curated wordlists to find hidden endpoints, backup files, configuration files, and admin panels.
Example finding | HIGH: /wp-admin/ accessible without IP restriction — admin panel exposed

7. DNS Enumeration

Property | Detail
Tool | dig
What it does | Full DNS record enumeration: A, AAAA, MX, TXT, NS, SOA, CNAME, CAA, DMARC, SPF. Checks for DNSSEC, zone transfer vulnerability, and DNS configuration issues.
Example finding | MEDIUM: No DMARC record — domain is vulnerable to email spoofing

8. Subdomain Discovery

Property | Detail
Tool | subfinder
What it does | Passive subdomain enumeration using certificate transparency logs, DNS datasets, search engines, and public API sources. Identifies all known subdomains of the target.
Example finding | MEDIUM: 47 subdomains discovered — staging.example.com resolves to unprotected server

9. WHOIS Lookup

Property | Detail
Tool | whois
What it does | Domain registration information. Checks registrar, creation/expiry dates, nameservers, registrant privacy (WHOIS guard), and domain age.
Example finding | LOW: Domain expires in 30 days — renewal recommended to prevent hijacking

10. Origin IP Bypass Detection

Property | Detail
Tool | origin-bypass
What it does | Attempts to discover the origin server IP behind CDN/WAF providers (Cloudflare, Akamai, AWS CloudFront). Checks DNS history, certificate transparency, common subdomains (mail, ftp, direct), and IP range scanning.
Example finding | CRITICAL: Origin IP 203.0.113.42 discovered via mail subdomain — CDN/WAF can be bypassed

11. Security Headers Check (Server-Side)

Property | Detail
Tool | headers-check
What it does | Server-side verification of all security-related HTTP response headers. Validates CSP directives, HSTS max-age and preload, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin headers (CORP, COEP, COOP).
Example finding | MEDIUM: CSP allows unsafe-inline — XSS protection significantly weakened
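The kind of grading the header checks above (browser-side and server-side) perform, combined with the risk-score formula from the Severity Levels section, as an added Python example that is not CyberDoc's own code. The severity assigned to each header state and the one-year HSTS max-age threshold are this example's assumptions.

```python
from typing import Dict, List, Tuple

# Score per severity level, taken from the Severity Levels table.
SEVERITY = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
ONE_YEAR = 31536000  # assumed minimum HSTS max-age in seconds (preload-list practice)

def _csp_directives(csp: str) -> Dict[str, str]:
    # "default-src 'self'; script-src ..." -> {"default-src": "'self'", "script-src": "..."}
    out: Dict[str, str] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = " ".join(tokens[1:]).lower()
    return out

def assess_headers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, severity, message) per check; severities are this example's assumptions."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[Tuple[str, str, str]] = []
    csp = h.get("content-security-policy")
    csp_dirs = _csp_directives(csp) if csp is not None else {}
    if csp is None:
        findings.append(("Content-Security-Policy", "HIGH", "CSP header missing"))
    else:
        script_src = csp_dirs.get("script-src", csp_dirs.get("default-src", ""))
        if "'unsafe-inline'" in script_src or "*" in script_src.split():
            findings.append(("Content-Security-Policy", "MEDIUM", "CSP allows unsafe-inline or wildcard scripts"))
        else:
            findings.append(("Content-Security-Policy", "INFO", "CSP restricts script sources"))
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "MEDIUM", "HSTS missing"))
    else:
        parts = [p.strip().lower() for p in hsts.split(";")]
        ages = [int(p[8:]) for p in parts if p.startswith("max-age=") and p[8:].isdigit()]
        if not ages or ages[0] < ONE_YEAR or "includesubdomains" not in parts:
            findings.append(("Strict-Transport-Security", "LOW", "max-age under one year or no includeSubDomains"))
        else:
            findings.append(("Strict-Transport-Security", "INFO", "HSTS fully configured"))
    # CSP frame-ancestors supersedes X-Frame-Options, so either one counts as framing protection.
    framed = "x-frame-options" in h or "frame-ancestors" in csp_dirs
    findings.append(("X-Frame-Options", "INFO" if framed else "MEDIUM",
                     "framing restricted" if framed else "no clickjacking protection"))
    for name in ("x-content-type-options", "referrer-policy", "permissions-policy"):
        present = name in h
        findings.append((name, "INFO" if present else "LOW", "present" if present else "missing"))
    return findings

def risk_score(findings: List[Tuple[str, str, str]]) -> float:
    """Sum of severity scores over the maximum possible (checks x 4), as defined above."""
    return sum(SEVERITY[sev] for _, sev, _ in findings) / (len(findings) * 4)

# Constructed sample response headers: CSP with unsafe-inline and a five-minute HSTS lifetime.
WEAK = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for header, sev, msg in assess_headers(WEAK):
        print(f"{sev:8} {header}: {msg}")
    print("risk score:", round(risk_score(assess_headers(WEAK)), 3))
```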

12. Technology Fingerprinting

Property | Detail
Tool | tech-detect
What it does | Identifies the technology stack: CMS (WordPress, Drupal, Joomla), frameworks (React, Angular, Vue), server software (Apache, Nginx, IIS), CDN provider, analytics tools, and third-party scripts.
Example finding | LOW: WordPress 6.4.2 detected — current version, no known critical CVEs

13. WAF Analysis & Bypass

Property | Detail
Tool | waf
What it does | Detects 14 WAF vendors (Cloudflare, Akamai, AWS WAF, Imperva, Sucuri, F5, Barracuda, etc.) and tests 10 bypass techniques including XSS payloads, SQL injection variants, path traversal sequences, and encoding tricks (double-encode, Unicode, null-byte). Runs nuclei WAF-specific templates and tests 8 IP override headers (X-Forwarded-For, X-Real-IP, X-Originating-IP, X-Client-IP, CF-Connecting-IP, True-Client-IP, X-Custom-IP-Authorization, Forwarded).
Example finding | CRITICAL: WAF bypass via double-encoded path traversal — origin server accessible without WAF filtering

Checks performed:

  • WAF vendor fingerprinting (14 vendors via response headers, error pages, and cookie signatures)
  • XSS bypass payloads (script tag variations, event handlers, SVG injection)
  • SQL injection bypass (UNION variants, comment injection, encoding tricks)
  • Path traversal sequences (../, double-encoded, Unicode normalization)
  • Header spoofing with 8 IP override headers to test WAF IP-based rules
  • Nuclei WAF-specific templates for known bypass CVEs

14. Web App Vulnerabilities

Property | Detail
Tool | webapp
What it does | Performs 14 OWASP-aligned web application vulnerability checks targeting the most common and dangerous web security flaws. Tests for injection, authentication, and session management weaknesses.
Example finding | CRITICAL: JWT accepts "none" algorithm — authentication can be bypassed entirely

Checks performed (14 OWASP checks):

# | Check | What it tests
1 | Header Injection | CRLF injection in HTTP headers via user-controlled input
2 | Open Redirect | Unvalidated redirects that can be abused for phishing
3 | Session in URL | Session tokens exposed in URL query parameters
4 | Unsafe CSP | Content-Security-Policy misconfigurations that weaken XSS protection
5 | CSRF | Missing or weak cross-site request forgery protections on state-changing endpoints
6 | SQL Injection | Classic SQL injection via error-based and blind detection
7 | NoSQL Injection | MongoDB/NoSQL operator injection ($gt, $ne, $regex)
8 | SSTI | Server-side template injection in Jinja2, Twig, Freemarker, and other engines
9 | JWT Flaws (none alg) | JWT tokens accepting the "none" algorithm, allowing forged tokens
10 | JWT Flaws (weak key) | JWT signed with weak or default secret keys
11 | HTTP/2 Smuggling | Request smuggling via HTTP/2 downgrade and header manipulation
12 | Deserialization | Unsafe deserialization in Java (ObjectInputStream), PHP (unserialize), and Python (pickle)
13 | Password in URL | Credentials transmitted in URL query strings
14 | Session Fixation / IDOR | Session fixation attacks and insecure direct object references
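What checks 9 and 10 look for on the server side, shown as the defect beside its fix: a verifier that lets the token's own header pick the algorithm, next to one that pins HS256 and enforces a 256-bit minimum key (RFC 7518 section 3.2). This is an added Python example, not CyberDoc's code; the secret and the unsigned fixture token are constructed for the demo.

```python
import base64, hmac, hashlib, json
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token the way a correct HS256 issuer would (fixture helper for the demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """VULNERABLE: the token's header decides how it is verified (check 9 fires on this)."""
    header, body, sig = token.split(".")
    alg = json.loads(_unb64url(header))["alg"]
    if alg == "none":            # an unsigned token is accepted as-is
        return json.loads(_unb64url(body))
    if alg == "HS256":
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _unb64url(sig)):
            return json.loads(_unb64url(body))
    return None

def verify_hardened(token: str, key: bytes) -> Optional[dict]:
    """HARDENED: algorithm is fixed by the verifier, and the key must be HS256-sized."""
    if len(key) < 32:            # RFC 7518 s3.2: HS256 keys must be at least 256 bits (check 10)
        raise ValueError("HS256 secret is shorter than 256 bits")
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(_unb64url(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":   # allow-list, not deny-list
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        return json.loads(_unb64url(body))
    except ValueError:           # malformed base64url / JSON / segment count
        return None

# Constructed fixtures: a demo secret and an unsigned token that claims alg "none".
KEY = b"example-secret-for-this-demo-only"
UNSIGNED_ADMIN = _b64url(b'{"alg":"none","typ":"JWT"}') + "." + _b64url(b'{"sub":"admin"}') + "."
```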

15. OWASP Extended

Property | Detail
Tool | owasp
What it does | Extended OWASP checks that complement the core web app vulnerability scanner. Focuses on cross-origin, server-side request forgery, subdomain takeover, rate limiting, and HTTP method security.
Example finding | HIGH: CORS misconfigured — Access-Control-Allow-Origin reflects arbitrary origin with credentials

Checks performed:

# | Check | What it tests
1 | CORS Misconfiguration | Overly permissive Access-Control-Allow-Origin, reflected origins, wildcard with credentials
2 | SSRF Probes | Server-side request forgery targeting AWS metadata (169.254.169.254), internal services, and cloud provider endpoints
3 | Subdomain Takeover | Dangling DNS records pointing to deprovisioned services (12 service signatures: GitHub Pages, Heroku, S3, Azure, Shopify, Fastly, Pantheon, Tumblr, WordPress.com, Ghost, Surge.sh, Fly.io)
4 | Rate Limiting | Tests login and authentication endpoints for missing rate limits (brute-force protection)
5 | HTTP Method Tampering | Tests for dangerous HTTP methods enabled on the server (PUT, DELETE, TRACE, CONNECT)

16. API Security

Property | Detail
Tool | api
What it does | Tests for the OWASP API Security Top 10. Discovers API endpoints, checks authentication and authorization, and probes for data exposure and configuration issues.
Example finding | CRITICAL: Swagger UI exposed at /swagger-ui.html — full API schema publicly accessible with internal endpoints

Checks performed (OWASP API Top 10):

# | Check | What it tests
1 | API Discovery | Probes 20+ common API paths (/api/v1, /graphql, /rest, /swagger.json, /openapi.yaml, etc.)
2 | Broken Authentication | API endpoints accessible without authentication tokens
3 | Excessive Data Exposure | API responses returning more data than necessary (internal IDs, debug info, stack traces)
4 | Admin Endpoints | Administrative API routes accessible without proper authorization (/admin, /internal, /debug)
5 | Old API Versions | Deprecated API versions still accessible (/api/v1 when /api/v3 is current)
6 | GraphQL Introspection | GraphQL introspection enabled in production, exposing the full schema
7 | Swagger/OpenAPI Exposed | API documentation endpoints publicly accessible (swagger.json, openapi.yaml, redoc)
8 | Verbose Errors | API returning detailed error messages with stack traces, database queries, or internal paths

OWASP API Security Top 10. The API security scanner covers the OWASP API Security Top 10 (2023 edition), which addresses the most critical API-specific risks. This complements the traditional OWASP Top 10 Web Application checks covered by the webapp and owasp tools.

17. AI/LLM Security

Property | Detail
Tool | ai
What it does | Tests for the OWASP LLM Top 10. Detects AI platform usage across 22 platforms, discovers AI-related endpoints, and probes for prompt injection, data leakage, and configuration exposure.
Example finding | CRITICAL: Prompt injection successful — AI assistant returned system prompt contents including API keys

Checks performed (OWASP LLM Top 10):

# | Check | What it tests
1 | AI Platform Detection | Identifies usage of 22 AI platforms (OpenAI, Anthropic, Google AI, Cohere, Hugging Face, Replicate, etc.) via headers, scripts, and API calls
2 | Endpoint Discovery | Finds AI-related endpoints (/chat, /completions, /predict, /inference, /ai, /llm, /assistant)
3 | Prompt Injection | Tests 5 jailbreak payloads: instruction override, role-play escape, system prompt extraction, delimiter confusion, and multi-turn manipulation
4 | XSS via AI | Tests whether AI-generated output is rendered without sanitization, allowing stored XSS through crafted prompts
5 | Model DoS | Tests for missing input length limits that could cause resource exhaustion on the AI backend
6 | Information Disclosure | Probes AI endpoints for leaking training data, system prompts, or internal configuration
7 | Tool/Plugin Disclosure | Tests whether AI assistants reveal available tools, plugins, or function-calling capabilities
8 | Config Exposure | Checks for exposed AI configuration files (.env with API keys, model config, prompt templates)

OWASP LLM Top 10. The AI/LLM scanner covers the OWASP Top 10 for Large Language Model Applications (2025 edition). As AI adoption grows, these checks help identify risks specific to applications that integrate LLMs, chatbots, and AI assistants.

Scan Chain

When a Lab scan is initiated, the tools execute in a specific order where earlier results feed into later tools:

1. DNS Enumeration (dig)
   |
   +--> 2. Subdomain Discovery (subfinder)
   |       |
   |       +--> 3. httpx probe on all discovered hosts
   |
   +--> 4. WHOIS lookup
   |
   +--> 5. Origin IP Bypass detection
          |
          +--> 6. Nmap scan (target + any discovered origin IPs)
          |
          +--> 7. testssl.sh (TLS analysis)
          |
          +--> 8. Nikto (web server scan)
          |
          +--> 9. Nuclei (vulnerability scan)
          |
          +--> 10. ffuf (directory fuzzing)
          |
          +--> 11. Security Headers check
          |
          +--> 12. Technology Fingerprinting
          |
          +--> 13. WAF Analysis & Bypass
          |
          +--> 14. Web App Vulnerabilities (OWASP checks)
          |
          +--> 15. OWASP Extended (CORS, SSRF, takeover)
          |
          +--> 16. API Security (OWASP API Top 10)
          |
          +--> 17. AI/LLM Security (OWASP LLM Top 10)

If the origin bypass tool discovers the real server IP behind a CDN, subsequent scans (nmap, nikto, nuclei) are re-run against the origin IP to test the unprotected server directly.
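The dependency and fan-out rules of the chain above (subdomains feeding httpx, the origin IP feeding nmap, nikto and nuclei), written as a small planner. This is an added Python example, not CyberDoc's orchestrator; the result shapes it assumes (subfinder returns a list of hostnames, origin-bypass returns an IP string or None) and the tool names are taken from the tables above, and the completed-results dict in the main block is constructed for the demo.

```python
from typing import Dict, List, Tuple

# Chain order and fan-in edges as drawn in the Scan Chain diagram.
ORDER = ["dig", "subfinder", "httpx", "whois", "origin-bypass", "nmap", "testssl", "nikto",
         "nuclei", "ffuf", "headers-check", "tech-detect", "waf", "webapp", "owasp", "api", "ai"]
DEPENDS: Dict[str, List[str]] = {"subfinder": ["dig"], "httpx": ["subfinder"],
                                 "whois": ["dig"], "origin-bypass": ["dig"]}
for _tool in ORDER[5:]:                # everything from nmap onward waits for origin-bypass
    DEPENDS[_tool] = ["origin-bypass"]
# Tools that are also run against the origin IP once the CDN/WAF has been bypassed.
ORIGIN_RERUN = {"nmap", "nikto", "nuclei"}

def ready(done: Dict[str, object]) -> List[str]:
    """Tools not yet run whose inputs are all complete, in chain order."""
    return [t for t in ORDER if t not in done and all(d in done for d in DEPENDS.get(t, []))]

def targets_for(tool: str, domain: str, done: Dict[str, object]) -> List[str]:
    """Expand one tool's target list from earlier results (assumed result shapes)."""
    if tool == "httpx":                                   # probe every discovered host
        return [domain] + list(done.get("subfinder", []))
    origin = done.get("origin-bypass")
    if tool in ORIGIN_RERUN and origin:                   # test the unprotected origin directly
        return [domain, str(origin)]
    return [domain]

def plan(domain: str, done: Dict[str, object]) -> List[Tuple[str, str]]:
    """Remaining (tool, target) invocations, in the order the chain would issue them."""
    simulated = dict(done)
    runs: List[Tuple[str, str]] = []
    while ready(simulated):
        tool = ready(simulated)[0]
        runs.extend((tool, target) for target in targets_for(tool, domain, simulated))
        simulated[tool] = True                            # mark complete for dependency purposes
    return runs

if __name__ == "__main__":
    # Constructed results for the first three stages of a scan of example.com.
    DONE = {"dig": {"A": ["198.51.100.10"]},
            "subfinder": ["staging.example.com", "www.example.com"],
            "origin-bypass": "203.0.113.42"}
    for tool, target in plan("example.com", DONE):
        print(f"{tool:14} -> {target}")
```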