Vulnerability Scanner | COUNT |
IBM AppScan | 30 |
Acunetix WVS | 29 |
WebInspect | 29 |
Tinfoil Security | 24 |
Burp Suite Professional | 23 |
AppSpider | 19 |
Netsparker Cloud | 18 |
Netsparker | 18 |
QualysGuard WAS | 16 |
Syhunt Dynamic | 16 |
JSky (Commercial Edition) | 13 |
N-Stalker | 10 |
Ammonite | 9 |
ParosPro | 8 |
WebCruiser Enterprise Edition | 4 |
Alias: | SQLi | BSQLi | SSJSi | RXSS | PXSS | DXSS | JSONh | LFI | RFI | CMDExec | UPLOAD | REDIRECT | CRLFi | LDAPi | XPATHi | MXi | SSI | FORMATi | CODEi | XMLi | ELi | BUFFERo | INTEGERo | CODEDisc | BACKUPf | PADDING | AUTHb | PRIVe | XXE | SESSION | FIXATION | CSRF | ADoS |
Scanners: | 15 | 15 | 5 | 15 | 10 | 9 | 5 | 14 | 12 | 13 | 8 | 12 | 13 | 7 | 8 | 3 | 6 | 4 | 7 | 5 | 4 | 7 | 1 | 11 | 13 | 4 | 4 | 7 | 4 | 7 | 7 | 9 | 5 |
Alias | Audit Feature | Description | References |
SQLi | Error Based SQL Injection | Syntax injection attack that can affect the structure of database queries | 1, 2, 3, 4, 5 |
BSQLi | Blind/Time-Based SQL Injection | Syntax injection attack that can affect the structure of database queries | 1, 2 |
SSJSi | Server-Side JavaScript (SSJS/NoSQL) Injection | Syntax injection attack that can affect the structure of server-side JavaScript in AJAX servers/NoSQL DBs | 1, 2, 3, 4, 5 |
RXSS | Reflected Cross Site Scripting | Browser-output targeted attack that can execute HTML, JS and VBS code on other browsers | 1, 2, 3, 4, 5 |
PXSS | Persistent Cross Site Scripting | Browser-output targeted attack that can execute HTML, JS and VBS code on other browsers | 1, 2, 3 |
DXSS | DOM Based Cross Site Scripting | Browser-output targeted attack that can execute HTML, JS and VBS code on other browsers | 1, 2, 3 |
JSONh | JSON Hijacking | JSON Hijacking (JavaScript Hijacking) is an attack in which a 3rd party website abuses the behaviour of script tags and JSON to gain private data | 1, 2, 3, 4 |
LFI | Path Traversal & Local File Inclusion | Attacks that can affect the application file & directory access/inclusion | 1, 2, 3, 4, 5, 6, 7 |
RFI | Remote File Inclusion | Attacks that can include (and potentially execute) remote code in the application | 1, 2 |
CMDExec | Command Injection | Syntax injection attack that can execute system commands in the target host | 1, 2, 3, 4, 5, 6 |
UPLOAD | Unrestricted File Upload | A vulnerability that can enable attackers to upload malicious files to the server | 1, 2 |
REDIRECT | Open Redirect | Browser-output targeted attack that can mislead users and redirect them to spoofed content | 1, 2, 3, 4 |
CRLFi | HTTP Header Injection & HTTP Response Splitting | Browser-output targeted attack that affects the browser through header/response injection | 1, 2, 3, 4 |
LDAPi | LDAP Injection | Syntax injection attack that can affect the structure of LDAP queries | 1, 2, 3, 4 |
XPATHi | XPath/XQuery Injection | Syntax injection attack that can affect the structure of XPath queries | 1, 2, 3, 4, 5, 6, 7 |
MXi | SMTP/IMAP/Email Injection | Syntax injection attack that can spoof semi-legitimate emails and execute mail commands | 1, 2, 3, 4 |
SSI | Server-Side Includes Injection | Syntax injection attack that can execute scripts on the web server | 1, 2, 3, 4, 5 |
FORMATi | Format String Attack | An attack that can abuse formatting functions to crash programs or execute harmful code | 1, 2, 3, 4, 5 |
CODEi | Code Injection | Syntax injection attack that can execute technology-specific code on the server | 1, 2, 3, 4, 5 |
XMLi | XML Injection | An injection attack that can manipulate the logic of XML-dependent services | 1, 2 |
ELi | EL Injection | Expression Language Injection is an injection attack that can execute limited rogue code in platforms that are using "double evaluation". | 1, 2 |
BUFFERo | Buffer Overflow | A memory corruption attack that can crash services and execute malicious code | 1, 2, 3, 4, 5, 6, 7, 8, 9 |
INTEGERo | Integer Overflow | A memory corruption attack that can wrap around numeric values, and indirectly affect resources | 1, 2, 3, 4, 5 |
CODEDisc | Source Code Disclosure | A collection of vulnerabilities that can be used to disclose the server source code | 1 |
BACKUPf | Backup Files | A dictionary attack that attempts to locate unrestricted access to obsolete & sensitive files | 1 |
PADDING | Padding Oracle | A cryptography attack on the CBC mode of operation that can decrypt messages without the encryption key | 1, 2 |
AUTHb | Forceful Browsing / Authentication Bypass | An attack that can bypass the authentication enforcement using direct resource access | 1, 2, 3, 4, 5 |
PRIVe | Privilege Escalation | An attack that can enable access to restricted/private content (via parameter tampering / direct access) | 1, 2, 3, 4, 5, 6, 7 |
XXE | XML External Entity | An attack that abuses the dynamic XML processing features of web services by introducing XML structures with links to content outside the sphere of control. | 1, 2, 3, 4 |
SESSION | Weak Session Identifier | A vulnerability that can be exploited to impersonate application users | 1, 2, 3, 4, 5, 6 |
FIXATION | Session Fixation | A vulnerability that can fixate (set) another person's session identifier in order to elevate further attacks | 1, 2, 3, 4, 5, 6 |
CSRF | Cross Site Request Forgery | A vulnerability that can enable malicious 3rd parties to perform operations on behalf of users | 1, 2, 3, 4, 5, 6 |
ADoS | Application Denial of Service | An attack that can deny services from legitimate users via application-level issues | 1, 2, 3, 4, 5, 6, 7 |