Website Scanner
Discover vulnerabilities in web applications, including SQL Injection and XSS.
Access Website Scanner via the Navigation Menu
Users can scan using VAPT Tools via the "VAPT Tools" navigation menu. Clicking the "VAPT Tools" menu displays the available tools; then click the Website Scanner tool.


To scan using the Website Scanner, users can follow the steps below.
- Enter the task name in the Task Name textbox
- Input the target value in the form of domain/URL/IPs
- Input the path in the Path textbox (optional)
- Select one of the scan options, namely Full Scan or Basic Scan
- Click Authentication to enable authentication (optional)
- Click Scheduled to enable Schedule Scan (optional)
- Click Multiple Scans to enable multiple scans (optional)
- Check the box to agree to the Terms of Service
- Click the Apply button to start the scan
Access Website Scanner Via Targets Page
The selected target will be scanned with the available tools. Select the Website Scanner tool.


To scan using the Website Scanner, users can follow the steps below.
- Enter the task name in the Task Name textbox
- Input the path in the Path textbox (optional)
- Click Enabled to enable Multiple Scan (optional)
- Select one of the scan options, namely Full Scan or Basic Scan
- Click Enabled to enable Authentication (optional)
- Click Enabled to activate Schedule Scan (optional)
- Check the box to agree to the Terms of Service
- Click the Start Scan button to start the scan, and click Cancel if you want to cancel
Authenticated Scan
Authenticated Scan is a feature that facilitates security scanning of applications requiring authentication by leveraging cookies and forms. It is compatible with both monolith and microservice architectures, ensuring comprehensive coverage of protected application areas.
Running an Authenticated Scan with Website Scanner
Users can follow the steps below.
- After enabling the authentication feature, select the desired authentication method.
- If using the Cookie-Based authentication method:
  - Enter the URL After Login, the page that appears after a successful login (e.g., https://vulnlib.vulnapp.id).
  - Enter the Logout Form URL, the URL used to log out of the application (e.g., https://vulnlib.vulnapp.id/logout).
  - Enter the Login Success Indicator, a text or pattern that appears only after a successful login (e.g., "Logout").
  - Enter the Cookies, copied from the session cookies of a logged-in user session (e.g., sessionid=abcd1234efgh5678ijkl91011).
  - Check the box "I am authorized to scan this target and I agree to the Terms of Service."
  - Click APPLY to start the authenticated scan.
- If using the Form-Based authentication method:
  - Enter the Login Page URL, the URL of the login form page (e.g., https://vulnlib.vulnapp.id/login).
  - Enter the URL After Login, the page that appears after a successful login (e.g., https://vulnlib.vulnapp.id).
  - Enter the Login Payload, the login credentials in application/x-www-form-urlencoded format.
    Note: Helium does not store any data/credentials on this feature; requests are handled in real time.
  - Enter the Logout Form URL, the URL used to log out from the application (e.g., https://vulnlib.vulnapp.id/logout).
  - Enter the Login Success Indicator, a text or pattern that indicates a successful login (e.g., Logout).
  - Check the box "I am authorized to scan this target and I agree to the Terms of Service."
  - Click APPLY to start the authenticated scan.
If the authentication feature is enabled, the Scan option will switch to Full Scan, and the Schedule Scan will be disabled.
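
The Login Payload, Cookies and Login Success Indicator values described above can be checked locally before they are entered. The following is an added example, not Helium's code: it encodes a payload as application/x-www-form-urlencoded, parses a Cookies string, and tests whether an indicator separates logged-in from logged-out pages. The field names `username` and `password`, the credentials, the page bodies and the case-sensitive substring match are assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode


def build_login_payload(fields):
    """Encode form fields as application/x-www-form-urlencoded."""
    return urlencode(fields)


def payload_round_trips(payload, fields):
    """True if a server decoding the payload recovers exactly these fields."""
    return dict(parse_qsl(payload, keep_blank_values=True)) == fields


def parse_cookies_field(cookie_string):
    """Split a 'name=value; name2=value2' Cookies string into a dict."""
    jar = SimpleCookie()
    jar.load(cookie_string)
    return {name: morsel.value for name, morsel in jar.items()}


def indicator_is_reliable(indicator, logged_in_body, logged_out_body):
    """True only if the indicator shows after login and never before it.

    Assumes a case-sensitive substring match, which may differ from the scanner.
    """
    return indicator in logged_in_body and indicator not in logged_out_body


# Constructed sample data: field names, credentials and page bodies are assumptions.
FIELDS = {"username": "scan-user@example.test", "password": "p&ss=w0rd +1"}
NAIVE_PAYLOAD = "&".join(f"{k}={v}" for k, v in FIELDS.items())  # no encoding
LOGGED_OUT = "<html><a href='/login'>Login</a><p>Welcome</p></html>"
LOGGED_IN = "<html><a href='/logout'>Logout</a><p>Welcome</p></html>"

if __name__ == "__main__":
    payload = build_login_payload(FIELDS)
    print("payload:", payload)
    print("encoded payload round-trips:", payload_round_trips(payload, FIELDS))
    print("naive payload round-trips:", payload_round_trips(NAIVE_PAYLOAD, FIELDS))
    print("cookies:", parse_cookies_field("sessionid=abcd1234efgh5678ijkl91011"))
    for candidate in ("Logout", "Welcome"):
        ok = indicator_is_reliable(candidate, LOGGED_IN, LOGGED_OUT)
        print(f"indicator {candidate!r} reliable:", ok)
```

A password containing `&`, `=`, `+` or a space is split or altered when the payload is joined without encoding, so the login fails and the scan covers only unauthenticated pages. An indicator that also appears before login, such as "Welcome" in the sample pages, cannot tell the scanner whether the session is still valid.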