Scanner Reference
Features
Scanner Reference
BoringSec publishes 20 base URL modules plus 3 verified-owner background engines. The 20 applicable base modules produce the base report; Nuclei, ZAP, and Medusa are separate background engines with a stricter authorization boundary. Findings use five severities — CRITICAL, HIGH, MEDIUM, LOW, INFO — and evidence-gated critical or high findings are downgraded when the required proof is missing.
Legal and authentication coverage boundary
Coverage is explicit by surface. Conditional or not-assessed work is never converted into a pass, and framework mapping is not presented as certification. Per-scan evidence uses distinct found, missing, not_observed, not_applicable, unavailable, and needs_auth states.
| Capability | State | Evidence surface | Limit |
|---|---|---|---|
| Privacy, consent, and data rights signals | implemented | Initial URL response plus bounded same-origin privacy-policy fetches. Consent controls, first-response cookies, trackers, controller/DPO language, legal basis, recipients, retention, deletion/export rights, complaints, transfers, and safeguards are recorded with matched evidence. | JavaScript-rendered controls and later browser interactions are not executed in this pass; missing evidence is partial or not observed, not proof of non-compliance. |
| Terms, WCAG basics, and public notices | implemented | Initial HTML plus a bounded same-origin fetch of an explicitly linked terms page. Terms availability, licensing/IP language, document language, page title, image alt attributes, main landmark, form-control names, button names, copyright notice, and licensing/attribution links are recorded independently. | This is not a full WCAG audit, legal opinion, intellectual-property clearance, or proof that a document is enforceable in every jurisdiction. |
| Public authentication signals | implemented | Public response headers, cookies, shipped JavaScript, login links, entry-page forms, and at most one bounded same-origin login-page fetch. Session-cookie flags, client-side token storage signals, exposed auth artifacts, CORS, login-surface applicability, and static anti-CSRF token signals are assessed when observable. | MFA, enumeration, IDOR, server-side CSRF enforcement, and JWT claim/lifetime checks remain not assessed by a public scan. A public scan does not log in, create accounts, submit state-changing forms, modify tokens, or replay object identifiers. |
| Authenticated application surface | conditional | Verified-owner domains with an explicitly configured, expiring credential profile. The credential is attached only inside the isolated ZAP deep-scan boundary and is scoped to the verified hostname/origin. The test path validates access and the form-login path establishes a bounded session; neither is a ZAP path allowlist, so ZAP may spider other same-host paths. The public report exposes authentication status, never credential names or values. | The current single-credential ZAP flow has no scenario DSL or second identity and does not support MFA, enumeration, IDOR/tenant-isolation, or transaction-authorization verification; those controls remain not assessed and require dedicated authorized testing or manual review. CSRF or JWT findings may surface opportunistically, but their absence is not a pass. |
| Repository auth and authorization patterns | conditional | User-authorized repository or archive scan. Selected OAuth linking, token storage, cookie configuration, JWT verification, middleware coverage, secret, dependency, and webhook patterns are checked against the submitted source. | Source patterns are evidence leads, not runtime proof. Business-object ownership and role policy still require dedicated authorized tests or manual review. |
| Formal legal or accessibility certification | not assessed | Outside automated product scope. BoringSec links each automated observation to its evidence and applicable reference. | The report is not legal advice, a penetration-test attestation, or certification of GDPR, CCPA, WCAG, SOC 2, ISO 27001, or licensing compliance. |
Security Headers
Applicable base moduleGrades 10 modern security headers and flags 4 version-disclosure headers (15 checks).
- Content-Security-Policy analyzed per directive: unsafe-inline without nonce/hash, unsafe-eval, wildcard / data: / http: script sources, missing base-uri, frame-ancestors, object-src
- Strict-Transport-Security graduated by max-age; includeSubDomains and preload eligibility checked
- X-Frame-Options (auto-satisfied by CSP frame-ancestors), X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP, deprecated X-XSS-Protection
- Version disclosure: Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version
- Fixes are copy-paste header snippets. References: MDN, csp-evaluator.withgoogle.com, hstspreload.org
SSL/TLS
Applicable base moduleReal handshake plus active cipher probing (~13 checks), aligned with Mozilla Server-Side TLS.
- Certificate validity, trust chain, hostname/SAN match, key strength, signature algorithm (SHA-1/MD5 flagged)
- Graduated expiry alerts: critical expired, high under 30 days, medium under 60
- Certificate Transparency, TLS 1.3/1.2 availability, TLS 1.0 enabled (critical), TLS 1.1 enabled (high)
- Weak cipher suites via active probing: RC4, 3DES, CBC-era, export, NULL
- HTTP to HTTPS redirect
DNS & Email Authentication
Applicable base module11 record families, RFC-based, raw records captured as evidence.
- SPF, DMARC (including malformed and partial-enforcement policies), DKIM (including revoked keys)
- CAA (including issuance-blocking records), MTA-STS, SMTP TLS-RPT, BIMI, DANE/TLSA
- MX posture, DNSSEC (including broken chains), nameserver configuration
Exposure
Applicable base module34 sensitive-path probes plus directory listing and robots.txt hygiene (36 checks).
- Source & secrets: .git/config, .git/HEAD, .env, .env.local, .env.production — all critical
- Config files, database dumps and backups (backup.sql, dump.sql, backup.zip — critical)
- Info disclosure (phpinfo.php, server-status), logs, admin panels, API schemas, source maps, IDE files
- Every hit verified against content signatures so SPA app-shells do not create false positives
Cookies
Applicable base module5 checks per cookie. Cookie values are never stored — only attribute observations.
- Secure flag (high over HTTPS), HttpOnly on session-like cookies (high)
- SameSite including the None-without-Secure trap
- __Host- / __Secure- prefix compliance, overly broad Domain scope on session cookies
CORS
Applicable base moduleActive cross-origin testing (~9 outcomes) with request/response evidence.
- Wildcard-with-credentials, origin reflection with credentials (high)
- Wildcard on any origin, null origin trusted
- Dangerous methods exposed, sensitive response headers exposed, confirmed-healthy states
Platform Detection
Applicable base moduleFingerprints the hosting / AI-generation platform. Informational; used to tailor fixes.
- Lovable, Bolt.new, v0, Replit, Cursor, Windsurf, Vercel, Netlify, Supabase, Firebase signatures
Technology & Live CVEs
Extended base moduleStack fingerprinting enriched in real time from the OSV.dev vulnerability feed.
- Live CVE enrichment across npm, PyPI and Packagist ecosystems, CVSS vectors parsed into severities
- Outdated component detection, server version disclosure
Injection
Extended base moduleSQL and command injection with proof-or-downgrade discipline.
- Error-based SQLi requires an unambiguous DBMS error introduced by the probe
- Boolean-blind SQLi requires a reproducible true/false differential against baseline
- Command injection requires high-signal output; anything less is reported as inconclusive
XSS
Extended base moduleReflected and DOM-based cross-site scripting detection.
- Reflected XSS per parameter with context-aware reflection analysis
- DOM-based XSS patterns flagged for manual review
- Dynamic code execution (eval / Function) reported informationally
Subdomains
Extended base moduleEnumeration plus takeover-risk analysis.
- Dangling-CNAME takeover fingerprints of known cloud services
- Unverified candidates flagged separately (evidence-first)
- Sensitive-looking subdomains, subdomains served without HTTPS
WAF
Extended base moduleDetects 16 WAF vendors and probes coverage.
- Cloudflare, AWS WAF, Akamai, Imperva, Sucuri, ModSecurity, F5, Barracuda, Wordfence, DDoS-Guard, FortiWeb, Reblaze, StackPath, Radware, Palo Alto, Wallarm
- Missing WAF, incomplete coverage, possible-bypass indicators
Ports
Extended base moduleTCP-connect checks for risky services with connect evidence recorded.
- Publicly reachable databases (critical), high-risk service ports (high), Telnet (critical)
GDPR / ePrivacy
Extended base moduleEvidence-bounded privacy, consent, public legal-surface, and WCAG-basic signals (informational for the Security Score).
- Consent controls, first-response cookies, tracker disclosure, transfer destinations and documented safeguards
- Privacy-policy controller/DPO, legal basis, recipients, retention, deletion/export rights and complaint path
- Bounded same-origin Terms availability plus initial-HTML language, title, image-alt, landmark, form-label and button-name checks
- Entry-page and one bounded same-origin login-page fetch for static CSRF signals; the current single-credential ZAP flow has no scenario DSL or second identity, so MFA, enumeration, IDOR/tenant isolation and transaction authorization remain not assessed
- Copyright and licensing/attribution links are recorded as observations, never as proof of infringement or legal compliance
Bundle Secrets
Extended base moduleShipped-JavaScript scanning with 21 secret detectors. Heaviest Boring Score category.
- Supabase anon/service_role keys and URL, Firebase API key/config, Stripe secret/publishable
- OpenAI (2 formats), Anthropic, AWS access key ID/secret, GitHub, Slack, Google OAuth client secret
- SendGrid, HuggingFace, Twilio, Mailgun, private keys, generic API keys
Supabase
Extended base moduleLive backend exposure checks — actual REST requests, not guesses.
- service_role key exposed in frontend (critical), anon key usage
- Tables readable without auth (live RLS verification), storage bucket exposure
- Honest inconclusive states when verification is not possible
Firebase
Extended base moduleRealtime Database, Firestore and Storage rules actually tested.
- Config exposure, RTDB/Firestore/Storage read access tested live, Firebase Auth posture
Reputation
Extended base moduleGoogle Safe Browsing + DNS blocklists. A listed domain caps the Security Score at 20.
- Google Safe Browsing, Spamhaus DBL, SURBL
Client-Side Threats
Extended base module11 heuristics plus Subresource Integrity and mixed-content checks.
- Magecart-class skimmer patterns, crypto-miner signatures (including WASM workers)
- Malicious redirect patterns, obfuscation markers (eval+atob chains, hex-array unpackers)
- Cross-origin scripts/styles without SRI, active and passive mixed content, hidden off-site iframes
VirusTotal
Extended base moduleMulti-vendor URL/domain verdicts with single-vendor noise filtering.
- Tiered score caps for multi-vendor malicious verdicts, community-reputation signals
Nuclei
Verified-owner background engineEligible verified-owner background engine, wrapped as a hardened ProjectDiscovery subprocess.
- Curated templates, severity-filtered (critical/high/medium)
- DoS, bruteforce, intrusive and fuzz tags excluded; local-network access restricted; rate-limited
OWASP ZAP
Verified-owner background engineEligible verified-owner background engine for passive baseline analysis and configured API scanning.
- Safe-mode default; active scanning gated behind explicit acknowledgement
Medusa
Verified-owner background engineEligible verified-owner background engine that checks the code a site actually ships.
- Collects external and inline scripts, source maps and config artifacts under strict budgets
- Scans them as code; normalized findings with rule IDs, file/line references and recommendations
GitHub Repository Scanner
Repository module50+ SAST-style rules for connected repositories.
- Committed secret files (.env*, private keys, cloud credentials) and hardcoded secrets in code
- 27 dependency rules with pinned CVEs (lodash, jsonwebtoken, axios, next, django, pyyaml and more)
- Framework patterns: unsafe JWT handling, dangerouslySetInnerHTML, server env in client code, Stripe webhooks without signature verification, SSRF-prone fetches, raw SQL interpolation, unguarded mutation routes
- Docker hardening (4 rules), GitHub Actions hardening (4 rules), repo hygiene
Orchestration & safety
- Applicable base and extended-base modules run concurrently and publish the base report when their required work is terminal.
- Public and anonymous scans run base modules only. Nuclei, ZAP, and Medusa require a signed-in, non-anonymous scan of a domain owned by that user or team and marked
VERIFIED. - Without that authorization, a requested background engine is
authorization_required; a module that was not requested isnot_requested. Neither state is presented as queued or running. - On eligible scans, Nuclei, ZAP, and Medusa run independently in the background, do not block the base report, and update it when each result is ready.
- Per-scanner timeouts and a per-category circuit breaker (3 failures, 5-minute cooldown) keep scans predictable.
- All scanning is bounded and non-destructive: no exploit payloads, no DoS-class tests, SSRF-defended fetches, rate limits throughout.