Scan any platform — we scan them all
We crawl and fingerprint your entire attack surface — REST and GraphQL endpoints, frontend flows, authentication layers, admin panels, and everything in between.
Your file upload endpoint accepts any file type with no validation. An attacker can upload a malicious script and execute commands directly on your server.
```javascript
const path = require('path');
const crypto = require('crypto');

// Validate file type before saving: only allowlisted extensions are accepted
const ALLOWED = ['.jpg', '.png', '.pdf'];

function safeUploadName(file) {
  const ext = path.extname(file.name).toLowerCase();
  if (!ALLOWED.includes(ext)) {
    throw new Error('File type not permitted');
  }
  // Rename to prevent path traversal: the stored name never derives from user input
  return `${crypto.randomUUID()}${ext}`;
}
```
No security degree needed. Every issue comes with plain-English explanations and exact steps to fix it. Most fixes take less than an hour.
Every time you update your app, new security holes can appear. We keep checking and alert you instantly when something needs attention.
Hardcoded API Key in Client Bundle
Broken Access Control — Admin Panel Exposed
JWT Secret Leaked — Admin Tokens Forgeable
Sensitive User Data in API Response
Missing Rate Limiting on Login Endpoint
Pick a shield that matches your deployment speed.
vulnr is an automated vulnerability scanner for web applications. Paste your URL, and we run a full security assessment — checking for open ports, known CVEs, injection vulnerabilities, misconfigurations, exposed secrets, and more. You get a prioritized report with plain-English explanations and copy-paste fixes.
No. If you can paste a URL, you can use vulnr. Every finding is explained in plain English with step-by-step fix instructions. You don't need a security background.
No. Our scans are non-destructive and carefully rate-limited. We probe for vulnerabilities the same way a real attacker would — but without causing damage or service disruption.
AI-built apps often ship with common vulnerabilities because the AI doesn't always follow security best practices. vulnr is especially useful for catching those — SQL injection, XSS, hardcoded secrets, and broken access control are among the most common findings in AI-generated code.
The free scan gives you a taste — severity breakdown and a couple of findings. Pro and Max unlock the full finding details, CVSS scores, proof-of-concept evidence, AI-generated fix instructions, and PDF reports. Without those, you know something's wrong but not how to fix it.
Yes. By submitting a domain you confirm you own it or have explicit permission to scan it. Scanning systems you don't own is illegal under the CFAA and equivalent laws worldwide. We take authorization seriously.
Absolutely. Your findings, domain, and scan data are private to your account. We never share vulnerability details with third parties, and raw scan data is purged after 30 days.
Zero implementation time · 100% offensive security methodology