Scanning Templates Catalog
ASM uses a template-based scanning engine to actively test your assets for security vulnerabilities. Each template targets a specific category of risk and operates at a defined intrusiveness level.
Quick Reference
| Template | Category | Intrusiveness | Example Finding |
|---|---|---|---|
| CVE Vulnerability Scan | Application | Low | Log4Shell RCE in Apache Log4j |
| Default Credentials | Application | Moderate | phpMyAdmin accessible with root/root |
| Exposed Admin Panels | Application | Low | FortiGate SSL VPN login panel exposed |
| Information Disclosure | Application | Low | .env file leaking database passwords |
| HTTP Misconfiguration | Application | Low | Laravel debug mode enabled in production |
| DAST (Web Fuzzing) | Application | High | SQL injection in login form |
| Browser-Based Scanning | Application | Moderate | DOM-based XSS in OAuth flow |
| SSL/TLS Analysis | Infrastructure | Low | Heartbleed vulnerability on HTTPS service |
| Technology Detection | Reconnaissance | Low | WordPress 6.3.1 detected with outdated PHP |
| Passive CVE Identification | Network | Low | OpenSSH 7.4 with known auth bypass |
| Active Network Vuln Scan | Network | Moderate | Redis exposed without authentication |
| DNS & Email Security | DNS | Low | Domain fully spoofable — no DMARC record |
Severity Scale
| Severity | CVSS Range | Meaning |
|---|---|---|
| Critical | 9.0–10.0 | Immediate exploitation risk. Attackers can take full control of systems or exfiltrate data with minimal effort. |
| High | 7.0–8.9 | Serious vulnerability that can lead to significant data breach, unauthorized access, or system compromise. |
| Medium | 4.0–6.9 | Exploitable under certain conditions. May require user interaction or specific configurations. |
| Low | 0.1–3.9 | Minor issue with limited direct impact. May aid attackers in reconnaissance or chained attacks. |
| Info | 0.0 | Informational observation. No direct security impact but useful for inventory, compliance, or hardening. |
Application Scanning Templates
These templates scan websites and web applications by sending HTTP requests and analyzing responses for known vulnerability signatures.
CVE Vulnerability Scan
Detects known, publicly disclosed vulnerabilities (CVEs) in web applications, frameworks, CMS platforms, and server software. Covers CVEs from 2010 through the present.
CVEs are the most common entry point for real-world attacks. Threat actors actively scan the internet for unpatched systems using the same CVE databases, often within hours of a new disclosure.
Detection examples:
| Finding | Severity | What it means |
|---|---|---|
| Apache Log4j2 Remote Code Execution (CVE-2021-44228) | Critical (CVSS 10.0) | The "Log4Shell" vulnerability. An attacker can execute arbitrary commands on the server by sending a specially crafted string in any HTTP header that gets logged. This was one of the most exploited vulnerabilities in history, affecting millions of servers worldwide. |
| Spring Framework Remote Code Execution (CVE-2022-22965) | Critical (CVSS 9.8) | Known as "Spring4Shell." An attacker can gain full server control by manipulating class loader parameters in Spring applications running on JDK 9+. Affects a large portion of Java enterprise applications. |
| Microsoft Exchange Server Pre-Auth RCE (CVE-2021-34473) | Critical (CVSS 9.8) | Part of the "ProxyShell" attack chain. Allows unauthenticated attackers to execute code on Exchange servers by exploiting a path confusion bug in the Autodiscover service. Used extensively by ransomware groups. |
| Roundcube Webmail Command Injection (CVE-2020-12681) | Critical | An attacker can execute system commands on the mail server through the Roundcube web interface, compromising the server and all email data. |
Default Credentials Detection
Tests administrative interfaces for factory-default or commonly used username/password combinations across popular enterprise software, network appliances, databases, and monitoring tools.
Default credentials require zero technical skill to exploit. Automated botnets continuously scan the internet for them, and a successful login can give an attacker full access to databases, configurations, or network infrastructure.
Detection examples:
| Finding | Severity | What it means |
|---|---|---|
| phpMyAdmin Default Login (root/root) | High (CVSS 9.8) | The database management interface is accessible with default credentials. An attacker gains full read/write access to all databases, can exfiltrate customer data, modify records, or drop entire databases. |
| Splunk Default Password | High (CVSS 9.8) | The Splunk monitoring platform is accessible with default admin credentials. An attacker can read all indexed log data (which often contains credentials, API keys, and sensitive business data) and execute arbitrary search queries. |
| Zabbix Default Login (Admin/zabbix) | High (CVSS 8.3) | The infrastructure monitoring system accepts default credentials. An attacker gains visibility into the entire network topology and server health data, and can execute commands on monitored hosts through the Zabbix agent. |
| Oracle WebLogic Default Login | High (CVSS 8.3) | The WebLogic application server console is accessible with default credentials (weblogic/welcome1). An attacker can deploy malicious applications, access enterprise data, and pivot to internal systems. |
Exposed Admin Panels
Identifies administrative interfaces and management consoles that are publicly accessible on the internet, covering web applications, network devices, cloud services, and infrastructure tools.
Exposed admin panels increase the attack surface even when they require authentication—they reveal software in use, enable targeted brute-force attacks, and may themselves carry critical CVEs.
Detection examples:
| Finding | Severity | What it means |
|---|---|---|
| Citrix ADC Gateway Login Panel | Info | A Citrix NetScaler/ADC VPN login panel is publicly accessible. These panels have been targeted by critical vulnerabilities including CVE-2023-3519 (unauthenticated RCE) and CVE-2023-4966 ("Citrix Bleed" session hijacking). Their exposure signals high-value infrastructure visible to attackers. |
| Fortinet FortiGate SSL VPN Login Panel | Info | A FortiGate firewall VPN portal is exposed. FortiOS has been repeatedly targeted (CVE-2024-47575 "FortiJump," CVE-2022-42475 RCE). The scanner also extracts the firmware build date from the ETag header, revealing the exact firmware version and whether it is patched. |
| Proxmox Virtual Environment Panel | Info | A Proxmox virtualization management interface is exposed. Proxmox panels have been affected by file disclosure (CVE-2024-21545) and XSS vulnerabilities. Access to a hypervisor management panel could give an attacker control over all hosted virtual machines. |
| phpMyAdmin Panel | Info | A database management interface is exposed to the internet. Even without valid credentials, its presence reveals that a MySQL/MariaDB database exists and may be targeted for brute-force or CVE-based attacks. |
Information Disclosure
Finds sensitive data accidentally exposed through misconfigured web servers: configuration files, backup files, credentials, API keys, internal documentation, and debug information.
A single exposed .env file can reveal database credentials, API secrets, and encryption keys. These findings frequently enable attackers to escalate from reconnaissance to full compromise without exploiting any vulnerability.
Detection examples:
| Finding | Severity | What it means |
|---|---|---|
| Exposed Environment Configuration File (.env) | Medium | A .env file is publicly accessible, typically containing database connection strings, API keys, third-party service credentials, and encryption secrets. This single file can give an attacker access to databases, cloud services, payment processors, and email systems. |
| GitHub OAuth Access Token Exposed | High (CVSS 9.8) | A valid GitHub OAuth token is present in an HTTP response body. An attacker can use this token to access private repositories, read source code, steal secrets, and potentially push malicious code. |
| AWS Session Token Exposed | High (CVSS 9.8) | AWS credentials are present in an HTTP response. An attacker can use these to access S3 buckets, EC2 instances, databases, and any other AWS resources the token has permissions for. |
| Spring Boot Actuator /env Endpoint Exposed | Low (CVSS 5.3) | A Spring Boot application's actuator endpoint is publicly accessible, revealing environment variables, configuration properties, and potentially database credentials or API keys. |
HTTP Misconfiguration
Detects security misconfigurations in web servers and applications—debug modes, directory listings, insecure CORS policies, missing security headers, and exposed internal endpoints.
Misconfigurations are often invisible to the teams that deployed the application. A debug mode left enabled in production can leak stack traces, database queries, and environment variables.
Detection examples:
| Finding | Severity | What it means |
|---|---|---|
| Laravel Debug Mode Enabled | Medium (CVSS 5.3) | Laravel's Ignition debug handler is accessible in production, exposing environment variables, database credentials, and application internals. Ignition itself has been vulnerable to RCE (CVE-2021-3129), making this both a data leak and a potential entry point for full server compromise. |
| Docker Registry Unauthenticated Access | Medium (CVSS 5.3) | A Docker container registry API is publicly accessible without authentication. An attacker can list and pull all container images, which often contain application source code, embedded credentials, and infrastructure secrets. |
| CORS Misconfiguration | High (CVSS 8.1) | The server reflects arbitrary origins in its CORS headers with credentials allowed. An attacker can create a malicious website that makes authenticated API requests on behalf of any user who visits it, stealing session data and performing actions as that user. |
| Missing Security Headers (CSP, HSTS, X-Content-Type-Options) | Info | The application is missing standard security headers. Without Content-Security-Policy, the application is more vulnerable to XSS. Without Strict-Transport-Security, users can be downgraded to unencrypted HTTP. |
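The CORS and security-header checks in the table above, as an added example that is not ASM's own scanner code: it inspects the response headers returned to a probe request carrying `Origin: https://attacker.example` (the probe origin and the constructed sample responses are assumptions of this example), flags reflection of that origin combined with `Access-Control-Allow-Credentials: true`, and reports which of the three listed security headers are absent.

```python
# Constructed sample responses: header maps captured after sending a probe request that
# carries "Origin: https://attacker.example" (the probe origin is an assumption of this example).
PROBE_ORIGIN = "https://attacker.example"

SAMPLES = {
    "reflecting-api": {   # echoes any Origin back and allows credentials: the High finding
        "Access-Control-Allow-Origin": "https://attacker.example",
        "Access-Control-Allow-Credentials": "true",
        "Content-Type": "application/json",
    },
    "public-api": {       # wildcard without credentials is acceptable for public data
        "Access-Control-Allow-Origin": "*",
        "Content-Type": "application/json",
        "Strict-Transport-Security": "max-age=31536000",
    },
    "hardened-app": {     # fixed allow-list, plus all three headers the catalog checks for
        "Access-Control-Allow-Origin": "https://app.example",
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
        "Content-Security-Policy": "default-src 'self'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    },
}

SECURITY_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security", "X-Content-Type-Options")

def check_response(headers, probe_origin=PROBE_ORIGIN):
    """Return (finding, severity, detail) tuples for one probed response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == probe_origin and creds:
        findings.append(("CORS Misconfiguration", "High",
                         "probe origin reflected in Access-Control-Allow-Origin with credentials allowed"))
    elif acao == probe_origin:
        # Reflection without credentials only exposes unauthenticated content; this severity is an assumption
        findings.append(("CORS Misconfiguration", "Low", "probe origin reflected, credentials not allowed"))
    missing = [name for name in SECURITY_HEADERS if name.lower() not in h]
    if missing:
        findings.append(("Missing Security Headers", "Info", "missing: " + ", ".join(missing)))
    return findings

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        for finding, severity, detail in check_response(headers) or [("no findings", "-", "")]:
            print(f"{name:16} {severity:5} {finding}: {detail}")
```

Running the same check a second time with `probe_origin="null"` catches servers that allow-list the `null` origin, which sandboxed iframes can produce.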
DAST — Dynamic Application Security Testing
Actively tests input validation by sending crafted payloads covering SQL injection, cross-site scripting (XSS), local file inclusion (LFI), remote code execution (RCE), and server-side request forgery (SSRF).
Unlike other scan types that check for known issues, DAST discovers vulnerabilities in the target application's own custom code. This is the most intrusive scan type—it sends attack payloads and may trigger WAFs and security alerts that resemble real attacks.
Detection examples:
| Finding | Severity | What it means |
|---|---|---|
| Reflected Cross-Site Scripting (XSS) | Medium | User input is reflected in the HTML response without sanitization. An attacker can craft a URL that, when clicked by a victim, executes JavaScript in their browser—stealing session cookies, credentials, or performing actions on their behalf. |
| SQL Injection | High | User input is passed directly into database queries without parameterization. An attacker can read, modify, or delete any data in the database, bypass authentication, and potentially execute operating system commands. |
| XML External Entity Injection (XXE) | Medium | The application parses XML input without disabling external entities. An attacker can read files from the server (e.g., /etc/passwd, application config), perform SSRF to access internal services, or cause denial of service. |
| Server-Side Request Forgery (SSRF) | High | The application can be tricked into making HTTP requests to arbitrary internal or external URLs. An attacker can access internal services, bypass firewalls, and potentially steal cloud credentials from metadata services (e.g., AWS IMDSv1). |
Browser-Based Scanning
Detects client-side vulnerabilities that only manifest when JavaScript is executed in a real browser: DOM-based XSS, insecure postMessage handlers, JavaScript prototype pollution, and client-side logic flaws. Uses a headless Chrome instance.
Modern web applications run significant logic in the browser. Server-side scanners cannot detect vulnerabilities in client-side JavaScript, single-page applications, or dynamically rendered content.
Detection examples:
| Finding | Severity | What it means |
|---|---|---|
| Retool DOM-Based XSS (CVE-2024-29882) | High (CVSS 8.2) | A DOM-based XSS vulnerability in Retool's OAuth authorization flow. An attacker can craft a URL that executes JavaScript when a user clicks it, enabling session hijacking of the internal tooling platform. This type of vulnerability is invisible to server-side scanners because the payload never reaches the server. |
| JSONP Callback XSS in SRS | High (CVSS 7.2) | The Simple Realtime Server's HTTP API reflects unsanitized input in JSONP callback responses, allowing JavaScript execution. An attacker can steal authentication tokens or perform actions in the context of the streaming service. |
| Exposed Webpack Source Maps | Low | JavaScript source maps are publicly accessible, revealing the original unminified source code of the application. An attacker can study the full application logic, identify vulnerable code paths, and discover hardcoded secrets or API endpoints. |
SSL/TLS Analysis
Analyzes SSL/TLS configuration for expired certificates, deprecated protocols (TLS 1.0/1.1), weak cipher suites, and known cryptographic vulnerabilities. Uses SSLyze for deep analysis.
SSL/TLS protects every HTTPS connection. A weak configuration can allow attackers to intercept or decrypt data in transit. Compliance frameworks (PCI DSS, HIPAA, SOC 2) have specific requirements for TLS configuration.
Detection examples:
| Finding | Severity | What it means |
|---|---|---|
| Heartbleed (CVE-2014-0160) | High | The server is vulnerable to Heartbleed, allowing an attacker to read chunks of server memory with each request. This memory may contain private keys, session tokens, usernames, and passwords. Despite being disclosed in 2014, vulnerable servers still exist. |
| ROBOT Attack (CVE-2017-13099) | High | The server is vulnerable to a Bleichenbacher-style RSA padding oracle attack. An attacker can passively record encrypted TLS sessions and decrypt them offline. |
| Expired SSL Certificate | High | The server's SSL certificate has expired. Users see browser security warnings, automated systems reject connections, and the organization appears untrustworthy. |
| Deprecated TLS 1.0/1.1 Protocol Supported | Info | The server accepts connections using TLS 1.0 or 1.1, deprecated by IETF, PCI DSS, and NIST. These protocols have known weaknesses (BEAST, POODLE) and should be disabled. |
| Weak Cipher Suites (RC4, DES, 3DES) | Low–High | The server supports cipher suites with known weaknesses. RC4 is biased and can be attacked statistically. DES and 3DES have small block sizes vulnerable to Sweet32 attacks. |
Technology Detection
Identifies the complete technology stack powering a web application—web servers, frameworks, CMS platforms, JavaScript libraries, CDN providers, and more. Version numbers are detected when available.
Technology detection is the foundation for targeted security assessment. Knowing the exact software and version tells you which CVEs to check, which default credentials to test, and which misconfigurations to look for. When enabled, the scanner also captures a full-page screenshot of each web service.
What gets detected:
| Category | Examples |
|---|---|
| CMS Platforms | WordPress, Drupal, Joomla, Shopify, Wix |
| Web Frameworks | React, Angular, Vue.js, Django, Laravel, Spring |
| Web Servers | nginx, Apache, IIS, Caddy, LiteSpeed |
| Programming Languages | PHP, Python, Node.js, Java, Ruby, Go |
| JavaScript Libraries | jQuery, Bootstrap, Lodash, Moment.js |
| CDN Providers | Cloudflare, Akamai, Fastly, CloudFront |
| Analytics & Marketing | Google Analytics, Hotjar, HubSpot, Segment |
| Security Tools | Cloudflare WAF, Imperva, DataDome, reCAPTCHA |
| Databases | MySQL, PostgreSQL, MongoDB, Elasticsearch |
| PaaS / Hosting | AWS, GCP, Azure, Heroku, Vercel, Lagoon |
Network Scanning Templates
These templates scan IP addresses and network services by performing port scanning, service fingerprinting, and protocol-level security testing.
Passive CVE Identification
Detects known CVE vulnerabilities in network services by matching detected software versions against the National Vulnerability Database (NVD). Nmap performs port scanning with service version detection; each service's CPE identifier is matched against a local CVE database updated from NVD feeds.
Many organizations have no visibility into what software versions are running on network-exposed services. Passive identification provides this without sending any exploit traffic, making it safe to run against production systems. Findings are marked "unverified" since they are based on version detection, not confirmed exploitation.
Detection examples:
| Finding | Severity | What it means |
|---|---|---|
| OpenSSH 7.4 — CVE-2018-15473 (User Enumeration) | Medium (CVSS 5.3) | The SSH server version allows an attacker to enumerate valid usernames. This information is used to target brute-force attacks against known accounts, significantly reducing the attack effort. |
| MySQL 8.0.x — CVE-2017-12419 | High | The detected MySQL version has a known vulnerability that could allow authenticated users to escalate privileges or access unauthorized data. |
| Apache HTTP Server 2.4.41 — Multiple CVEs | Varies | The detected Apache version has multiple known vulnerabilities. The scanner reports each CVE individually with its severity, enabling the operations team to prioritize patching. |
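The version-to-CVE matching step described above, as an added example rather than ASM's own implementation: it parses the CPE identifier a service fingerprint yields (both the CPE 2.3 form and the shorter `cpe:/a:...` form), compares versions numerically rather than as strings (so 2.4.9 sorts before 2.4.41), and returns every entry of a constructed mini CVE database whose range covers the version, marked unverified. CVE-2018-15473 and its affected range are from the table above and the OpenSSH 7.8 fix; the Apache entries and the service list are placeholders constructed for the example.

```python
import re

# Constructed mini CVE database keyed by (vendor, product) with inclusive version ranges.
# CVE-2018-15473 is the OpenSSH entry from the table above (fixed in 7.8, so 7.7 and
# earlier are affected); the Apache entries use placeholder ids because the page does not
# name them. A real scanner builds this from NVD feeds.
CVE_DB = {
    ("openbsd", "openssh"): [
        {"cve": "CVE-2018-15473", "severity": "Medium", "cvss": 5.3, "start": None, "end": "7.7"},
    ],
    ("apache", "http_server"): [
        {"cve": "CVE-PLACEHOLDER-1", "severity": "High", "cvss": 7.5, "start": "2.4.0", "end": "2.4.41"},
        {"cve": "CVE-PLACEHOLDER-2", "severity": "Medium", "cvss": 5.3, "start": "2.4.30", "end": "2.4.48"},
    ],
}

def version_key(version):
    """Tuple key that orders versions numerically (2.4.9 < 2.4.41; 7.4p1 sorts between 7.4 and 7.5)."""
    return tuple((0, int(c)) if c.isdigit() else (1, c.lower())
                 for c in re.findall(r"\d+|[A-Za-z]+", version))

def parse_cpe(cpe):
    """Return (vendor, product, version) from a CPE 2.3 string or the 2.2 URI form Nmap emits."""
    if cpe.startswith("cpe:2.3:"):
        f = cpe.split(":")
        return f[3], f[4], f[5]
    if cpe.startswith("cpe:/"):
        f = cpe[len("cpe:/"):].split(":")
        return f[1], f[2], (f[3] if len(f) > 3 else "*")
    raise ValueError(f"unrecognised CPE: {cpe}")

def in_range(version, start, end):
    k = version_key(version)
    return (start is None or version_key(start) <= k) and (end is None or k <= version_key(end))

def match_cves(cpe):
    """Unverified findings for one detected service: every DB entry whose range covers the version."""
    vendor, product, version = parse_cpe(cpe)
    if version in ("*", "-", ""):
        return []   # no version fingerprinted: nothing can be matched, flag for manual review instead
    return [dict(entry, verified=False)
            for entry in CVE_DB.get((vendor.lower(), product.lower()), [])
            if in_range(version, entry["start"], entry["end"])]

# Constructed service fingerprints as a port scan with version detection might report them.
SERVICES = {
    "203.0.113.10:22": "cpe:/a:openbsd:openssh:7.4",
    "203.0.113.11:22": "cpe:2.3:a:openbsd:openssh:7.9p1:*:*:*:*:*:*:*",
    "203.0.113.12:80": "cpe:2.3:a:apache:http_server:2.4.41:*:*:*:*:*:*:*",
    "203.0.113.13:80": "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*",
}

if __name__ == "__main__":
    for endpoint, cpe in SERVICES.items():
        for hit in match_cves(cpe):
            print(f"{endpoint:18} {hit['cve']:18} {hit['severity']} (CVSS {hit['cvss']}) unverified")
```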
Active Network Vulnerability Scan
Actively probes network protocols to confirm exploitable vulnerabilities—unauthenticated database access, weak SSH configurations, exposed caches, anonymous FTP, and protocol-specific flaws.
While passive scanning flags potential issues based on version numbers, active scanning proves whether services are actually vulnerable. Findings are marked "verified" since they involve direct protocol interaction.
Detection examples:
| Finding | Severity | What it means |
|---|---|---|
| MongoDB Unauthenticated Access | High (CVSS 9.8) | A MongoDB instance accepts connections without authentication. An attacker can read, modify, or delete all data in the database. MongoDB instances have been the target of mass ransomware campaigns where attackers delete data and demand payment. |
| Redis Server Unauthenticated Access | High (CVSS 7.2) | A Redis in-memory database is accessible without authentication. An attacker can read all cached data (session tokens, user data, application state), write arbitrary data, and in some configurations execute system commands via Redis modules. |
| FTP Anonymous Login Enabled | Medium | The FTP server allows anonymous access. An attacker may be able to read sensitive files, upload malicious content, or use the server as a staging area for further attacks. |
| Apache Cassandra RCE via User-Defined Functions (CVE-2021-44521) | Critical (CVSS 9.1) | Apache Cassandra is vulnerable to remote code execution through malicious JavaScript user-defined functions. An attacker can execute arbitrary system commands on the database server. |
DNS & Email Security
Analyzes domain name configurations and email authentication records to identify spoofing risks, misconfigured DNS zones, and subdomain takeover opportunities.
Email Spoofing Detection
Evaluates SPF, DMARC, and BIMI DNS records and classifies each domain into one of six risk categories:
| Risk Level | Severity | Description |
|---|---|---|
| Fully Spoofable | Critical | No effective email authentication. Attackers can forge emails with high deliverability. |
| Subdomain Spoofable | High | Main domain is protected but subdomains are vulnerable. |
| Organizational Domain Spoofable | High | Subdomains are protected but the primary domain lacks enforcement. |
| Maybe Spoofable | Medium | Ambiguous or permissive policies. Spoofing success depends on the recipient's mail server. |
| Mailbox Dependent | Low | Some protection exists, but enforcement varies by provider. |
| Not Spoofable | Info | Strong SPF and DMARC enforcement in place. |
Email spoofing is the primary vector for phishing and Business Email Compromise (BEC). If attackers can send emails appearing to come from your domain, they can target customers, partners, and employees with highly convincing campaigns.
Detection examples:
| Finding | Severity | What it means |
|---|---|---|
| Email Spoofing Vulnerability — Fully Spoofable | Critical (CVSS 9.0) | The domain has no effective SPF or DMARC protection. Attackers can send emails as any address @yourdomain.com that will pass spam filters and reach inboxes. |
| Missing SPF Record | High (CVSS 7.5) | The domain has no SPF record. Receiving mail servers have no way to verify if an email genuinely came from your infrastructure. |
| Missing DMARC Record | High (CVSS 7.5) | Without DMARC, the domain cannot instruct receiving servers to reject or quarantine failed emails. Even with SPF, attackers can still spoof the visible "From" address seen by users. |
| Weak DMARC Policy (p=none) | Medium (CVSS 5.3) | A DMARC record exists but is set to monitoring-only mode. The domain remains vulnerable until the policy is upgraded to quarantine or reject. |
| SPF DNS Query Limit Exceeded | Medium (CVSS 5.3) | The SPF record requires more than 10 DNS lookups, violating the RFC specification. Receiving servers return a permanent error (permerror) and treat the domain as having no SPF record, completely nullifying email authentication. |
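The six-level classification and the SPF lookup-limit check from the two tables above, as an added example that is not ASM's own scanner code. The records are constructed inline for fictional domains rather than fetched from DNS, and the decision rules mapping SPF and DMARC state to a risk level are this example's assumption, since the page describes the levels but not the rules that produce them.

```python
import re

# Constructed sample TXT records for fictional domains; a scanner would fetch these
# from DNS (the domain's TXT record for SPF, _dmarc.<domain> for DMARC).
SAMPLES = {
    "nothing.example":  (None, None),
    "spfonly.example":  ("v=spf1 include:_spf.mail.example ~all", None),
    "monitor.example":  ("v=spf1 ip4:192.0.2.0/24 -all", "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"),
    "subonly.example":  ("v=spf1 mx -all", "v=DMARC1; p=reject; sp=none"),
    "orgonly.example":  ("v=spf1 mx -all", "v=DMARC1; p=none; sp=reject"),
    "strict.example":   ("v=spf1 ip4:198.51.100.10 -all", "v=DMARC1; p=reject"),
    "toomany.example":  ("v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all",
                         "v=DMARC1; p=quarantine"),
}

# SPF terms that each cost one DNS lookup (RFC 7208 section 4.6.4 caps these at 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)
ENFORCING = ("reject", "quarantine")

def spf_lookup_count(spf):
    return sum(1 for term in spf.split()[1:] if LOOKUP_TERM.match(term))

def spf_all_qualifier(spf):
    """Qualifier of the trailing 'all' term ('-', '~', '?' or '+'), or None if there is none."""
    m = re.search(r"(?:^|\s)([+\-~?]?)all\s*$", spf, re.I)
    return (m.group(1) or "+") if m else None

def parse_dmarc(record):
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in tags.items()}

def assess(spf, dmarc):
    """Classify one domain into the six risk levels. The rules below are an assumption, not ASM's."""
    findings = []
    spf_ok = bool(spf) and spf.lower().startswith("v=spf1")
    if not spf_ok:
        findings.append("Missing SPF Record")
    elif spf_lookup_count(spf) > 10:
        findings.append("SPF DNS Query Limit Exceeded")
        spf_ok = False  # receivers return permerror, i.e. behave as if no SPF record existed
    tags = parse_dmarc(dmarc) if dmarc and dmarc.lower().startswith("v=dmarc1") else {}
    p = tags.get("p", "none")
    sp = tags.get("sp", p)  # the subdomain policy defaults to p when absent
    if not tags:
        findings.append("Missing DMARC Record")
    elif p == "none":
        findings.append("Weak DMARC Policy (p=none)")
    if p in ENFORCING:
        risk = "Subdomain Spoofable" if sp not in ENFORCING else "Not Spoofable"
    elif sp in ENFORCING:
        risk = "Organizational Domain Spoofable"
    elif spf_ok and spf_all_qualifier(spf) == "-":
        risk = "Mailbox Dependent"      # SPF hard fail only; DMARC does not enforce it
    elif spf_ok and spf_all_qualifier(spf) == "~":
        risk = "Maybe Spoofable"        # soft fail: the receiving server decides
    else:
        risk = "Fully Spoofable"
    return {"risk": risk, "findings": findings}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        result = assess(spf, dmarc)
        print(f"{domain:18} {result['risk']:32} {', '.join(result['findings'])}")
```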
DNS Record Analysis
In addition to email security, the DNS scanner performs:
- Record resolution: A, AAAA, CNAME, MX, NS, TXT, SOA, CAA
- Zone transfer testing: Checks if DNS servers allow unauthorized zone transfers (AXFR)
- Subdomain takeover detection: Identifies CNAME records pointing to decommissioned cloud services
- BIMI analysis: Verifies Brand Indicators for Message Identification configuration
Choosing the Right Templates
| Use Case | Recommended Templates |
|---|---|
| Initial assessment | Technology Detection + Exposed Panels + SSL/TLS |
| Compliance audit (PCI, SOC 2) | SSL/TLS Analysis + HTTP Misconfiguration + Passive CVE Identification |
| Vulnerability management | CVE Vulnerability Scan + Passive CVE Identification + Default Credentials + Information Disclosure |
| Full security assessment | All templates |
| Email security review | DNS & Email Security |
Intrusiveness Levels
| Level | Templates |
|---|---|
| Non-intrusive | Technology Detection, Exposed Panels, SSL/TLS Analysis, Passive CVE Identification, DNS & Email Security |
| Low intrusion | CVE Vulnerability Scan, Information Disclosure, HTTP Misconfiguration |
| Moderate intrusion | Default Credentials, Active Network Vulnerability Scan, Browser-Based Scanning |
| High intrusion | DAST (Web Fuzzing) — will trigger WAFs and security monitoring |