
OWASP Top 10 Risk Scanner

Analyze web application code and configurations for OWASP Top 10 vulnerabilities. Identify security risks and get remediation advice.


â„šī¸ About OWASP Top 10

The OWASP Top 10 is a standard awareness document for web application security. It represents a broad consensus on the most critical security risks. This scanner performs static analysis to detect patterns indicative of these vulnerabilities.


📋 How To Use OWASP Top 10 Risk Scanner

📝 Step 1: Enter Code

Paste your web application code (PHP, JavaScript, Python, Java, HTML, or configuration files) into the input area. The scanner analyzes syntax and patterns.

âš™ī¸ Step 2: Configure Scan

Select scan depth and focus on specific OWASP categories. Basic scan checks common patterns; deep scan performs more thorough analysis.

🔧 Step 3: Start Scan

Click "Start Security Scan" to analyze your code. The scanner detects potential vulnerabilities based on OWASP Top 10 risk patterns.

📋 Step 4: Review Results

Examine identified risks by severity. Each finding includes risk level, OWASP category, location, and remediation advice.

💡 Pro Tips

  • Use the Sample button to load vulnerable code examples (SQL, Command, LDAP, XSS, etc.)
  • Deep scan takes longer but finds more complex vulnerabilities
  • Results include risk ratings (Critical, High, Medium, Low, Info)
  • Copy or download the report for documentation
  • Use the database schema above to build a vulnerability tracking system

🔍 Example Vulnerable Code (Multiple Injection Types)

(Category labels in this sample follow the OWASP Top 10 2017 numbering: A1 Injection, A7 XSS, A8 Insecure Deserialization.)

```php
// 🔴 SQL INJECTION (A1): user input concatenated into the query string
$username = $_POST['username'];
$sql = "SELECT * FROM users WHERE username = '$username'";
$result = mysqli_query($conn, $sql);

// 🔴 COMMAND INJECTION (A1): user input passed to a shell command
$domain = $_GET['domain'];
system("ping " . $domain);

// 🔴 LDAP INJECTION (A1): user input inside an LDAP filter
$ldap_filter = "(uid=" . $_POST['username'] . ")";
$search = ldap_search($ldap_conn, $base_dn, $ldap_filter);

// 🔴 XPATH INJECTION (A1): user input inside an XPath expression
$query = "//user[username='" . $_POST['user'] . "']";
$results = $xpath->query($query);

// 🔴 XSS (A7): user input echoed without output encoding
echo "Hello " . $_GET['name'];

// 🔴 INSECURE DESERIALIZATION (A8): attacker-controlled serialized object
$data = unserialize($_POST['data']);
```

```javascript
// 🔴 NOSQL INJECTION (A1): request body values passed straight into the query object
db.users.find({ username: req.body.username, password: req.body.password });
```

❓ Frequently Asked Questions

What OWASP Top 10 categories are covered?
Our scanner covers all OWASP Top 10 2021 categories: A1-Broken Access Control, A2-Cryptographic Failures, A3-Injection, A4-Insecure Design, A5-Security Misconfiguration, A6-Vulnerable Components, A7-Authentication Failures, A8-Software Integrity, A9-Logging Failures, A10-SSRF.
What injection types does it detect?
The scanner detects multiple injection types including: SQL, NoSQL, Command, LDAP, XPath, XML, and Expression Language injections. It looks for user input flowing into interpreters without proper sanitization.
How accurate is the risk detection?
The scanner uses pattern matching and static analysis to identify common vulnerability patterns. It has high accuracy for detecting standard issues but may produce false positives and cannot replace professional security audits.
What file types can I analyze?
You can analyze source code (PHP, JavaScript, Python, Java, Ruby, C#, HTML), configuration files (.htaccess, web.config, XML, YAML), and data samples. The scanner adapts its rules based on content patterns.
Is my code sent to your servers?
No! All scanning happens entirely in your browser. Your code remains private and is never transmitted. This ensures sensitive application code stays secure.
What's the database schema for?
The database schema is provided if you want to build a vulnerability tracking system. It's optional and not required for the scanner to work. You can store scan results, track remediation, and generate reports over time.
How should I fix identified risks?
Each finding includes specific remediation advice. General approaches include: using prepared statements for SQL, input validation/output encoding for XSS, avoiding system calls with user input, implementing proper access controls, and keeping software updated.