Technical Features

How does it work?

ScanFactory combines 15 pentest solutions in one cloud platform.
  • We agree on scope

    You provide * and IP range. That’s all we need to do the job!

  • Deep-deep scan goes 24x7

    The platform maps the attack surface:

    • Discovers domains and ports
    • Crawls websites and removes duplicate pages
    • Finds hidden parameters on forms
    • Launches web and infra scanners

  • You receive notifications

    Explore vulnerability details in the web panel, or export them.

Main components

Burp Suite
Web application testing software. Includes 12 plugins.
#1 infrastructure vulnerability assessment solution.
Discovers subdomains. Includes 6 paid APIs.
WordPress security scanner.
Subdomain permutation generation tool.
Discovers URLs on websites.
Web path scanner.
Discovers hidden HTTP parameters on URLs.
Bruteforces passwords on remote services.
Custom CVE scanner.
Detects technologies used on websites.
Fetches known URLs from Wayback Machine.

BurpSuite Extensions List:

Backslash powered scanner
Error message checks
PHP Object Injection Check
Freddy, Deserialization Bug Finder
Nginx alias traversal (“off-by-slash”)
Java Deserialization Scanner
J2EE Security Scanner
Asset Discover

Security issues we're searching for

Subdomain takeover
A situation in which an attacker is able to claim a subdomain on behalf of the main, legitimate site. In a nutshell, this type of vulnerability involves a site creating a DNS record for a subdomain that points to a third-party service, such as Heroku (a hosting company), and never claiming that subdomain on the service.
SQL injection
One of the most accessible ways to hack a website. The essence of such an attack is the injection of arbitrary SQL code into data (transmitted via GET or POST requests or cookie values). If the site is vulnerable and executes the injected code, it is in fact possible to do anything with the database.
Password bruteforce
Brute-force cryptographic attacks are the most versatile, but also the slowest. They are used primarily by beginner hackers. They are effective against simple encryption algorithms and keys up to 64 bits. Against modern keys with a length of 128 bits (sometimes a large number of 200 digits is factored for a key) they are ineffective.
Remote command execution
Remote command execution is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
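
A defender-side audit for the dangling DNS record described under "Subdomain takeover" above, as an added example that is not ScanFactory's code: it compares the CNAME records of a zone against the resources the organisation still holds at the hosting provider. The zone contents, the provider suffix table and the inventory list are all constructed for illustration.

```python
# Added example: flag CNAMEs that point at a third-party hosting resource
# the organisation no longer holds. All data below is constructed.

# Suffixes of third-party hosting services (illustrative, not exhaustive).
PROVIDER_SUFFIXES = {
    "herokuapp.com": "Heroku",
    "example-cdn.test": "ExampleCDN (hypothetical)",
}

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def provider_for(target):
    """Return the provider whose suffix matches the CNAME target, or None."""
    target = normalize(target)
    for suffix, provider in PROVIDER_SUFFIXES.items():
        # Match on a label boundary so 'notherokuapp.com' is not a hit.
        if target == suffix or target.endswith("." + suffix):
            return provider
    return None

def parse_zone(text):
    """Yield (owner, target) for lines shaped 'name TTL IN CNAME target'."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # strip zone-file comments
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "CNAME":
            yield normalize(fields[0]), normalize(fields[4])

def find_dangling(zone_text, claimed):
    """Return CNAMEs whose provider-hosted target is not in our inventory."""
    claimed = {normalize(c) for c in claimed}
    findings = []
    for owner, target in parse_zone(zone_text):
        provider = provider_for(target)
        if provider and target not in claimed:
            findings.append((owner, target, provider))
    return findings

ZONE = """\
www.example.com.    300 IN CNAME shop-prod.herokuapp.com.
promo.example.com.  300 IN CNAME Summer-Sale.herokuapp.com. ; campaign ended
docs.example.com.   300 IN CNAME docs.example.com.internal.
api.example.com.    300 IN A     192.0.2.10
blog.example.com.   300 IN CNAME notherokuapp.com.
"""
CLAIMED = ["shop-prod.herokuapp.com"]   # resources still present in our account

if __name__ == "__main__":
    for owner, target, provider in find_dangling(ZONE, CLAIMED):
        print(f"DANGLING {owner} -> {target} ({provider}): remove record or reclaim")
```

Each finding is resolved by deleting the DNS record or re-creating the resource under the organisation's own account.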
Quick Scan. Free forever.

Detect most critical security issues in your company in 15 minutes

This service scores your company with 3 top-rated open-source security scanners and emails the automatic report to you.