Show HN: Check for web application security issues.

23 points by mcorrientes over 13 years ago

13 comments

tptacek over 13 years ago
I can see you're not really selling to an informed audience (and that's fine!) but I really think you want to sacrifice some of the Google-like simplicity of your front page to explain what, exactly, you're testing on target sites.

Some reasons to at least give broad strokes about how you're testing:

(i) Testing for some kinds of web flaws is inherently intrusive; for instance, it's very hard to reliably test for stored XSS without potentially disrupting an application for users.

(ii) Aggressive spidering will create performance issues for some clients, and "oh well you should have known better" isn't going to stanch the PR bleeding when you take someone's site down.

(iii) If you're doing authz testing, you will eventually find a site where a post-auth crawl will delete huge swaths of database entries because someone implemented "delete" as a vanilla GET link.

(iv) (To me, the most important) Lots of uninformed clients will run something like this and feel confident they've checked the "security" part of their deployment checklist; without knowing exactly what you're testing for (and ideally being up front about the things you don't test for), you can give clients a really dangerous false confidence.
Comment #3441955 not loaded
Comment #3441096 not loaded
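The scenario in point (iii) above, as an added example that is not part of the thread or of the scanner being discussed: a constructed in-memory site where "delete" is a plain GET link, and a naive link-following spider of the kind a post-auth crawl runs. The routes, item names and the spider are all assumed for illustration; the same spider run against the variant that only deletes on POST leaves the data intact.

```python
"""Why a post-auth crawl can wipe data when "delete" is a vanilla GET link.

Added example, not the scanner's code. The tiny site, its routes, item names
and the spider are all constructed here; nothing touches the network.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collect every <a href> on a page, which is all a naive spider looks at."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


class TinyApp:
    """Minimal authenticated area: /items lists records, each with a delete control.

    delete_via_get=True models the bug: deletion is a GET link, so any client
    that follows links (spiders, prefetchers, link checkers) deletes records.
    delete_via_get=False only deletes on POST, which link-following never issues.
    """

    def __init__(self, delete_via_get: bool):
        self.items = {1: "invoice", 2: "contract", 3: "backup"}  # constructed data
        self.delete_via_get = delete_via_get

    def get(self, path: str) -> str:
        url = urlsplit(path)
        if url.path == "/items":
            rows = []
            for item_id, name in self.items.items():
                if self.delete_via_get:
                    rows.append(f'<li>{name} <a href="/delete?id={item_id}">delete</a></li>')
                else:
                    # A real app would also put a CSRF token in this form.
                    rows.append(f'<li>{name} <form method="post" action="/delete">'
                                f'<input type="hidden" name="id" value="{item_id}">'
                                f'<button>delete</button></form></li>')
            return "<ul>" + "".join(rows) + "</ul>"
        if url.path == "/delete" and self.delete_via_get:
            self.items.pop(int(parse_qs(url.query)["id"][0]), None)
            return "deleted"
        return "not found"

    def post(self, path: str, form: dict) -> str:
        if path == "/delete" and not self.delete_via_get:
            self.items.pop(int(form["id"]), None)
            return "deleted"
        return "not found"


def naive_spider(app: TinyApp, start: str = "/items", max_pages: int = 50) -> list:
    """Breadth-first GET of every link reachable from start; returns pages visited."""
    seen, queue, visited = {start}, [start], []
    while queue and len(visited) < max_pages:
        path = queue.pop(0)
        extractor = LinkExtractor()
        extractor.feed(app.get(path))
        visited.append(path)
        for href in extractor.links:
            target = urljoin(path, href)
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return visited


def crawl_damage(delete_via_get: bool) -> tuple:
    """Return (records before crawl, records after crawl)."""
    app = TinyApp(delete_via_get)
    before = len(app.items)
    naive_spider(app)
    return before, len(app.items)


if __name__ == "__main__":
    print("GET delete :", crawl_damage(True))    # (3, 0): the spider wiped the table
    print("POST delete:", crawl_damage(False))   # (3, 3): nothing lost
```

The spider never sends a POST, so the only thing that decides whether the crawl is destructive is the target application's choice of method; a scanner cannot tell from the outside which of the two it is about to crawl, which is why a client should be told this can happen before a post-auth scan starts.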
pors over 13 years ago
> Please create a "webscan.html" file with the content "scanme"

I advise you to make the contents of this file unique for each website, otherwise:

- I can check 1000s of sites for the existence of webscan.html
- enter the sites that have such a file
- see the vulnerabilities of sites I don't own.
Comment #3440626 not loaded
Comment #3440613 not loaded
Comment #3440612 not loaded
TomGullen over 13 years ago
Doesn't work. I add the webscan.html file then scan again and get an empty response every time. The URL is https://www.webscanservice.com/index.php/startscan as well; I don't know if that's correct or not.
Comment #3440638 not loaded
Comment #3440749 not loaded
Comment #3440619 not loaded
borski over 13 years ago
Happy to see more people who care about security. We run a seemingly similar service, although I can't seem to get this one working. I'd definitely check out other ways of verifying the domain though, since this leaves all your customers open to the Google Hacking of searching for webscan.html for sites a hacker can toss through your system.

http://www.tinfoilsecurity.com
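The fix pors and borski ask for, as an added example rather than the scanner's own code: a verification token derived with an HMAC from a server-side secret, the requesting account and the normalized domain, so the file an owner publishes for their own account is useless to anyone else who asks to scan the same site. The file name webscan.html and the constant scanme come from the thread; the account identifiers, the token length and the account binding are assumptions of this example. It goes one step past "unique per website": a token derived from the domain alone would be handed to whoever asks to scan that domain, and the owner's existing file would already satisfy it, so the token is bound to the account as well.

```python
"""Ownership tokens for a scanner's verification file.

Added example, not code from the service in the thread. The file name and the
constant "scanme" are from the thread; account ids and domains are made up.
"""
import hashlib
import hmac
import secrets

VERIFICATION_FILE = "webscan.html"   # file name the service asked for
WEAK_CONSTANT = "scanme"             # the fixed content it accepted from any site
TOKEN_HEX_LEN = 32                   # 128 bits of HMAC output (assumed length)


def normalize_domain(domain: str) -> str:
    """Canonical host: lower case, no scheme, no path, no trailing dot."""
    host = domain.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.split("/", 1)[0].rstrip(".")


def verification_token(account_id: str, domain: str, server_secret: bytes) -> str:
    """HMAC-SHA256 over (account, domain), truncated to hex.

    Binding the token to the requesting account matters: a token that depends
    on the domain alone would be shown to anyone who asks to scan that domain,
    and the owner's already-hosted file would satisfy it for them too.
    """
    msg = account_id.encode() + b"\x00" + normalize_domain(domain).encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()[:TOKEN_HEX_LEN]


def verification_urls(domain: str) -> list:
    """Where to fetch the file; https first (the http default xd hit in the thread)."""
    host = normalize_domain(domain)
    return [f"https://{host}/{VERIFICATION_FILE}", f"http://{host}/{VERIFICATION_FILE}"]


def weak_check(fetched_body: str) -> bool:
    """The original scheme: any site hosting 'scanme' passes, for any requester."""
    return fetched_body.strip() == WEAK_CONSTANT


def strong_check(account_id: str, domain: str, fetched_body: str, server_secret: bytes) -> bool:
    """Pass only if the hosted file holds the token for this account and domain."""
    expected = verification_token(account_id, domain, server_secret).encode()
    got = fetched_body.strip().encode("utf-8", "replace")
    return hmac.compare_digest(got, expected)   # constant-time, length-safe


def demo() -> dict:
    """Owner proves victim.example; an attacker then asks to scan the same site."""
    secret = secrets.token_bytes(32)           # per-deployment server secret (assumed)
    owner, attacker, site = "owner-42", "attacker-7", "victim.example"

    hosted_weak = WEAK_CONSTANT + "\n"                               # what the owner uploads today
    hosted_strong = verification_token(owner, site, secret) + "\n"   # what they would upload instead

    return {
        "owner_passes_strong": strong_check(owner, site, hosted_strong, secret),
        "attacker_passes_weak": weak_check(hosted_weak),
        "attacker_passes_strong": strong_check(attacker, site, hosted_strong, secret),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value}")
```

With the constant file, a search-engine query for webscan.html is enough to enumerate sites anyone can run through the scanner; with the per-account token, finding the file tells an attacker nothing they can use, because the value they would be asked to host for their own account is different.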
xd over 13 years ago
I'm attempting to scan a site that is accessed via https but it seems to default to http.
gws over 13 years ago
It just opens a blank page... (https://www.webscanservice.com/index.php/startscan)
mcorrientes over 13 years ago
I'm sorry if your scan might take a while, the machine just can't handle this amount of traffic.
vineetdhanawat over 13 years ago
Nothing! Just a blank page.
Gigablah over 13 years ago
Where's the button to stop a scan?
aninimus over 13 years ago
You should update the "Log" tab with "Scan Queued ETA: X" and/or "Scan Started". How long should it take to start scanning?
shakesbeard over 13 years ago
FYI: Seems to work now.
Comment #3440714 not loaded
clone1018 over 13 years ago
Noticed the site is super slow; if you need help hosting this just let me know.
billpatrianakos over 13 years ago
I wasn't able to try yet because of the required file but it looks cool so far. So far I'd suggest letting people know they need to add the webscan file first. Or if that's already there, make it more prominent as it's not really obvious. I'm checking it out on my iPad; maybe the desktop version makes that point clearer.