Codename SCNR

The all-seeing web application security scanner.
Try now

Codename SCNR with Introspector + AI

Killer features across the entire vulnerability life-cycle:

Automatically scan, dissect, get exploitation instructions, get code patches/fixes, get remediation guidance (code & instructions) and report.

Customize

In addition to classic configuration, you can use scripts for tailor made scans.
Learn more

Integrate

Its Ruby API, REST API, CLI and WebUI interfaces allow you to fit SNCR anywhere, thus keeping your SDLC healthy.
Learn more

Scale

Load-balance. Scale up or down, vertically or horizontally. Spread scans across machines and even combine resources from multiple machines.
Learn more

Report

With detailed reports in Plaintext, PDF, HTML, JSON and XML you can move further forward quicker to integrate and mitigate.
Learn more

Unrestricted functionality

Unrestricted functionality leading to cost-effectiveness:

  • Unrestricted target domains
  • Unrestricted scans (parallel too)
  • Unrestricted pages
  • Unrestricted scan time


No need to pay the more you scan, the more you scan the more you secure and the less you waste.

With Ecsypno's cost-effective approach, you are encouraged to make full use of your hardware at no additional cost.
Start as many parallel scans as your machines can handle and scan for as long as you need, all that you need!

Ecsypno

Flexible deployment

Enjoy a multitude of interfaces that cover every need.

Ecsypno

Abundance of security checks

First class support for:

  • XSS (with DOM variants)
  • SQL injection
  • NoSQL injection
  • Code injection
  • File inclusion variants
  • Many more...

    In addition, SCNR’s highly optimized techniques are top-of-the-line in reliability, accuracy and resiliency, even under unstable network conditions or when dealing with misbehaving web applications.
Ecsypno

Bleeding edge technology

By being backed-up by Google Chrome, SCNR is on the bleeding edge of support for modern web applications.

  • JavaScript/DOM/HTML5/AJAX.
  • Detection of DOM-based vulnerabilities.
  • Tracing of data and execution flows of DOM and JavaScript environments.
  • Extra tracing optimizations for common JavaScript frameworks.

Another way to think of SCNR is as an automated, distributed, high-performance JavaScript/DOM security debugger - amongst other things.

Web applications are no longer black-boxes with its client-side IAST/DAST hybrid approach.

Ecsypno

Intelligent

On-the-fly adaptation to each web application, down to the single input.

Analysis of each resource individually, which in turn allows for tailoring each request to the technologies being used, as well as the behavioral characteristics of each individual input vector.

This results in only pre-determined applicable payloads being injected when performing security checks, leading to less bandwidth consumption, less stress to the web application and, as a result, faster and more reliable scans.

Ecsypno

High performance

Codename SCNR wastes no time and minimizes delays by utilizing:

  • Incremental scans, thus reducing scan times from hours to minutes.
  • Mozilla's high-performance Rust language.
  • Lightweight concurrency and fast communications.
  • Multiple browser environments for parallel JavaScript/DOM operations.
  • Support for multi-Instance scans, utilizing multiple Instances/processes, for super-fast audits.

Ecsypno

Highly detailed, well-structured reports

Reports can be generated in a number of open formats that allow you to consume all relevant information and context from a single file that is intuitively organised and well-structured.

All reports include an abundance of context for easy reproduction and verification of identified issues.

Formats include:

  • Plaintext
  • PDF
  • HTML
  • XML
  • JSON
  • YAML
  • Marshal
Ecsypno

AI-powered

  • Get actionable and actually helpful info for every unique issue.
  • Get patches for identified vulnerabilities immediately.
  • Explore the full breadth of each vulnerability with exploitation guidance.
  • Get actionable remediation guidance for each issue.

The Introspector

Identify and remedy quicker than ever!

Narrow down issues from both the client and the server side. Know...everything!

  • Follow the server-side execution.
  • Follow the server-side data.
  • Follow the client-side execution.
  • Follow the client-side data.

Currently supported server-side languages: .NET, Java, Ruby (more to come!)

Ecsypno
Try now

Articles

Script your DOM XSS exploitation workflow

Hello all, I wanted to share some Codename SCNR scripting kung-fu with you. This is something you can use post-scan,...

The Arachni Chronicles

The Arachni Chronicles

A story of curiosity, experimentation, development, million euro deal, fraudsters, abandonment and revitalization. From the inception of the F/OSS Arachni...

Continuous client-side IAST/DAST Hybrid approach for Single-Page-Applications

Continuous client-side IAST/DAST Hybrid approach for Single-Page-Applications

Some very interesting technology was presented a few days ago in the following articles: Following the data: Taint-tracing in the...

Script your DOM XSS exploitation workflow

Hello all, I wanted to share some Codename SCNR scripting kung-fu with you. This is something you can use post-scan,...

The Arachni Chronicles

The Arachni Chronicles

A story of curiosity, experimentation, development, million euro deal, fraudsters, abandonment and revitalization.

From the inception of the F/OSS Arachni WebAppSec scanner to the opening of Ecsypno’s doors with its flagship product Codename SCNR.

Continuous client-side IAST/DAST Hybrid approach for Single-Page-Applications

Continuous client-side IAST/DAST Hybrid approach for Single-Page-Applications

Some very interesting technology was presented a few days ago in the following articles: Following the data: Taint-tracing in the...