OpenPenTests

Automated Security Scanning as a Service

Run professional DAST & SAST scans against your web applications — no setup required.


What We Scan

DAST — Dynamic Application Security Testing

Scans your running web application from the outside, like a real attacker would.

  • SQL Injection — Detects injectable parameters in forms and URLs
  • Cross-Site Scripting (XSS) — Finds reflected and stored XSS vulnerabilities
  • Broken Authentication — Checks for weak session management and login flaws
  • Security Misconfigurations — Missing headers (CSP, X-Frame-Options, HSTS)
  • Sensitive Data Exposure — Detects unencrypted data, exposed API keys
  • CSRF Vulnerabilities — Missing or weak anti-CSRF tokens
  • Directory Traversal — Path traversal and file inclusion attacks
  • Server Information Leakage — Version headers, error pages, stack traces
Powered by OWASP ZAP

SAST — Static Application Security Testing

Analyzes your source code without running it, finding vulnerabilities before deployment.

  • Hardcoded Secrets — API keys, passwords, tokens in source code
  • Insecure Crypto — Weak algorithms (MD5, SHA1), insecure random number generation
  • Command Injection — Unsafe use of os.system(), subprocess, eval()
  • Insecure Deserialization — Pickle, YAML, and XML parsing vulnerabilities
  • SQL Injection in Code — String-formatted SQL queries without parameterization
  • Insecure File Permissions — World-readable configs, weak chmod values
  • Dependency Vulnerabilities — Known CVEs in third-party packages
  • Debug/Test Code in Production — Assert statements, debug flags left enabled
Powered by Bandit

1. Register

Create your account and wait for admin activation.

2. Verify Target

Add your URL and prove ownership via a DNS TXT record.

3. Scan

Launch DAST or SAST scans and get a detailed report.

All scans run in isolated Docker containers. Your data stays private.