Tool Web Security Scan
Category: Security · Since: v18.35.0 · Tier: Enterprise
Passive web security analysis for authorized domains. Checks for OWASP Top 10 indicators by observing what the browser receives; nothing is exploited. Requires domain authorization via the stealth config.
Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| url | string | Yes | — | URL to scan |
| checks | string[] | No | all | Specific checks: headers, cookies, forms, disclosure, mixed_content, xss_indicators, open_redirect, clickjacking, cors, subresource_integrity |
| depth | enum | No | page | "page" for single page, "site" to crawl up to 10 linked pages |
Examples
Run a security scan on our staging site
Check only security headers and cookie flags on example.com
Do a full site security scan on our authorized domain
Authorization Required
This tool needs domain authorization via CBrowser Enterprise stealth config. Before scanning, you must:
- Enable stealth mode with stealth_enable
- Add the target domain to authorizedDomains
- Confirm domain ownership
Unauthorized domains will be rejected with an error.
10 Security Checks
| Check | What It Finds | Severity Range |
|---|---|---|
| Security Headers | Missing HSTS, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy | Low–High |
| Cookie Security | Missing HttpOnly, Secure, SameSite flags on session cookies | Medium–High |
| Form Security | HTTP form actions, missing CSRF tokens, insecure autocomplete | Low–High |
| Information Disclosure | HTML comments with secrets, exposed emails, API key patterns, stack traces | Low–High |
| Mixed Content | HTTP resources on HTTPS pages (active = high, passive = medium) | Medium–High |
| XSS Indicators | Reflected URL params, innerHTML assignments, eval() usage, document.write() | Medium–High |
| Open Redirect | URL parameters like redirect=, next=, goto= that could redirect to external sites | Medium |
| Clickjacking | Missing X-Frame-Options and CSP frame-ancestors, bypassable framebusting | Medium |
| CORS | Wildcard Access-Control-Allow-Origin, Access-Control-Allow-Credentials: true combined with a wildcard origin, otherwise over-permissive access control | Medium–Critical |
| Subresource Integrity | External scripts/styles missing integrity attributes | Medium |
Response
{
  "url": "https://example.com",
  "domain": "example.com",
  "scanType": "page",
  "pagesScanned": 1,
  "summary": {
    "critical": 0,
    "high": 2,
    "medium": 3,
    "low": 1,
    "info": 0,
    "score": 63
  },
  "checks": {
    "headers": [...],
    "cookies": [...],
    "forms": [...]
  },
  "recommendations": [
    "Add Content-Security-Policy header to prevent XSS attacks",
    "Set HttpOnly flag on session cookies to prevent JavaScript access",
    "Add SameSite=Strict to authentication cookies"
  ]
}
Scoring
Score = 100 - (critical x 25 + high x 10 + medium x 5 + low x 2), minimum 0. Info findings do not affect the score. For the example response above (2 high, 3 medium, 1 low) this gives 100 - (20 + 15 + 2) = 63.
| Score | Rating |
|---|---|
| 90–100 | Excellent |
| 70–89 | Good |
| 50–69 | Needs improvement |
| 25–49 | Poor |
| 0–24 | Critical |
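Worked example added here by the editor, not CBrowser's own code: a small passive analyzer in Python that applies six of the checks from the table above (headers, cookies, mixed_content, clickjacking, cors, subresource_integrity) to a constructed HTTP response and scores the result with the formula from the Scoring section. The per-header severities, the session-cookie name heuristic, the tag classification for active versus passive mixed content and the sample response are all assumptions; the page does not document the tool's own heuristics.

```python
import re
from urllib.parse import urlsplit

# Severity weights from the Scoring section.
SEVERITY_WEIGHT = {"critical": 25, "high": 10, "medium": 5, "low": 2, "info": 0}

# Constructed sample response (assumption: not captured from any real site).
# Header names are lower-cased, the way a browser exposes them.
SAMPLE_URL = "https://example.com/login"
SAMPLE_HEADERS = {
    "content-type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=63072000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "permissions-policy": "camera=(), microphone=()",
}
SAMPLE_SET_COOKIES = [
    "sessionid=3f9a1c; Path=/; Secure",          # session cookie: no HttpOnly, no SameSite
    "theme=dark; Path=/; Secure; SameSite=Lax",  # not session-like, ignored by the check
]
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example.net/lib.js"></script>
<link rel="stylesheet" href="https://cdn.example.net/a.css"
      integrity="sha384-AAAA" crossorigin="anonymous">
</body></html>"""


def check_headers(headers):
    """Flag missing security headers (severity per header is an assumption)."""
    wanted = {"strict-transport-security": "high", "content-security-policy": "high",
              "x-content-type-options": "low", "referrer-policy": "low", "permissions-policy": "low"}
    return [("headers", f"missing {name}", sev) for name, sev in wanted.items() if name not in headers]


SESSION_NAME_RE = re.compile(r"sess|auth|token|sid", re.I)  # assumed heuristic for session cookies


def check_cookies(set_cookies):
    """Flag session-looking cookies set without HttpOnly, Secure or SameSite."""
    findings = []
    for raw in set_cookies:
        name_value, *attrs = [p.strip() for p in raw.split(";")]
        name = name_value.split("=", 1)[0]
        if not SESSION_NAME_RE.search(name):
            continue
        flags = {a.split("=", 1)[0].lower() for a in attrs}
        for flag, sev in (("httponly", "high"), ("secure", "high"), ("samesite", "medium")):
            if flag not in flags:
                findings.append(("cookies", f"{name} missing {flag}", sev))
    return findings


MIXED_RE = re.compile(r'<(script|link|iframe|img|audio|video)\b[^>]*?\b(?:src|href)="(http://[^"]+)"', re.I)


def check_mixed_content(url, html):
    """On an HTTPS page, plain-http scripts/styles/frames are active (high), media is passive (medium)."""
    if urlsplit(url).scheme != "https":
        return []
    return [("mixed_content", f"{tag} loads {src}",
             "high" if tag.lower() in ("script", "link", "iframe") else "medium")
            for tag, src in MIXED_RE.findall(html)]


def check_clickjacking(headers):
    """Framing is unrestricted when neither X-Frame-Options nor CSP frame-ancestors is set."""
    csp = headers.get("content-security-policy", "").lower()
    if "x-frame-options" in headers or "frame-ancestors" in csp:
        return []
    return [("clickjacking", "no X-Frame-Options and no CSP frame-ancestors", "medium")]


def check_cors(headers):
    """Wildcard origin is medium on its own, critical when credentials are also allowed."""
    if headers.get("access-control-allow-origin") != "*":
        return []
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    # Browsers refuse credentialed requests to "*", so this combination signals a policy
    # nobody thought through rather than a working attack path; it is still reported.
    return [("cors", "Access-Control-Allow-Origin: * with credentials" if creds else
             "Access-Control-Allow-Origin: *", "critical" if creds else "medium")]


TAG_RE = re.compile(r"<(script|link)\b([^>]*)>", re.I)
SRC_RE = re.compile(r'\b(?:src|href)="([^"]+)"', re.I)


def check_sri(url, html):
    """Cross-origin scripts and stylesheets without an integrity attribute."""
    page_host = urlsplit(url).hostname
    findings = []
    for tag, attrs in TAG_RE.findall(html):
        m = SRC_RE.search(attrs)
        host = urlsplit(m.group(1)).hostname if m else None
        if host and host != page_host and "integrity=" not in attrs.lower():
            findings.append(("subresource_integrity", f"{tag} from {host} without integrity", "medium"))
    return findings


def score(findings):
    """Score = 100 - (critical*25 + high*10 + medium*5 + low*2), floored at 0."""
    counts = {sev: 0 for sev in SEVERITY_WEIGHT}
    for _, _, sev in findings:
        counts[sev] += 1
    return counts, max(0, 100 - sum(SEVERITY_WEIGHT[s] * n for s, n in counts.items()))


def rating(value):
    """Map a score onto the rating bands from the table above."""
    for floor, label in ((90, "Excellent"), (70, "Good"), (50, "Needs improvement"), (25, "Poor")):
        if value >= floor:
            return label
    return "Critical"


def scan(url, headers, set_cookies, html):
    findings = (check_headers(headers) + check_cookies(set_cookies) + check_mixed_content(url, html)
                + check_clickjacking(headers) + check_cors(headers) + check_sri(url, html))
    counts, value = score(findings)
    return {"url": url, "findings": findings, "summary": {**counts, "score": value, "rating": rating(value)}}


if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_SET_COOKIES, SAMPLE_HTML), indent=2))
```

The constructed response is missing CSP and Referrer-Policy, sets a session cookie without HttpOnly or SameSite, loads one cross-origin script without integrity and can be framed, which reproduces the severity counts of the example response above (2 high, 3 medium, 1 low) and, under the stated formula, scores 63 ("Needs improvement"). Everything here is derived from headers and markup the browser already received; no request is sent that the page load itself would not send.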
What This Tool Does NOT Do
- No exploitation or payload injection
- No brute force attacks
- No authentication bypass attempts
- No scanning of unauthorized domains
- No port scanning or network enumeration
- No denial of service testing
This is passive analysis. It observes what the browser sees and reports security indicators. The XSS and open redirect checks flag indicators only (reflected parameters, risky DOM sinks, redirect-style parameter names), not confirmed vulnerabilities, so manual review of those findings is recommended.
Related
- security_audit — MCP tool definition security (free tier)
- stealth_enable — Enable stealth mode with domain authorization
- agent_ready_audit — AI-agent friendliness audit
- Enterprise Features — Full enterprise documentation