Sample surface scan report
acme-demo.com
Sample data · Passive scan · 6 findings
Critical: 1 · High: 2 · Medium: 2 · Low: 1
This is a sample report using a fictional domain. Your report will look exactly like this.
Findings (6 total)
Stripe secret key found in public repository
A live Stripe secret key (sk_live_…) was found in a commit to acme-demo/backend. This key provides full access to your Stripe account including charges, refunds, and customer data.
File: config/stripe.js (commit a3f8c21)
- const stripe = Stripe('sk_live_4xKt...REDACTED');
+ const stripe = Stripe(process.env.STRIPE_SECRET_KEY);
Spring Boot /actuator/env endpoint publicly accessible
The /actuator/env endpoint returns environment variables without authentication, including database credentials and internal configuration.
HTTP 200 GET https://api.acme-demo.com/actuator/env
{"activeProfiles":["production"],"propertySources":[{"name":"systemEnvironment","properties":{"DATABASE_URL":{"value":"postgres://admin:REDACTED@db.acme-demo.com:5432/prod"}}}]}
.git/config exposed at document root
The .git/config file is accessible at https://acme-demo.com/.git/config, revealing the private repository URL and potentially branch structure.
HTTP 200 GET https://acme-demo.com/.git/config
[core]
repositoryformatversion = 0
[remote "origin"]
url = git@github.com:acme/backend-private.git
Content-Security-Policy header missing
No Content-Security-Policy header was returned on any tested route. Without CSP, the application has no mechanism to mitigate XSS attacks that inject malicious scripts.
HTTP 200 GET https://acme-demo.com
Present: Strict-Transport-Security, X-Frame-Options
Missing: Content-Security-Policy
Missing: Permissions-Policy
Subdomain pointing to deprovisioned Heroku deployment
staging.acme-demo.com resolves but returns a Heroku 'No such app' page. The DNS record exists but the Heroku app has been deleted. This subdomain is vulnerable to takeover.
A staging.acme-demo.com → 23.21.x.x (Heroku IP range)
HTTP 200 GET https://staging.acme-demo.com
Body: "No such app" — Heroku app has been deprovisioned
Referrer-Policy header not set
No Referrer-Policy header is present. By default, browsers may send the full URL as a Referer header to third parties, potentially leaking internal URL structure.
HTTP 200 GET https://acme-demo.com
Missing: Referrer-Policy
What this scan couldn't check
This is a passive surface scan. The following require active probing or authenticated access, and are covered by the deep scan:
- Auth endpoint rate limiting and session security
- API exposure (GraphQL introspection, Swagger/OpenAPI)
- JS bundle secrets (Firebase config, Supabase keys, AWS keys)
- CORS misconfiguration
- Firebase/Supabase live rule analysis
- Private repository code analysis
Deep Scan ($39 one-time or $29/month)
Want a deeper look?
The deep scan adds active endpoint probing, JS bundle analysis, CORS checks, provider security, and optional static repo analysis. PDF export + master fix prompt included.