Pentest Defense Score — AISeen Docs
How AISeen simulates a pentester's checks: CORS, rate limiting, server disclosure, SQL errors, exposed paths and WAF.
What we check
Checks if Access-Control-Allow-Origin is set to wildcard (*) or reflects arbitrary origins. A misconfigured CORS policy lets malicious sites make authenticated requests on behalf of your users.
Tests if the server returns HTTP 429 Too Many Requests or enforces any rate limit. Without rate limiting, attackers can brute-force login pages, APIs, and admin panels.
Checks Server, X-Powered-By, and X-AspNet-Version headers for version numbers. Disclosing exact versions helps attackers find and exploit known CVEs quickly.
Sends a probe with a SQL injection character (') and checks if the response contains database error messages. Even partial SQL errors confirm injection vulnerabilities and reveal DB structure.
Probes common high-risk URLs: /.git, /.env, /wp-admin, /phpmyadmin, /admin, /backup.zip, /backup.sql, /config.php, /.htaccess, /database.sql. Any accessible path can expose credentials or source code.
Checks for /.well-known/security.txt — the standard file where you disclose how to report security vulnerabilities. Its absence is a minor signal that security is not a priority.
Paths we probe
We send a GET request to each path. HTTP 200 means the path is accessible and HTTP 403 means the server recognizes it; only a 404 is treated as absent.
Path | What it exposes | Severity
/.git/ | Full source code exposure | Critical
/.env | API keys, DB credentials, secrets | Critical
/backup.zip | Complete site archive | Critical
/backup.sql | Database dump with all data | Critical
/config.php | Database credentials | Critical
/wp-admin/ | WordPress admin panel exposed | High
/phpmyadmin/ | Database admin panel | High
/admin/ | Admin panel discovery | High
/.htaccess | Server config exposure | High
/database.sql | Database dump | Critical
WAF Detection
We detect if a Web Application Firewall (WAF) is in front of your site. A WAF provides an additional layer of protection, so when one is detected the total deduction from pentest findings is reduced by 10 points (your vulnerabilities are partially mitigated).
Cloudflare
cf-ray header, __cfduid cookie, CF-Cache-Status
Vercel
x-vercel-id header, vercel Edge Network banner
Akamai
akamai-origin-hop header, AkamaiGHost in Server
AWS WAF / CloudFront
x-amz-cf-id header, Via: 1.1 CloudFront
Fastly
Fastly-Request-ID header, X-Fastly-Request-ID
Sucuri
X-Sucuri-ID header, server: Sucuri/Cloudproxy
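The passive checks above (CORS wildcard/reflection, version numbers in Server, X-Powered-By and X-AspNet-Version, and the WAF fingerprints in this table) can be reproduced against your own response headers before a scan. The following is an added example written for these docs, not AISeen's scanner; the sample headers and the Origin value are constructed, and the version regex and signature order are assumptions.

```python
import re
from typing import Optional

# WAF fingerprints from the table above: (vendor, header, value substring or None = any value).
WAF_SIGNATURES = [
    ("Cloudflare", "cf-ray", None), ("Cloudflare", "cf-cache-status", None),
    ("Cloudflare", "set-cookie", "__cfduid"),
    ("Vercel", "x-vercel-id", None),
    ("Akamai", "akamai-origin-hop", None), ("Akamai", "server", "akamaighost"),
    ("AWS WAF / CloudFront", "x-amz-cf-id", None),
    ("AWS WAF / CloudFront", "via", "cloudfront"),
    ("Fastly", "fastly-request-id", None), ("Fastly", "x-fastly-request-id", None),
    ("Sucuri", "x-sucuri-id", None), ("Sucuri", "server", "sucuri"),
]
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")  # assumed: "Apache/2.4.41" counts, bare "nginx" does not


def _lower(headers: dict) -> dict:
    """Header names are case-insensitive, so normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def detect_waf(headers: dict) -> Optional[str]:
    """Return the first WAF/CDN vendor whose fingerprint appears in the headers, else None."""
    h = _lower(headers)
    for vendor, name, needle in WAF_SIGNATURES:
        if name in h and (needle is None or needle in h[name].lower()):
            return vendor
    return None


def check_cors(headers: dict, origin_sent: str) -> Optional[str]:
    """Classify Access-Control-Allow-Origin as 'wildcard', 'reflected' (echoes the Origin we sent) or None."""
    acao = _lower(headers).get("access-control-allow-origin", "").strip()
    if acao == "*":
        return "wildcard"
    return "reflected" if acao and acao == origin_sent else None


def version_disclosures(headers: dict) -> list:
    """Names of Server/X-Powered-By/X-AspNet-Version headers that carry a version number."""
    return [k for k, v in headers.items() if k.lower() in DISCLOSING_HEADERS and VERSION_RE.search(v)]


def audit(headers: dict, origin_sent: str = "https://other.example") -> dict:
    return {"waf": detect_waf(headers), "cors": check_cors(headers, origin_sent),
            "version_disclosure": version_disclosures(headers)}


# Constructed sample responses (not real captures); "https://other.example" is the Origin the probe sent.
LEAKY = {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
         "Access-Control-Allow-Origin": "https://other.example", "CF-RAY": "7d1c2b3e4f5a6b7c-IAD"}
HARDENED = {"Server": "nginx", "Access-Control-Allow-Origin": "https://app.example"}

if __name__ == "__main__":
    print(audit(LEAKY))     # Cloudflare in front, reflected CORS, two version-disclosing headers
    print(audit(HARDENED))  # no WAF fingerprint, no findings
```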
How scoring works
Score starts at 100. Each vulnerability found deducts points. If a WAF is detected, a 10-point bonus is applied against the total deductions, reflecting partial mitigation.
Score ranges
80 – 100
Hardened
No obvious pentest entry points. A real attacker would need significant effort. Keep monitoring for new exposures.
50 – 79
Exposed
Some recon-phase vulnerabilities present. Fix CORS, rate limiting, and server disclosure before launch.
0 – 49
Critical Risk
Multiple critical vulnerabilities found. Sensitive files may be exposed. Immediate remediation required.