What does the vulnerability scan check?
ExposureIndex runs a passive and active vulnerability scan against your public-facing web applications. It checks for a broad range of issues across several categories:
Software version fingerprinting and CVE matching
The scanner identifies the software, framework, and CMS versions running on your web servers and matches them against known CVE (Common Vulnerabilities and Exposures) databases. If your WordPress installation, Apache server, nginx version, or any detected library has a known unpatched vulnerability, it will be reported.
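As an added example (not ExposureIndex's own scanner code), the banner-to-advisory matching described above in Python: it pulls `product/version` fragments out of the `Server` and `X-Powered-By` headers and compares the version numerically against an advisory list. The advisory identifiers, fixed versions and header values are constructed placeholders, not real CVE data.

```python
# Added example, not ExposureIndex's own scanner code.
# Fingerprints server software from HTTP response headers and matches the
# detected version against an advisory list. The advisory identifiers and
# fixed versions below are constructed placeholders, not real CVE data.
import re

# Constructed lookup: product -> [(first_fixed_version, advisory_id), ...].
# A detected version strictly below first_fixed_version is treated as affected.
ADVISORIES = {
    "nginx": [("1.20.1", "CVE-PLACEHOLDER-A")],
    "apache": [("2.4.50", "CVE-PLACEHOLDER-B")],
    "php": [("8.1.12", "CVE-PLACEHOLDER-C")],
}

# Matches "product/1.2.3" fragments such as "nginx/1.18.0",
# "Apache/2.4.41 (Ubuntu)" or "PHP/8.1.12" inside header values.
BANNER_RE = re.compile(r"(?P<product>[A-Za-z][A-Za-z-]*)/(?P<version>\d+(?:\.\d+)*)")


def parse_version(version):
    """'1.18.0' -> (1, 18, 0). Tuples compare numerically, so 1.9 < 1.10;
    a plain string comparison would wrongly rank '1.9' above '1.10'."""
    return tuple(int(part) for part in version.split("."))


def fingerprint(headers):
    """Return [(product, version), ...] found in the banner-bearing headers.
    Header names are matched case-insensitively; products are lowercased."""
    lowered = {name.lower(): value for name, value in headers.items()}
    found = []
    for header in ("server", "x-powered-by"):
        for match in BANNER_RE.finditer(lowered.get(header, "")):
            found.append((match.group("product").lower(), match.group("version")))
    return found


def match_advisories(fingerprints, advisories=ADVISORIES):
    """Report every fingerprint whose version is below an advisory's fixed version."""
    findings = []
    for product, version in fingerprints:
        for fixed_in, advisory_id in advisories.get(product, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({
                    "product": product,
                    "version": version,
                    "fixed_in": fixed_in,
                    "advisory": advisory_id,
                })
    return findings


if __name__ == "__main__":
    # Constructed sample response headers.
    sample = {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/8.1.12"}
    for finding in match_advisories(fingerprint(sample)):
        print(f"{finding['product']} {finding['version']} < {finding['fixed_in']}: {finding['advisory']}")
```

One caveat when reading such results: distributions like Debian and Ubuntu backport security fixes without changing the version in the banner, so a banner match is a lead to verify against the installed package's changelog or the distribution's security tracker, not a confirmed vulnerability.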
Common web application vulnerabilities
| Finding | Description |
|---|---|
| Clickjacking | The page can be embedded in an `<iframe>` on an attacker-controlled site, enabling invisible click hijacking |
| Missing security headers | See the Security Headers topic |
| Information disclosure | Server version banners, error pages, directory listings, or debug output expose internal details |
| Insecure cookies | Session cookies missing HttpOnly, Secure, or SameSite flags |
| Open redirects | Redirect parameters that can be manipulated to send users to attacker-controlled URLs |
| Cross-Origin Resource Sharing (CORS) | Overly permissive CORS policy — see the CORS topic |
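To show what the passive part of such a scan actually looks at, here is an added example (not ExposureIndex's own scanner) that runs four of the checks from the table above over the captured headers of one HTTP response: clickjacking (no `X-Frame-Options` and no CSP `frame-ancestors`), insecure cookie flags, a permissive CORS policy, and version disclosure in `Server` / `X-Powered-By`. The sample headers and the `probe_origin` value are constructed, and the severity labels reuse the page's scale but are illustrative.

```python
# Added example, not ExposureIndex's own scanner code.
# Passive checks over the headers of one HTTP response for four findings from
# the table above: clickjacking, insecure cookies, permissive CORS and version
# disclosure. Severity labels reuse the page's scale but are illustrative.
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    severity: str
    detail: str


def header_values(headers, name):
    """All values of a header, case-insensitive. `headers` is a list of
    (name, value) pairs so repeated Set-Cookie headers are all kept."""
    return [value for key, value in headers if key.lower() == name.lower()]


def first_header(headers, name):
    values = header_values(headers, name)
    return values[0] if values else None


def check_clickjacking(headers):
    """Framing is unrestricted when neither X-Frame-Options nor a CSP
    frame-ancestors directive is present."""
    xfo = first_header(headers, "X-Frame-Options")
    csp = (first_header(headers, "Content-Security-Policy") or "").lower()
    if xfo is None and "frame-ancestors" not in csp:
        return [Finding("Clickjacking", "Medium",
                        "no X-Frame-Options header and no CSP frame-ancestors directive")]
    return []


def check_cookies(headers):
    """Flag each Set-Cookie lacking HttpOnly, Secure or a Lax/Strict SameSite."""
    findings = []
    for raw in header_values(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:
            key, _, value = attr.partition("=")
            attrs[key.lower()] = value.lower()
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if "secure" not in attrs:
            missing.append("Secure")
        if attrs.get("samesite") not in ("lax", "strict"):
            missing.append("SameSite=Lax/Strict")
        if missing:
            findings.append(Finding("Insecure cookie", "Medium",
                                    f"{cookie_name} is missing {', '.join(missing)}"))
    return findings


def check_cors(headers, probe_origin):
    """`probe_origin` is the Origin the scanner sent with its request; reflecting
    it back together with Allow-Credentials lets any site read authenticated responses."""
    acao = first_header(headers, "Access-Control-Allow-Origin")
    creds = (first_header(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    if acao == "*":
        return [Finding("CORS", "Low", "wildcard Access-Control-Allow-Origin")]
    if acao == probe_origin and creds:
        return [Finding("CORS", "High",
                        f"arbitrary Origin {probe_origin} reflected with credentials allowed")]
    return []


def check_disclosure(headers):
    """A digit in Server or X-Powered-By almost always means a version string."""
    findings = []
    for name in ("Server", "X-Powered-By"):
        value = first_header(headers, name)
        if value and any(ch.isdigit() for ch in value):
            findings.append(Finding("Information disclosure", "Low",
                                    f"{name} header reveals a version: {value}"))
    return findings


def scan_response(headers, probe_origin="https://third-party.example"):
    return (check_clickjacking(headers) + check_cookies(headers)
            + check_cors(headers, probe_origin) + check_disclosure(headers))


# Constructed sample response headers, as a scanner would capture them.
SAMPLE_HEADERS = [
    ("Server", "nginx/1.18.0"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; SameSite=Lax"),
    ("Access-Control-Allow-Origin", "https://third-party.example"),
    ("Access-Control-Allow-Credentials", "true"),
]

if __name__ == "__main__":
    for finding in scan_response(SAMPLE_HEADERS):
        print(f"[{finding.severity}] {finding.name}: {finding.detail}")
```

Open redirects are deliberately absent: they cannot be judged from response headers alone and need the active part of the scan, which sends crafted parameter values and follows the resulting redirects.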
Understanding severity ratings
Findings are rated by severity:
| Severity | Meaning |
|---|---|
| Critical | Exploitable remotely with no authentication; direct path to data breach or system compromise |
| High | Significant risk; requires some conditions but likely exploitable |
| Medium | Exploitable under specific conditions or requires user interaction |
| Low | Minimal direct risk but contributes to attack surface or information disclosure |
| Informational | No direct risk; noted for completeness or best-practice guidance |
How to prioritise remediation
Not everything can be fixed at once. Use this order of priority:
- Critical and High findings with a known public exploit (PoC) — These are being actively targeted. Fix immediately.
- Outdated software with Critical CVEs — Update or patch the affected component.
- Authentication and session issues — Weak or exposed authentication is a direct path to account takeover.
- Medium findings on high-value pages — Login pages, payment pages, account management.
- Low and Informational — Address in your next scheduled maintenance window.
What to do for common finding types
Outdated CMS or server software
Fix: Update to the latest stable version. Enable automatic security updates where available.
For WordPress: Dashboard → Updates. Consider a managed WordPress host that handles core and plugin updates automatically.
For server software, on Debian/Ubuntu:

```shell
apt update && apt upgrade nginx
```
Insecure cookies
Cookies used for session management must have:
- HttpOnly — prevents JavaScript from reading the cookie (protects against XSS cookie theft)
- Secure — cookie is only sent over HTTPS
- SameSite=Strict or SameSite=Lax — protects against CSRF
Flask example:

```python
app.config.update(
    SESSION_COOKIE_HTTPONLY=True,
    SESSION_COOKIE_SECURE=True,
    SESSION_COOKIE_SAMESITE='Lax',
)
```

Nginx (for proxied applications; the `proxy_cookie_flags` directive requires nginx 1.19.3 or later):

```nginx
proxy_cookie_flags ~ httponly secure samesite=lax;
```
Information disclosure
- Server version banners: Configure your web server to suppress version information. Note that both settings below still send the product name (`Server: nginx` or `Server: Apache`); only the version and platform details are removed.

  nginx:

  ```nginx
  server_tokens off;
  ```

  Apache:

  ```apache
  ServerTokens Prod
  ServerSignature Off
  ```

- Directory listing: Disable automatic directory listing.

  nginx:

  ```nginx
  autoindex off;
  ```

  Apache:

  ```apache
  Options -Indexes
  ```

- Verbose error pages: Disable stack traces and debug output in production. Show a generic error page to users and log the full details internally.
Clickjacking
Add the X-Frame-Options header — see the Security Headers topic for full configuration details.
Running scans
These checks are often part of a penetration test, which can be expensive and is typically carried out only once a year. ExposureIndex runs these scans regularly and reports any findings as soon as a scan finishes.
Last updated: March 28, 2026