A professional desktop vulnerability scanner with 14 active scan modules. Runs entirely on your machine — no cloud, no subscriptions, no data leaving your network.
Each module is independently tested. No generic signatures — only confirmed, evidence-backed findings with remediation guidance.
Error-based, union-based, Boolean-blind and time-based. All major databases — MySQL, PostgreSQL, MSSQL, Oracle, SQLite.
Direct output and time-delay blind detection. Unix sleep and Windows ping payloads. Confirmation requires 2/2 probes.
Reflected (HTML, script, event context), DOM-based source-to-sink analysis, stored XSS indicators.
Jinja2, Freemarker, Twig, ERB probes with echo-vs-eval verification. Server-side evaluation leads to RCE.
AWS/GCP metadata probes, localhost bypass, protocol smuggling, DNS rebinding indicators.
/etc/passwd, win.ini, PHP wrappers, encoding bypass. 23 payload variants with confirmation checks.
Rate limiting gaps, brute-force unprotected endpoints, JWT algorithm confusion, default credentials, account enumeration.
Introspection enabled, IDE exposure, mass assignment, HTTP parameter pollution, unauthenticated data endpoints.
Forced browsing to admin paths, price/quantity manipulation, HTTP verb tampering, path normalisation bypass.
CSP, HSTS, X-Frame-Options, CORS misconfiguration, CSRF, cookie security flags — all with proof-of-absence.
Cert expiry and hostname mismatch, TLS 1.0/1.1 active test, weak ciphers (RC4/DES), mixed content.
102 sensitive paths, Spring actuators, .git/.env/.htaccess exposure, phpinfo, Swagger, admin panels.
JS secret scanning — AWS keys, API tokens, JWTs, hardcoded IPs. Zero additional requests sent.
IDOR sequential enumeration, NoSQL operator injection, host header injection, cache poisoning.
From install to a complete vulnerability report in under an hour.
Paste the URL, choose a scan mode, configure crawl depth, set cookies or auth headers. ZScanner maps every page, form, and API endpoint automatically using its intelligent crawler.
Passive analysis, SSL deep scan, recon, headers, SQL injection, XSS, SSRF, SSTI, authentication, API security, business logic, and advanced threats all run concurrently, with findings reported in real time.
A print-ready HTML report with cover page, risk score, executive summary, CVSS scores, OWASP classification, attack payloads, response evidence, and step-by-step remediation.
One license key. Unlimited scans. All 14 modules included in every plan.
Supports UPI · All Indian cards · Net Banking · International cards. License delivered instantly to your email. 7-day money-back guarantee.
ZScanner runs 14 active scan modules covering SQL injection (all techniques), XSS, command injection, SSTI (leads to RCE), SSRF, LFI, authentication flaws, GraphQL/API security, JWT issues, broken access control, SSL/TLS weaknesses, security header misconfigurations, and more — over 200 vulnerability types across the OWASP Top 10.
ZScanner is a fully offline desktop application for Windows, Linux, and macOS. Scan results stay on your machine. Only finding counts (not vulnerability details) are sent to zscanner.bithost.in for license tracking.
After payment, your license key arrives by email within seconds. Open ZScanner → Settings → License tab → Paste the key → click Activate. The app verifies the key against the portal and you're ready to scan.
ZScanner must only be used on systems you own or have explicit written permission to test. Unauthorised security testing is illegal. The tool is built for professional VAPT assessments and testing your own infrastructure.
We use Razorpay, which supports all major Indian debit/credit cards, UPI (GPay, PhonePe, Paytm, BHIM), Net Banking, and international Visa/Mastercard/Amex. INR and USD pricing available.
Yes — 7-day money-back guarantee if you encounter a technical issue we cannot resolve. Email support@bithost.in with your order ID within 7 days of purchase.
All plans include the same full-featured scanner with all 14 modules. The only difference is the license duration (1, 3, 6, or 12 months). Longer plans offer significant savings per month.
Download the app and get a license — full setup takes under 5 minutes.
v3.0 · 130.2 MB · SHA256: e2ef5a1d4c9e15ffc44a…