Dissect
Public Beta · v1.0

Know what your web page exposes to the Internet.

Dissect performs structured passive analysis of public web targets — headers, cookies, forms, auth surfaces, scripts, and sensitive paths — delivered as executive and technical reports.

Passive · No exploitation
Single-page · Deep review
Free beta · Public testing

Launch scan

Enter a public URL. Results open as a structured security report.

Public HTTP/HTTPS only. You can paste a full URL or domain. Localhost, private networks, and direct IPs are blocked.

Three steps to a security report

1. Enter a public URL

Paste any public website you own or have permission to assess.

2. Passive analysis runs

Dissect fetches the page and inspects headers, cookies, forms, links, and scripts — without attacking the target.

3. Review your reports

Get an Executive summary for stakeholders and a Technical report for deeper review. Export JSON anytime.

Enterprise-grade passive coverage

Six analysis modules run against a single page without sending exploit payloads.

Headers & Transport

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and session header review with scoring.

Cookie Security

Secure, HttpOnly, and SameSite attribute validation for every Set-Cookie header.

Forms & Auth

Form classification, hidden field analysis, suspicious parameters, and auth UI detection.

Links & Endpoints

Internal/external link mapping and interesting endpoint discovery from page structure.

Script Surface

Mixed-content script delivery, version disclosure, and client-side dependency signals.

Sensitive Paths

Admin, backup, config, and repository artifact candidates exposed through links.

Two reports, one scan

Executive Report

Risk posture at a glance

  • Overall risk level & score gauge
  • Plain-language summary
  • Top findings & severity charts
  • Prioritized remediation guidance

Technical Report

Full analyst workspace

  • Tabbed module breakdown
  • Header, cookie, and form tables
  • Per-form risk analysis cards
  • Exportable raw JSON output

What to expect during testing

Single-page scope

Each scan analyzes one URL only — no crawling or multi-page audits yet.

Public targets only

Localhost, private IPs, and internal hostnames are blocked for safety.

Passive analysis

No active exploitation, fuzzing, or authenticated testing in this release.

Session-based results

Reports are tied to your browser session. Run a new scan to replace the previous result.

JS-heavy pages

Rendered DOM analysis may take longer or fail on some targets depending on server resources.

Findings are indicators

Always validate results manually before treating them as confirmed vulnerabilities.

Scan only what you are permitted to assess

  • Use Dissect on systems you own or have explicit written permission to review.
  • Unauthorized scanning may violate laws or terms of service where you live.
  • Dissect is for security learning and authorized exposure review — not for abuse.

Common questions

Is Dissect free during the beta?

Yes. The public beta is free for testing. Features and availability may change as the product evolves.

Does Dissect store my scan results?

Results are saved server-side for your current session so you can view Executive and Technical reports. They are not published or shared with other users. Starting a new scan replaces the previous result.

Why was my scan blocked?

Dissect only accepts public HTTP/HTTPS URLs. Localhost, private network addresses, direct IP targets, and unresolved hostnames are rejected to prevent misuse.
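
One way the blocking rules in this answer could be implemented, as an added example that is not Dissect's own code. The function names, reason strings and the constructed DNS table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve_all(host):
    """Default resolver: every address the system resolver returns."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_target(url, resolver=resolve_all):
    """Return (allowed, reason) for a submitted URL or bare domain."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme is not http/https"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no hostname"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    else:
        return False, "direct IP target"
    try:
        addresses = resolver(host)
    except (OSError, UnicodeError):
        addresses = []
    if not addresses:
        return False, "hostname does not resolve"
    for addr in addresses:
        # Drop an IPv6 zone id ("fe80::1%eth0") before parsing.
        ip = ipaddress.ip_address(addr.split("%")[0])
        if not ip.is_global:  # loopback, RFC 1918, link-local, CGNAT, ...
            return False, f"resolves to non-public address {ip}"
    return True, "ok"

# Constructed DNS answers so the check can be exercised offline.
SAMPLE_DNS = {"public.example": ["8.8.8.8"], "intranet.example": ["10.0.0.5"],
              "mixed.example": ["8.8.8.8", "169.254.169.254"]}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError("constructed NXDOMAIN")
    return SAMPLE_DNS[host]
```

A check like this only holds if the fetcher then connects to the addresses that were validated, since resolving again at fetch time lets a changed DNS answer slip past it. Redirects need the same check on every hop.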

Can I scan login-protected pages?

Not in v1. The scanner performs unauthenticated passive analysis of publicly reachable HTML pages only.

How accurate are the findings?

Dissect surfaces passive exposure indicators — missing headers, cookie flags, form risks, and similar signals. These are starting points for manual review, not guaranteed vulnerabilities.

Data handling in the public beta

  • What we scan: Only the URL you submit and the publicly reachable page content needed for passive analysis.
  • What we store: Scan results in a server-side JSON file linked to your session until you run a new scan or the session expires.
  • What we don't do: Sell scan data, share results between users, or perform authenticated access to your targets.
  • Your responsibility: Only scan targets you are authorized to assess.