AuditCore
Basic · Phase 3 · Authentication Tests

SSLyze

Checks for Heartbleed, CCS injection and deprecated protocols. Part of AuditCore's automated security audit pipeline: it runs on every scan in the Basic tier and above, with findings normalized into a single severity-rated table.

What is SSLyze?

SSLyze runs in the Authentication Tests phase of every AuditCore scan that includes it. That phase replays captured traffic across roles to find broken object-level and function-level authorization, and audits JWT, OAuth, session, cookie and SSL/TLS posture.

Out of the box it covers Heartbleed, CCS injection and deprecated protocols. Findings are normalized into AuditCore's vulnerability model so they appear next to results from every other scanner: no separate tabs, no tool-specific jargon, one CVSS-rated table.

If you've ever wondered which scanners actually run when you click "Start scan" on AuditCore, this is one of them. The full pipeline is documented per phase, and you can see exactly which tools fired on any given scan from the live terminal feed.

Where it runs in the AuditCore pipeline

Phase 3/5 · Authentication Tests
Replay captured traffic across roles to find broken object-level / function-level authorization, and audit JWT, OAuth, session, cookie and SSL/TLS posture.

Source: scanners/sslyze_scanner.py

Sample findings

SSLyze fired on a real target

A typical run produces anywhere from 0 to dozens of normalized findings, depending on the target's posture. Each finding includes severity, evidence, affected URL/parameter, and a remediation hint.

Available in Basic tier and above

Surface-level audit. Headers, cookies, CORS, SEO, SSL, basic Nmap, DMARC, sensitive files. Per-domain license — pay once, rescan unlimited.

FAQ

What does SSLyze test for?

Heartbleed, CCS injection and deprecated protocols.

Which AuditCore plan includes SSLyze?

Available from the Basic plan ($99) and up. Higher tiers also include this scanner — license once, rescan unlimited.

Is SSLyze safe to run on production?

Yes — SSLyze runs in the Authentication Tests phase, which is non-intrusive. It only reads data the target already exposes (DNS, HTTP responses, public files, headers).

Where does SSLyze run in the AuditCore scan pipeline?

Phase 3/5 — Authentication Tests. Replay captured traffic across roles to find broken object-level / function-level authorization, and audit JWT, OAuth, session, cookie and SSL/TLS posture.

Can I rerun SSLyze without paying again?

Yes. AuditCore uses a per-domain license model — once you've purchased a tier for a domain, every rescan (manual or scheduled) is included. No metered usage.