Probely
Bot User-Agent: probely
⚠️ Overview
Probely is a commercial web vulnerability scanner developed by Probely, Inc., a Portuguese cybersecurity company founded in 2016 by Nuno Loureiro. While marketed as a legitimate DAST (Dynamic Application Security Testing) tool for continuous security assessment, its aggressive scanning behavior and lack of proper authorization checks in many deployments have led security teams to classify it as a malicious bot when detected without prior consent. The scanner is available as a SaaS platform and on-premise appliance, with source code partially published on GitHub under the Probely organization.
🔧 Technical Capabilities
Probely performs automated crawling and vulnerability detection across web applications, targeting OWASP Top 10 issues including SQL injection, cross-site scripting (XSS), remote file inclusion (RFI), and server-side request forgery (SSRF). It employs both passive analysis of HTTP responses and active payload injection to identify weaknesses. The tool supports authentication handling via session cookies, form-based logins, and OAuth flows, enabling deep scanning of protected areas. Probely’s scanner uses a custom JavaScript engine to execute client-side code and discover single-page application (SPA) endpoints. It also conducts configuration audits for TLS, HTTP headers, and exposed admin panels. The scanner maintains a database of over 2,000 manually crafted test payloads and integrates with CI/CD pipelines via API and CLI wrappers.
📜 History & Notable Incidents
Probely was officially launched in 2017 after a beta phase, and by 2019 it had been adopted by major enterprises such as SIBS (Portugal’s payment processor). In 2020, a security researcher demonstrated that Probely’s default scanning behavior could overwhelm small servers, leading to denial-of-service conditions. Multiple CVEs have been discovered via Probely reports, including CVE-2021-35587 (Oracle Access Manager bypass) and CVE-2022-22965 (Spring4Shell), for which Probely provided the detection signature. The tool’s aggressive fingerprinting has occasionally triggered false positives in WAF logs, causing it to be blocked by default in several hosting providers’ rule sets.
🔍 Detection Indicators
Probely identifies itself via the User-Agent string Probely/1.0 (with variations like Probely/2.0) and the HTTP header X-Probely-Scan: 1. Behavioral fingerprints include rapid-fire requests at increasing crawl depth, often hitting /admin, /wp-admin, and common API paths within seconds. Traffic originates from a dynamic IP pool mainly in the Netherlands (AS16265) and the US (AS396982), and the scanner always includes a Referer header set to the target domain. Logs typically show concurrent connections from 5–10 IPs requesting incremental URL paths.
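The indicators above, turned into detection logic over constructed access-log lines. This is an added example, not code from Probely or Boteraser; it assumes a custom log format in which the Referer, User-Agent and X-Probely-Scan header values are logged as quoted fields, and the burst heuristic (several distinct IPs sharing one Referer inside a short time window) is an assumption that approximates the "concurrent connections from 5–10 IPs" pattern.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). Assumed format:
# <ip> [<epoch>] "<method> <path>" <status> "<referer>" "<user-agent>" "<x-probely-scan>"
SAMPLE_LOG = """\
203.0.113.10 [1700000000] "GET /admin" 404 "https://example.test" "Probely/1.0" "1"
203.0.113.11 [1700000000] "GET /wp-admin" 404 "https://example.test" "Probely/2.0" "1"
203.0.113.12 [1700000001] "GET /api/v1/users" 200 "https://example.test" "Mozilla/5.0" "1"
198.51.100.7 [1700000001] "GET /index.html" 200 "-" "Mozilla/5.0" "-"
198.51.100.7 [1700000002] "GET /about" 200 "https://example.test" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<scan_hdr>[^"]*)"$'
)
# Matches the documented User-Agent and its versioned variants (Probely/1.0, Probely/2.0, ...).
UA_RE = re.compile(r'\bProbely/\d+\.\d+\b')

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Return the per-request indicators that match; an empty list means none."""
    reasons = []
    if UA_RE.search(rec["ua"]):
        reasons.append("user-agent")
    if rec["scan_hdr"] == "1":          # X-Probely-Scan: 1
        reasons.append("x-probely-scan")
    return reasons

def scan_log(text, window=2, min_ips=3):
    """Map each suspicious IP to its sorted indicator names.
    Besides the per-request checks, an IP is tagged "burst" when at least `min_ips`
    distinct IPs share the same Referer inside one `window`-second bucket."""
    flagged = {}
    by_window = defaultdict(set)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            flagged.setdefault(rec["ip"], set()).update(reasons)
        by_window[(int(rec["ts"]) // window, rec["referer"])].add(rec["ip"])
    for (_bucket, referer), ips in by_window.items():
        if referer != "-" and len(ips) >= min_ips:
            for ip in ips:
                flagged.setdefault(ip, set()).add("burst")
    return {ip: sorted(r) for ip, r in flagged.items()}
```

Feeding the flagged IPs into a WAF deny list or rate-limit rule is the blocking step the Mitigation section describes; the header and User-Agent checks are exact, while the burst tag is a heuristic that should be reviewed before automated blocking.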
☠️ Risk & Impact
Unauthorized Probely scans can leak sensitive application structure by enumerating hidden endpoints, parameter names, and authentication mechanisms. While the tool itself does not exploit vulnerabilities, its payload injection may trigger unintended data exposure (e.g., error messages revealing database schema) or cause transient denial-of-service on under-resourced servers. For organizations with compliance requirements (PCI DSS, GDPR), an unsanctioned scan could be interpreted as an active attack, generating false alarms in SOC environments.
🛡️ Mitigation
Probely is blocked immediately on detection because it performs systematic reconnaissance and vulnerability probing without explicit prior authorization. Its aggressive scan patterns and unvalidated payload delivery pose operational risks and may violate acceptable use policies. Blocking via IP reputation feeds, User-Agent filtering, or rate-limiting at the WAF layer prevents data leakage and resource exhaustion.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.