"Scan your Code as you would do with your Heart"

Quickly identify security threats in your application landscape and easily pinpoint high-risk vulnerabilities with ECG.

Request Trial
ECG Web Interface, Dashboard


Unmatched Bug Detection

The first and the only solution able to detect real and complex security vulnerabilities in TCL/ADP files. ECG scans your TCL code for previously unknown security flaws; it supports ACS and OpenACS frameworks, NaviServer and AOLserver webserver.


Outstanding Performance

Scan your code repository as a local file path or archive upload for hundreds of issue categorie and review findings in real-time. In-depth security analysis in minutes instead of hours (or days) for continuous testing.


Code Summary

ECG summarizes and traceback all code lines that are related to the issue, this speed up the process of reviewing the affected code and applying a security patch at the best location.


Low False Positive

Highly accurate analysis results to focus on meaningful findings without wasting time. A human Security Analyst will check each reported issues, filtering out false positives, for the most accurate analysis possible. With our mixed approach, complex security bugs in the source code will be accurately detected.


Issues Details

Review the root cause of each issue and understand how a threat actor can abuse this vulnerability. Quickly fix vulnerabilities without further ado by reviewing the reliable and actionable information and the code samples presented by ECG.


Vulnerability Context

Instantly review which sensitive function calls are affected by unsanitized input from a malicious user. You can check how inputs could tamper the affected expression with our unique context view.

Vulnerability Checks

ECG scans your TCL code for previously unknown security flaws.


  • Code Execution
  • Code Injection
  • Code Quality
  • Format String Attack
  • Socket Creation/HTTP Operations
  • SQL Injection: TDBC Call
  • TCL C API Code Execution
  • TCL C API Memory Allocation
  • Unrestricted File Read/Write
  • Unsafe Interpreter Creation
  • Windows Registry Read/Write

OpenACS/ACS Generic

  • Code Execution
  • Command Execution
  • Easter Egg
  • Open Redirect
  • SMTP Header Injection
  • SQL Injection
  • ZipSlip Check


  • ADP Debug Found
  • Basic Authentication
  • Code Execution
  • Command Execution
  • Control Port Interface
  • File Read/Write
  • Memory Allocation
  • NaviServer Configuration Parameters
  • Nsadmin Password
  • Open Redirect
  • Recommended Security Modifications
  • Running Process as Root
  • SMTP Header Injection
  • SQL Injection
  • Weak Crypto Function Usage
  • XSS
  • ZipSlip Check


  • Code Execution
  • Debug Enabled
  • File Inclusion
  • Safe Mode Disabled
  • Version With Known Vulnerabilities

Vulnerability Types

  • Buffer Overflow
  • Code Execution
  • Code Injection (eval)
  • Command Injection
  • Cookie Misconfiguration
  • Cross-Site Scripting
  • Dangerous Feature
  • Default or Weak Salts and Keys
  • Denial of Service
  • Deprecated Feature
  • Directory Listing
  • Disabled CSRF Protection
  • Disabled XSS Filter
  • Double Free
  • Enabled Debug Mode
  • Error Displaying
  • Execution After Redirect
  • File Upload
  • File Write (Arbitrary)
  • Format String
  • Hardcoded Password
  • Hard-coded Password
  • HTTP Parameter Pollution
  • HTTP Response Splitting
  • Incorrect Buffer Size
  • Information Leakage
  • Integer Overflow
  • Known Vulnerabilities (CVE)
  • LDAP Injection
  • Leftover Debug Code
  • Local File Inclusion
  • Log Forging
  • No File Extension Restriction
  • Null Pointer Dereference
  • Object Instantiation
  • Open Redirect
  • Path Traversal
  • Remote File Inclusion
  • Safe Mode Disabled
  • Server-Side Request Forgery
  • Session Fixation
  • Session Misconfiguration
  • SQL Injection
  • Suspicious Comment
  • Type Confusion
  • Use After Free
  • Use Basic Auth
  • Used Root User
  • Weak CORS Header
  • Weak Cryptography
  • Weak CSP header
  • Weak Encryption
  • Weak Hash Function
  • Weak HTTP header
  • Weak Password
  • Weak Strict-Transport-Security header
  • Weak X-XSS Protection header
  • XML/XXE Injection
  • XPath Injection
  • XQuery Injection