Menscan Documentation

Menscan is a lightweight security tool designed to scan Mendix applications for potential vulnerabilities. It is especially useful during penetration testing engagements to gather information passively and identify possible misconfigurations or exposure points.

Menscan is not a full scanner and should not be treated as a replacement for a thorough security assessment. It is a source of informational insights that support manual security testing efforts.

I've Been Scanned — What Now?

Menscan always attaches the following HTTP header to its requests:

X-Scanned-By: Menscan

If you've noticed this header in your application logs and are unsure about it:

  • Review your server logs for unusual behavior around the scan time.
  • Note that Menscan is a passive tool built for educational and research purposes.
  • The tool does not perform attacks, but like any publicly available tool, misuse is possible.
  • Menscan is not responsible for any malicious use by third parties.
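The first bullet above, reviewing server logs around the scan time, is easy to automate because the `X-Scanned-By` header is a fixed marker. The following script is an added example for log reviewers and is not part of Menscan. It assumes the web server records the header in its access log; the sample lines are constructed in an nginx-style format with the value of `$http_x_scanned_by` appended as the last quoted field (nginx logs `-` when the header is absent). It groups marked requests by source address and derives a time window for looking at surrounding activity.

```python
"""Locate Menscan activity in access logs via its X-Scanned-By header.

Added example, not Menscan's own code. Assumes an nginx-style log_format
that appends "$http_x_scanned_by" as the final quoted field.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: three marked requests from one address, one
# unmarked request from another, one request with a different marker,
# and one malformed line that the parser should skip.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "Menscan"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /login.html HTTP/1.1" 200 10240 "-" "Mozilla/5.0" "Menscan"
198.51.100.4 - - [12/Mar/2024:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
192.0.2.9 - - [12/Mar/2024:10:01:30 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0" "other-tool"
this line is not an access log entry
203.0.113.7 - - [12/Mar/2024:10:02:40 +0000] "POST /login.html HTTP/1.1" 200 300 "-" "Mozilla/5.0" "Menscan"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<scanned_by>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of the log fields, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_menscan_activity(log_text, marker="Menscan"):
    """Group requests carrying the X-Scanned-By marker by source address."""
    by_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["scanned_by"] != marker:
            continue
        entry = by_ip.setdefault(
            rec["ip"], {"first": rec["ts"], "last": rec["ts"], "requests": 0, "paths": set()}
        )
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["requests"] += 1
        entry["paths"].add(rec["path"])
    return by_ip


def review_window(entry, margin_minutes=15):
    """Time range to inspect for unrelated activity around the scan."""
    margin = timedelta(minutes=margin_minutes)
    return entry["first"] - margin, entry["last"] + margin


if __name__ == "__main__":
    for ip, entry in find_menscan_activity(SAMPLE_LOG).items():
        start, end = review_window(entry)
        print(f"{ip}: {entry['requests']} marked requests, {len(entry['paths'])} paths")
        print(f"  review log activity between {start:%H:%M} and {end:%H:%M}")
```

Point `find_menscan_activity` at your real access log text and adjust `LOG_RE` if your log format differs; the marker comparison is exact, so a different `X-Scanned-By` value is not attributed to Menscan.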

Starting a Scan

Menscan offers two scanning modes:

Unauthenticated Scan

  • This mode does not require login credentials.
  • However, it will only work if Anonymous access is enabled in the Mendix app.
  • Some limited data can still be extracted even if anonymous access is disabled—see Pentesting Mendix Notes for more techniques.

Authenticated Scan

To use authenticated scanning:

  • Log in to the Mendix application using a browser.
  • Open Developer Tools or use an intercepting proxy like Burp Suite.
  • Extract the header named: Host-XASSESSIONID
  • Provide this header value when starting the scan with authentication enabled.

Authenticated scans provide more detailed insights based on the session's access rights.

What Does Menscan Show?

Here's a breakdown of the sections returned by a scan:

System Information

  • Shows the Mendix version in use.
  • Detects whether the application is running in Development Mode.

Demo Users

  • Reveals if Demo Users are enabled.
  • Returns the demo usernames and passwords in plaintext.
  • These accounts can often lead to privilege escalation or horizontal access attacks.

Constants

Lists all configured Mendix constants. These may contain:

  • API keys
  • Secrets
  • Other sensitive system configuration values

Plugins

Shows all used Mendix plugins (modules). Some plugins might contain additional security risks depending on their implementation.

Metadata

The most revealing part of any Menscan scan is undoubtedly the Metadata section. Think of it as the open book of the Mendix application—if access rights aren't configured properly, this page might just show you everything.

Once a scan is authenticated, Menscan attempts to fetch the full structure of the Mendix domain model. It reads through the database tables, picking up the entities, attributes, and even user permissions. In many cases, it'll display whether a field is just readable or editable by the current user session.

And here's the catch: if something is flagged as editable, Menscan won't just list it—it'll alert you. That's a red flag for potential vulnerabilities like Cross-Site Scripting (XSS), data tampering, or even full data exfiltration.

Now imagine this: your application's database model is visible, and it turns out the current user role can not only view but also edit sensitive attributes like "user_email" or "is_admin". That's no longer just metadata—it's a roadmap for privilege escalation or business logic abuse.

In short, the Metadata section paints a picture of how your Mendix app exposes its internals. If the display here looks too rich, it might mean access controls aren't doing their job—and you might be leaking more than you'd like to admit.
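The sections described above (System Information, Demo Users, Constants and Metadata) are only useful if someone turns them into prioritised findings. The script below is an added example of that triage step; it is not Menscan's code, and the report layout it consumes is a constructed, hypothetical structure, since this page does not document Menscan's actual output format. It flags Development Mode, lists demo usernames without echoing their plaintext passwords, spots constants that look like secrets by name or by character entropy, and raises every editable attribute from the metadata, with the sensitive ones (admin, email, role and similar) at higher severity.

```python
"""Turn a Menscan-style scan result into prioritised findings.

Added example, not Menscan's own code. SAMPLE_REPORT is a constructed,
hypothetical layout; adapt the accessors in triage() to the real output.
"""
import math
import re

SENSITIVE_NAME = re.compile(r"(key|secret|password|passwd|token|credential)", re.I)
SENSITIVE_ATTR = re.compile(r"(admin|email|password|role|token|balance|price)", re.I)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

SAMPLE_REPORT = {  # constructed sample, not real scan output
    "system": {"mendix_version": "EXAMPLE-VERSION", "development_mode": True},
    "demo_users": {
        "enabled": True,
        "accounts": [{"username": "demo_administrator", "password": "EXAMPLE-DEMO-PASSWORD"}],
    },
    "constants": {
        "Shop.ApiBaseUrl": "https://api.example.com",
        "Shop.ApiKey": "EXAMPLE-KEY-not-a-real-secret",
        "Shop.IntegrationConfig": "7f3a9c1e4b8d2f6a0c5e9b3d7a1f4c8e",
        "Shop.PageSize": "50",
    },
    "metadata": {
        "entities": [
            {"name": "Shop.Users", "attributes": [
                {"name": "user_email", "read": True, "write": True},
                {"name": "is_admin", "read": True, "write": True},
                {"name": "display_name", "read": True, "write": False},
            ]},
            {"name": "Shop.Orders", "attributes": [
                {"name": "total", "read": True, "write": True},
                {"name": "created", "read": True, "write": False},
            ]},
        ]
    },
}


def shannon_entropy(s):
    """Bits per character of the value's empirical character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(name, value):
    """Name heuristic first, then charset-aware entropy (hex tops out at 4 bits/char)."""
    if SENSITIVE_NAME.search(name):
        return True
    if len(value) >= 16 and HEX_RE.match(value) and shannon_entropy(value) > 3.0:
        return True
    if len(value) >= 20 and shannon_entropy(value) > 4.5:
        return True
    return False


def triage(report):
    findings = []

    def add(severity, section, message):
        findings.append({"severity": severity, "section": section, "message": message})

    if report["system"].get("development_mode"):
        add("high", "system", "application is running in Development Mode")

    demo = report["demo_users"]
    if demo.get("enabled"):
        # Usernames only: the plaintext passwords must not end up in a findings log.
        names = ", ".join(a["username"] for a in demo["accounts"])
        add("high", "demo_users", f"demo users enabled: {names}")

    for name, value in report["constants"].items():
        if looks_like_secret(name, value):
            add("high", "constants", f"constant {name} looks like a secret (value redacted)")

    for entity in report["metadata"]["entities"]:
        for attr in entity["attributes"]:
            if not attr.get("write"):
                continue
            qualified = f"{entity['name']}.{attr['name']}"
            severity = "high" if SENSITIVE_ATTR.search(attr["name"]) else "medium"
            add(severity, "metadata", f"{qualified} is editable by the scanning session")
    return findings


def by_section(findings, section, severity=None):
    return [f for f in findings
            if f["section"] == section and (severity is None or f["severity"] == severity)]


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_REPORT), key=lambda f: f["severity"] != "high"):
        print(f"[{f['severity']:6}] {f['section']}: {f['message']}")
```

The entropy thresholds are the usual split between hex-only values (which cannot exceed 4 bits per character) and general text, so a URL or a page-size constant is not reported while a 32-character hex token is; the name patterns are deliberately broad and should be tuned to the application's naming conventions.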

Final Notes

Menscan is a tool built by and for security researchers who focus on Mendix. It enables deeper understanding and auditing of Mendix applications, but it is only as powerful as the permissions you feed it.

For real-world assessments, Menscan should be paired with manual testing and complemented by in-depth reviews of source code, business logic, and backend integrations.