Menscan Documentation

Menscan is a scanner for Mendix apps. It is useful during pentests for finding misconfigurations and exposed data.

Menscan isn't a full security scanner. It's a helper tool for manual testing.

I've Been Scanned — What Now?

Menscan adds this header to all requests:

X-Scanned-By: Menscan

If you see this in your logs:

  • Review what else the scanning source did around the scan time
  • Menscan is passive: it doesn't attack anything
  • It's a research tool, but like any tool, it can be misused
  • I'm not responsible for malicious use
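As an added example (not part of Menscan or this documentation), the following Python groups requests carrying the scanner header by source address so you can see the scan window and which endpoints were touched. It assumes an access-log format that records request headers; the log format, addresses and paths below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed log format that records a request
# header at the end of each line (e.g. a reverse-proxy custom log format).
# This format is an assumption for the example, not a Mendix or Menscan format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 GET /xas/ 200 "Mozilla/5.0" "X-Scanned-By: Menscan"
2024-05-01T10:00:02Z 203.0.113.5 POST /xas/ 200 "Mozilla/5.0" "X-Scanned-By: Menscan"
2024-05-01T10:00:03Z 198.51.100.7 GET /index.html 200 "Mozilla/5.0" "-"
2024-05-01T10:00:09Z 203.0.113.5 GET /api-docs/ 404 "Mozilla/5.0" "X-Scanned-By: Menscan"
2024-05-01T10:05:00Z 198.51.100.7 POST /xas/ 200 "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<extra>[^"]*)"$'
)
SCANNER_HEADER = "x-scanned-by: menscan"  # compared case-insensitively


def find_menscan_activity(log_text):
    """Group requests carrying the Menscan header by source address.

    Returns {src: {"count", "first", "last", "paths"}} so a responder can
    see the scan window per source and the endpoints that were touched.
    """
    activity = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "paths": set()}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("extra").strip().lower() != SCANNER_HEADER:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        entry = activity[m.group("src")]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["paths"].add(m.group("path"))
    return dict(activity)


if __name__ == "__main__":
    for src, info in find_menscan_activity(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} requests between {info['first']} and "
              f"{info['last']}, paths={sorted(info['paths'])}")
```

The header is a courtesy marker that a modified copy of the tool could omit, so also review bursts of requests to /xas/ from a single source in the same window.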

Starting a Scan

Two modes:

Unauthenticated Scan

  • No login needed
  • Only works if Anonymous access is enabled in the Mendix app
  • Some data can still be retrieved without anonymous access; see Pentesting Mendix Notes for details

Authenticated Scan

Steps:

  • Log into the Mendix app in your browser
  • Open DevTools or use Burp Suite
  • Copy the value of the __Host-XASSESSIONID session cookie from the request's Cookie header
  • Paste it into Menscan when starting an authenticated scan

Authenticated scans show more data based on what that session can access.

What Does Menscan Show?

Scan results include:

System Information

  • Mendix version
  • Development mode status
  • Default credentials check (MxAdmin:1)
  • Exposed API documentation endpoints

Demo Users

  • Shows if demo users are enabled
  • Lists usernames and passwords
  • These can lead to privilege escalation

Constants

Lists all Mendix constants. These often contain API keys, secrets, and other sensitive configuration.

Plugins

Lists all Mendix modules/plugins. Some may have security issues depending on how they are implemented.

Microflows

Microflows are Mendix's server-side business logic. Menscan enumerates all microflows the current session can invoke via the /xas/ runtime endpoint, then attempts to execute each one directly using "action": "executeAction". If access controls are misconfigured, any user, including anonymous, can trigger restricted business logic without touching the UI.

What to watch for:

  • Admin actions exposed to regular users — password resets, account unlocks, role changes
  • Data export microflows — bulk export of records to CSV or external systems
  • Anonymous-accessible microflows — business logic callable without any authentication
  • Integration triggers — microflows that call external APIs, send emails, or write to third-party systems

Metadata

This is where it gets interesting. The Metadata section shows the domain model—all entities, attributes, and what the current user can read or write.

If access controls are misconfigured, you'll see everything. Each field shows whether it's editable. If something is editable that shouldn't be, that's a problem.

For example: if a regular user can edit "is_admin" or "user_email", that's privilege escalation. If they can edit any field, that's data tampering. The Metadata section shows you exactly what's exposed.

Final Notes

Menscan is a tool for security researchers who work with Mendix. It shows you what the app exposes to the session you scan with, and nothing beyond that session's permissions.

Use it alongside manual testing, code reviews, and business logic analysis. It's not a replacement for thorough security assessment.