Welcome! This guide walks you through each of To8CA's eight analyzers with step-by-step instructions and safe-to-use example inputs. Whether you're a cybersecurity student, studying for a certification, or a junior analyst getting started on the job — this page will help you understand what each tool does, when to use it, and how to interpret the results.
💡 Tip: The risk score is cumulative — each finding adds to the total. A score of 0 means no issues were detected. A score of 60+ is rated critical.
What it does: Examines a URL for signs of phishing — typosquatting (lookalike domains), suspicious TLDs, URL obfuscation tricks, dangerous keywords, and SSL certificate issues.
When to use it: You received a suspicious link in an email, chat message, or social media post and want to check it before clicking.
Try This — A typosquatting domain mimicking Google:
Try This — URL with @ sign obfuscation (hides real destination):
Try This — IP address instead of domain name:
Safe Baseline — A legitimate URL (should score 0 or near 0):
Typosquatting detected — The domain is visually similar to a well-known brand (e.g., "g00gle" vs "google"). Severity: high.
URL contains @ sign — Browsers treat everything before the @ as a username and password and connect to the host that follows it, so the familiar-looking name before the @ is a decoy and the real destination is after it. Severity: high.
Suspicious TLD — TLDs like .tk, .ml, .xyz are heavily abused by phishers. Severity: medium.
IP address in URL — Legitimate sites use domain names, not raw IPs. Severity: medium.
💡 Pro tip: If the URL starts with just a domain (e.g., "example.com"), To8CA will automatically prepend https:// for you.
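To make the four findings above concrete, here is an added example (not To8CA's own code) that applies the same heuristics to a URL: the https:// prepend for bare domains, the @-sign check on the authority, the raw-IP check, a suspicious-TLD list, and a typosquat check that folds common digit-for-letter swaps (0 for o, 1 for l) and allows one edit of distance against a brand list. The brand list, TLD list and weights are assumptions chosen for the example; the page does not publish the analyzer's real ones.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed brand list, TLD list and weights for illustration; the page does
# not publish the analyzer's real lists or scoring, so these are assumptions.
BRANDS = ["google", "paypal", "microsoft", "apple", "amazon"]
SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf", "xyz", "top"}
WEIGHTS = {"typosquat": 30, "at_sign": 30, "suspicious_tld": 15, "ip_host": 15}

# Digits/symbols commonly swapped for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})


def normalize(url):
    """Prepend https:// to a bare domain, as the guide says the tool does."""
    return url if "://" in url else "https://" + url


def edit_distance(a, b):
    """Levenshtein distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(url):
    parts = urlsplit(normalize(url))
    findings = []
    # Everything before '@' in the authority is userinfo; the real host follows it.
    if "@" in parts.netloc:
        findings.append({"name": "URL contains @ sign", "severity": "high",
                         "weight": WEIGHTS["at_sign"]})
    host = (parts.hostname or "").lower()  # hostname already excludes userinfo/port
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        findings.append({"name": "IP address in URL", "severity": "medium",
                         "weight": WEIGHTS["ip_host"]})
    else:
        labels = host.split(".")
        if len(labels) >= 2:
            if labels[-1] in SUSPICIOUS_TLDS:
                findings.append({"name": "Suspicious TLD", "severity": "medium",
                                 "weight": WEIGHTS["suspicious_tld"]})
            # Naive registrable label (second-level label); a real implementation
            # would use the Public Suffix List to handle e.g. .co.uk correctly.
            sld = labels[-2]
            folded = sld.translate(HOMOGLYPHS)
            for brand in BRANDS:
                if sld != brand and (folded == brand or edit_distance(sld, brand) == 1):
                    findings.append({"name": "Typosquatting detected", "severity": "high",
                                     "weight": WEIGHTS["typosquat"], "brand": brand})
                    break
    score = min(100, sum(f["weight"] for f in findings))
    return {"score": score, "findings": findings}


if __name__ == "__main__":
    for u in ["g00gle.com", "https://google.com@evil.tk/login",
              "http://192.168.1.10/secure-login", "https://www.google.com/search?q=test"]:
        r = analyze_url(u)
        print(u, r["score"], [f["name"] for f in r["findings"]])
```

The hostname check uses `urlsplit(...).hostname`, which already drops the userinfo, so `https://google.com@evil.tk/login` is scored against `evil.tk`, which is exactly the trick the @-sign finding describes.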
What it does: Checks a CVE (Common Vulnerabilities and Exposures) ID against CISA's Known Exploited Vulnerabilities catalog to determine if it's been used in ransomware campaigns.
When to use it: Your vulnerability scanner flagged a CVE and you need to know whether ransomware groups are actively exploiting it — this helps you prioritize patching.
Try This — ConnectWise ScreenConnect auth bypass (used by multiple ransomware groups):
Try This — MOVEit Transfer SQLi (CL0P ransomware campaign):
Try This — Log4Shell (widespread exploitation):
Found in CISA KEV — This CVE is confirmed to be actively exploited in the wild. This is a critical finding and should be patched immediately.
Known Ransomware Campaign Use: Yes — CISA has specifically flagged this CVE as used in ransomware operations.
CVSS Score — The CVSS base score from NIST NVD (0.0–10.0). Anything 9.0+ is critical.
💡 Tip: You can also use the Zero-Day / CVE Analyzer (tab 7) to search the entire KEV catalog by keyword — try searching "ransomware" to see all ransomware-linked CVEs.
What it does: Parses Apache or Nginx access logs to detect DoS attack patterns — single-IP floods, endpoint hammering, abnormal request rates, POST floods, and low IP diversity.
When to use it: Your website is responding slowly and you suspect a DoS attack. Grab a chunk of your access log and paste it here for instant analysis.
Try This — Simulated flood from a single IP hitting /login repeatedly:
Single-IP flood — One IP is responsible for a disproportionate share of traffic. Severity: high.
Endpoint hammering — The same URL is being hit repeatedly at abnormal rates. Severity: high.
POST flood — Unusually high percentage of POST requests, which are more resource-intensive for servers. Severity: medium.
Low IP diversity — Almost all traffic comes from very few IPs, suggesting a targeted attack rather than legitimate traffic. Severity: medium.
💡 How to get logs: On Linux servers, logs are typically at /var/log/apache2/access.log or /var/log/nginx/access.log. Copy a recent block with: tail -500 /var/log/nginx/access.log
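The five DoS findings above are all simple statistics over the parsed log. The following added example (not To8CA's code) parses combined-format Apache/Nginx lines and computes them over a constructed log: 40 POSTs to /login from one IP within ten seconds mixed with five normal requests. The thresholds, weights and minimum sample size are assumptions for the example; the real analyzer's values are not published on this page.

```python
import re
from collections import Counter
from datetime import datetime

# Prefix of the combined log format that Apache and Nginx use by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Assumed thresholds and weights; the page does not publish the analyzer's own.
MIN_REQUESTS = 20      # below this, rate and diversity checks are meaningless
SHARE = 0.5            # share of traffic from one IP / one path / POST that counts as a flood
TOP3_SHARE = 0.9       # top three IPs carrying this share = low diversity
RATE_PER_SEC = 3.0
WEIGHTS = {"Single-IP flood": 25, "Endpoint hammering": 25, "Abnormal request rate": 20,
           "POST flood": 15, "Low IP diversity": 15}


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def analyze_log(text):
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    n = len(entries)
    if n == 0:
        return {"score": 0, "requests": 0, "findings": []}
    findings = []

    def flag(name, severity, detail):
        findings.append({"name": name, "severity": severity, "detail": detail,
                         "weight": WEIGHTS[name]})

    ips = Counter(e["ip"] for e in entries)
    top_ip, top_ip_n = ips.most_common(1)[0]
    if top_ip_n / n >= SHARE:
        flag("Single-IP flood", "high", f"{top_ip} sent {top_ip_n} of {n} requests")
    paths = Counter(e["path"] for e in entries)
    top_path, top_path_n = paths.most_common(1)[0]
    if top_path_n / n >= SHARE:
        flag("Endpoint hammering", "high", f"{top_path} hit {top_path_n} times")
    posts = sum(e["method"] == "POST" for e in entries)
    if posts / n >= SHARE:
        flag("POST flood", "medium", f"{posts} of {n} requests are POST")
    if n >= MIN_REQUESTS:
        span = (max(e["ts"] for e in entries) - min(e["ts"] for e in entries)).total_seconds()
        rate = n / max(span, 1.0)  # avoid division by zero on a same-second burst
        if rate >= RATE_PER_SEC:
            flag("Abnormal request rate", "high", f"{rate:.1f} req/s over {span:.0f}s")
        top3 = sum(c for _, c in ips.most_common(3))
        if top3 / n >= TOP3_SHARE:
            flag("Low IP diversity", "medium", f"top 3 of {len(ips)} IPs sent {top3} of {n}")
    score = min(100, sum(f["weight"] for f in findings))
    return {"score": score, "requests": n, "findings": findings}


def sample_attack_log():
    """Constructed log: 40 POSTs to /login from one IP in 10 s plus 5 normal requests."""
    lines = [f'203.0.113.5 - - [10/Oct/2023:13:55:{i // 4:02d} +0000] '
             f'"POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"' for i in range(40)]
    for k, path in enumerate(["/", "/about", "/contact", "/blog", "/pricing"], 1):
        lines.append(f'198.51.100.{k} - - [10/Oct/2023:13:55:{k:02d} +0000] '
                     f'"GET {path} HTTP/1.1" 200 4096 "-" "Mozilla/5.0"')
    return "\n".join(lines)


if __name__ == "__main__":
    result = analyze_log(sample_attack_log())
    print(result["score"], [f["name"] for f in result["findings"]])
```

Note the guard on sample size: five requests in one second is not a flood, so the rate and diversity checks only run once there is enough traffic to make the ratios meaningful. The `tail -500` block suggested above is a reasonable input size for this kind of analysis.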
What it does: Combines an SSL/TLS certificate check with a DNS integrity analysis to detect conditions that could allow MitM attacks — expired certs, DNS resolution inconsistencies, missing DNSSEC, or rDNS mismatches.
When to use it: You want to verify that a connection to a domain is trustworthy and not vulnerable to interception.
Safe Baseline — A domain with valid SSL and DNSSEC:
Try This — Test with a known site (your own or any domain):
SSL certificate issues — Expired, self-signed, or mismatched certificates are red flags. Severity: high.
DNS inconsistency across resolvers — If different DNS providers return different IPs, someone may be poisoning DNS. Note that CDNs and geo-aware DNS also legitimately return different IPs to different resolvers, so check whether the addresses belong to the same hosting provider before concluding that an attack is underway. Severity: high.
No DNSSEC — Without DNSSEC, DNS responses can be spoofed without detection. Severity: medium.
Combined risk score — The MitM check adds the phishing SSL score and the DNS score together for an overall risk assessment.
💡 Tip: The MitM analyzer runs two analyses behind the scenes (Phishing SSL + DNS Spoofing) and merges the findings. This gives you a comprehensive view of connection integrity from a single input.
What it does: Scans text input against 14+ SQL injection patterns — classic UNION-based, boolean-based blind, time-based blind, stacked queries, comment injection, and more.
When to use it: You're reviewing web application logs, form submissions, or URL query parameters and want to check if they contain SQL injection attempts.
Try This — Classic authentication bypass:
Try This — UNION-based data extraction:
Try This — Time-based blind injection:
Try This — Stacked query with DROP TABLE:
Safe Baseline — Normal input (should score 0):
Classic SQL injection — Patterns like ' OR 1=1 try to bypass authentication by making the WHERE clause always true. Severity: critical.
UNION SELECT — Attempts to append additional query results to extract data from other tables. Severity: critical.
Time-based blind — Uses WAITFOR DELAY or SLEEP() to detect injection by measuring response time. Severity: high.
Stacked queries — Semicolons followed by dangerous commands like DROP or INSERT. Severity: critical.
⚠️ Important: These are detection patterns only. To8CA identifies whether input looks like a SQL injection attempt — it does not execute any queries. All analysis happens through pattern matching, and your input is never stored.
What it does: Scans content for 16+ XSS payload patterns — script tags, event handlers (onclick, onerror), DOM manipulation, data URIs, JavaScript protocol handlers, and encoded payloads.
When to use it: You're reviewing user-submitted content, HTML form fields, URL parameters, or web application output for embedded XSS payloads.
Try This — Classic script tag injection:
Try This — Event handler injection (no script tag needed):
Try This — JavaScript protocol in a link:
Try This — DOM manipulation payload:
Safe Baseline — Normal HTML (should score 0):
Script tag detected — The most straightforward XSS vector. Severity: critical.
Event handler — Attributes like onerror, onclick, onload can execute JavaScript without a script tag. Severity: high.
JavaScript URI — javascript: protocol in href or src attributes. Severity: high.
DOM access — References to document.cookie, document.write, or innerHTML suggest data theft or DOM tampering. Severity: high.
💡 Tip: The SQLi and XSS detectors use the same backend endpoint. If your input contains both SQL and XSS patterns, all findings will appear together — the detector checks for both automatically.
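Since the page says both detectors share one endpoint and work purely by pattern matching, here is one added example (not To8CA's code) covering both the SQLi section and the XSS section above: it normalizes the input (repeated URL-decoding for double-encoded payloads, then HTML entity decoding, then lowercasing) and runs a regex set for the categories the two sections list. The regexes and weights are a constructed subset for illustration, not the analyzer's actual 14+ and 16+ rules.

```python
import html
import re
from urllib.parse import unquote

# Constructed pattern set: one regex per category named in the guide. Weights are
# assumptions; the real analyzer's rules and scoring are not published on this page.
SEVERITY_WEIGHT = {"critical": 40, "high": 25, "medium": 15}
PATTERNS = [
    # (category, finding name, severity, regex applied to the normalized input)
    ("sqli", "Classic SQL injection", "critical",
     r"""['"]\s*or\s+[\w'"]+\s*=\s*[\w'"]+"""),            # ' OR 1=1 / ' OR '1'='1
    ("sqli", "UNION SELECT", "critical", r"\bunion\b\s+(?:all\s+)?select\b"),
    ("sqli", "Time-based blind", "high",
     r"\bwaitfor\s+delay\b|\b(?:sleep|pg_sleep|benchmark)\s*\("),
    ("sqli", "Stacked queries", "critical",
     r";\s*(?:drop|delete|insert|update|alter|truncate|exec|execute|shutdown)\b"),
    ("sqli", "Comment injection", "medium", r"--|/\*"),
    ("xss", "Script tag detected", "critical", r"<\s*script\b"),
    ("xss", "Event handler", "high",
     r"\bon(?:error|load|click|mouseover|mouseenter|focus|blur|submit|change|input|toggle)\s*="),
    ("xss", "JavaScript URI", "high", r"javascript\s*:"),
    ("xss", "DOM access", "high",
     r"\bdocument\s*\.\s*(?:cookie|write|location|domain)\b|\binnerhtml\b|\beval\s*\("),
    ("xss", "Data URI", "high", r"\bdata\s*:\s*text/html"),
]
COMPILED = [(cat, name, sev, re.compile(rx, re.IGNORECASE)) for cat, name, sev, rx in PATTERNS]


def normalize(text, rounds=3):
    """Undo URL encoding (repeatedly, to catch double-encoding) and HTML entities."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return html.unescape(text).lower()


def detect(text):
    """Return the cumulative score plus every SQLi and XSS pattern matched, in one pass.

    Pure pattern matching: nothing here is executed or stored, matching the
    guide's description of the detectors.
    """
    normalized = normalize(text)
    findings = []
    for cat, name, sev, rx in COMPILED:
        m = rx.search(normalized)
        if m:
            findings.append({"category": cat, "name": name, "severity": sev,
                             "match": m.group(0)})
    score = min(100, sum(SEVERITY_WEIGHT[f["severity"]] for f in findings))
    return {"score": score, "findings": findings}


if __name__ == "__main__":
    # Constructed sample inputs mirroring the "Try This" categories above.
    for s in ["admin' OR '1'='1' --",
              "1 UNION SELECT username, password FROM users",
              "1'; WAITFOR DELAY '0:0:5'--",
              "1; DROP TABLE users",
              "<script>alert(document.cookie)</script>",
              '<img src=x onerror="alert(1)">',
              '<a href="javascript:alert(1)">click</a>',
              "%3Cscript%3Ealert(1)%3C%2Fscript%3E",
              "<p>Hello <b>world</b></p>"]:
        r = detect(s)
        print(r["score"], [f["name"] for f in r["findings"]], repr(s))
```

The decode-before-match step is what lets a URL-encoded `%3Cscript%3E` or an entity-encoded `&lt;script&gt;` trip the same script-tag rule as the plain payload; without it, encoded payloads are the classic way past a naive detector.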
What it does: Looks up individual CVEs against CISA's Known Exploited Vulnerabilities (KEV) catalog and enriches them with CVSS scores from NIST NVD. Also lets you search the full KEV catalog by keyword or vendor.
When to use it: Your vulnerability scanner found a CVE and you need to know: Is it being actively exploited? What's the severity? Is there a federal deadline to patch it?
Try This — OpenSSH signal handler race condition (recent):
Try This — Apache Log4j (Log4Shell):
Try This — ProxyShell (Microsoft Exchange):
Try This — KEV search for all Microsoft vulnerabilities:
Try This — KEV search for "remote code execution":
In CISA KEV: Yes — This vulnerability is under active exploitation. Federal agencies must patch by the listed due date. You should too. Severity: critical.
CVSS Score — Sourced from NIST NVD. Scale: 0.0 (none) to 10.0 (max). 9.0+ is critical, 7.0–8.9 is high.
Required Action — CISA's recommended remediation step (e.g., "Apply vendor update").
Due Date — The federal deadline for patching. If it's past due, treat it as an emergency.
💡 Where to find CVE IDs: Vulnerability scanners (Nessus, Qualys, OpenVAS), security advisories, vendor bulletins, or search cve.org directly.
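The result fields above (In CISA KEV, Known Ransomware Campaign Use, Required Action, Due Date, CVSS rating) map directly onto the records in CISA's KEV feed. The following added example (not To8CA's code) shows that mapping over a constructed two-entry catalog excerpt: lookup by CVE ID, overdue detection against a supplied date, keyword search across vendor, product, name and description, and the CVSS v3 qualitative scale the page quotes. The field names follow CISA's published KEV JSON feed; the CVE IDs and all values in the excerpt are placeholders, not real entries, and the CVSS score is passed in by the caller because the NVD fetch the analyzer performs is out of scope for an offline example.

```python
import json
from datetime import date

# Constructed catalog excerpt. Field names follow CISA's published KEV JSON feed;
# the CVE IDs (2099 series) and values are placeholders, not real entries.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2024.01.15",
  "dateReleased": "2024-01-15T12:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2099-0001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleRMM",
      "vulnerabilityName": "ExampleVendor ExampleRMM Authentication Bypass Vulnerability",
      "dateAdded": "2023-12-10",
      "shortDescription": "ExampleRMM contains an authentication bypass that allows remote code execution.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2024-01-01",
      "knownRansomwareCampaignUse": "Known",
      "notes": ""
    },
    {
      "cveID": "CVE-2099-0002",
      "vendorProject": "OtherCorp",
      "product": "OtherCMS",
      "vulnerabilityName": "OtherCorp OtherCMS Path Traversal Vulnerability",
      "dateAdded": "2024-01-10",
      "shortDescription": "OtherCMS contains a path traversal vulnerability.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2024-01-31",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""


def load_catalog(text):
    """Index the feed by upper-cased CVE ID so lookups are O(1)."""
    return {v["cveID"].upper(): v for v in json.loads(text)["vulnerabilities"]}


def cvss_rating(score):
    """CVSS v3 qualitative scale as used by NVD."""
    if score is None:
        return "unknown"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "none"


def lookup_cve(catalog, cve_id, today, cvss=None):
    """today is an ISO date string; cvss is the NVD base score supplied by the caller."""
    entry = catalog.get(cve_id.strip().upper())
    if entry is None:
        return {"cve": cve_id, "in_kev": False, "cvss": cvss, "cvss_rating": cvss_rating(cvss)}
    due = date.fromisoformat(entry["dueDate"])
    now = date.fromisoformat(today)
    return {
        "cve": entry["cveID"], "in_kev": True,
        "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        "required_action": entry["requiredAction"],
        "due_date": entry["dueDate"],
        "overdue": now > due,                 # past the federal deadline: treat as an emergency
        "days_until_due": (due - now).days,   # negative when overdue
        "cvss": cvss, "cvss_rating": cvss_rating(cvss),
    }


def search_kev(catalog, keyword):
    """Case-insensitive keyword search over the text fields of every entry."""
    kw = keyword.lower()
    fields = ("vendorProject", "product", "vulnerabilityName", "shortDescription")
    return [v["cveID"] for v in catalog.values() if any(kw in v[f].lower() for f in fields)]


if __name__ == "__main__":
    cat = load_catalog(KEV_JSON)
    print(lookup_cve(cat, "cve-2099-0001", "2024-01-15", cvss=9.8))
    print(search_kev(cat, "remote code execution"))
```

Because the analyzer fetches the live feed, a real run would replace `KEV_JSON` with the downloaded catalog; everything else in the lookup stays the same.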
What it does: Resolves a domain across four trusted DNS providers (Google 8.8.8.8, Cloudflare 1.1.1.1, Quad9 9.9.9.9, OpenDNS 208.67.222.222), compares the results, verifies DNSSEC status, and checks forward/reverse DNS consistency.
When to use it: You suspect DNS poisoning or want to verify that a domain's DNS is resolving honestly across the internet.
Try This — A domain with full DNSSEC (should be clean):
Try This — Check if your own domain has DNSSEC:
Try This — A popular site (check resolver consistency):
Try This — A cloud-hosted site (To8CA recognizes cloud providers):
All resolvers agree — All four DNS providers return the same IP(s). This is a good sign: no disagreement between these public resolvers was detected. It does not rule out poisoning of your own local resolver, which this check does not query.
Resolver disagreement — Different resolvers return different IPs. This could indicate DNS cache poisoning, but CDNs and geo-aware DNS also return different IPs per resolver, so confirm that the addresses belong to different owners before treating it as an attack. Severity: critical.
DNSSEC: Not enabled — The domain doesn't use DNSSEC, making it vulnerable to spoofing. Severity: medium.
DNSSEC: Enabled — DNSKEY records found, so the zone publishes signing keys and its responses can be validated. Good. (DNSKEY records alone do not prove the chain of trust is complete; that also requires a matching DS record in the parent zone.)
Cloud provider detected — If rDNS points to a cloud provider (AWS, GCP, Azure, Cloudflare, etc.), this is expected behavior and flagged as info, not a risk.
💡 DNSSEC matters: Without DNSSEC, attackers can forge DNS responses and redirect users to fake servers. If you manage a domain, enable DNSSEC at your registrar and DNS host. To8CA checks for it automatically.
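The decision logic behind the findings above, as an added example that is not To8CA's code: given the answers from each resolver, a DNSKEY yes/no, and the PTR name for each address, it decides between agreement, disagreement that is explained by a single CDN/cloud provider (downgraded to info), and unexplained disagreement (critical), and adds the DNSSEC, missing-rDNS and cloud-provider findings. The network lookups are left to the caller so the logic runs offline; the provider suffix list and weights are assumptions for the example.

```python
# Illustrative rDNS suffixes for large cloud/CDN providers. This list is an
# assumption for the example; the page does not publish the analyzer's own.
CLOUD_RDNS_SUFFIXES = {
    "amazonaws.com": "AWS",
    "cloudfront.net": "AWS CloudFront",
    "googleusercontent.com": "Google Cloud",
    "1e100.net": "Google",
    "cloudflare.com": "Cloudflare",
    "cloudapp.azure.com": "Azure",
}
# Assumed weights per severity; the page only states the severity labels.
WEIGHTS = {"critical": 50, "medium": 15, "info": 0}


def cloud_provider(ptr_name):
    """Map a PTR name to a provider by suffix, or None if it is not recognized."""
    name = (ptr_name or "").rstrip(".").lower()
    for suffix, provider in CLOUD_RDNS_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return provider
    return None


def analyze_dns(domain, answers, dnskey_present, rdns):
    """
    answers:        {resolver_name: set of A-record IPs that resolver returned}
    dnskey_present: whether a DNSKEY query for the zone returned records
    rdns:           {ip: PTR name, or None when the IP has no PTR}
    All three are supplied by the caller so this runs without network access.
    """
    findings = []

    def flag(name, severity, detail=""):
        findings.append({"name": name, "severity": severity, "detail": detail,
                         "weight": WEIGHTS[severity]})

    answer_sets = {frozenset(ips) for ips in answers.values()}
    all_ips = set().union(*answer_sets)
    providers = {cloud_provider(rdns.get(ip)) for ip in all_ips}

    if len(answer_sets) == 1:
        flag("All resolvers agree", "info",
             f"{len(answers)} resolvers returned {sorted(all_ips)}")
    elif None not in providers and len(providers) == 1:
        # Different IPs that all reverse to one CDN/cloud provider is what
        # geo-aware DNS looks like; it is not by itself evidence of poisoning.
        flag("Resolver disagreement (same provider)", "info",
             f"answers differ but every IP reverses to {next(iter(providers))}")
    else:
        flag("Resolver disagreement", "critical",
             f"{ {r: sorted(ips) for r, ips in answers.items()} }")

    if dnskey_present:
        flag("DNSSEC: Enabled", "info", "DNSKEY records found")
    else:
        flag("DNSSEC: Not enabled", "medium", "no DNSKEY records")

    # Forward/reverse consistency, simplified to "every returned IP has a PTR".
    missing_ptr = sorted(ip for ip in all_ips if not rdns.get(ip))
    if missing_ptr:
        flag("rDNS mismatch", "medium", f"no PTR record for {missing_ptr}")
    for provider in sorted(p for p in providers if p):
        flag("Cloud provider detected", "info", provider)

    score = min(100, sum(f["weight"] for f in findings))
    return {"domain": domain, "score": score, "findings": findings}


if __name__ == "__main__":
    # Constructed CDN scenario: two resolvers get one edge IP, two get another.
    answers = {"Google 8.8.8.8": {"192.0.2.10"}, "Cloudflare 1.1.1.1": {"192.0.2.20"},
               "Quad9 9.9.9.9": {"192.0.2.10"}, "OpenDNS 208.67.222.222": {"192.0.2.20"}}
    rdns = {"192.0.2.10": "server-192-0-2-10.fra56.r.cloudfront.net.",
            "192.0.2.20": "server-192-0-2-20.iad89.r.cloudfront.net."}
    r = analyze_dns("cdn.example", answers, dnskey_present=False, rdns=rdns)
    print(r["score"], [f["name"] for f in r["findings"]])
```

The same-provider downgrade removes the most common false positive, but it is a heuristic: an attacker who stands up a rogue host at the same cloud provider would slip past it, which is one more reason the page's advice to enable DNSSEC matters.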
Every analysis returns a risk score from 0 to 100 and a risk level:
Each individual finding within the results has its own severity:
No. To8CA does not store, log, or track any input you submit. All analysis is performed in real-time and results are returned directly to your browser. See the Privacy Policy for details.
No. All analysis is read-only and passive. Submitting a SQL injection payload to the detector does not execute SQL anywhere — it only runs regex pattern matching. Same for XSS, phishing URLs, and all other analyzers.
To8CA fetches the KEV catalog live from CISA's API on each request. You always get the latest data.
It means the CVE exists but hasn't been confirmed as actively exploited in the wild by CISA. It may still be dangerous — check the CVSS score from NVD for severity.
Most domains don't have DNSSEC enabled. It requires configuration at both your DNS host and domain registrar. DNSSEC adds cryptographic signatures that prevent DNS spoofing.
Yes — 30 requests per minute per IP address. This prevents abuse while allowing normal usage. If you hit the limit, wait a moment and try again.