⚠️ Authenticated web application scanning. If you're thinking of adding authentication for an admin user, please read this article first: Adding an admin user when adding authentications
If you're worried about our scanning bringing a system offline or causing heavy traffic to a production system, rest assured that Intruder's scanning engines are configured to be safe to use – even when scanning production systems.
What about DoS?
When it comes to denial of service (DoS) vulnerabilities we test for them, but don’t exploit them so no need to worry about your systems being taken offline.
What about authenticated web-app scanning?
Before we jump straight in, it's worth understanding exactly what happens when you kick off an authenticated scan:
Our scanner crawls all pages within your application
Identifies different points where data can be sent to your application
Sends data (and crafted requests) to the application
Checks responses to see if there has been any successful exploitation or any vulnerabilities exist
Since the scanner will attempt to send different types of data to pages behind the login page, it's worth considering what kind of functionality the scanner will be able to interact with and what processes might be triggered. For example:
Creating an entry in our IT help desk ticketing system
Sending Slack/Teams messages
Sending requests to third-party organisations
If you choose to scan an application which has this sort of functionality you may see an increase in submissions as the scanner attempts to send multiple requests in a short timeframe.
For this reason, we always err on the side of caution and recommend scanning test environments, or those connected to a test harness. Though we don't recommend it, if you're wanting to add admin credentials, then please read this first.
What about API Scanning?
To consider the things to be aware of when scanning an API, it's best to first understand how the scanner operates. When you upload and scan using an API, the scanner will parse the schema and, from this, build a list of endpoints and requests.
It is therefore worth highlighting that if your schema contains endpoints that can modify or delete data (for example a DELETE endpoint), then given that the scanner is going to call every endpoint in the schema, if you provide an account that can modify data through the API, the scan has the potential to modify that data.
It is therefore recommended to review the endpoints in the schema in the context of the account you're giving the scanner access to and modify the schema or revoke account permissions if it is possible for the scan to perform actions that you wish to avoid.
What about Internal Scanning?
Our internal vulnerability scanner uses an agent installed onto the local machine. This agent is designed not to cause any damage to the machine on which it is installed. It does not require access to documents on the machine and will predominantly be checking system directories (e.g. C:/WINDOWS) and Application/Program Files.
The minimum requirements for the agent is a CPU Speed >= 1GHz and 1GB or more of RAM - provided these resource requirements are met (or exceeded) then the scanner will not experience any issues such as running out of memory or CPU capacity.
How do I cancel a scan
If you ever need to cancel a scan, just use the control panel on the scans page:
Can I throttle a scan?
Yes! If you know of any significant resource constraints on a certain system or reasons why your system may not respond well to a peak in traffic, Intruder does offer a throttled scan setting which can be used to scan at slower speeds. This shouldn't be required normally, but may be helpful when scanning certain problematic hosts.
Can I limit the ports that get scanned?
Yes, absolutely.
This would be especially helpful for those users with Application licenses, that want to limit scanning to just the application (and not the broader infrastructure).
If you have any further questions around how Intruder's scans might affect your systems, please contact us in the in-app chat box.