Adding allowed domains for web application scans

How to configure allowed subdomains and cross-domains for authenticated web application scans

Written by Ben Stanley

Overview

When Intruder scans a web application, it intercepts network requests made during the scan. By default, requests to any domain other than your target will not succeed. This is intentional — it keeps scans focused and prevents unintended interaction with third-party services.

The Allowed domains section lets you specify additional domains that your application depends on, so those requests are permitted to complete during a scan. The scanner will also run a limited set of security checks on those network requests.

Subdomains vs cross-domains

Subdomains are domains that share the same apex domain as your target. For example, if your target is app.example.com, you can add api.example.com or cdn.example.com here. You can add as many subdomains as you need.

Cross-domains are entirely separate domains — for example, an external identity provider or a third-party API your application depends on. You can add up to 3 cross-domains per target.

If a domain shares the same apex as your target, add it under Subdomains — not Cross-domains.

How do I add these?

ℹ️ Note: Cross-domain support is currently in development and will be available in a future release. Only subdomains can be added as allowed domains at this time.

When adding or modifying a target's authentication, scroll down to Additional domains and click the downward arrow to reveal the Subdomains and Cross-domains fields.

When do I need this?

You may need to add allowed domains if your application:

  • Makes requests to subdomains not covered by your target (e.g. your target is app.example.com but it calls api.example.com)

  • Relies on an external authentication provider (e.g. auth.identityprovider.com)

  • Loads resources from a separate domain that is critical to the application functioning correctly during a scan

If these domains are missing, parts of your application may not work correctly during a scan, which could lead to missed vulnerabilities.

Examples

Scenario → What to add

  • Target is app.example.com, calls api.example.com → Add api.example.com under Subdomains

  • Login flow redirects to auth.example.com → Add auth.example.com under Subdomains

  • App uses login.auth0.com for authentication → Add login.auth0.com under Cross-domains

  • App loads assets from assets.cdn.io → Add assets.cdn.io under Cross-domains
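As an added illustration of the subdomain vs cross-domain rule and the scenarios above (example code written for this article, not Intruder's own), the following Python sorts candidate hosts into Subdomains or Cross-domains by comparing apex domains and rejects a list that exceeds the stated limit of three cross-domains. It assumes the apex is the last two labels of a hostname, which is a simplification of the Public Suffix List rules.

```python
MAX_CROSS_DOMAINS = 3  # limit stated in the article: up to 3 cross-domains per target


def normalise_host(host: str) -> str:
    """Lower-case a hostname; tolerate a pasted URL (scheme, port, path) and a trailing dot."""
    host = host.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.split("/", 1)[0].split(":", 1)[0].rstrip(".")


def apex_domain(host: str) -> str:
    """Return the apex (registrable) domain of a host.
    Assumption: the apex is the last two labels. That is a simplification; a production
    classifier would consult the Public Suffix List so that e.g. example.co.uk is handled."""
    labels = normalise_host(host).split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified hostname: {host!r}")
    return ".".join(labels[-2:])


def classify_allowed_domains(target: str, candidates: list) -> dict:
    """Sort each candidate host into 'subdomains' (same apex as the target) or
    'cross_domains' (different apex), skipping the target itself and duplicates,
    and reject the list if it exceeds the cross-domain limit."""
    target = normalise_host(target)
    target_apex = apex_domain(target)
    result = {"subdomains": [], "cross_domains": []}
    seen = {target}
    for candidate in candidates:
        host = normalise_host(candidate)
        if host in seen:
            continue  # the target itself, or already listed
        seen.add(host)
        bucket = "subdomains" if apex_domain(host) == target_apex else "cross_domains"
        result[bucket].append(host)
    if len(result["cross_domains"]) > MAX_CROSS_DOMAINS:
        raise ValueError(f"{len(result['cross_domains'])} cross-domains requested, "
                         f"limit is {MAX_CROSS_DOMAINS}: {', '.join(result['cross_domains'])}")
    return result


if __name__ == "__main__":
    # Constructed input mirroring the scenarios in the examples table above.
    wanted = ["api.example.com", "auth.example.com", "login.auth0.com", "assets.cdn.io"]
    print(classify_allowed_domains("app.example.com", wanted))
```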

What checks run on allowed domains?

Allowed domains are not scanned in full. Intruder will not crawl or actively probe these domains the way it does your primary target. Instead, security checks are run on the network requests that pass through them during a scan:

  • Inspect request and response traffic for vulnerabilities, such as misconfigured cookies, missing security headers, and information disclosure.

  • Replay intercepted requests with modified or fuzzed payloads and check the responses for vulnerabilities such as injection flaws.