⚠️ Authenticated web application scanning. If you're thinking of adding authentication for an admin user, please read this article first: Adding an admin user when adding Authentications
If you're worried about our scanning bringing a system offline or causing heavy traffic to a production system, rest assured that Intruder's scanning engines are configured to be safe to use – even when scanning production systems.
What about DoS?
When it comes to denial of service (DoS) vulnerabilities, we test for them but do not exploit them, so there is no need to worry about your systems being taken offline.
What about Authenticated web-app scanning?
Authenticated web-app scanning goes a step further than infrastructure and unauthenticated web application scanning. The scanner will attempt to send different types of data to pages behind the login page, so it is important to consider what functionality the scanner will be able to interact with, and which processes that functionality triggers in your application.
Before adding any authentication it's worth asking yourself whether you want to scan the full web application in a production environment. For example, if any of the following sound familiar perhaps consider testing in an environment where this functionality is not enabled or is connected to a test harness:
My app has functionality which creates an entry in our IT help desk ticketing system
My app has functionality which sends my team a Slack/Teams message
My app has functionality to send requests to third-party organisations
If you choose to scan an application which has this sort of functionality you may see an increase in submissions as the scanner attempts to send multiple requests in a short timeframe.
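The following is an added example and not Intruder's code or part of the original article: a hypothetical contact-form handler whose submit action normally posts to a chat webhook and opens a help-desk ticket, wired so that an assumed `APP_ENV=scan-test` setting swaps both destinations for an in-memory harness. It shows the "connected to a test harness" pattern described above, and also counts submissions per client so that a burst of form posts from a scanner is easy to spot. The configuration keys, URLs and IP address are all constructed for the example.

```python
"""Route side-effecting notifications to a test harness during scanning.

Hypothetical example (not Intruder's code): a contact form handler that
normally posts to a chat webhook and a ticketing webhook. With the assumed
setting APP_ENV=scan-test, both sinks become in-memory recorders, so an
authenticated scanner can submit the form repeatedly without creating real
tickets or messages.
"""
import json
import urllib.request
from collections import Counter
from dataclasses import dataclass, field


class LiveWebhookSink:
    """Delivers a JSON payload to a real webhook URL (production path)."""

    def __init__(self, url: str):
        self.url = url

    def send(self, payload: dict) -> None:
        body = json.dumps(payload).encode("utf-8")
        req = urllib.request.Request(
            self.url, data=body, headers={"Content-Type": "application/json"}
        )
        urllib.request.urlopen(req, timeout=5)  # real network side effect


@dataclass
class HarnessSink:
    """Records payloads in memory instead of delivering them (scan/test path)."""

    received: list = field(default_factory=list)

    def send(self, payload: dict) -> None:
        self.received.append(payload)


def build_sinks(env: dict) -> dict:
    """Pick live or harness sinks from configuration.

    APP_ENV, SLACK_WEBHOOK_URL and TICKET_WEBHOOK_URL are assumed
    configuration keys for this example, not product settings.
    """
    if env.get("APP_ENV") == "scan-test":
        return {"chat": HarnessSink(), "ticket": HarnessSink()}
    return {
        "chat": LiveWebhookSink(env["SLACK_WEBHOOK_URL"]),
        "ticket": LiveWebhookSink(env["TICKET_WEBHOOK_URL"]),
    }


class ContactFormHandler:
    """A page behind the login that a scanner would exercise."""

    def __init__(self, sinks: dict):
        self.sinks = sinks
        self.submissions_by_client = Counter()

    def submit(self, client_ip: str, form: dict) -> dict:
        """Handle one form post: open a ticket, then announce it in chat."""
        self.submissions_by_client[client_ip] += 1
        ticket = {"subject": form.get("subject", ""), "body": form.get("message", "")}
        self.sinks["ticket"].send(ticket)
        self.sinks["chat"].send({"text": f"New ticket: {ticket['subject']}"})
        return {"status": "ok", "count": self.submissions_by_client[client_ip]}

    def burst_clients(self, threshold: int) -> list:
        """Clients with more than `threshold` submissions; a scanner shows up here."""
        return sorted(ip for ip, n in self.submissions_by_client.items() if n > threshold)


def simulate_scan(env: dict, requests: int = 25) -> ContactFormHandler:
    """Constructed sample: one client address (TEST-NET-3) posts the form `requests` times."""
    handler = ContactFormHandler(build_sinks(env))
    for i in range(requests):
        handler.submit("203.0.113.10", {"subject": f"probe {i}", "message": "x" * 64})
    return handler


if __name__ == "__main__":
    h = simulate_scan({"APP_ENV": "scan-test"})
    print(len(h.sinks["ticket"].received), "tickets captured by the harness")
    print("burst clients:", h.burst_clients(threshold=10))
```

Running the module with the harness configuration captures 25 tickets and 25 chat messages in memory and reports the single client as a burst source; only with the production keys set does `build_sinks` return live webhook senders.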
Cancel a scan
If you ever need to cancel a scan, just use the control panel on the scans page.
Throttle a scan
If you know of significant resource constraints on a certain system, or of reasons why your system may not respond well to a peak in traffic, Intruder offers a throttled scan setting that scans at slower speeds. This should not normally be required, but may be helpful when scanning certain problematic hosts.
Scan web ports only
For those with Authentication licenses, if you toggle to ‘Default Web ports only’ you can limit scanning to just the application (and not the broader infrastructure).
If you have any further questions around how Intruder's scans might affect your systems, please contact us in the in-app chat box.