⚠️ Authenticated web application scanning. If you're thinking of adding authentication for an admin user, please read this article first: Adding an admin user when adding authentications

If you're worried about our scanning bringing a system offline or causing heavy traffic to a production system, rest assured that Intruder's scanning engines are configured to be safe to use – even when scanning production systems.

When it comes to denial of service (DoS) vulnerabilities we test for them, but don’t exploit them so no need to worry about your systems being taken offline.

Before we jump straight in, it's worth understanding exactly what happens when you kick off an authenticated scan:

Since the scanner will attempt to send different types of data to pages behind the login page, it's worth considering what kind of functionality the scanner will be able to interact with and what processes might be triggered. For example:

If you choose to scan an application which has this sort of functionality you may see an increase in submissions as the scanner attempts to send multiple requests in a short timeframe.

For this reason, we always err on the side of caution and recommend scanning test environments, or those connected to a test harness. Though we don't recommend it, if you're wanting to add admin credentials, then please read this first.

To consider the things to be aware of when scanning an API, it's best to first understand how the scanner operates. When you upload and scan using an API, the scanner will parse the schema and, from this, build a list of endpoints and requests.

It is therefore worth highlighting that if your schema contains endpoints that can modify or delete data (for example a DELETE endpoint), then given that the scanner is going to call every endpoint in the schema, if you provide an account that can modify data through the API, the scan has the potential to modify that data.

It is therefore recommended to review the endpoints in the schema in the context of the account you're giving the scanner access to and modify the schema or revoke account permissions if it is possible for the scan to perform actions that you wish to avoid.

Our internal vulnerability scanner uses an agent installed onto the local machine. This agent is designed not to cause any damage to the machine on which it is installed. It does not require access to documents on the machine and will predominantly be checking system directories (e.g. C:/WINDOWS) and Application/Program Files.

The minimum requirements for the agent is a CPU Speed >= 1GHz and 1GB or more of RAM - provided these resource requirements are met (or exceeded) then the scanner will not experience any issues such as running out of memory or CPU capacity.

If you ever need to cancel a scan, just use the control panel on the scans page:

Yes! If you know of any significant resource constraints on a certain system or reasons why your system may not respond well to a peak in traffic, Intruder does offer a throttled scan setting which can be used to scan at slower speeds. This shouldn't be required normally, but may be helpful when scanning certain problematic hosts.

Yes, absolutely.
This would be especially helpful for those users with Application licenses, that want to limit scanning to just the application (and not the broader infrastructure).

If you have any further questions around how Intruder's scans might affect your systems, please contact us in the in-app chat box.