⚠️ Minimising Risk
We'd advise against adding admin credentials, as explained in this article.
Whilst the scanner can run safely on many production websites, it's usually best to stick to staging to reduce the chance of damage.
Will the scan include cross-domains and subdomains associated with a single application?
Yes, an authentication method's Allowed domains section lets you specify additional domains that your application depends on, so those requests are permitted to complete during a scan. The scanner will also run a limited set of security checks on those network requests. Please visit our "Adding allowed domains for web application scans" article for more information.
Can I provide a list of URLs to exclude from authenticated scanning?
No, at this point (v1.2) the scanner will only exclude the Logout URL specified in your authentication configuration. All other (in-scope) URLs found during the crawling process will be included in the scan.
Can I determine the scan scope?
Partly, but only with a workaround.
The workaround would require you to remove links to areas of the app you do not wish to scan from any page that can be crawled to from the Entrypoint URL.
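As an added illustration (not part of this article or the scanner's own code), the following Python sketch models the scoping rules from the questions above: pages reachable by crawling from the Entrypoint URL are scanned, the Logout URL is excluded, requests to Allowed domains are permitted, anything else is dropped, and removing links is what keeps an area out of the scan. The URLs are constructed sample values, and treating subdomains of an allowed domain as allowed is an assumption.

```python
from collections import deque
from urllib.parse import urldefrag, urlparse
# Constructed sample values, not a real target.
ENTRY = "https://app.example.com/"
ALLOWED = ("example.net",)                  # the "Allowed domains" list
LOGOUT = "https://app.example.com/logout"    # the configured Logout URL
SITE = {  # constructed link graph: page -> links found in its DOM
    ENTRY: [ENTRY + "dashboard", LOGOUT,
            "https://cdn.example.net/app.js", "https://tracker.invalid/pixel"],
    ENTRY + "dashboard": [ENTRY + "reports", ENTRY + "admin/purge", ENTRY + "#top"],
    ENTRY + "admin/purge": [ENTRY + "admin/confirm"],
    LOGOUT: [ENTRY],
}

def _host(url):
    return (urlparse(url).hostname or "").lower()
def classify(url, entrypoint, allowed=(), logout=None):
    """'scan' = crawled and tested, 'allowed' = request permitted with limited
    checks, 'excluded' = the Logout URL, 'blocked' = off-scope request dropped."""
    url = urldefrag(url).url  # a #fragment never leaves the browser
    if logout and url.rstrip("/") == logout.rstrip("/"):
        return "excluded"
    host = _host(url)
    if host == _host(entrypoint):
        return "scan"
    for dom in allowed:
        dom = dom.lower().lstrip(".")
        # assumption: subdomains of an allowed domain count as allowed
        if host == dom or host.endswith("." + dom):
            return "allowed"
    return "blocked"

def crawl(site, entrypoint, allowed=(), logout=None):
    """Breadth-first crawl; only 'scan' pages are followed, so a page not
    reachable from the entrypoint never enters the scan (the FAQ workaround)."""
    buckets = {"scan": [], "allowed": [], "excluded": [], "blocked": []}
    queue, seen = deque([entrypoint]), set()
    while queue:
        url = urldefrag(queue.popleft()).url
        if url in seen:
            continue
        seen.add(url)
        bucket = classify(url, entrypoint, allowed, logout)
        buckets[bucket].append(url)
        if bucket == "scan":
            queue.extend(site.get(url, []))
    return buckets
def without_admin_links(site):
    """The workaround: drop every link into /admin/ so the crawler cannot reach it."""
    return {page: [u for u in links if "/admin/" not in u] for page, links in site.items()}
```

Running crawl(SITE, ENTRY, ALLOWED, LOGOUT) puts both /admin/ pages in the scan bucket; running it again over without_admin_links(SITE) leaves only the entrypoint, dashboard and reports pages there.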
Can I disable authentications so that they are not included in a scan?
Yes. From the Target Detail page, click into the Authentications tab. From here, you can see all of the authentications you have added to a target - you can disable any of these by clicking ... > Disable.
Can I run two authenticated scans on the same target at the same time?
Yes. It is possible to run a scan with as many authentications as desired – though we wouldn't necessarily recommend this.
Instead, we'd recommend running consecutive scans, making sure to only have one authentication enabled at a time.
Can I rate-limit the requests that are sent to my application?
No, currently (in v1.2) you cannot limit the number of requests per second that our authenticated scanner sends to your application. (This is possible for infrastructure scans for those on Pro, Enterprise, and Vanguard plans via 'advanced settings').
Can the scanner handle Single-Page Applications (SPAs)?
The scanner can handle simple SPAs, but the more complex or abnormal the behavior, the more likely it is that the coverage will be compromised.
To understand the correlation between complexity and coverage, it might help to understand how the scanner handles SPAs. It starts by fetching the application and running it within a headless browser; it then manipulates the Document Object Model (DOM) and attempts to follow the links it finds, recording a list of paths and parameters for further analysis as it goes. For more information, head to our SPA help article.