How to configure authenticated scan scope

Understanding how to best configure your targets to allow the application scanning engine to scan relevant parts of your web-app or API

Joe Haigh avatar
Written by Joe Haigh
Updated over a week ago

Minimising Risk

  • We'd advise against adding admin credentials, as explained in this article.

  • Whilst the scanner can run safely on many production websites, it's usually best to stick to staging to reduce the chance of damage.

Will the scan include multiple domains associated with a single application?

No. At this time (v1.2) our scans are scoped to the one domain you have added authentication to.

This means if you add an authentication to the scan will not crawl to pages on This can cause issues for some single-page applications (SPAs) that use multiple endpoints.

The workaround for this would be to add each domain as a unique target and add authentication to it.

Will the scan include sub-domains?

No, our authenticated scans will only crawl to pages linked to the domain that has been authenticated.

This means if you add and authentication, but the scanner identifies a link to it will not follow that link.

The workaround for this would be to add and as targets and add authentication to each.

Can I provide a list of URLs to exclude from authenticated scanning?

No, at this point (v1.2) the scanner will only exclude the Logout URL specified in your authentication configuration. All other (in-scope) URLs found during the crawling process will be included in the scan.

Can I determine the scan scope?

Partly, but only with a workaround.

The workaround would require you to:

  1. Decide where you'd like the scanner to start spidering and use this as your Entrypoint.

  2. If there are areas of the app - linked from the entrypoint – that you don't wish to be scanned, you'll need to remove them.

Can I disable authentications so that they are not included in a scan?

Yes. From the Target Detail page, click into the Authentications tab. From here you can see all of the authentications you have added to a target - you can disable any of these by clicking ... > Disable.

Can I two authenticated scans on the same target at the same time?

Yes. It is possible to run a scan with as many authentications as desired – though we wouldn't necessarily recommend this.

Instead, we'd recommend running consecutive scans, making sure to only have one authentication enabled at a time. To do this:

Head to your target's detail page:

Scroll down to 'Authentications', click ... and hit Disable:

Can I rate-limit the requests that are sent to my application?

No, currently (in v1.2) you cannot limit the number of requests per second that our authenticated scanner sends to your application. (This is possible for standard scanning though via 'advanced settings').

Can the scanner handle Single-Page Applications (SPAs)?

The scanner can handle simple SPAs, but the more complex or abnormal the behaviour, the more likely it is that the coverage will be compromised.

To understand the correlation between complexity and coverage, it might help to understand how the scanner handles SPAs. It starts by fetching the application and running it within a headless browser; it then it manipulates the Document Object Model (DOM) and attempts to follow links it finds, recording a list of paths and parameters for further analysis as it goes. For more information, head to our SPA help article.

Did this answer your question?