Scan Internal APIs
You might need to identify when the request you receive is coming from the security scanner.
Usecases:
- Disable monitoring for Escape's requests
- Enable the introspection of your server only to the security scanner on your staging environment.
- Scan Internal APIs
Escape Identifier
Escape's scanner sends a secure token attached to every requests it sends. The header name is X-Escape-Identifier
and its value is an identification token attached to your organization.
X-Escape-Identifier: {{your-escape-identifier}}
Thanks to this header you can detect incoming requests from the scanner in your server, to add any custom handling logic you might want on top of this.
We recommend, for example, to whitelist this secret header in your WAF, to avoid any false positive alerts, and avoid blocking the detection of your attack surface.
You can find this token in your Organization Settings.
You should keep this token secret. If you think it has been compromised, you can regenerate it in your organization settings using the Revoke
button.
You can also define your own custom header, in your scan configuration, as an alternative to the default X-Escape-Identifier
header.
Simply go to the Authentication section of your scan configuration and add the following header auth configuration:
presets:
- type: headers
users:
- headers:
X-MySecretHeader: my-secret-value
username: user1
Using the Escape Proxy
If you can whitelist some IPs in your firewall, you can use the Escape proxy to scan your application.
To do so, you need to add the following parameter to your scan configuration :
client:
proxy:
type: escape
All requests sent by the scanner will be sent to your application through this proxy. The following IPs are used :
- IPv4 :
163.172.168.233
- IPv6 :
2001:bc8:47a4:61f::1
Now you need to whitelist these IPs in your firewall.
Using a Custom Proxy
If you can't whitelist IPs but you can deploy a service and expose it's IP, you can use a custom proxy to scan your application.
First you will need to deploy a proxy that can access your API. For that you can use the Escape proxy or any other proxy you want. You will also need to allow incoming trafic to this proxy in your firewall.
Now you must have the following information :
user
: the user allowed to connect to the proxy (your organization id if you use the Escape proxy)password
: the password of the user allowed to connect to the proxy (your api key if you use the Escape proxy)ip
: the ip to connect to your proxyport
: the port to connect to your proxy
Then you can add the following parameter to your scan configuration :
client:
proxy:
type: http
target: http://[user]:[password]@[ip]:[port]
Check the Client for more details.
Using Private Locations
Enterprise Customers also have the ability to scan their Internal VPN through Escape's Agent.