Scanning Internal Applications

You might need to identify when a request you receive is coming from the security scanner.

Use Cases

  • Disable monitoring for Escape's requests
  • Enable introspection of your server only for the security scanner on your staging environment
  • Scan internal applications

Escape Identifier

Escape's scanner attaches a secret token to every request it sends. The header name is X-Escape-Identifier, and its value is an identification token tied to your organization.

X-Escape-Identifier: {{your-escape-identifier}}

This header allows you to detect incoming requests from the scanner and add custom handling logic.

We recommend whitelisting this secret header in your Web Application Firewall (WAF) to:

  • Avoid false positive alerts
  • Prevent blocking the detection of your attack surface

You can find this token in your Organization Settings.
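As an added example (not code from Escape's documentation), the check a web application could run to recognise scanner traffic and apply the use cases listed above; the header lookup helper, the policy flags and the environment variable name are assumptions.

```python
import hmac
import os

# Assumed setup (not from the Escape docs): the token copied from
# Organization Settings is handed to the application via an environment variable.
ESCAPE_HEADER = "X-Escape-Identifier"


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_escape_scanner(headers, expected_token, header_name=ESCAPE_HEADER):
    """True only if the request carries the identifier header and its value
    matches the expected token. The comparison is constant-time, so probing
    the header cannot leak the secret byte by byte. header_name can be set
    to a custom header configured in the scan's authentication preset."""
    if not expected_token:
        return False  # misconfigured: never treat anyone as the scanner
    presented = get_header(headers, header_name)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def request_policy(headers, expected_token, staging=False):
    """Derive per-request handling from the scanner check: monitoring is
    muted for scanner traffic, and schema introspection is opened to the
    scanner only on a staging deployment."""
    scanner = is_escape_scanner(headers, expected_token)
    return {
        "from_scanner": scanner,
        "monitoring_enabled": not scanner,
        "introspection_enabled": scanner and staging,
    }


if __name__ == "__main__":
    # Constructed sample value; the real token comes from Organization Settings.
    token = os.environ.get("ESCAPE_IDENTIFIER", "example-token-not-real")
    print(request_policy({"x-escape-identifier": token}, token, staging=True))
```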

Token Security

Keep this token secret. If you suspect it has been compromised, regenerate it in your organization settings using the Revoke button.

Custom Header Configuration

You can define a custom header as an alternative to the default X-Escape-Identifier header.

Go to the Authentication section of your scan configuration and add the following header authentication configuration:

presets:
  - type: headers
    users:
      - headers:
          X-MySecretHeader: my-secret-value
        username: user1

Using the Escape Proxy

If you can whitelist some IPs in your firewall, you can use the Escape proxy to scan your application.

Add the following parameter to your scan configuration:

client:
  proxy:
    type: escape

All requests sent by the scanner will be routed through this proxy. The following IPs are used:

  • IPv4: 163.172.168.233
  • IPv6: 2001:bc8:47a4:61f::1

Whitelist these IPs in your firewall.

Using a Custom Proxy

If you cannot whitelist IPs but can deploy a service and expose its IP, you can use a custom proxy to scan your application.

Prerequisites

  1. Deploy a proxy that can access your application
  2. Allow incoming traffic to this proxy in your firewall

You'll need the following information:

  • user: User allowed to connect to the proxy (your organization ID if using the Escape proxy)
  • password: User password (your API key if using the Escape proxy)
  • ip: IP to connect to your proxy
  • port: Port to connect to your proxy

Add the following parameter to your scan configuration:

client:
  proxy:
    type: http
    target: http://[user]:[password]@[ip]:[port]

Additional Details

Check the Client Reference for more configuration options.

Using Private Locations

Enterprise customers can scan applications inside their internal VPN through Escape's Agent.