🛠️ Scan Configuration
Most of your scan configuration already follows the existing API DAST scan configuration, such as authentication.
However, there are a few additional configurations that are specific to SPA DAST scans.
Authentication
Just like API scans, you can configure a simple header authentication preset for now.
presets:
  - type: headers
    users:
      - headers:
          Authorization: Bearer user1Token
        username: user1
    validation: false
Scope Configuration
In the Expert Configuration section of your scan settings, you can configure the scope of your scan. Scopes are regexes matched against URLs; only URLs that match an allowed scope are crawled and tested by the scanner.
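Because a scope is a regex, how it is written decides which URLs the crawler may leave the application for. The following is an added illustration, not configuration or code from the scanner itself; it assumes (the page does not say) that each scope regex is applied with search semantics, so an unanchored pattern matches anywhere in the URL. The sample scopes and candidate URLs are constructed for the example.

```python
import re

# Constructed scopes. The loose one only names the domain and is unanchored;
# the strict ones pin the scheme, the full host, and a path boundary.
SCOPES_LOOSE = [r"example\.com"]
SCOPES_STRICT = [r"^https://example\.com(/|$)", r"^https://app\.example\.com/"]

# Constructed crawl candidates: two in-scope URLs and three that a loose
# scope would wrongly admit (lookalike host, scope string in a query
# parameter, plaintext scheme).
CANDIDATES = [
    "https://example.com/user/profile",
    "https://app.example.com/dashboard",
    "https://example.com.attacker.test/login",
    "https://third-party.test/redirect?to=example.com",
    "http://example.com/",
]


def in_scope(url, scopes):
    """True if any scope regex matches the URL (assumed search semantics)."""
    return any(re.search(pattern, url) for pattern in scopes)


def allowed(urls, scopes):
    """URLs the crawler would be allowed to visit under the given scopes."""
    return [u for u in urls if in_scope(u, scopes)]


if __name__ == "__main__":
    print("loose :", allowed(CANDIDATES, SCOPES_LOOSE))
    print("strict:", allowed(CANDIDATES, SCOPES_STRICT))
```

With the loose scope every candidate is admitted, including the lookalike host and a third-party redirect whose query string merely contains the domain; the anchored scopes keep the crawler on the two intended origins. Anchor scopes with `^`, escape dots, and end the host with a path separator or end-of-string so that testing stays within the application you are authorised to scan.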
Base URLs
In the Expert Configuration section of your scan settings, you can configure the base URLs of your scan. Base URLs is a map from URL to crawl depth. It lets you pre-seed the scanner with a list of URLs to start the scan from and enrich the crawling process by boosting known URLs.
scan:
  profile: default
  frontend_base_urls:
    'https://example.com/user': 1
    'https://example.com/user/profile': 2
authentication: {}
Maximum scan duration
You can configure your scan time in minutes, to achieve better coverage for bigger web applications.
Maximum: 8 hours = 480 minutes
Default for Frontend scans: 30 minutes
Single page worker mode
For specific use cases where your web application can only be used in a single page, without any reloads, navigations or page refreshes (F5, etc.), this mode forces the scanner to run in a single page and to navigate purely through the elements of that page, never through other URLs.
Worker Parallelism
To speed up or slow down your scan, you can configure the number of pages the scanner opens simultaneously. The maximum allowed is 5 due to memory constraints. If you observe stability issues such as failed scans, try lowering this value.
Integrated authentication
For specific use cases where the browser-based authentication MUST happen in the same browser as the scanner engine, this option lets you replay the authentication procedure inside the scanner directly. This can help with authentication mechanisms that rely on in-memory values, web workers, etc.
In most cases, the default browser-based login is sufficient: it automatically extracts cookies, local storage and session storage and injects those values into the engine.
Crawling only mode
For faster scan times, we also provide a special mode that disables the heavier security checks but still performs crawling and API traffic generation; the generated traffic is still sent for analysis and security testing.
Scan Persistence
To speed up the scan, you can enable persistence mode. This saves the URLs discovered in previous scans and loads them into the scanner engine at the start of the next one.