Skip to content

🛠️ Scan Configuration

Most of your scan configuration already follows the existing API DAST scan configuration, such as authentication.

However, there are a few additional configurations that are specific to SPA DAST scans.

Authentication

Just like API scans, you can configure a simple header authentication preset for now.

presets:
  - type: headers
    users:
      - headers:
          Authorization: Bearer user1Token
        username: user1
validation: false

Scope Configuration

In your Expert Configuration section in the settings of your scan, you can configure the scope of your scan. Scopes are regexes to match allowed URLs that the scanner should crawl and test.

scan:
  profile: default
  frontend_scopes_regexes:
    - '.*/dashboard/.*'
authentication: {}

Base URLs

In your Expert Configuration section in the settings of your scan, you can configure the base URLs of your scan. Base URLs is a map of base URLs to their respective depth. You can pre-seed the scanner with a list of URLs to start the scan from and enrich the crawling process by boosting known URLs.

scan:
  profile: default
  frontend_base_urls: 
    'https://example.com/user': 1
    'https://example.com/user/profile': 2
authentication: {}

Maximum scan duration

You can configure your scan time in minutes, to achieve better coverage for bigger web applications.

Maximum is 8 hours = 480 minutes Default for Frontend scans: 30 minutes

scan:
  profile: default
  max_duration: 30

Single page worker mode

For specific use-cases where your web application can only be used in a single page, without any reloads or navigations or page refresh (F5 etc...), this mode will force the scanner to only run in a single page and purely navigate in the elements of that page, not through any other URLs.

scan:
  profile: default
  frontend_single_page_worker: true

Worker Parallelism

To speed up or slow down your scan, you can configure the number of simultaneous opened pages for the scanner. Maximum allowed is 5 due to memory constraints. If you observe stability issues with failed scans, you can try to lower this value.

scan:
  profile: default
  frontend_parallel_workers: 3

Integrated authentication

For specific use cases where the browser-based authenticaiton MUST happen in the same browser as the scanner engine, this option enables you to play the authentication procedure inside the scanner directly. This can help with specific authentication mechanism that rely on in-memory values, web-workers etc...

In most cases, automatic extraction of cookies, local storage, session storage in the default browser-based login will be sufficient and inject the values into the engine.

scan:
  profile: default
  frontend_integrated_authentication: true

Crawling only mode

For faster scan times, we also provide a special mode that disables heavier security checks, but still crawling and API traffic generation, which will still be sent for analysis and security testing.

scan:
  profile: default
  frontend_crawling_only: true

Scan Persistance

To speed up the scan, you can enable persistance mode. This will save URLs from previous scans and load them into the scanner engine.

scan:
  profile: default
  frontend_use_persistance: true