FAQ

Frequently Asked Questions on Frontend DAST¶

Q: My scan is taking too long and timing out. What should I do?¶

A: Try these parameters in order:

1. Reduce frontend_parallel_workers from 3 to 1
2. Enable frontend_use_persistence: true
3. Add problematic pages to your blocklist
4. Consider using only essential security checks:

   scan:
     frontend_security_checks_enabled:
       - API_CHECKS  # Fast mode: only analyze captured API traffic
   

Q: The scanner isn't finding all my application pages. How can I improve coverage?¶

A: Use these settings:

1. Increase max_duration to 180-240 minutes
2. Add known URLs to hotstart list
3. Ensure frontend_prefetch_sitemap: true
4. Increase frontend_max_fragments_visits and frontend_max_query_params_visits

Q: My application has complex authentication that breaks during scanning. What options do I have?¶

A: Configure these parameters:

1. Set frontend_integrated_authentication: true
2. Add logout buttons to frontend_blocklisted_element_selectors
3. Use frontend_single_page_worker: true if your app can't handle page reloads
4. Consider disabling API injection to avoid authentication issues:

   scan:
     frontend_security_checks_enabled:
       - ACTIVE_PAGE_CHECKS
       - PASSIVE_PAGE_CHECKS
       - NETWORK_CHECKS
       # API_CHECKS excluded
   

Q: I want to scan a production environment safely. What's the recommended configuration?¶

A: Use these conservative settings:

scan:
  frontend_security_checks_enabled:
    - PASSIVE_PAGE_CHECKS  # Safe, non-intrusive analysis
    - NETWORK_CHECKS       # Headers and SSL analysis
  frontend_parallel_workers: 1  # Minimal load
  max_duration: 60  # Short duration
  frontend_escape_user_header: false  # Avoid adding headers

Q: What's the difference between the security check types?¶

A: Each type targets different security aspects:

• ACTIVE_PAGE_CHECKS: Interactive vulnerability testing (XSS, SQL injection, etc.)
• PASSIVE_PAGE_CHECKS: Safe analysis (DOM security, browser storage, console errors)
• NETWORK_CHECKS: Infrastructure analysis (headers, cookies, SSL, dependencies)
• API_CHECKS: Security testing of captured API traffic from frontend

Use ALL for comprehensive testing or combine specific types for targeted analysis.

Q: My scan keeps getting stuck on the same pages with different parameters. How can I fix this?¶

A: Limit parameter exploration:

scan:
  frontend_max_query_params_visits: 2
  frontend_max_parameter_occurence: 3
  frontend_max_fragments_visits: 2

Q: I have a large e-commerce site with thousands of product pages. How should I configure the scan?¶

A: Use efficient crawling with blocklists:

scan:
  max_duration: 240  # Longer duration needed
  frontend_parallel_workers: 3
  frontend_max_parameter_occurence: 5  # Limit product variations
  frontend_security_checks_enabled:
    - PASSIVE_PAGE_CHECKS  # Efficient for large sites
    - API_CHECKS          # Capture API traffic patterns
blocklist:
  routes:
    - path: ".*/product/[0-9]+/reviews.*"  # Skip review pages
    - path: ".*/category/.*/page/[0-9]+.*"  # Skip deep pagination