Frequently Asked Questions on Frontend DAST

Q: My scan is taking too long and timing out. What should I do?

A: Try these parameters in order:

  1. Reduce frontend_parallel_workers from 3 to 1
  2. Enable frontend_use_persistence: true
  3. Add problematic pages to your blocklist
  4. Consider using only essential security checks:

     scan:
       frontend_security_checks_enabled:
         - API_CHECKS  # Fast mode: only analyze captured API traffic

Q: The scanner isn't finding all my application pages. How can I improve coverage?

A: Use these settings:

  1. Increase max_duration to 180-240 minutes
  2. Add known URLs to the hotstart list
  3. Ensure frontend_prefetch_sitemap: true
  4. Increase frontend_max_fragments_visits and frontend_max_query_params_visits

Q: My application has complex authentication that breaks during scanning. What options do I have?

A: Configure these parameters:

  1. Set frontend_integrated_authentication: true
  2. Add logout buttons to frontend_blocklisted_element_selectors
  3. Use frontend_single_page_worker: true if your app can't handle page reloads
  4. Consider disabling API injection to avoid authentication issues:

     scan:
       frontend_security_checks_enabled:
         - ACTIVE_PAGE_CHECKS
         - PASSIVE_PAGE_CHECKS
         - NETWORK_CHECKS
         # API_CHECKS excluded

A: Use these conservative settings:

scan:
  frontend_security_checks_enabled:
    - PASSIVE_PAGE_CHECKS  # Safe, non-intrusive analysis
    - NETWORK_CHECKS       # Headers and SSL analysis
  frontend_parallel_workers: 1  # Minimal load
  max_duration: 60  # Short duration
  frontend_escape_user_header: false  # Avoid adding headers

Q: What's the difference between the security check types?

A: Each type targets different security aspects:

  • ACTIVE_PAGE_CHECKS: Interactive vulnerability testing (XSS, SQL injection, etc.)
  • PASSIVE_PAGE_CHECKS: Safe analysis (DOM security, browser storage, console errors)
  • NETWORK_CHECKS: Infrastructure analysis (headers, cookies, SSL, dependencies)
  • API_CHECKS: Security testing of captured API traffic from frontend

Use ALL for comprehensive testing or combine specific types for targeted analysis.

Q: My scan keeps getting stuck on the same pages with different parameters. How can I fix this?

A: Limit parameter exploration:

scan:
  frontend_max_query_params_visits: 2
  frontend_max_parameter_occurence: 3
  frontend_max_fragments_visits: 2
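To make the effect of these three limits concrete, here is an added Python model of a crawl budget. It is not the scanner's own code and does not claim to reproduce its actual logic; it assumes these readings of the settings (assumptions, not documented on this page): frontend_max_query_params_visits caps the distinct query strings followed per path, frontend_max_parameter_occurence caps the distinct values followed per parameter name across the site, and frontend_max_fragments_visits caps the distinct #fragments followed per path. The URL frontier is constructed for the demo and mirrors the "same page, different parameters" pattern the question describes.

```python
"""Simplified model of the three parameter-exploration limits above.

Added example, not the scanner's own code. Assumed semantics (not documented):
  frontend_max_query_params_visits  - distinct query strings followed per path
  frontend_max_parameter_occurence  - distinct values followed per parameter name, site-wide
  frontend_max_fragments_visits     - distinct #fragments followed per path
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit


class CrawlBudget:
    def __init__(self, max_query_params_visits=2, max_parameter_occurence=3,
                 max_fragments_visits=2):
        self.max_query_params_visits = max_query_params_visits
        self.max_parameter_occurence = max_parameter_occurence
        self.max_fragments_visits = max_fragments_visits
        self.query_visits = defaultdict(set)     # path -> query strings already followed
        self.param_values = defaultdict(set)     # parameter name -> values already followed
        self.fragment_visits = defaultdict(set)  # path -> fragments already followed
        self.plain_visits = set()                # paths visited without query or fragment

    def should_visit(self, url):
        """Return True and record the visit if the URL is still within budget."""
        parts = urlsplit(url)
        path = parts.netloc + parts.path
        if parts.fragment:
            seen = self.fragment_visits[path]
            if parts.fragment in seen or len(seen) >= self.max_fragments_visits:
                return False
            seen.add(parts.fragment)
            return True
        if parts.query:
            seen = self.query_visits[path]
            if parts.query in seen or len(seen) >= self.max_query_params_visits:
                return False
            pairs = parse_qsl(parts.query, keep_blank_values=True)
            # A new value for a parameter that has already hit its cap is not followed.
            for name, value in pairs:
                values = self.param_values[name]
                if value not in values and len(values) >= self.max_parameter_occurence:
                    return False
            for name, value in pairs:
                self.param_values[name].add(value)
            seen.add(parts.query)
            return True
        if path in self.plain_visits:
            return False
        self.plain_visits.add(path)
        return True


# Constructed frontier: the kind of URL stream that keeps a scan on one page.
SAMPLE_FRONTIER = [
    "https://shop.example/search?q=shoes",
    "https://shop.example/search?q=boots",
    "https://shop.example/search?q=hats",       # 3rd query variant of /search
    "https://shop.example/search?q=shoes",      # exact duplicate
    "https://shop.example/catalog?page=1",
    "https://shop.example/catalog?page=2",
    "https://shop.example/brands?page=3",
    "https://shop.example/brands?page=4",       # 4th distinct value of "page"
    "https://shop.example/brands?page=1",       # value already followed elsewhere
    "https://shop.example/app#/home",
    "https://shop.example/app#/settings",
    "https://shop.example/app#/about",          # 3rd fragment of /app
    "https://shop.example/app",
    "https://shop.example/app",                 # exact duplicate
]


def crawl_with_budget(urls, budget=None):
    """Split a URL frontier into the URLs visited and the URLs the budget cut off."""
    if budget is None:
        budget = CrawlBudget()  # the values from the answer above: 2 / 3 / 2
    visited, skipped = [], []
    for url in urls:
        (visited if budget.should_visit(url) else skipped).append(url)
    return visited, skipped


if __name__ == "__main__":
    visited, skipped = crawl_with_budget(SAMPLE_FRONTIER)
    print(f"visited {len(visited)}, skipped {len(skipped)}")
    for url in skipped:
        print("  skipped:", url)
```

With the answer's values, nine of the fourteen URLs are visited and five are cut off; tightening all three limits to 1 leaves five visits. Lowering the limits trades coverage of parameter variants for scan time, which is exactly the trade-off the question is about.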

Q: I have a large e-commerce site with thousands of product pages. How should I configure the scan?

A: Use efficient crawling with blocklists:

scan:
  max_duration: 240  # Longer duration needed
  frontend_parallel_workers: 3
  frontend_max_parameter_occurence: 5  # Limit product variations
  frontend_security_checks_enabled:
    - PASSIVE_PAGE_CHECKS  # Efficient for large sites
    - API_CHECKS          # Capture API traffic patterns
blocklist:
  routes:
    - path: ".*/product/[0-9]+/reviews.*"  # Skip review pages
    - path: ".*/category/.*/page/[0-9]+.*"  # Skip deep pagination
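Blocklist patterns are easy to get slightly wrong in either direction: too narrow and the scan still burns time on review pages and pagination, too broad and in-scope pages silently drop out of the scan. The following added Python script, which is not part of the FAQ or the scanner, checks the two patterns above against a constructed set of URLs and flags any must-crawl page the blocklist would skip. It also illustrates the earlier advice to add problematic pages to your blocklist. It assumes (not documented on this page) that each path entry is a regular expression matched against the whole URL path, without query string or fragment.

```python
"""Check a route blocklist against sample URLs before running a scan.

Added example, not the scanner's own code. Assumed (not documented): each
`path` entry is a regular expression, and a URL is skipped when any pattern
matches its whole URL path (re.fullmatch). Sample URLs are constructed.
"""
import re
from urllib.parse import urlsplit

# The two route patterns from the e-commerce answer above.
BLOCKLIST_ROUTES = [
    ".*/product/[0-9]+/reviews.*",   # skip review pages
    ".*/category/.*/page/[0-9]+.*",  # skip deep pagination
]

# Constructed sample frontier, as a crawler might discover it.
SAMPLE_URLS = [
    "https://shop.example/product/123",
    "https://shop.example/product/123/reviews",
    "https://shop.example/product/123/reviews?page=2",
    "https://shop.example/category/shoes",
    "https://shop.example/category/shoes/page/7",
    "https://shop.example/category/shoes/page/7/filter/red",
    "https://shop.example/checkout/page/1",
    "https://shop.example/account/reviews",
]

# Pages that must stay in scope: a product page and a non-product "reviews" page.
MUST_CRAWL = [
    "https://shop.example/product/123",
    "https://shop.example/account/reviews",
]


def compile_blocklist(routes):
    return [re.compile(pattern) for pattern in routes]


def is_blocklisted(url, patterns):
    path = urlsplit(url).path  # query string and fragment are not part of the route
    return any(pattern.fullmatch(path) for pattern in patterns)


def partition(urls, routes):
    """Split URLs into (crawled, skipped) under the given route blocklist."""
    patterns = compile_blocklist(routes)
    crawled, skipped = [], []
    for url in urls:
        (skipped if is_blocklisted(url, patterns) else crawled).append(url)
    return crawled, skipped


def over_blocked(must_crawl, routes):
    """Return the must-crawl URLs the blocklist would wrongly skip (empty means OK)."""
    patterns = compile_blocklist(routes)
    return [url for url in must_crawl if is_blocklisted(url, patterns)]


if __name__ == "__main__":
    crawled, skipped = partition(SAMPLE_URLS, BLOCKLIST_ROUTES)
    print("crawled:", *crawled, sep="\n  ")
    print("skipped:", *skipped, sep="\n  ")
    print("over-blocked with FAQ patterns:", over_blocked(MUST_CRAWL, BLOCKLIST_ROUTES))
    # A looser pattern shows why the check matters: it would also drop /account/reviews.
    print("over-blocked with '.*reviews.*':", over_blocked(MUST_CRAWL, [".*reviews.*"]))
```

With the FAQ's two patterns, the review pages and the deep category pagination are skipped while the product page, the category landing page, checkout pagination and the account reviews page stay in scope; the loose pattern `.*reviews.*` would remove the account page as well, which is the kind of over-blocking worth catching before a long scan.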