Frequently Asked Questions on Frontend DAST
Q: My scan is taking too long and timing out. What should I do?

A: Try these parameters in order:

- Reduce `frontend_parallel_workers` from 3 to 1
- Enable `frontend_use_persistence: true`
- Add problematic pages to your blocklist
- Consider using only essential security checks:
Q: The scanner isn't finding all my application pages. How can I improve coverage?

A: Use these settings:

- Increase `max_duration` to 180-240 minutes
- Add known URLs to the `hotstart` list
- Ensure `frontend_prefetch_sitemap: true`
- Increase `frontend_max_fragments_visits` and `frontend_max_query_params_visits`
Q: My application has complex authentication that breaks during scanning. What options do I have?

A: Configure these parameters:

- Set `frontend_integrated_authentication: true`
- Add logout buttons to `frontend_blocklisted_element_selectors`
- Use `frontend_single_page_worker: true` if your app can't handle page reloads
- Consider disabling API injection to avoid authentication issues:
Q: I want to scan a production environment safely. What's the recommended configuration?

A: Use these conservative settings. They leave out `ACTIVE_PAGE_CHECKS`, which interacts with forms and inputs, and keep only the passive and network analysis that does not modify application state:

```yaml
scan:
  frontend_security_checks_enabled:
    - PASSIVE_PAGE_CHECKS # Safe, non-intrusive analysis
    - NETWORK_CHECKS # Headers and SSL analysis
  frontend_parallel_workers: 1 # Minimal load
  max_duration: 60 # Short duration
  frontend_escape_user_header: false # Avoid adding headers
```
Q: What's the difference between the security check types?

A: Each type targets different security aspects:

- `ACTIVE_PAGE_CHECKS`: Interactive vulnerability testing (XSS, SQL injection, etc.)
- `PASSIVE_PAGE_CHECKS`: Safe analysis (DOM security, browser storage, console errors)
- `NETWORK_CHECKS`: Infrastructure analysis (headers, cookies, SSL, dependencies)
- `API_CHECKS`: Security testing of captured API traffic from the frontend

Use `ALL` for comprehensive testing, or combine specific types for targeted analysis.
Q: My scan keeps getting stuck on the same pages with different parameters. How can I fix this?

A: Limit parameter exploration:

```yaml
scan:
  frontend_max_query_params_visits: 2
  frontend_max_parameter_occurence: 3
  frontend_max_fragments_visits: 2
```
Q: I have a large e-commerce site with thousands of product pages. How should I configure the scan?

A: Use efficient crawling with blocklists:

```yaml
scan:
  max_duration: 240 # Longer duration needed
  frontend_parallel_workers: 3
  frontend_max_parameter_occurence: 5 # Limit product variations
  frontend_security_checks_enabled:
    - PASSIVE_PAGE_CHECKS # Efficient for large sites
    - API_CHECKS # Capture API traffic patterns
blocklist:
  routes:
    - path: ".*/product/[0-9]+/reviews.*" # Skip review pages
    - path: ".*/category/.*/page/[0-9]+.*" # Skip deep pagination
```
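The two answers above (parameter-exploration limits, and blocklisted routes for a large catalogue) both come down to one question the crawler asks for every discovered URL: is this URL still within budget? The following Python model, added here as an illustration and not the scanner's own code, makes that decision explicit so you can check a policy against your URL space before a 240-minute scan. The exact semantics the scanner attaches to `frontend_max_query_params_visits`, `frontend_max_parameter_occurence` and `frontend_max_fragments_visits` are not documented on this page, so the model assumes one plausible reading (distinct query strings per path, distinct values per parameter name, visits per path-and-fragment) and applies blocklist patterns as anchored full matches against the URL path; the sample URLs are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed policy mirroring the two FAQ answers above. The limit
# semantics below are an assumption for this model, not documented
# scanner behaviour.
POLICY = {
    "max_query_params_visits": 2,   # distinct query strings allowed per path
    "max_parameter_occurence": 3,   # distinct values explored per parameter name
    "max_fragments_visits": 2,      # visits allowed per (path, fragment)
    "blocklist_routes": [
        r".*/product/[0-9]+/reviews.*",
        r".*/category/.*/page/[0-9]+.*",
    ],
}


class CrawlBudget:
    """Decides, URL by URL, whether the crawler should spend a visit on it."""

    def __init__(self, policy):
        self.policy = policy
        # Assumption: route patterns are regexes matched against the whole path.
        self.blocklist = [re.compile(p) for p in policy["blocklist_routes"]]
        self.query_visits = defaultdict(set)      # path -> query strings visited
        self.param_values = defaultdict(set)      # param name -> values seen
        self.fragment_visits = defaultdict(int)   # (path, fragment) -> visits

    def decide(self, url):
        parts = urlsplit(url)
        path = parts.path
        if any(rx.fullmatch(path) for rx in self.blocklist):
            return "blocklisted"
        params = parse_qsl(parts.query, keep_blank_values=True)
        if parts.query:
            visited = self.query_visits[path]
            if parts.query not in visited and len(visited) >= self.policy["max_query_params_visits"]:
                return "skip:query-params-visits"
            for name, value in params:
                seen = self.param_values[name]
                if value not in seen and len(seen) >= self.policy["max_parameter_occurence"]:
                    return "skip:parameter-occurrence"
        if parts.fragment:
            if self.fragment_visits[(path, parts.fragment)] >= self.policy["max_fragments_visits"]:
                return "skip:fragment-visits"
        # Every gate passed: charge the visit to the budget.
        if parts.query:
            self.query_visits[path].add(parts.query)
            for name, value in params:
                self.param_values[name].add(value)
        if parts.fragment:
            self.fragment_visits[(path, parts.fragment)] += 1
        return "visit"


# Constructed URLs exercising each gate in order.
SAMPLE_URLS = [
    "https://shop.example/search?q=shoes",
    "https://shop.example/search?q=boots",
    "https://shop.example/search?q=socks",           # third query string on /search
    "https://shop.example/catalog?q=hats",
    "https://shop.example/catalog?q=caps",            # fourth distinct value of q
    "https://shop.example/app#/home",
    "https://shop.example/app#/home",
    "https://shop.example/app#/home",                 # third visit to same fragment
    "https://shop.example/product/42/reviews",
    "https://shop.example/category/shoes/page/3?sort=price",
    "https://shop.example/product/42",
]


def simulate(urls, policy=POLICY):
    """Run a sequence of discovered URLs through one budget; return decisions."""
    budget = CrawlBudget(policy)
    return [(url, budget.decide(url)) for url in urls]


if __name__ == "__main__":
    for url, decision in simulate(SAMPLE_URLS):
        print(f"{decision:28} {url}")
```

Dry-running a candidate policy this way shows which limit trips first for your site: with the values from the FAQ, the per-path query limit (2) is hit before the per-parameter value limit (3) on a single search page, which is exactly the behaviour that stops a scan cycling through endless `?q=` variations, while the blocklist keeps review and deep-pagination pages out of the budget entirely.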