Introduction

Most of your scan configuration already follows the global scan configuration, such as authentication, network or inference.

However, there are a few additional configurations that are specific to WebApp scans.

For example, SPA and SSR applications may not be crawled the same way, and you may want to configure the crawler to crawl them differently.

Example

Here is an example configuration:

---
exploration_scope:
- dev.escape.tech
- staging.escape.tech
frontend_dast:
  agentic_scanning: false
  allowed_url_patterns: []
  blocklist_patterns: []
  blocklisted_element_selectors: []
  escape_user_header: false
  ff_request_sender_next: false
  hotstart: []
  location_id: ''
  logout_detection:
    auto_reauthenticate: true
    enabled: true
    logged_in_indicator_regex_patterns: []
    logout_redirection_url_patterns:
    - /login
    - /signout
    - /logout
    - /sign-out
    - /sign-in
    session_cookie_regex_patterns:
    - (SESSION|JSESSIONID|ASPSESSIONID[A-Z0-9]+|PHPSESSID|ASP\.NET_SessionId)
  max_duration: 120
  max_fragments_visits: null
  max_parameter_occurence: null
  max_query_params_visits: null
  parallel_workers: 3
  prefetch_sitemap: false
  security_checks_enabled:
  - ALL
  single_page_worker: false
  skipped_api_checks_url_patterns: []
  use_legacy_crawling: false
  use_persistence: true
  user_agent: null
inference:
  null_is_unauthenticated: true
  scalars:
    my_custom_scalar:
      description: API keys internal to my organization. Should not be committed or
        exposed to the internet.
      examples:
      - org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP
      ignored_names: []
      ignored_pattern: null
      is_sourceable: true
      names:
      - org_key
      - organization_key
      parents: []
      pattern: ^org_[A-Z]{32}$
      raise_on_commit: true
      raise_on_exposure: true
      sensitivity: HIGH
      strategy: key_or_value
network:
  cancel_unhealthy_scan_after: 120
  custom_headers:
    my-header:
    - value1
    - value2
    x-scanned-by:
    - escape.tech
  escape_user: true
  request_timeout_s: 2
  requests_per_second: 1000
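Before handing a file like the one above to a scan, it is worth catching the mistakes that only surface at scan time: a regex that does not compile, duplicate pattern entries, parallel_workers outside the documented 1..5 range, or a custom scalar whose examples do not match its own pattern. The linter below is an added example, not Escape's tooling; the config is a constructed dict mirroring the example (with the duplicate /sign-in and /sign-out entries kept on purpose), and "matching" means re.search, which is an assumption.

```python
import re

# Constructed input modelled on the page's example config (a dict, not YAML, so it
# runs on the standard library); the duplicate /sign-in and /sign-out entries are kept.
CONFIG = {
    "frontend_dast": {
        "parallel_workers": 3,
        "logout_detection": {
            "logout_redirection_url_patterns": ["/login", "/signout", "/logout", "/sign-out",
                                                "/sign-in", "/sign-out", "/sign-in"],
            "session_cookie_regex_patterns": [
                r"(SESSION|JSESSIONID|ASPSESSIONID[A-Z0-9]+|PHPSESSID|ASP\.NET_SessionId)"],
        },
    },
    "inference": {"scalars": {"my_custom_scalar": {
        "pattern": r"^org_[A-Z]{32}$",
        "examples": ["org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP"]}}},
}

def lint_config(cfg):
    # Returns human-readable findings; an empty list means the config passed.
    findings = []
    fd = cfg.get("frontend_dast", {})
    workers = fd.get("parallel_workers", 3)
    if not 1 <= workers <= 5:  # the page states a maximum of 5 and a default of 3
        findings.append(f"parallel_workers={workers} outside 1..5")
    ld = fd.get("logout_detection", {})
    regex_lists = {
        "allowed_url_patterns": fd.get("allowed_url_patterns", []),
        "blocklist_patterns": fd.get("blocklist_patterns", []),
        "logout_redirection_url_patterns": ld.get("logout_redirection_url_patterns", []),
        "session_cookie_regex_patterns": ld.get("session_cookie_regex_patterns", []),
    }
    for name, patterns in regex_lists.items():
        for p in patterns:  # a bad regex would otherwise only surface at scan time
            try:
                re.compile(p)
            except re.error as exc:
                findings.append(f"{name}: invalid regex {p!r}: {exc}")
        dupes = sorted({p for p in patterns if patterns.count(p) > 1})
        if dupes:
            findings.append(f"{name}: duplicate entries {dupes}")
    # Sample values must match the scalar's own pattern, or the explore phase seeds
    # requests with values the detector itself would never flag.
    for sname, scalar in cfg.get("inference", {}).get("scalars", {}).items():
        if scalar.get("pattern"):
            rx = re.compile(scalar["pattern"])
            for ex in scalar.get("examples", []):
                if not rx.search(ex):
                    findings.append(f"scalar {sname}: example {ex!r} does not match pattern")
    return findings
```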

Configuration reference

Fields

CustomScalarConfig

description

Type : string

The description of the scalar.

examples

Type : List[string]*

Sample values for the scalar (used in the explore phase as default values).

ignored_names

Type : List[string]*

Names to ignore for the scalar.

ignored_pattern

Type : string

Regex to ignore for the scalar.

is_sourceable

Type : boolean

Use this scalar in the Agentic Exploration of the API.

If true, the scalar will be reinjected during the Agentic Exploration of the API.

names

Type : List[string]*

Possible names for the scalar.

parents

Type : List[ScalarParent]*

Root type the scalar is compatible with.

pattern

Type : string

Potential regex-friendly values to match the scalar value.

raise_on_commit

Type : boolean

Mark this scalar as non-committable.

If Escape finds this scalar in a git repository, an issue will be raised.

raise_on_exposure

Type : boolean

Mark this scalar as non-exposable.

If Escape finds this scalar in any HTTP request, an issue will be raised.

sensitivity

Type : ScalarSensitivity

Data sensitivity level.

Values MEDIUM and HIGH will serve to raise Sensitive Data issues in Escape.

strategy

Type : MatchingStrategy

The detection strategy.

FrontendAPIURLSkipRule

This is used to skip URLs from API traffic. It does not block page traffic.

method

Type : Method

HTTP method to skip (not set implies all methods).

url_pattern

Type : string*

FrontendDASTConfig

agentic_scanning

Type : boolean

If true, the frontend scan will be performed with an LLM agent to find more vulnerabilities.

allowed_url_patterns

Type : List[string]*

The list of URL patterns to allow for the frontend scan crawling.

This is a list of regexes that will be used to filter the page URLs that are allowed to be visited. If not set, all URLs will be allowed, as long as they are in scope. For example, if exploration_scope is ["app.escape.tech"], test.app.escape.tech and escape.tech will not be allowed.

blocklist_patterns

Type : List[string]*

Just like API scans, you can also configure blocklisted page URLs in your frontend scans.

List of regexes of URLs that the scanner will not visit. This enables you to optimize the scanner time by avoiding crawling useless pages, like /faq/ and /articles/.
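The three filters above (exact-host exploration_scope, allowed_url_patterns, blocklist_patterns) are easy to get wrong in combination, so here is a small model you can run your patterns through before a scan. It is an added example, not Escape's implementation: the host comparison and the use of re.search on the full URL are assumptions taken from the wording above, and the candidate URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed candidates, not taken from any real crawl; the scope and blocklist are
# illustrative values built from the examples given in the text.
SCOPE = ["app.escape.tech"]
BLOCKLIST = [r"/faq/", r"/articles/"]
CANDIDATES = [
    "https://app.escape.tech/dashboard",
    "https://app.escape.tech/faq/how-to",
    "https://app.escape.tech/articles/2024",
    "https://test.app.escape.tech/dashboard",
    "https://escape.tech/",
]

def is_page_in_scope(url, exploration_scope, allowed_url_patterns=(), blocklist_patterns=()):
    """Assumed model of the page-URL filter described above, not Escape's own code.

    1. The host must appear in exploration_scope exactly; the text says that with
       ["app.escape.tech"] in scope, neither test.app.escape.tech nor escape.tech qualifies.
    2. If allowed_url_patterns is non-empty, at least one regex must match the URL.
    3. The URL must match none of blocklist_patterns.
    Regexes are applied with re.search on the full URL (an assumption of this model).
    """
    host = (urlsplit(url).hostname or "").lower()
    if host not in {h.lower() for h in exploration_scope}:
        return False
    if allowed_url_patterns and not any(re.search(p, url) for p in allowed_url_patterns):
        return False
    return not any(re.search(p, url) for p in blocklist_patterns)

def plan_crawl(urls, exploration_scope, allowed_url_patterns=(), blocklist_patterns=()):
    """Split candidate URLs into the ones the crawler may visit and the ones it skips."""
    visit, skip = [], []
    for u in urls:
        ok = is_page_in_scope(u, exploration_scope, allowed_url_patterns, blocklist_patterns)
        (visit if ok else skip).append(u)
    return visit, skip

if __name__ == "__main__":
    visit, skip = plan_crawl(CANDIDATES, SCOPE, blocklist_patterns=BLOCKLIST)
    print("visit:", visit)
    print("skip:", skip)
```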

blocklisted_element_selectors

Type : List[string]*

The list of element selectors to block interactions with during the frontend scan. Things like logouts, lock buttons, help, chat, etc.

escape_user_header

Type : boolean

If true, the frontend scan will add the x-escape-user header to the requests.

ff_request_sender_next

Type : boolean

If true, the scan will use the new request sender (WIP).

hotstart

Type : List[string]*

The list of URLs to start the scan from.

In the Expert Configuration section of your scan settings, you can configure and add more base URLs for your scan. Base URLs are a list of URLs that the scanner should visit. You can pre-seed the scanner with a list of URLs to start the scan from and enrich the crawling process by boosting known URLs.

location_id

Type : string

logout_detection

Type : LogoutDetectionConfig*

max_duration

Type : integer

The maximum time in minutes that the scan will run for before stopping.

Defaults to 2 hours.

max_fragments_visits

Type : integer

The maximum number of visits to a page with the same fragment.

max_parameter_occurence

Type : integer

The maximum number of occurrences of a parameter in a URL.

max_query_params_visits

Type : integer

The maximum number of visits to a page with the same query parameters.

parallel_workers

Type : integer

The number of parallel workers to use for frontend scans.

Maximum is 5, default is 3. Recommended to lower this if you encounter stability issues.

prefetch_sitemap

Type : boolean

If true, the frontend scan will prefetch any available sitemaps (robots.txt, sitemap.xml, etc.) and use them as a seed for the crawler.

security_checks_enabled

Type : List[FrontendSecurityChecksTypes]*

The security_checks_enabled parameter allows you to precisely control which security checks to run.

By default, all checks are enabled. You can mix and match depending on your needs (speed, coverage, etc.).

single_page_worker

Type : boolean

If true, frontend scans will be performed in a single page worker.

Note that this will slow down the scan, as it will not be able to explore multiple pages in parallel.

skipped_api_checks_url_patterns

Type : List[FrontendAPIURLSkipRule]*

Patterns to skip API traffic.

More granular than exploration_scope, this list will be used to filter the API traffic URLs that are not allowed to be scanned. This is useful to skip API traffic extraction for specific URLs, for example if you have a sensitive auth api.

use_legacy_crawling

Type : boolean

If true, the frontend scan will be performed with the legacy crawling engine, only based on URL patterns.

use_persistence

Type : boolean

If true, the frontend scan will use persistence to load discovered URLs from previous scans, to enhance crawling stability.

user_agent

Type : string

The user agent to use for frontend scans.

InferenceConfig

Inference configures how Escape will detect secrets exposed by the API or in files.

The inference is also used to reinject IDs in the DAST scanners.

null_is_unauthenticated

Type : boolean

Consider empty API responses as unauthenticated.

To improve error inference, if your API always returns a response but without data when the user is unauthenticated, set this to true.

scalars

Type : Dict[CustomScalarConfig]

The user's defined scalars.

LogoutDetectionConfig

Configuration options for logout detection.

Enabled by default with default values. It will analyze all page content and response redirections to detect if the user is logged out. If you want to disable it, set enabled to false.

auto_reauthenticate

Type : boolean

If true, automatically re-authenticate when frontend session expires.

enabled

Type : boolean

If true, the frontend scan will detect when the user is logged out.

logged_in_indicator_regex_patterns

Type : List[string]*

Regex patterns to detect if user is logged in.

If set, at least one pattern must match. Empty by default.

logout_redirection_url_patterns

Type : List[string]*

Regex patterns to detect if user is logged out.

If set, at least one pattern must match. Will default to some common patterns if not set.

session_cookie_regex_patterns

Type : List[string]*

Regex patterns to identify session cookies.

If set, at least one pattern must match. Will default to some common patterns if not set.
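To see how the three pattern lists interact, the following added example models the logout detection described above: a redirect to a URL matching logout_redirection_url_patterns, or a page body matching none of the logged_in_indicator_regex_patterns when that list is set, counts as logged out, and auto_reauthenticate decides what happens next. This is assumed logic written for this page, not Escape's implementation; the defaults are taken from the example configuration and the responses are constructed.

```python
import re

# Defaults taken from the page's example configuration (constructed here as a dict).
LOGOUT_CFG = {
    "enabled": True,
    "auto_reauthenticate": True,
    "logged_in_indicator_regex_patterns": [],
    "logout_redirection_url_patterns": ["/login", "/signout", "/logout", "/sign-out", "/sign-in"],
    "session_cookie_regex_patterns": [
        r"(SESSION|JSESSIONID|ASPSESSIONID[A-Z0-9]+|PHPSESSID|ASP\.NET_SessionId)"],
}

def looks_logged_out(status, location, body, cfg=LOGOUT_CFG):
    """Assumed model of the detection described above, not Escape's implementation.

    Logged out when the response redirects to a URL matching one of
    logout_redirection_url_patterns, or when logged_in_indicator_regex_patterns is
    set and none of those patterns match the page body.
    """
    if not cfg.get("enabled", True):
        return False
    if 300 <= status < 400 and location:
        if any(re.search(p, location) for p in cfg["logout_redirection_url_patterns"]):
            return True
    indicators = cfg.get("logged_in_indicator_regex_patterns") or []
    if indicators and not any(re.search(p, body or "") for p in indicators):
        return True
    return False

def is_session_cookie(name, cfg=LOGOUT_CFG):
    """True when the cookie name matches one of session_cookie_regex_patterns."""
    return any(re.search(p, name) for p in cfg["session_cookie_regex_patterns"])

def next_action(status, location, body, cfg=LOGOUT_CFG):
    """Under this model: carry on crawling, re-authenticate, or stop the session."""
    if not looks_logged_out(status, location, body, cfg):
        return "continue"
    return "reauthenticate" if cfg.get("auto_reauthenticate", True) else "stop"

if __name__ == "__main__":
    # Constructed responses: a redirect to the login page and a normal page.
    print(next_action(302, "https://app.example/login?next=/dashboard", ""))
    print(next_action(200, None, "<a href='/logout'>Sign out</a>"))
```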

NetworkConfig

cancel_unhealthy_scan_after

Type : integer

The maximum time in seconds to wait for the scan to be healthy before canceling it.

custom_headers

Type : Dict[string, List[string]]

Custom headers to add to the requests.

escape_user

Type : boolean

Add the X-Escape-User header to the requests.

request_timeout_s

Type : integer

The maximum timeout duration for each request (in seconds).

requests_per_second

Type : integer

The maximum number of requests per second.

Enums

FrontendSecurityChecksTypes

Value
ALL
NONE
API_CHECKS
ACTIVE_PAGE_CHECKS
PASSIVE_PAGE_CHECKS
NETWORK_CHECKS

MatchingStrategy

Value
key
key_strict
value
value_strict
key_or_value
key_or_value_strict
key_strict_or_value
key_and_value_strict

Method

Value
GET
POST
PUT
DELETE
PATCH

ScalarParent

Value
String
Int
Float
Boolean

ScalarSensitivity

Value
NONE
LOW
MEDIUM
HIGH