Introduction¶
Most of your scan configuration already follows the global scan configuration, such as authentication, network or inference.
However, there are a few additional configurations that are specific to WebApp scans.
For example, SPA and SSR applications are not necessarily crawled the same way, and you may want to configure the crawler differently for each.
Example¶
Here is an example configuration:

```yaml
---
frontend_dast:
  agentic_crawling:
    enabled: false
    instructions: ''
  api_checks_during_auth: true
  escape_user_header: false
  frontend_agentic_pentesting: false
  hotstart: []
  location_id: ''
  logout_detection:
    auto_reauthenticate: true
    enabled: true
    logged_in_indicator_regex_patterns: []
    logout_redirection_url_patterns:
      - /login
      - /signout
      - /logout
      - /sign-out
      - /sign-in
    session_cookie_regex_patterns:
      - (SESSION|JSESSIONID|ASPSESSIONID[A-Z0-9]+|PHPSESSID|ASP\.NET_SessionId)
  max_duration: 120
  mode: read_write
  parallel_workers: 3
  prefetch_sitemap: false
  relax_cors_security: true
  scope:
    api:
      allowlist_domains: []
      allowlist_url_patterns: []
      skipped_url_patterns: []
    pages:
      allowlist_element_selectors: []
      allowlist_url_patterns: []
      blocklist_element_selectors: []
      blocklist_patterns: []
      max_parameterized_url_variations: 5
      max_unique_fragments_per_page: 5
      max_unique_values_per_query_param: 5
      only_inscope_crawling_logs: true
  security_checks_enabled:
    - ALL
  single_page_worker: false
  static_crawling:
    enabled: false
    time_limit_seconds: 300
  use_persistence: true
  user_agent: null
inference:
  null_is_unauthenticated: true
  scalars:
    my_custom_scalar:
      description: API keys internal to my organization. Should not be committed or exposed to the internet.
      examples:
        - org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP
      ignored_names: []
      ignored_pattern: null
      is_sourceable: true
      names:
        - org_key
        - organization_key
      parents: []
      pattern: ^org_[A-Z]{32}$
      raise_on_commit: true
      raise_on_exposure: true
      sensitivity: HIGH
      strategy: key_or_value
network:
  cancel_unhealthy_scan_after: 120
  custom_headers:
    my-header:
      - value1
      - value2
    x-scanned-by:
      - escape.tech
  escape_user: true
  ff_frontend_next_sender: false
  parallel_requests: 10
  request_timeout_s: 2
  requests_per_second: 1000
```
Configuration reference¶
Fields¶
APIScopeConfig¶
Configuration for controlling which API traffic the scanner should analyze and test.
Note: The scanner observes API traffic without interfering with it; the web application continues to work normally. These settings only control what the scanner analyzes and tests for security issues.
allowlist_domains¶
Type : List[string]*
Allowlist of domains for API traffic analysis.
List of domains that the scanner will analyze for API traffic. If not set, all domains will be analyzed as long as they are in the exploration scope. For example: ["api.example.com", "backend.example.com"]
allowlist_url_patterns¶
Type : List[string]*
Allowlist of URL patterns for API traffic analysis.
List of regexes that define which API URLs the scanner will analyze and test. If not set, all API URLs will be analyzed, as long as they are in scope.
skipped_url_patterns¶
Type : List[FrontendAPIURLSkipRule]*
Patterns to skip security checks on specific API traffic.
Unlike a page-level blocklist (scope.pages.blocklist_patterns), matching API traffic is still captured and analyzed, but security checks are skipped on it. This is useful for sensitive endpoints such as authentication, where you want to observe the traffic but not run active tests. You can optionally restrict a rule to one HTTP method.
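The three scope fields combine per captured request. The following Python model is added here as an illustration and is not Escape's code; it shows one way to read that combination: exploration scope first, then the domain and URL allowlists, then skip rules that demote a request from "tested" to "analyzed only". How the real scanner matches hostnames against the exploration scope, and whether URL regexes are applied to the full URL or only the path, is not stated on this page; the model assumes suffix matching on hostnames and re.search over the full URL. The sample scope and URLs are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class FrontendAPIURLSkipRule:
    url_pattern: str
    method: Optional[str] = None  # None means the rule applies to every method


@dataclass
class APIScopeConfig:
    allowlist_domains: list = field(default_factory=list)
    allowlist_url_patterns: list = field(default_factory=list)
    skipped_url_patterns: list = field(default_factory=list)


def in_exploration_scope(host: str, exploration_scope: list) -> bool:
    # Assumption: an exploration-scope entry covers the host and its subdomains.
    return any(host == d or host.endswith("." + d) for d in exploration_scope)


def classify_request(scope: APIScopeConfig, exploration_scope: list,
                     method: str, url: str) -> str:
    """Return 'ignored' (not analyzed), 'analyzed' (captured but no active
    security checks) or 'tested' (captured and actively checked)."""
    host = urlsplit(url).hostname or ""
    # Exploration scope comes first: traffic outside it is never analyzed.
    if not in_exploration_scope(host, exploration_scope):
        return "ignored"
    if scope.allowlist_domains and host not in scope.allowlist_domains:
        return "ignored"
    # Assumption: URL regexes are searched against the full URL.
    if scope.allowlist_url_patterns and not any(
            re.search(p, url) for p in scope.allowlist_url_patterns):
        return "ignored"
    for rule in scope.skipped_url_patterns:
        if rule.method and rule.method.upper() != method.upper():
            continue
        if re.search(rule.url_pattern, url):
            return "analyzed"
    return "tested"


# Constructed sample: observe the login call but never fire active checks at
# the POST, and only analyze the API host even though static assets are served
# from the same parent domain.
SAMPLE_SCOPE = APIScopeConfig(
    allowlist_domains=["api.example.com"],
    skipped_url_patterns=[FrontendAPIURLSkipRule(r"/auth/login$", method="POST")],
)
SAMPLE_EXPLORATION_SCOPE = ["example.com"]

if __name__ == "__main__":
    for m, u in [("POST", "https://api.example.com/auth/login"),
                 ("GET", "https://api.example.com/auth/login"),
                 ("GET", "https://api.example.com/v1/orders"),
                 ("GET", "https://cdn.example.com/app.js"),
                 ("GET", "https://tracker.third-party.net/collect")]:
        print(m, u, "->", classify_request(SAMPLE_SCOPE, SAMPLE_EXPLORATION_SCOPE, m, u))
```

Note that the skip rule only changes what is actively tested: the POST to the login endpoint is still captured, so the scanner can learn the session it produces, while a GET to the same path (no method restriction matched) is tested normally.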
AgenticCrawlingConfig¶
Configuration options for agentic crawling.
enabled¶
Type : boolean
This configuration value is automatically enabled if experimental.agentic_pentesting is set to true.
instructions¶
Type : string
Instructions for the agentic crawling.
Free-form guidance for the agent on how to explore the application: what to do on a given page, which business flows matter, what data it should use, and what to avoid.
CustomScalarConfig¶
description¶
Type : string
The description of the scalar.
examples¶
Type : List[string]*
Sample values for the scalar (used in the explore phase as default values).
ignored_names¶
Type : List[string]*
Names to ignore for the scalar.
ignored_pattern¶
Type : string
Regex to ignore for the scalar.
is_sourceable¶
Type : boolean
Use this scalar in the Agentic Exploration of the API.
If true, the scalar will be reinjected during the Agentic Exploration of the API.
names¶
Type : List[string]*
Possible names for the scalar.
parents¶
Type : List[ScalarParent]*
Root type the scalar is compatible with.
pattern¶
Type : string
A regex that values of this scalar must match.
raise_on_commit¶
Type : boolean
Mark this scalar as non-committable.
If Escape finds this scalar in a git repository, an issue will be raised.
raise_on_exposure¶
Type : boolean
Mark this scalar as non-exposable.
If Escape finds this scalar in any HTTP request, an issue will be raised.
sensitivity¶
Type : ScalarSensitivity
Data sensitivity level.
Values MEDIUM and HIGH will serve to raise Sensitive Data issues in Escape.
strategy¶
Type : MatchingStrategy
The detection strategy.
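Before putting a scalar such as my_custom_scalar into a scan configuration, it is worth checking that its parts agree with one another. The following Python check is an added example and not part of Escape; it takes the scalar entry as a plain dict (the YAML at the top of this page, decoded) and reports examples that do not fully match pattern, examples swallowed by ignored_pattern, names that also appear in ignored_names, an entry with neither names nor pattern, and enum values outside the tables in this reference. The BROKEN_SCALAR entry is constructed to show the failures.

```python
import re

# Enum values from the reference tables on this page.
SENSITIVITIES = {"NONE", "LOW", "MEDIUM", "HIGH"}
STRATEGIES = {"key", "key_strict", "value", "value_strict", "key_or_value",
              "key_or_value_strict", "key_strict_or_value", "key_and_value_strict"}
PARENTS = {"String", "Int", "Float", "Boolean"}


def check_scalar(name: str, cfg: dict) -> list:
    """Return human-readable problems with one CustomScalarConfig entry.
    An empty list means the entry is internally consistent."""
    problems = []
    pattern = cfg.get("pattern")
    regex = None
    if pattern:
        try:
            regex = re.compile(pattern)
        except re.error as exc:
            problems.append(f"{name}: pattern does not compile: {exc}")
    ignored = None
    if cfg.get("ignored_pattern"):
        try:
            ignored = re.compile(cfg["ignored_pattern"])
        except re.error as exc:
            problems.append(f"{name}: ignored_pattern does not compile: {exc}")

    # Every example is a value the scanner may inject during exploration; it
    # must be a full match of the pattern, otherwise the injected sample and a
    # real leaked key would be classified differently.
    for example in cfg.get("examples", []):
        if regex and not regex.fullmatch(example):
            problems.append(f"{name}: example {example!r} does not match pattern")
        if ignored and ignored.search(example):
            problems.append(f"{name}: example {example!r} is excluded by ignored_pattern")

    names = set(cfg.get("names", []))
    overlap = names & set(cfg.get("ignored_names", []))
    if overlap:
        problems.append(f"{name}: names also in ignored_names: {sorted(overlap)}")
    if not names and not pattern:
        problems.append(f"{name}: neither names nor pattern set, nothing can match")

    if cfg.get("sensitivity") not in SENSITIVITIES:
        problems.append(f"{name}: sensitivity must be one of {sorted(SENSITIVITIES)}")
    if cfg.get("strategy") not in STRATEGIES:
        problems.append(f"{name}: strategy must be one of {sorted(STRATEGIES)}")
    bad_parents = set(cfg.get("parents", [])) - PARENTS
    if bad_parents:
        problems.append(f"{name}: unknown parents {sorted(bad_parents)}")
    return problems


# The my_custom_scalar entry from the example configuration on this page.
MY_CUSTOM_SCALAR = {
    "description": "API keys internal to my organization.",
    "examples": ["org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP"],
    "ignored_names": [],
    "ignored_pattern": None,
    "is_sourceable": True,
    "names": ["org_key", "organization_key"],
    "parents": [],
    "pattern": r"^org_[A-Z]{32}$",
    "raise_on_commit": True,
    "raise_on_exposure": True,
    "sensitivity": "HIGH",
    "strategy": "key_or_value",
}

# Constructed broken copy: the example is too short for the pattern and the
# sensitivity is not one of the enum values.
BROKEN_SCALAR = dict(MY_CUSTOM_SCALAR, examples=["org_TOOSHORT"], sensitivity="CRITICAL")

if __name__ == "__main__":
    for scalar_name, entry in (("my_custom_scalar", MY_CUSTOM_SCALAR), ("broken", BROKEN_SCALAR)):
        print(scalar_name, check_scalar(scalar_name, entry) or "ok")
```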
FrontendAPIURLSkipRule¶
This is used to skip urls from API traffic testing. Does not block pages traffic.
method¶
Type : Method
HTTP method to skip (not set implies all methods).
url_pattern¶
Type : string*
Regex matched against API URLs; traffic that matches is still captured and analyzed, but not actively tested.
FrontendDASTConfig¶
Most of your scan configuration already follows the global scan configuration, such as authentication, network or inference.
However, there are a few additional configurations that are specific to WebApp scans.
For example SPA and SSR applications may not be crawled the same way, and you may want to configure the crawler to crawl them differently.
agentic_crawling¶
Type : AgenticCrawlingConfig*
If true, the frontend scan will use an LLM agent to intelligently explore the application by filling forms and interacting with elements to maximize API traffic generation.
You can describe business logic for the agent to crawl the application better, what data it should use, what to avoid.
api_checks_during_auth¶
Type : boolean
If set to true, API checks will run during the authentication process. If set to false, API checks will only be enabled (IF included in security_checks_enabled) after authentication.
API Checks can break the authentication flow! If you face problems authenticating your scan, you should disable this option.
escape_user_header¶
Type : boolean
If true, the frontend scan will add the x-escape-user header to the requests.
frontend_agentic_pentesting¶
Type : boolean
If true, the frontend scan will be performed with an LLM agent to find more vulnerabilities. This configuration value will be auto enabled if experimental.agentic_pentesting is set to True.
hotstart¶
Type : List[string]*
The list of URLs to start the scan from.
In your Expert Configuration section in the settings of your scan, you can configure and add more base URLs for your scan. Base URLs is a list of URLs that the scanner should visit. You can pre-seed the scanner with a list of URLs to start the scan from and enrich the crawling process by boosting known URLs.
location_id¶
Type : string
logout_detection¶
Type : LogoutDetectionConfig*
max_duration¶
Type : integer
The maximum time in minutes that the scan will run for before stopping.
Defaults to 2 hours.
mode¶
Type : ScanMode
The chosen mode for the scan.
The default mode is read_write and is suited to development environments. The read_only mode is safe for production environments, but reduces the number of tests performed and the scan coverage.
parallel_workers¶
Type : integer
The number of parallel workers to use for frontend scans.
Maximum is 5, default is 3. Recommended to lower this if you encounter stability issues.
prefetch_sitemap¶
Type : boolean
If true, the frontend scan will prefetch any available sitemaps (robots.txt, sitemap.xml, etc) and use them as a seed for the crawler.
relax_cors_security¶
Type : boolean
If false, the browser enforces CORS as usual: it sends preflight requests for cross-origin API calls and can block them. If true, the scanner's browser sends no preflight requests and omits the Origin header from every request.
If your authentication relies on custom headers, set this to true, otherwise the browser may block API calls that violate the target's CORS policy. This only relaxes enforcement inside the scanner's browser; it does not change the application's CORS configuration or what a real user's browser would do.
scope¶
Type : FrontendDASTScopeConfig*
Configuration for controlling the scope of the frontend scan.
This groups all scope-related options for both page crawling and API traffic analysis. Use this to define what the scanner should and should not scan.
security_checks_enabled¶
Type : List[FrontendSecurityChecksTypes]*
The security_checks_enabled parameter allows you to precisely control which security checks to run.
By default, all checks are enabled. You can mix and match depending on your needs (speed, coverage, etc).
single_page_worker¶
Type : boolean
If true, frontend scans will be performed in a single page worker.
Note that this will slow down the scan, as it will not be able to explore multiple pages in parallel.
static_crawling¶
Type : StaticCrawlerConfig*
use_persistence¶
Type : boolean
If true, the frontend scan will use persistence to load discovered URLs from previous scans, to enhance crawling stability.
user_agent¶
Type : string
The user agent to use for frontend scans.
FrontendDASTScopeConfig¶
Configuration options for controlling the scope of the frontend scan.
This configuration is organized into two main sections:
- pages: Controls which pages the scanner should crawl and interact with
- api: Controls which API traffic the scanner should analyze and test
This separation makes it clear what applies to page crawling versus API traffic analysis.
api¶
Type : APIScopeConfig*
Scope configuration for API traffic analysis and testing.
pages¶
Type : PageScopeConfig*
Scope configuration for page crawling and element interactions.
InferenceConfig¶
Inference configures how escape will detect secrets exposed by the API or in files.
The inference is also used to reinject IDs in the DAST scanners.
null_is_unauthenticated¶
Type : boolean
Consider empty API responses as unauthenticated.
To improve error inference, if your API always returns a response but without data when the user is unauthenticated, set this to true.
scalars¶
Type : Dict[CustomScalarConfig]
The user's defined scalars.
LogoutDetectionConfig¶
Configuration options for logout detection.
Enabled by default with default values. It will analyze all pages content and response redirections to detect if the user is logged out. If you want to disable it, set enabled to False.
auto_reauthenticate¶
Type : boolean
If true, automatically re-authenticate when frontend session expires.
enabled¶
Type : boolean
If true, the frontend scan will detect when the user is logged out.
logged_in_indicator_regex_patterns¶
Type : List[string]*
Regex patterns to detect if user is logged in.
If set, at least one pattern must match. Empty by default.
logout_redirection_url_patterns¶
Type : List[string]*
Regex patterns to detect if user is logged out.
If set, at least one pattern must match. Will default to some common patterns if not set.
session_cookie_regex_patterns¶
Type : List[string]*
Regex patterns to identify session cookies.
If set, at least one pattern must match. Will default to some common patterns if not set.
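To see how the three signals above interact, here is a Python model of logout detection applied to one observed response. It is an added example, not Escape's implementation. It uses the defaults from the example configuration at the top of this page and assumes the patterns are applied with unanchored, case-sensitive re.search: redirect patterns against the Location target, logged-in indicators against page content, and session cookie patterns against cookie names. The Observation records are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Defaults as shown in the example configuration on this page.
DEFAULT_LOGOUT_REDIRECTS = [r"/login", r"/signout", r"/logout", r"/sign-out", r"/sign-in"]
DEFAULT_SESSION_COOKIES = [
    r"(SESSION|JSESSIONID|ASPSESSIONID[A-Z0-9]+|PHPSESSID|ASP\.NET_SessionId)"]


@dataclass
class LogoutDetectionConfig:
    enabled: bool = True
    auto_reauthenticate: bool = True
    logged_in_indicator_regex_patterns: list = field(default_factory=list)
    logout_redirection_url_patterns: list = field(
        default_factory=lambda: list(DEFAULT_LOGOUT_REDIRECTS))
    session_cookie_regex_patterns: list = field(
        default_factory=lambda: list(DEFAULT_SESSION_COOKIES))


@dataclass
class Observation:
    """What the browser saw after one navigation (constructed for the example)."""
    status: int
    location: Optional[str]   # Location header on a redirect, else None
    body: str                 # rendered page content
    cookies: dict             # cookie jar: name -> value


def logged_out_reason(cfg: LogoutDetectionConfig, obs: Observation) -> Optional[str]:
    """Return why the session looks logged out, or None if it still looks alive."""
    if not cfg.enabled:
        return None
    # Signal 1: a redirect whose target matches a logout URL pattern.
    if obs.status in (301, 302, 303, 307, 308) and obs.location:
        for p in cfg.logout_redirection_url_patterns:
            if re.search(p, obs.location):
                return f"redirected to {obs.location} (matches {p!r})"
    # Signal 2: if indicators are configured, at least one must be in the page.
    if cfg.logged_in_indicator_regex_patterns and not any(
            re.search(p, obs.body) for p in cfg.logged_in_indicator_regex_patterns):
        return "no logged-in indicator found in page content"
    # Signal 3: at least one held cookie must look like a session cookie.
    if cfg.session_cookie_regex_patterns and not any(
            re.search(p, name) for p in cfg.session_cookie_regex_patterns
            for name in obs.cookies):
        return "no cookie name matches session_cookie_regex_patterns"
    return None


if __name__ == "__main__":
    cfg = LogoutDetectionConfig()
    bounced = Observation(302, "/login?next=%2Fdashboard", "", {"JSESSIONID": "abc"})
    print(logged_out_reason(cfg, bounced))
```

Two practical consequences follow from the "at least one pattern must match" rule. If your session cookie has a non-standard name (say sid), the default session_cookie_regex_patterns never match and every page looks logged out, so set the pattern to your cookie name (for example ^sid$). And because the default redirect patterns are unanchored, a redirect to /account/login-history also counts as a logout; anchor the patterns (for example ^/login(\?|$)) if your application has such URLs.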
NetworkConfig¶
cancel_unhealthy_scan_after¶
Type : integer
The maximum time in seconds to wait for the scan to be healthy before canceling it.
custom_headers¶
Type : Dict[string, List[string]]
Custom headers to add to the requests.
escape_user¶
Type : boolean
Add the X-Escape-User header to the requests.
ff_frontend_next_sender¶
Type : boolean
Feature flag to enable the new sender in the frontend DAST.
parallel_requests¶
Type : integer
The maximum number of parallel requests to send.
request_timeout_s¶
Type : integer
The maximum timeout duration for each request (in seconds).
requests_per_second¶
Type : integer
The maximum number of request per second.
PageScopeConfig¶
Configuration for controlling which pages the scanner should crawl and interact with.
allowlist_element_selectors¶
Type : List[string]*
Allowlist of element zones the scanner can interact with.
Use this to make the scanner interact only with elements inside the given list of selectors. For example, using div#zone1 will only interact with elements inside <div id="zone1">...</div> and ignore everything else.
allowlist_url_patterns¶
Type : List[string]*
Allowlist of URL patterns for page crawling.
List of regexes that define which page URLs are allowed to be visited. If not set, all URLs will be allowed, as long as they are in scope. For example, if exploration_scope is ["app.escape.tech"], only URLs matching that domain will be allowed.
blocklist_element_selectors¶
Type : List[string]*
Blocklist of element selectors to avoid interactions with.
Things like logout buttons, lock buttons, help widgets, chat widgets, etc. If used together with allowlist_element_selectors, the blocklist is applied after the allowed elements have been selected.
blocklist_patterns¶
Type : List[string]*
Blocklist of URL patterns for page crawling.
List of regexes of URLs that the scanner will not visit. This enables you to optimize the scanner time by avoiding crawling useless pages, like /faq/ and /articles/.
max_parameterized_url_variations¶
Type : integer
The maximum number of different parameter values to test for parameterized URL patterns.
The scanner detects numeric and UUID segments in URL paths and fragments (e.g., IDs, UUIDs) and replaces them with {param} to create patterns. For example, /users/123/profile and /users/456/profile both match the pattern /users/{param}/profile.
This setting limits how many different parameter values will be tested for each pattern. With the default of 5:
- /users/123/profile (allowed, variation 1 of the pattern)
- /users/456/profile (allowed, variation 2 of the pattern)
- /users/789/profile (allowed, variation 3 of the pattern)
- ... up to 5 variations
- /users/999/profile (blocked once the limit is reached)
max_unique_fragments_per_page¶
Type : integer
The maximum number of different fragments (anchors) to visit for the same page path.
For example, if set to 5, the scanner will visit up to 5 different fragments of /page.html:
- /page.html#section1 (allowed)
- /page.html#section2 (allowed)
- /page.html#section3 (allowed)
- /page.html#section4 (allowed)
- /page.html#section5 (allowed)
- /page.html#section6 (blocked)
Already visited fragments can be revisited without counting against the limit. Note: Single Page Applications with route fragments (containing /) are not limited by this setting.
max_unique_values_per_query_param¶
Type : integer
The maximum number of different values to test for each query parameter on the same page path.
For example, if set to 5, for the /search page with parameter q:
- /search?q=test1 (allowed)
- /search?q=test2 (allowed)
- /search?q=test3 (allowed)
- /search?q=test4 (allowed)
- /search?q=test5 (allowed)
- /search?q=test6 (blocked)
Already tested values can be revisited without counting against the limit. The limit applies independently to each query parameter (e.g., q, filter, page are tracked separately).
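The three limits above (max_parameterized_url_variations, max_unique_fragments_per_page and max_unique_values_per_query_param) share one mechanism: a normalised key (URL pattern, page path, or path plus parameter name) with a per-key set of distinct values already seen, where revisits are free and a new value is admitted only while the set is below the limit. The following Python model is added here as an illustration and is not Escape's crawler; it implements the behaviour the reference describes, including {param} substitution for numeric and UUID segments, the SPA route-fragment exemption, and per-parameter tracking. The UUID and number regexes, and the choice not to record any state for a URL that ends up blocked, are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
NUMBER_RE = re.compile(r"^\d+$")


def to_pattern(route: str) -> str:
    """Replace numeric and UUID segments with {param}, e.g.
    /users/123/profile -> /users/{param}/profile."""
    return "/".join("{param}" if NUMBER_RE.match(seg) or UUID_RE.match(seg) else seg
                    for seg in route.split("/"))


class PageBudget:
    def __init__(self, max_parameterized_url_variations=5,
                 max_unique_fragments_per_page=5, max_unique_values_per_query_param=5):
        self.max_variations = max_parameterized_url_variations
        self.max_fragments = max_unique_fragments_per_page
        self.max_values = max_unique_values_per_query_param
        self.variations = {}   # pattern -> set of concrete routes visited
        self.fragments = {}    # page path -> set of anchors visited
        self.values = {}       # (page path, param) -> set of values tested

    @staticmethod
    def _fits(table, key, value, limit):
        seen = table.get(key, set())
        return value in seen or len(seen) < limit   # revisits never count

    def allow(self, url: str):
        """Return (allowed, reason). State is updated only when the URL is allowed."""
        u = urlsplit(url)
        path, fragment = u.path, u.fragment
        # SPA route fragments (containing "/") are part of the route, not anchors,
        # so they are exempt from the fragment limit but still get {param} handling.
        is_route_fragment = "/" in fragment
        route = path + ("#" + fragment if is_route_fragment else "")
        checks = []
        pattern = to_pattern(route)
        if pattern != route:
            checks.append((self.variations, pattern, route, self.max_variations,
                           f"{pattern}: {self.max_variations} variations already visited"))
        if fragment and not is_route_fragment:
            checks.append((self.fragments, path, fragment, self.max_fragments,
                           f"{path}: {self.max_fragments} fragments already visited"))
        for param, value in parse_qsl(u.query, keep_blank_values=True):
            checks.append((self.values, (path, param), value, self.max_values,
                           f"{path}?{param}: {self.max_values} values already tested"))
        for table, key, value, limit, reason in checks:
            if not self._fits(table, key, value, limit):
                return False, reason
        for table, key, value, _, _ in checks:
            table.setdefault(key, set()).add(value)
        return True, "allowed"


if __name__ == "__main__":
    budget = PageBudget(max_parameterized_url_variations=3)
    for uid in (1, 2, 3, 2, 4):
        print(f"/users/{uid}/profile", budget.allow(f"https://app.example.com/users/{uid}/profile"))
```

Under this model a URL that carries several limited dimensions at once (a new query value on a new parameterized path, say) is admitted only if every dimension still has room, and a blocked URL consumes no budget in any of them.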
only_inscope_crawling_logs¶
Type : boolean
If true, the frontend scan will report only in-scope URLs under the "Crawling" tab.
StaticCrawlerConfig¶
Configuration options for static crawler.
Disabled by default. It runs a static crawler to extract URLs and seed them into the scanner. This should not be enabled when using single_page_worker.
enabled¶
Type : boolean
If true, the frontend scan will run a static crawler to extract & seed URLs.
time_limit_seconds¶
Type : integer
Time limit for static crawling in seconds.
FrontendDASTConfig¶
frontend_dast¶
Type : FrontendDASTConfig*
inference¶
Type : InferenceConfig*
network¶
Type : NetworkConfig*
Enums¶
FrontendSecurityChecksTypes¶
| Value |
|---|
| ALL |
| NONE |
| API_CHECKS |
| ACTIVE_PAGE_CHECKS |
| PASSIVE_PAGE_CHECKS |
| NETWORK_CHECKS |
MatchingStrategy¶
| Value |
|---|
| key |
| key_strict |
| value |
| value_strict |
| key_or_value |
| key_or_value_strict |
| key_strict_or_value |
| key_and_value_strict |
Method¶
| Value |
|---|
| GET |
| POST |
| PUT |
| DELETE |
| PATCH |
ScalarParent¶
| Value |
|---|
| String |
| Int |
| Float |
| Boolean |
ScalarSensitivity¶
| Value |
|---|
| NONE |
| LOW |
| MEDIUM |
| HIGH |
ScanMode¶
| Value |
|---|
| read_only |
| read_write |