Internal Network Scanning

Internal assets hosted within private networks or behind firewalls can be scanned through the use of Private Locations and scanner identification mechanisms. This capability applies to both WebApp DAST and API DAST scanning modes.

Overview

Internal application scanning addresses scenarios where:

  • Applications are hosted on private networks without public internet access
  • Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) must differentiate scanner traffic from malicious requests
  • Access to specific endpoints or introspection capabilities is restricted to authorized security testing tools
  • Monitoring systems require exemption rules for security testing traffic

Scanner Identification

Escape Identifier Header

A secure identification token is automatically attached to every request transmitted by the Escape scanner. This token is organization-specific and allows server-side logic to recognize legitimate security testing traffic.

Header Format:

X-Escape-Identifier: {{your-organization-identifier}}

The identifier token is consistent across all scan types (WebApp DAST and API DAST) and remains stable unless explicitly regenerated.

Token Location:

The organization-specific identifier token can be retrieved from Organization Settings.

Use Cases for Scanner Identification

Web Application Firewall (WAF) Allowlisting:

Security appliances can be configured to recognize the X-Escape-Identifier header and exempt scanner traffic from rate limiting, blocking rules, or alert generation. This prevents false positive security alerts and ensures uninterrupted scan execution.

Conditional Introspection Access:

Server introspection endpoints (GraphQL introspection, OpenAPI documentation, API metadata) can be restricted to requests containing valid scanner identification. This allows security testing in staging environments while maintaining endpoint restrictions in production.

Monitoring Exemption:

Application Performance Monitoring (APM) and observability systems can filter scanner traffic from metrics, logs, and alerting pipelines, preventing distortion of production telemetry.

Selective Feature Enablement:

Application logic can detect scanner presence and enable specific behaviors such as:

  • Expanded error messages for vulnerability identification
  • Disabled CAPTCHA challenges
  • Relaxed rate limiting for comprehensive coverage
  • Test data population for business logic testing
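The following is an added example of the server-side logic the use cases above describe; it is not code from Escape or from this page. It assumes the application receives request headers as a dictionary, that the expected token is loaded from Organization Settings into configuration (the constructed value `org-identifier-EXAMPLE-0000` stands in for it), and that introspection stays closed in production even for identified scanner traffic, which is a deployment rule chosen for this example. The header name is a parameter so the same check works for a custom header from the scan configuration.

```python
import hmac
from dataclasses import dataclass

# Constructed placeholder; the real value is the organization identifier
# retrieved from Organization Settings and stored in server configuration.
EXPECTED_TOKEN = "org-identifier-EXAMPLE-0000"
DEFAULT_HEADER = "X-Escape-Identifier"


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_scanner_request(headers, expected_token, header_name=DEFAULT_HEADER):
    """True only when the identification header is present and matches the
    configured token. hmac.compare_digest keeps the comparison constant-time,
    so an attacker cannot recover the token from timing differences."""
    presented = get_header(headers, header_name)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected_token.encode("utf-8"))


@dataclass(frozen=True)
class RequestPolicy:
    is_scanner: bool
    skip_rate_limit: bool        # WAF allowlisting
    record_telemetry: bool       # monitoring exemption (False = filtered out)
    verbose_errors: bool         # selective feature enablement
    introspection_allowed: bool  # conditional introspection access


def decide_policy(headers, expected_token, environment,
                  header_name=DEFAULT_HEADER):
    """Derive per-request behaviour from scanner identification.

    Introspection (GraphQL introspection, OpenAPI documents) is opened only
    to an identified scanner and only outside production; production keeps
    it closed regardless of the header (assumed rule for this example).
    Everything else falls back to normal handling for unidentified traffic."""
    scanner = is_scanner_request(headers, expected_token, header_name)
    return RequestPolicy(
        is_scanner=scanner,
        skip_rate_limit=scanner,
        record_telemetry=not scanner,
        verbose_errors=scanner,
        introspection_allowed=scanner and environment != "production",
    )


# Constructed sample requests
SCANNER_HEADERS = {"x-escape-identifier": EXPECTED_TOKEN, "Accept": "*/*"}
REGULAR_HEADERS = {"Accept": "*/*"}

if __name__ == "__main__":
    print(decide_policy(SCANNER_HEADERS, EXPECTED_TOKEN, "staging"))
    print(decide_policy(SCANNER_HEADERS, EXPECTED_TOKEN, "production"))
    print(decide_policy(REGULAR_HEADERS, EXPECTED_TOKEN, "staging"))
```

Because a missing header, an empty value and a near-miss token all yield a "not scanner" decision, a misconfigured token fails closed: the request is simply treated as ordinary traffic rather than being granted any relaxed behaviour.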

Token Security

The organization identifier must be treated as a sensitive credential. If compromise is suspected, the token should be immediately regenerated via the Organization Settings interface using the Revoke functionality. Token regeneration will invalidate all existing scan configurations until updated.

Custom Header Configuration

Alternative identification headers can be configured when the default X-Escape-Identifier header is unsuitable or when additional authentication layers are required.

Custom headers are defined within the authentication configuration block and are applicable to both WebApp DAST and API DAST scans:

authentication:
  presets:
    - type: headers
      users:
        - headers:
            X-Custom-Scanner-Token: custom-secret-value
            X-Environment-Tag: security-testing
          username: scanner-user

Configuration Properties:

  • headers: Key-value pairs representing HTTP headers to be included in all requests
  • username: Identifier for the authentication preset (arbitrary label)

Custom headers are transmitted alongside the default X-Escape-Identifier header unless explicitly configured otherwise in the scan profile.

Private Location Configuration

Private Locations enable scanning of applications that are not accessible from the public internet. The Escape Repeater agent establishes an outbound connection from the private network to the Escape platform, allowing bidirectional communication for scan execution.

Private Location Architecture

  • Repeater Agent: Lightweight agent deployed within the private network
  • Outbound Connection: HTTPS tunnel initiated from the private network to Escape infrastructure
  • Request Proxying: Scanner requests are transmitted through the established tunnel to internal applications
  • Response Transmission: Application responses are returned through the tunnel for analysis

Configuring Private Locations

For New Applications (Dashboard)

When creating an application through the Escape dashboard:

  1. Navigate to the application creation workflow
  2. In the Network section, select a previously configured Private Location from the dropdown
  3. Proceed with standard application configuration (URL, authentication, scan settings)

Private Location selection is independent of application type (WebApp DAST or API DAST).

For New Applications (Public API)

Applications with Private Location assignments can be created programmatically through the Public API. Refer to the Public API Documentation for endpoint specifications and request schemas.

For Existing Applications

To configure an existing application for internal scanning:

  1. Navigate to the application's settings in the Escape dashboard
  2. Access the Advanced Settings section
  3. Select the Network tab
  4. Choose a Private Location from the available options
  5. Save the configuration

Subsequent scans will utilize the selected Private Location for network connectivity.

Private Location Management

Private Locations must be configured and registered before they can be assigned to applications. Configuration and management of Private Locations are performed through the Organization Settings - Private Locations interface.

Prerequisites:

  • Repeater agent deployment within the target network
  • Network egress rules permitting HTTPS connections to Escape infrastructure
  • Appropriate DNS resolution for Escape platform endpoints
  • Sufficient agent resources for concurrent scan execution

Security Considerations

Network Isolation

Private Location deployments maintain network isolation boundaries. The Repeater agent does not expose inbound network services and operates exclusively through outbound HTTPS connections.

Authentication Layering

Scanner identification headers complement, but do not replace, application-level authentication mechanisms. Both scanner identification and user authentication credentials should be configured for comprehensive testing.

Token Rotation

Organization identifier tokens should be periodically rotated as part of security hygiene practices. Token rotation requires coordinated updates to:

  • WAF allowlist configurations
  • Server-side identification logic
  • Monitoring exemption rules
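Because the three consumers listed above are rarely updated at the same instant, server-side identification logic can accept both the new and the previous token during a short overlap window, then drop the old one at a fixed cutover time. The following is an added example of that pattern; it is not Escape code and the page does not describe it. It assumes a `TokenRing` holding the current and previous tokens, a 24-hour default grace period, and that matches against the previous token are reported so operators can see which consumer still sends the old value.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def _tokens_equal(a, b):
    """Constant-time comparison of two token strings."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


@dataclass
class TokenRing:
    """Current identifier token plus the previous one, which remains valid
    only until `previous_valid_until` (the rotation cutover)."""
    current: str
    previous: Optional[str] = None
    previous_valid_until: Optional[datetime] = None

    def rotate(self, new_token, now, grace=timedelta(hours=24)):
        """Install a regenerated token; the old one stays accepted for `grace`."""
        self.previous = self.current
        self.previous_valid_until = now + grace
        self.current = new_token

    def match(self, presented, now):
        """Return 'current', 'previous' or None for an unrecognised token.
        The previous token is only consulted before the cutover time."""
        if presented is None:
            return None
        if _tokens_equal(presented, self.current):
            return "current"
        if (self.previous is not None
                and self.previous_valid_until is not None
                and now < self.previous_valid_until
                and _tokens_equal(presented, self.previous)):
            return "previous"
        return None


def rotation_log_line(generation, consumer, now):
    """Constructed audit line: a 'previous' match means `consumer` (for
    example a WAF rule or monitoring filter) has not been updated yet."""
    if generation == "previous":
        return f"{now.isoformat()} WARN consumer={consumer} still presenting previous token"
    if generation == "current":
        return f"{now.isoformat()} INFO consumer={consumer} token ok"
    return f"{now.isoformat()} INFO consumer={consumer} unidentified traffic"


if __name__ == "__main__":
    # Constructed sample tokens; real values come from Organization Settings.
    ring = TokenRing(current="org-token-EXAMPLE-old")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ring.rotate("org-token-EXAMPLE-new", t0)
    print(rotation_log_line(ring.match("org-token-EXAMPLE-old", t0 + timedelta(hours=1)), "waf", t0))
    print(rotation_log_line(ring.match("org-token-EXAMPLE-old", t0 + timedelta(hours=25)), "waf", t0))
```

Keeping the cutover explicit (rather than accepting the old token indefinitely) bounds the exposure if the reason for rotation was a suspected compromise: after the window, only the regenerated token identifies scanner traffic.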

Applicable Scan Types

The capabilities described in this document apply equally to:

  • WebApp DAST: Browser-based scanning of web applications and Single Page Applications (SPAs)
  • API DAST: Direct HTTP-based testing of REST APIs, GraphQL APIs, and other API architectures

Configuration syntax and private location behavior remain consistent across scan types.