Internal Network Scanning¶
Internal Assets hosted within private networks or behind firewalls can be scanned through the use of Private Locations and scanner identification mechanisms. This capability is applicable to both WebApp DAST and API DAST scanning modes.
Overview¶
Internal application scanning addresses scenarios where:
- Applications are hosted on private networks without public internet access
- Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) must differentiate scanner traffic from malicious requests
- Access to specific endpoints or introspection capabilities is restricted to authorized security testing tools
- Monitoring systems require exemption rules for security testing traffic
Scanner Identification¶
Sec-Escape-User Header¶
Every request sent by the Escape scanner carries a single Escape-specific HTTP header, Sec-Escape-User. Server-side logic can use it to recognize legitimate security testing traffic. The header is always present, with no token to provision and no configuration on the customer side.
Header Format:
The value identifies which simulated user sent the request (for example public, or a named user from your authentication configuration). The header is consistent across all scan types (WebApp DAST and API DAST).
Use Cases for Scanner Identification¶
Web Application Firewall (WAF) Allowlisting:
Security appliances can recognize the Sec-Escape-User header and exempt scanner traffic from rate limiting, blocking rules, or alert generation. This prevents false positive security alerts and keeps scans running. Because HTTP headers can be spoofed, Sec-Escape-User on its own is fine for tagging traffic but not for allowlisting: pair it with a source IP match or a shared-secret header. See Firewall Configuration for the recommended allowlist rules.
Conditional Introspection Access:
Server introspection endpoints (GraphQL introspection, OpenAPI documentation, API metadata) can be restricted to requests containing valid scanner identification. This allows security testing in staging environments while maintaining endpoint restrictions in production.
Monitoring Exemption:
Application Performance Monitoring (APM) and observability systems can filter scanner traffic from metrics, logs, and alerting pipelines, preventing distortion of production telemetry.
Selective Feature Enablement:
Application logic can detect scanner presence and enable specific behaviors such as:
- Expanded error messages for vulnerability identification
- Disabled CAPTCHA challenges
- Relaxed rate limiting for comprehensive coverage
- Test data population for business logic testing
Never allowlist on the header alone
Because HTTP headers can be spoofed, never let traffic bypass your WAF on the presence of Sec-Escape-User alone. An attacker who learns your WAF trusts the header can simply send it. Always combine it with an IP allowlist or a shared secret, as described in Firewall Configuration.
Custom Header Configuration¶
When you need an additional identification signal, for example a shared secret to allowlist on, configure custom headers. They are sent on every request alongside Sec-Escape-User and apply to both WebApp DAST and API DAST scans.
Custom headers live under the top-level network key in the scan configuration:
You can set them in your organization-wide defaults or in the Expert Configuration of an individual scan. Scan-level values override defaults. See Firewall Configuration for how to allowlist on a shared-secret header.
Private Location Configuration¶
Private Locations enable scanning of applications that are not accessible from the public internet. The Escape Repeater agent establishes an outbound connection from the private network to the Escape platform, allowing bidirectional communication for scan execution.
Private Location Architecture¶
- Repeater Agent: Lightweight agent deployed within the private network
- Outbound Connection: HTTPS tunnel initiated from the private network to Escape infrastructure
- Request Proxying: Scanner requests are transmitted through the established tunnel to internal applications
- Response Transmission: Application responses are returned through the tunnel for analysis
Configuring Private Locations¶
For New Applications (Dashboard)¶
When creating an application through the Escape dashboard:
- Navigate to the application creation workflow
- In the Network section, select a previously configured Private Location from the dropdown
- Proceed with standard application configuration (URL, authentication, scan settings)
Private Location selection is independent of application type (WebApp DAST or API DAST).
For New Applications (Public API)¶
Applications with Private Location assignments can be created programmatically through the Public API. Refer to the Public API Documentation for endpoint specifications and request schemas.
For Existing Applications¶
To configure an existing application for internal scanning:
- Navigate to the application's settings in the Escape dashboard
- Access the Advanced Settings section
- Select the Network tab
- Choose a Private Location from the available options
- Save the configuration
Subsequent scans will utilize the selected Private Location for network connectivity.
Private Location Management¶
Private Locations must be configured and registered before they can be assigned to applications. Configuration and management of Private Locations is performed through the Organization Settings - Private Locations interface.
Prerequisites:
- Repeater agent deployment within the target network
- Network egress rules permitting HTTPS connections to Escape infrastructure
- Appropriate DNS resolution for Escape platform endpoints
- Sufficient agent resources for concurrent scan execution
Security Considerations¶
Network Isolation¶
Private Location deployments maintain network isolation boundaries. The Repeater agent does not expose inbound network services and operates exclusively through outbound HTTPS connections.
Authentication Layering¶
Scanner identification headers complement, but do not replace, application-level authentication mechanisms. Both scanner identification and user authentication credentials should be configured for comprehensive testing.
Secret Rotation¶
If you allowlist on a shared-secret custom header, rotate the secret periodically as part of security hygiene practices. Rotation requires coordinated updates to:
- WAF allowlist configurations
- Any server-side logic that checks the header
- Monitoring exemption rules
Applicable Scan Types¶
The capabilities described in this document apply equally to:
- WebApp DAST: Browser-based scanning of web applications and Single Page Applications (SPAs)
- API DAST: Direct HTTP-based testing of REST APIs, GraphQL APIs, and other API architectures
Configuration syntax and private location behavior remain consistent across scan types.
Related Documentation¶
- WebApp DAST Configuration
- API DAST Configuration
- Authentication Configuration
- Public API Documentation
- Organization Settings - Private Locations