Defining a Target for the Vulnerability Scanner

Last updated: June 8, 2026

Hello! Setting up your targets correctly is one of the most important steps in ensuring a thorough security assessment. In the context of our scanner, a target refers to the specific domain, URL, web application, or API endpoint that you want to check for vulnerabilities.

Properly defining these ensures the scanner covers all relevant parts of your application and reduces the risk of missing critical security weaknesses.

Prerequisites

  • You must have an active Astra Dashboard account.

  • You should have the root URL or domain for the asset you wish to scan (e.g., https://app.example.com).

  • If your application uses third-party resources or different hostnames for authentication (like Amazon Cognito), have those hostnames ready.

Instructions

1. Define Your Target URL

When you enter a target URL, the scanner automatically crawls and maps out all requests, pages, and resources directly associated with it.

  • Single-page applications (SPAs): Enter the root of your web application.

  • Specific paths: You can define a target as a specific subdirectory, such as https://example.com/portal.

2. Configure the Scan Scope

By default, every URL under the same root domain as your target is considered "in scope"; hosts on other root domains are not.

  • If your target at app.example.com calls an API at api.example.com, the API is in scope because both hosts share the root domain example.com.

  • Subdomains: Whether the crawler follows links into other subdomains of that root domain (such as api.example.com above) is controlled by the subdomain option in the Scanner Setup (Step 1). Enable it if your application is spread across several subdomains.

3. Add External Hostnames

If your app relies on resources hosted on a hostname outside your root domain (a separate API domain, or a third-party identity provider such as Amazon Cognito), the crawler will not follow requests to it unless you add that hostname to the scope yourself.

  • Navigate to Scanner Setup > "What other hosts should we scan?" and list each such hostname explicitly to ensure full coverage. Only list hosts you own or are authorised to test: a third-party provider's hostname is someone else's infrastructure, so confirm that active testing against it is permitted before adding it.

4. Segment Large Applications

For complex platforms, it is a best practice to divide them into smaller, logical targets, for example one target each for the customer portal, the admin console, and the public API rather than a single target for the whole platform. This allows for more focused and efficient testing, and makes it easier to see which part of the application a finding belongs to.

Expected Outcome

Once defined, the scanner will generate a site tree capturing every interaction, page, and API request it discovers. You can view the complete inventory of scanned URLs by downloading the Sitemap from your dashboard. Compare it against the hosts and paths you expected the scan to reach: a host that appears in the Sitemap but lies outside your scope was seen but not tested, and a host you expected but which never appears was not requested by the target at all.
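The scope rules from Steps 1 to 3 (same root domain in scope, other hosts only when listed explicitly, and a subdirectory target restricting the crawl to that path) are easy to get wrong in a large application, so the following is an added example, not part of Astra's documentation or code, of a small scope checker you can run over a downloaded Sitemap (or any list of URLs) before and after a scan. The hostnames, the sample URL list, the class names and the "subdomain-excluded" behaviour of the subdomain toggle are my own assumptions for illustration; the dashboard's exact semantics may differ. The root-domain logic uses the last two labels, which is enough for example.com but not for multi-label public suffixes such as co.uk.

```python
"""Scope checker for a web-app scan target (added example, not the scanner's own code).

Classifies discovered URLs against a target the way the page describes scope:
same root domain is in scope, other hosts only if listed as extra hosts, and
URLs outside a subdirectory target are out of scope (that last rule is my reading).
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def root_domain(host: str) -> str:
    """Registrable ("root") domain, approximated as the last two labels.

    Fine for example.com; hosts under multi-label public suffixes
    (example.co.uk) need the Public Suffix List, which is not used here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class ScanScope:
    target: str                      # e.g. https://app.example.com/portal
    crawl_subdomains: bool = True    # the "crawl subdomains" toggle (assumed default)
    extra_hosts: set[str] = field(default_factory=set)  # "What other hosts should we scan?"

    def __post_init__(self) -> None:
        parts = urlsplit(self.target)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"target must be an absolute http(s) URL: {self.target!r}")
        self.host = parts.hostname.lower()
        self.root = root_domain(self.host)
        # A subdirectory target restricts the crawl to that prefix (assumption).
        path = parts.path.rstrip("/")
        self.path_prefix = path + "/" if path else "/"
        self.extra_hosts = {h.lower() for h in self.extra_hosts}

    def classify(self, url: str) -> str:
        """Return the scope bucket a discovered URL falls into."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host:
            return "invalid"
        if host == self.host:
            path = parts.path or "/"
            if path.rstrip("/") + "/" == self.path_prefix or path.startswith(self.path_prefix):
                return "target"
            return "outside-path"           # same host, but outside the subdirectory target
        if host in self.extra_hosts:
            return "extra-host"
        if root_domain(host) == self.root:
            return "subdomain" if self.crawl_subdomains else "subdomain-excluded"
        return "external"                   # seen by the crawler, not tested unless added


def coverage_report(scope: ScanScope, discovered: list[str]) -> dict[str, list[str]]:
    """Group a Sitemap export by scope bucket."""
    report: dict[str, list[str]] = {}
    for url in discovered:
        report.setdefault(scope.classify(url), []).append(url)
    return report


def hosts_to_add(scope: ScanScope, discovered: list[str]) -> list[str]:
    """Hosts the crawler reached but will not test: candidates for the extra-hosts list."""
    return sorted({urlsplit(u).hostname.lower() for u in discovered
                   if scope.classify(u) == "external"})


# Constructed sample Sitemap, not a real export.
SAMPLE_SITEMAP = [
    "https://app.example.com/portal/",
    "https://app.example.com/portal/api/v1/users",
    "https://app.example.com/admin/",                                  # same host, outside /portal
    "https://api.example.com/v1/orders",                               # sibling subdomain
    "https://static.example.com/app.js",
    "https://myapp.auth.us-east-1.amazoncognito.com/oauth2/authorize", # third-party login host
    "https://cdn.example.net/lib.js",                                  # other root domain
]

if __name__ == "__main__":
    scope = ScanScope("https://app.example.com/portal",
                      extra_hosts={"myapp.auth.us-east-1.amazoncognito.com"})
    for bucket, urls in coverage_report(scope, SAMPLE_SITEMAP).items():
        print(bucket, *urls, sep="\n  ")
    print("add under 'What other hosts should we scan?':", hosts_to_add(scope, SAMPLE_SITEMAP))
```

Run it once with your real Sitemap export substituted for SAMPLE_SITEMAP: anything in the "external" bucket is a host the application actually called during the crawl, so either add it as an extra host (if you are authorised to test it) or accept that it stays untested; anything in "outside-path" or "subdomain-excluded" tells you the target or the subdomain toggle is narrower than the application.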

Troubleshooting & Best Practices

  • Scan Behind Login: To uncover vulnerabilities in restricted areas, we highly recommend recording a login sequence so the scanner can authenticate as a user. Use a dedicated test account for this rather than a real user's credentials.

  • Disconnected Resources: The crawler only discovers what your defined target URL, and the pages reachable from it, actually request. An API or host the application never calls during the crawl is ignored by default and should be added as a separate target.

  • Scan Speed: If the crawl causes high latency for your application, lower the Scan Speed in your target settings to reduce the request rate and the load on your servers.