How do you define a target for the vulnerability scanner?

Last updated: June 19, 2025

What This Article Covers

This article defines what a target is within the context of a vulnerability scanner and explains how to define and manage your targets for comprehensive vulnerability scanning. It explains the scope of a scan, including how resources on different hostnames are handled, and gives best practices for organizing targets for optimal coverage.

Who Should Read This

This article is for anyone setting up or managing vulnerability scans, including developers, security engineers, system administrators, and IT professionals responsible for securing web applications, websites, or API endpoints.

Why This Matters

Properly defining your targets is crucial for accurate and comprehensive vulnerability assessments. A well-defined target ensures that the scanner covers all relevant parts of your application, identifying potential security weaknesses that might otherwise be missed. This leads to a more robust security posture and reduces the risk of exploitation.


What is a Target in the Vulnerability Scanner?

A target in the vulnerability scanner refers to the domain or URL that will be scanned for vulnerabilities. This can be a web application, a website, or an API endpoint.

Examples of Unique Targets:

  • https://app.example.com

  • https://example.com/portal

  • https://www.example.com

Understanding the Scope of the Vulnerability Scan

Target URL

When you define a target URL, for example, https://app.example.com/admin, the scanner will automatically crawl and map out all requests, pages, APIs, and resources directly associated with this URL. It will then generate a site tree that captures these interactions.

Example of a Site Tree:

  • GET https://app.example.com/admin/login

  • GET https://app.example.com/admin/js/script.js?version=1234

  • PATCH https://api.example.com/users/1234

Note: Any APIs or resources that are not directly requested from the defined target URL will not be scanned by default. To ensure thorough coverage, you should add them as separate targets.

Scope of the Scan

By default, all URLs within the same domain as your target URL will be considered in scope. Other domains will be excluded unless you manually add them. If you wish to restrict the scan to a particular URL, such as https://app.example.com or https://app.example.com/admin, you can configure this under the Scanner Setup in Step 1. Here, you'll find an option to choose whether to crawl subdomains.

Example:

If your target URL (https://app.example.com/admin) makes API calls to https://api.example.com, these calls will be considered in scope since they share the same root domain (example.com).

Scanning Resources on Different Hostnames

If your application utilizes APIs or resources hosted on a different hostname (a different domain or subdomain that is not part of your main application's domain), you can explicitly include these in the scan scope. You can update this configuration in the Scanner Setup under the "What other hosts should we scan?" section in Step 1.

Example:

When using Amazon Cognito for authentication, your application might make API calls to a hostname like mydomain.auth.us-east-1.amazoncognito.com. For full coverage, you would need to add this specific hostname (mydomain.auth.us-east-1.amazoncognito.com or even amazoncognito.com) to your scan scope.
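The scope rules described in the sections above (same root domain in scope by default, an option to restrict crawling of subdomains, and explicitly added hosts such as a Cognito hostname) can be modelled to check a crawled site tree before a scan runs. The following is an added example, not Astra's code: it is a stand-alone Python script with a constructed site tree, and it assumes a simple two-label root domain (a real scanner would use the Public Suffix List) and a hypothetical `ScanScope` configuration object.

```python
# Added example (not the scanner's own code): a model of the scope rules
# described above, used to classify crawled requests and report which
# hosts would need to be added as extra targets/hosts for full coverage.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample site tree: (method, url) pairs as a crawler might record
# them for the target https://app.example.com/admin.
SAMPLE_SITE_TREE = [
    ("GET", "https://app.example.com/admin/login"),
    ("GET", "https://app.example.com/admin/js/script.js?version=1234"),
    ("PATCH", "https://api.example.com/users/1234"),
    ("POST", "https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token"),
    ("GET", "https://cdn.thirdparty-example.net/lib.js"),
]


def root_domain(host: str, labels: int = 2) -> str:
    """Return the last `labels` labels of a hostname, e.g. 'example.com'.

    Assumption: a two-label root is enough for this illustration. Real
    scanners use the Public Suffix List so that 'example.co.uk' is correct.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])


@dataclass
class ScanScope:
    """Hypothetical scope configuration mirroring the options in the text."""
    target_url: str
    crawl_subdomains: bool = True          # "choose whether to crawl subdomains"
    extra_hosts: set[str] = field(default_factory=set)  # "other hosts to scan"

    def __post_init__(self) -> None:
        self.target_host = (urlsplit(self.target_url).hostname or "").lower()
        self.root = root_domain(self.target_host)

    def in_scope(self, url: str) -> bool:
        host = (urlsplit(url).hostname or "").lower()
        # Explicitly added hosts are always in scope; a bare domain such as
        # 'amazoncognito.com' also covers all of its subdomains.
        for extra in self.extra_hosts:
            e = extra.lower()
            if host == e or host.endswith("." + e):
                return True
        if self.crawl_subdomains:
            # Default: everything under the same root domain is in scope.
            return host == self.root or host.endswith("." + self.root)
        # Restricted: only the target's own hostname is crawled.
        return host == self.target_host


def scope_report(scope: ScanScope, site_tree):
    """Split a site tree into in-scope requests and the hosts that would be
    skipped by default, i.e. candidates for separate targets or extra hosts."""
    in_scope, missing_hosts = [], set()
    for method, url in site_tree:
        if scope.in_scope(url):
            in_scope.append((method, url))
        else:
            missing_hosts.add((urlsplit(url).hostname or "").lower())
    return in_scope, sorted(missing_hosts)


if __name__ == "__main__":
    scope = ScanScope("https://app.example.com/admin")
    covered, missing = scope_report(scope, SAMPLE_SITE_TREE)
    for method, url in covered:
        print(f"in scope : {method} {url}")
    for host in missing:
        print(f"NOT scanned by default, add as target/host: {host}")
```

Running it with the default scope reports the Cognito hostname and the third-party CDN as hosts that would not be scanned; adding `amazoncognito.com` to `extra_hosts` brings the Cognito calls into scope, while setting `crawl_subdomains=False` drops `api.example.com` as well.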

Organizing Targets for Better Coverage

For large or complex applications, it's considered a best practice to divide them into smaller, logical targets. This approach facilitates more focused and efficient scanning, ensuring that each distinct section of your application is thoroughly tested.


Additionally, configuring scan behind login for each target can significantly enhance the effectiveness of your assessment. This allows the scanner to authenticate as different users and access URLs that require specific login credentials, uncovering vulnerabilities in authenticated areas.

Example:

For an e-commerce platform, you could effectively organize your scan into the following distinct targets:

  • https://example.com/store

  • https://example.com/sellers

  • https://admin.example.com

By segmenting your application in this manner, you ensure that each part is scanned in depth, thereby improving the overall effectiveness and completeness of your vulnerability assessment.


Need help? Raise a support ticket anytime from your Astra dashboard.