
How do you define a target for the vulnerability scanner?

What is a Target in the Vulnerability Scanner?

A target refers to the domain or URL that will be scanned for vulnerabilities by the scanner. This could be a web application, a website, or an API endpoint.

Examples of Unique Targets:

https://app.example.com
https://example.com/portal
https://www.example.com

Understanding the Scope of the Vulnerability Scan

Target URL

When you define a target URL, for example, https://app.example.com/admin, the scanner will crawl and map out all requests, pages, APIs, and resources associated with this URL. It will generate a site tree capturing these interactions.

Example of a Site Tree:

GET https://app.example.com/admin/login
GET https://app.example.com/admin/js/script.js?version=1234
PATCH https://api.example.com/users/1234

Note: Any APIs or resources that are not directly requested from the defined target will not be scanned. To ensure thorough coverage, you may add them as separate targets.

Scope of the Scan

By default, all URLs within the same domain will be considered in scope. Other domains will be excluded unless manually added. If you wish to restrict the scan to a particular URL, such as https://app.example.com or https://app.example.com/admin, you can configure this under the Scanner Setup in Step 1, where you can choose whether to crawl subdomains.

Example:

If the target URL (https://app.example.com/admin) makes API calls to https://api.example.com, these will be considered in scope since they share the same root domain (example.com).

Scanning Resources on Different Hostnames

If your application uses APIs or resources hosted on a different hostname, you can include these in the scan scope by updating the configuration in the Scanner Setup under What other hosts should we scan? in Step 1.

Example:

When using Amazon Cognito for authentication, API calls may be made to mydomain.auth.us-east-1.amazoncognito.com. You would need to add this hostname (mydomain.auth.us-east-1.amazoncognito.com or amazoncognito.com) to the scan scope for full coverage.

Organizing Targets for Better Coverage

For large applications, it’s best practice to divide them into smaller logical targets. This allows for more focused and efficient scanning, ensuring each section of your application is thoroughly tested.

Additionally, configuring scan behind login for each target can enhance the test by allowing the scanner to authenticate as different users and access URLs that require login credentials.

Example:

For an e-commerce platform, you could organize the scan into the following targets:

https://example.com/store
https://example.com/sellers
https://admin.example.com

By segmenting your application in this way, you ensure that each part is scanned in depth, improving the overall effectiveness of your vulnerability assessment.
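
The scope rules described above (same root domain in scope by default, the crawl-subdomains switch, extra hosts added under "What other hosts should we scan?") and the target segmentation in this section, worked through as an added Python example. This is not the scanner's own code and not part of the original article: the TargetScope class, the partition_site_tree and assign_to_targets functions, the registrable_domain helper and the site-tree lines are all constructed here, and the exact way the scanner applies a path prefix or the subdomain switch is my reading of the article, not its documented behaviour.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed site tree, in the same "METHOD URL" form the article shows.
SITE_TREE = """\
GET https://app.example.com/admin/login
GET https://app.example.com/admin/js/script.js?version=1234
PATCH https://api.example.com/users/1234
GET https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token
GET https://cdn.thirdparty.example/lib.js
"""


def registrable_domain(host: str) -> str:
    """Root domain as the last two labels (example.com). Assumption: this
    mirrors the article's rule; it ignores multi-label public suffixes
    such as co.uk, which a real scanner would resolve with a suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def path_covers(target_path: str, path: str) -> bool:
    """True when `path` sits at or below the target's path prefix."""
    prefix = target_path.rstrip("/")
    return not prefix or path == prefix or path.startswith(prefix + "/")


@dataclass
class TargetScope:
    """Hypothetical model of one target's Step 1 settings."""
    target_url: str
    crawl_subdomains: bool = True                      # "choose whether to crawl subdomains"
    extra_hosts: list = field(default_factory=list)    # "What other hosts should we scan?"

    def in_scope(self, url: str) -> bool:
        t, u = urlparse(self.target_url), urlparse(url)
        host = (u.hostname or "").lower()
        target_host = (t.hostname or "").lower()
        # Explicitly added hosts match exactly or as a parent domain, so either
        # "mydomain.auth.us-east-1.amazoncognito.com" or "amazoncognito.com"
        # admits the Cognito endpoint.
        for extra in self.extra_hosts:
            e = extra.lower()
            if host == e or host.endswith("." + e):
                return True
        if host == target_host:
            # Same host: stay under the target's path (e.g. /admin).
            return path_covers(t.path, u.path)
        # Other hosts under the same root domain are in scope only while
        # subdomain crawling is enabled (assumed reading of the article).
        return self.crawl_subdomains and registrable_domain(host) == registrable_domain(target_host)


def partition_site_tree(tree: str, scope: TargetScope):
    """Split 'METHOD URL' site-tree lines into (in_scope, out_of_scope) URL lists."""
    inside, outside = [], []
    for line in tree.splitlines():
        if not line.strip():
            continue
        _method, url = line.split(maxsplit=1)
        (inside if scope.in_scope(url) else outside).append(url)
    return inside, outside


def assign_to_targets(urls, targets):
    """Map each discovered URL to the most specific target (longest path) that
    covers it. URLs no target covers are collected under the key None, which is
    the coverage gap to close by adding another target."""
    ordered = sorted(targets, key=lambda t: len(urlparse(t).path), reverse=True)
    result = {t: [] for t in targets}
    result[None] = []
    for url in urls:
        u = urlparse(url)
        match = None
        for t in ordered:
            p = urlparse(t)
            same_host = (u.scheme, (u.hostname or "").lower()) == (p.scheme, (p.hostname or "").lower())
            if same_host and path_covers(p.path, u.path):
                match = t
                break
        result[match].append(url)
    return result


if __name__ == "__main__":
    scope = TargetScope("https://app.example.com/admin", extra_hosts=["amazoncognito.com"])
    inside, outside = partition_site_tree(SITE_TREE, scope)
    print("in scope:", inside)
    print("out of scope:", outside)
    shop_targets = ["https://example.com/store", "https://example.com/sellers", "https://admin.example.com"]
    discovered = ["https://example.com/store/cart", "https://admin.example.com/users",
                  "https://example.com/support/ticket/42"]   # constructed
    print(assign_to_targets(discovered, shop_targets))
```

Running the module prints the Cognito token endpoint as in scope only because amazoncognito.com was added as an extra host, and the third-party CDN as out of scope; the segmentation check reports https://example.com/support/ticket/42 under None, which is exactly the kind of section that needs its own target before the assessment is complete.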

Updated on: 24/09/2024