How do you define a target for the vulnerability scanner?

A target is a domain or URL that will be tested by our vulnerability scanner. It can be the URL of a web application, a website, an API, etc.

Examples of some unique targets:

https://app.example.com
https://example.com/portal
https://www.example.com
What is the scope of the vulnerability scan?
Target URL
Let us say you set https://app.example.com/admin as the target URL. The scanner will crawl https://app.example.com/admin and build a site tree of all the requests, pages, APIs, resources, etc. that are requested from the target URL.

Example of Site Tree:

GET https://app.example.com/admin/login
GET https://app.example.com/admin/js/script.js?version=1234
PATCH https://api.example.com/users/1234

Any APIs or resources that are not requested from the app will not be scanned. You can add them as a separate target for better coverage.

Scope
By default, all URLs on the same domain are included in scope, and everything else is excluded. If you would like to restrict the scan scope to only https://app.example.com or https://app.example.com/admin, you can update the configuration in the Scanner Setup under Should we crawl subdomains? in Step 1.

For example, if API calls are made from https://app.example.com/admin to https://api.example.com, they are considered in scope because both URLs share the same domain name, i.e. example.com.

Different Hostnames
If you have APIs or other resources residing on a different hostname that need to be scanned, you can add them to the scope from the Scanner Setup under What other hosts should we scan? in Step 1.

For example, when using Amazon Cognito, the authentication API call is made to mydomain.auth.us-east-1.amazoncognito.com. You will have to add mydomain.auth.us-east-1.amazoncognito.com or amazoncognito.com to the scope.
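The scope rules described above (same domain in scope by default, an optional restriction to the target's own host and path, and extra hosts added explicitly), applied to a constructed site tree. This is an added illustration, not the scanner's own code: the function names, the `crawl_subdomains` and `other_hosts` parameters, and the two-label notion of "domain" are assumptions made for the example.

```python
from typing import Iterable, List
from urllib.parse import urlsplit

def registrable_domain(host: str) -> str:
    # Assumption: "domain" means the last two labels, matching the page's
    # app.example.com -> example.com example (not suffixes like co.uk).
    return ".".join(host.lower().split(".")[-2:])

def in_scope(request_url: str, target_url: str,
             crawl_subdomains: bool = True,
             other_hosts: Iterable[str] = ()) -> bool:
    """True if request_url would be scanned for the given target.

    crawl_subdomains=True : any host sharing the target's domain (default).
    crawl_subdomains=False: only the target's host, under the target's path.
    other_hosts           : hostnames or parent domains added to scope.
    """
    req, tgt = urlsplit(request_url), urlsplit(target_url)
    if req.scheme not in ("http", "https") or not req.hostname or not tgt.hostname:
        return False
    rh, th = req.hostname.lower(), tgt.hostname.lower()

    # Explicitly added hosts, including their subdomains; the leading dot
    # stops "notamazoncognito.com" from matching "amazoncognito.com".
    for extra in other_hosts:
        extra = extra.lower()
        if rh == extra or rh.endswith("." + extra):
            return True

    if crawl_subdomains:
        return registrable_domain(rh) == registrable_domain(th)

    # Restricted mode: same host, and the path must stay under the target path.
    prefix = tgt.path.rstrip("/")
    return rh == th and (req.path == prefix or req.path.startswith(prefix + "/"))

# Constructed sample site tree in the page's "METHOD URL" layout.
SITE_TREE = """\
GET https://app.example.com/admin/login
GET https://app.example.com/admin/js/script.js?version=1234
PATCH https://api.example.com/users/1234
POST https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token
"""

def scanned_urls(site_tree: str, target_url: str, **scope) -> List[str]:
    """Return the URLs from a site tree that fall inside the scan scope."""
    urls = [line.split(" ", 1)[1] for line in site_tree.splitlines() if line.strip()]
    return [u for u in urls if in_scope(u, target_url, **scope)]
```

With the default settings the Cognito endpoint is dropped from the list; adding `other_hosts=("amazoncognito.com",)` brings it back, which is the check worth running before a scan behind login is expected to authenticate.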

How to organize targets?
It is good practice to divide large applications into smaller logical targets. This way you can ensure that each important part is thoroughly tested and that the scan results stay focused and manageable.

Another strong reason for this is that scanning behind login can be configured per target, allowing the scanner to log in to the application as different users and test the URLs that require authentication.

For example, a big e-commerce application can be divided into the following targets:

https://example.com/store
https://example.com/sellers
https://admin.example.com

Updated on: 13/08/2022