
How to configure the Astra Vulnerability Scanner?

You can configure the Astra Vulnerability Scanner in a few steps using the Scanner Setup workflow. Enter details about your target so that the scanner can log in, optimize for your technology and achieve maximum scan coverage.

Open the workflow by clicking Set up Scanner on the All Targets page, or from the Settings page for the target.



If you have any questions or need assistance with the Scanner Setup, create a support ticket or reach out to your account manager.

Step 1 - Scope Coverage



You have to define the target URL and scope of the scan so that the scanning is restricted to your application, and requests are not sent to third parties.

A target is a domain or URL that will be tested by our vulnerability scanner. It can be the URL of a web application, website, API, etc. Based on how your application is built, you will have to configure the scope.

Learn how to configure the scanner's scope
How to choose the testing environment - Production vs Staging




Step 2 - User Roles



If you have authentication set up on your target, you can configure Astra to scan behind login like an authenticated user. Enter the credentials for different user roles available in your application, so that the scanner can authenticate using the login recording in the next step.

For example, if your SaaS app has two user roles, USER (standard users of the application) and ADMIN (administrator user for management), create an account for each role and enter it in the dashboard.

It is recommended to create new user accounts for scanning, as junk data may be added during testing.



Step 3 - Login Recording



You can configure the scanner to authenticate with the target using multiple methods. This will be used during the scan to authenticate with the different user roles.

Recording a Login Sequence via Chrome Extension
Configuring Form-based or JSON authentication (advanced)

If your application is protected with HTTP Basic Auth, please configure it before starting a scan.



After configuring the Login Recording, you can click on Configure Advanced Settings to access the additional configuration steps described below.

Step 4 - Optimize Tech



Select the technologies used by the target, so that the scanner can detect vulnerabilities more accurately for the specific target and finish sooner. All scans start by running a fingerprinting module to detect all technologies in use in addition to the ones you have selected.



Step 5 - Add HTTP Headers



If you want the scanner to send additional HTTP headers with every request, you can configure them at this step. For example, you can add your own User-Agent or authentication header as required.

Examples of actions you can perform:

Add new HTTP headers
Override any existing HTTP headers
Remove any HTTP header (leave the value empty)





Step 6 - Exclude URLs



You can specify URLs that you would like to exclude from the scanner scope, so that the scanner does not test them. If the crawled URL contains the specified string or matches the regular expression, it will be excluded from the scan scope.

For example:

Logout URL so that the scanner does not get logged-out
E-commerce product pages for faster scans. Since the product pages have the same code, testing each page could lead to longer scans
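
A way to preview exclusion rules against a list of known URLs before relying on them, so that an over-broad string does not silently drop pages from coverage. This is an added example, not part of the original article and not Astra's own code; the rule tagging, the unanchored regex matching and the sample URLs are assumptions made for illustration.

```python
import re

# Constructed rules. The explicit contains/regex tag is an assumption of this
# example; the page does not say how the dashboard tells the two kinds apart.
RULES = [
    ("contains", "/logout"),
    ("regex", r"/products/\d+$"),
]

# Constructed sample of crawled URLs (example.com is a placeholder target).
CRAWLED = [
    "https://app.example.com/dashboard",
    "https://app.example.com/logout",
    "https://app.example.com/account/logout-all-devices",
    "https://app.example.com/products/1001",
    "https://app.example.com/products/1002",
    "https://app.example.com/products/1001/reviews",
    "https://app.example.com/products/search?q=shoes",
]


def matching_rule(url, rules):
    """Return the first rule that excludes url, or None if it stays in scope."""
    for kind, value in rules:
        if kind == "contains" and value in url:
            return (kind, value)
        # Assumption: regex rules match anywhere in the URL (re.search).
        if kind == "regex" and re.search(value, url):
            return (kind, value)
    return None


def preview(urls, rules):
    """Split urls into (in_scope, excluded) where excluded maps url -> rule."""
    in_scope, excluded = [], {}
    for url in urls:
        rule = matching_rule(url, rules)
        if rule is None:
            in_scope.append(url)
        else:
            excluded[url] = rule
    return in_scope, excluded


if __name__ == "__main__":
    in_scope, excluded = preview(CRAWLED, RULES)
    for url, (kind, value) in excluded.items():
        print(f"EXCLUDED  {url}  <- {kind}: {value}")
    print("IN SCOPE:", *in_scope, sep="\n  ")
```

In this sample the string `/logout` also excludes `/account/logout-all-devices`, while the anchored product pattern leaves the reviews and search pages in scope.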




Step 7 - Summary



Now quickly review everything you have configured so far and Start a Scan to find out the vulnerabilities found by the scanner.

If any configuration changes are made while a scan is running, they will take effect from the next scan onwards.


Updated on: 13/08/2022
