Verify Ownership
What is Target ownership verification?
To run a vulnerability scan on your application, you must first verify that you own the application or domain being scanned. This is called Target Verification.
Why is Target ownership verification required?
This verification prevents a third party from using Astra to scan applications they do not own and uncovering vulnerabilities in them. Verifying ownership before scanning is a crucial security measure: it ensures that only authorized users can initiate vulnerability scans on an application, which maintains the integrity of the scanning process and safeguards your applications.
How to verify a Target's ownership?
The first step in securing your web application with Astra is to click the "Start Verification" button on the Targets page and provide some basic information about your target.
After clicking the button, a side sheet opens with a form titled "Tell us About your Application".
Let's break down each field and what you need to know:
Application Name (For Display):
This is the name of your application as you want it to appear in our system and reports. It should be the commonly known or marketed name of your app.
Business Name (For Certificates):
Enter the legal name of your business or organization. This name will be used on any certificates or official documentation related to the asset you want to test.
Target URL (STAGING/PRODUCTION):
Provide the URL of the application you want to verify ownership for. This can be either your staging or production environment, depending on which version you want to be scanned and verified. Ensure that this URL is accessible and represents the current state of your application.
After this, you need to select a target verification method.
What are the different verification methods Astra offers?
Astra offers three distinct methods for verifying your ownership:
DNS Verification:
DNS verification involves adding a specific TXT record to your domain's DNS settings. This method proves that you have control over the domain associated with your application.
How it works:
Log in to the domain/DNS control panel for your application's domain
Navigate to the screen where you can Add a new record
Create a new record of type TXT
In the Name field, if you are verifying your root domain, enter @ or the full domain name (for example, test.com)
If you are verifying a sub-domain, enter only the sub-domain label in the Name field. For example, if you are scanning api.test.com, enter api
Set the TTL to Auto
In the Content (value) field, enter the unique verification token shown in the dashboard. It has the format astra-asset-verification=<unique token from dashboard>
Save the DNS record, and wait a few minutes for propagation. In some cases it might take a few hours too.
File Upload:
The file upload method requires you to upload a specific file to the root directory of your web server. This method is recommended because it's typically faster and more straightforward than DNS verification.
How it works:
Select the File upload method
Click on Download verification file to get the unique HTML file
Upload the downloaded file to the root of your application so that it is reachable at exactly the URL shown in the dashboard.
Click on Verify HTML File
Why it's recommended:
Faster verification: DNS changes can take time to propagate, while an uploaded file is available as soon as it is deployed.
Easier to implement: No need to access DNS settings, which might be managed by a different team or service.
Less room for error: Simply uploading a file is generally less complex than modifying DNS records.
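Before clicking "Verify" for either self-service method, it helps to confirm from your own side that the record or file looks the way the verifier will see it. The script below is an added example, not Astra's own tooling or code from this article: it derives the DNS Name field from a target URL, parses `dig +short TXT` output for the `astra-asset-verification=` record and names the usual mistakes, and compares what your server actually serves at the verification URL with the file downloaded from the dashboard. The dig output, file bodies and the file name `astra-verification.html` are constructed sample data; the actual `dig` and `curl` calls are left to you so the checks run offline.

```python
"""Pre-flight checks for the DNS and File Upload verification methods.

Added example, not Astra's own code. Assumes only the token format shown
in the dashboard (astra-asset-verification=<token>); the dig output, HTTP
bodies and file name below are constructed sample data.
"""
import re
from urllib.parse import urlparse

TOKEN_PREFIX = "astra-asset-verification="


def dns_record_name(target_url: str, registrable_domain: str) -> str:
    """Value for the DNS 'Name' field: '@' for the root domain, otherwise
    the labels left of it (api.test.com under test.com -> 'api').

    The registrable domain is passed explicitly: public-suffix rules
    (example.co.uk) make it unsafe to guess from the hostname alone.
    """
    host = (urlparse(target_url).hostname or target_url).rstrip(".").lower()
    zone = registrable_domain.rstrip(".").lower()
    if host == zone:
        return "@"
    if not host.endswith("." + zone):
        raise ValueError(f"{host} is not under {zone}")
    return host[: -(len(zone) + 1)]


def parse_txt_rdata(line: str) -> str:
    """Join the quoted strings of one TXT answer as printed by
    `dig +short TXT <name>`. Records over 255 bytes arrive as several
    quoted chunks ("abc" "def") that resolvers concatenate."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    if not chunks:
        return line.strip()
    return "".join(re.sub(r"\\(.)", r"\1", c) for c in chunks)


def check_dns_token(dig_output: str, token: str) -> dict:
    """Look for the verification record in dig +short output and say why it
    was not accepted, so the caller knows whether to wait for propagation
    or to fix the record."""
    expected = TOKEN_PREFIX + token
    records = [parse_txt_rdata(ln) for ln in dig_output.splitlines() if ln.strip()]
    if not records:
        return {"ok": False, "reason": "no TXT records yet (still propagating, or wrong Name field)"}
    if expected in records:
        return {"ok": True, "reason": "verification record present"}
    for rec in records:
        if rec.strip() == expected:
            return {"ok": False, "reason": "record has leading/trailing whitespace"}
        if rec == token:
            return {"ok": False, "reason": f"token present but missing the {TOKEN_PREFIX!r} prefix"}
        if rec.startswith(TOKEN_PREFIX):
            return {"ok": False, "reason": "prefix present but the token differs from the dashboard value"}
    return {"ok": False, "reason": "only unrelated TXT records found at this name"}


def _same_location(url_a: str, url_b: str) -> bool:
    """Same host and path; an http->https upgrade is tolerated."""
    a, b = urlparse(url_a), urlparse(url_b)
    return (a.netloc.lower(), a.path) == (b.netloc.lower(), b.path)


def check_verification_file(expected_url: str, final_url: str, status: int,
                            served_body: bytes, local_body: bytes) -> dict:
    """Compare what the server really returns at the verification URL (after
    redirects) with the file downloaded from the dashboard. The match must
    be byte-for-byte; a 200 whose body is something else (catch-all route,
    custom error page, template wrapper) is the usual reason for failure."""
    if status != 200:
        return {"ok": False, "reason": f"HTTP {status} instead of 200"}
    if not _same_location(expected_url, final_url):
        return {"ok": False, "reason": f"redirected to {final_url}; the file must be served at {expected_url}"}
    if served_body == local_body:
        return {"ok": True, "reason": "served file matches the downloaded file"}
    if served_body.strip() == local_body.strip():
        return {"ok": False, "reason": "file matches except for surrounding whitespace or newlines"}
    if local_body in served_body:
        return {"ok": False, "reason": "file content is embedded in a larger page (template or wrapper)"}
    return {"ok": False, "reason": "different content at that URL (wrong file, or a catch-all route?)"}


if __name__ == "__main__":
    # Constructed: what `dig +short TXT api.test.com` might print once the
    # record has propagated, alongside an unrelated SPF record.
    sample_dig = '"v=spf1 -all"\n"astra-asset-veri" "fication=abc123"\n'
    print(dns_record_name("https://api.test.com", "test.com"))  # api
    print(check_dns_token(sample_dig, "abc123"))
    # Constructed: hypothetical file name and body; the served page wraps
    # the file in a template, so verification would fail.
    local = b"astra-asset-verification=abc123\n"
    url = "https://api.test.com/astra-verification.html"
    print(check_verification_file(url, url, 200, b"<html>" + local + b"</html>", local))
```

Feed `check_dns_token` the raw output of `dig +short TXT <name>` (run against a public resolver, not only your own authoritative server, to see what has actually propagated), and feed `check_verification_file` the status, final URL and body from a request to the dashboard URL with redirects followed. The reasons returned map directly onto the two errors listed under "Common verification errors" below: a mismatching body is the "wrong verification file" case, and no response at all is the timeout case.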
Manual Verification:
If you cannot verify ownership using DNS Verification or File Upload, or your system does not support either method, you can opt for Manual Verification. When we receive the request, our support team will try to establish ownership by other means; this can take up to 12–24 hours. You will receive an email once the request is approved, after which you can start a vulnerability scan. Where possible, we recommend the DNS or File Upload methods instead.
Choose the method that best suits your situation and technical capabilities. If you're unsure, we recommend starting with the File Upload method due to its simplicity and efficiency.
What happens after ownership verification?
Once the ownership verification process is complete, the target moves from the "Pending Verification" state to "Pending Setup".
At this stage, you'll need to provide information that helps our scanner thoroughly assess your application. This includes updating user roles and recording login credentials. These steps are crucial as they allow our scanner to access various parts of your application, including protected areas. By providing this information, you ensure that the security scan can be as comprehensive as possible, covering both public and authenticated sections of your application.
Common verification errors
Some common verification errors and their causes:
Wrong verification file uploaded: The verification file for each project is unique, so make sure you have uploaded the correct one.
The connection to your server timed out: Make sure that your server is responding and try again.
Updated on: 05/09/2024