Web Target Setup
Configuring the Astra Vulnerability Scanner for your web application involves several crucial steps to ensure accurate and comprehensive security assessments. This guide will walk you through each step, from defining the target URL to starting a scan. Proper configuration is key to ensuring the scanner operates effectively and meets your specific security needs.
Access the Scanner Setup
To begin, navigate to the Targets page and click on the Setup Target button.
You will be directed to the target setup wizard, where you can update and configure the target.
Breakdown of each step
Step 1 - Define the Target URL & Scope of the Scan
To ensure that the scan focuses solely on your application and avoids unnecessary requests to third-party domains, you must define the Target URL and Scope.
A target can be any domain, URL, web application, website, or API you wish to scan. Depending on how your application is structured, configure the scan's scope accordingly.
Learn how to configure the scanner's scope
How to choose the testing environment - Production vs Staging
Configuring Subdomain Crawling
In this step, you can also configure subdomain crawling.
For example, if your target URL is dash.xyz.com/admin, you can choose:
All Subdomains: Scans all pages under dash.xyz.com and api.xyz.com, as both share the domain xyz.com.
Target Subdomains: Scans only pages under dash.xyz.com, excluding those under api.xyz.com.
Starting with URI: Scans only URLs that begin with dash.xyz.com/admin, such as dash.xyz.com/admin/settings, but not dash.xyz.com/user.
Adding Additional Hosts
If your application has APIs or resources on different hostnames, add them here to ensure the scanner tests these as well.
Step 2 - API Scanning
To enhance scan coverage, instruct Astra's scanner to explore all relevant subdomains and APIs. Additionally, you can upload an OpenAPI spec file for more thorough API Crawling.
Step 3 - User Roles
If your target requires authentication, you can configure Astra to scan behind the login screens as different user roles. Enter the credentials for each role in your application.
For example, if your SaaS app has two roles, USER (standard users) and ADMIN (administrators), create an account for each role and enter their credentials.
It is recommended to create new user accounts for scanning, as junk data may be added during testing.
Step 4 - Login Recording
You can configure the scanner to authenticate with the target using various methods. This configuration will be utilized during the scan to authenticate different user roles. This ensures that vulnerabilities behind login screens are tested.
Recording a Login Sequence via Chrome DevTools Recorder
You can also set the session length (in seconds), which will be used by the scanner during login.
Step 5 - Optimize Tech
Select the technologies used by your target to allow the scanner to detect vulnerabilities more accurately and complete the scan faster. This includes programming languages, frameworks, and libraries. The scan starts with a fingerprinting module to identify all technologies in use, in addition to those you select.
Step 6 - Application Details
Provide an overview of your application, including its purpose and key features. This helps Astra's AI generate relevant business logic test cases.
Example: A platform to buy movie tickets online where users can search for nearby theaters using GPS and purchase tickets. Built as a single-page application with React and Python.
Step 7 - Advanced Settings
If needed, configure the scanner to send additional HTTP headers with every request. You can also exclude specific URLs from the scan scope.
Add new HTTP headers.
You can also exclude URLs from the scan. If a crawled URL contains a specific string or matches a Regular Expression, it will be excluded from the scan scope.
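The following is an added illustration (not Astra's own code) of how the three scope modes from Step 1 and the string/regex exclusion rules from this step decide which crawled URLs get tested. The function names, the rule dictionary format, the treatment of "Target Subdomains" as the target host plus hosts beneath it, and the "last two labels" base-domain heuristic are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Added illustration of Astra's scope modes and exclusion rules; not Astra's code.

def _split(url):
    """Parse a URL, adding a scheme if the user typed a bare host like dash.xyz.com/admin."""
    return urlsplit(url if "://" in url else "https://" + url)

def _base_domain(host):
    """Naive registrable domain (last two labels, e.g. xyz.com); multi-part
    public suffixes such as co.uk are ignored in this example (assumption)."""
    return ".".join(host.lower().split(".")[-2:])

def in_scope(url, target, mode):
    """mode: 'all_subdomains', 'target_subdomains' or 'starting_with_uri'."""
    u, t = _split(url), _split(target)
    host, thost = (u.hostname or "").lower(), (t.hostname or "").lower()
    if mode == "all_subdomains":       # any host sharing the base domain
        return _base_domain(host) == _base_domain(thost)
    if mode == "target_subdomains":    # the target host and hosts beneath it
        return host == thost or host.endswith("." + thost)
    if mode == "starting_with_uri":    # same host, path begins with the target path
        return host == thost and u.path.startswith(t.path)
    raise ValueError(f"unknown scope mode: {mode}")

def is_excluded(url, rules):
    """rules: list of {'contains': str} or {'regex': str}, tested against the full URL."""
    for rule in rules:
        if "contains" in rule and rule["contains"] in url:
            return True
        if "regex" in rule and re.search(rule["regex"], url):
            return True
    return False

def filter_crawl(urls, target, mode, rules=()):
    """Return only the crawled URLs that are in scope and not excluded."""
    return [u for u in urls if in_scope(u, target, mode) and not is_excluded(u, rules)]

# Constructed sample crawl output for the page's example target.
CRAWLED = [
    "https://dash.xyz.com/admin/settings",
    "https://dash.xyz.com/admin/logout",
    "https://dash.xyz.com/user",
    "https://api.xyz.com/v1/orders/7/delete",
    "https://cdn.example.net/app.js",
]
TARGET = "dash.xyz.com/admin"
EXCLUDE = [{"contains": "logout"}, {"regex": r"/orders/\d+/delete$"}]
```

Excluding logout and destructive endpoints like this keeps the scanner's session alive and avoids the test data churn mentioned under Step 3.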
Step 8 - Complete Setup
Review all your configurations and click Complete setup to finalize the configuration.
If any configuration changes are made while a scan is running, they will take effect from the next scan onwards.
Facing any issues? Feel free to raise a support ticket for assistance.
Updated on: 25/09/2024