This article collects questions you might ask yourself when using the Crashtest Security Suite and points you in the right direction.
How can I whitelist the Crashtest Security Scanners in my firewall?
Security scanning is a sensitive matter, and it sometimes has to be run against applications that are not publicly reachable. So that you can configure your network perimeter to let our security scanner reach such applications, we provide a set of static IP addresses. Every request from our scanning engine originates from one of these addresses.
You may whitelist these IP addresses within your firewall or load balancer so that the security scanner can access your private applications, such as your staging system or internal applications:
Here are the IP addresses as a comma-separated list for easier copying into your firewall settings:
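The allowlist check below is an added example, not Crashtest Security code. It shows the two things a perimeter rule for scanner traffic has to get right: the comma-separated list must be parsed strictly (a silently dropped entry leads to "Failed to verify the scan targets" later), and when the application sits behind a load balancer the forwarded client address must only be trusted when the direct peer is one of your own proxies. The scanner addresses and proxy range in the code are constructed placeholders; the real addresses come from the list above.

```python
"""Source-IP allowlist check for scanner traffic.

Added example, not Crashtest Security code.  Assumptions, labelled here:
  * SCANNER_IPS is a constructed placeholder; substitute the real list.
  * TRUSTED_PROXIES is a constructed range for the load balancer in front
    of the staging application.
"""
import ipaddress
from typing import List, Optional

# Constructed placeholder addresses (NOT the real Crashtest Security ranges).
SCANNER_IPS = "192.0.2.10, 192.0.2.11, 198.51.100.0/28"

# Constructed: the load balancer(s) that terminate connections for the app.
TRUSTED_PROXIES = "10.0.0.0/24"


def parse_allowlist(csv: str) -> List[ipaddress._BaseNetwork]:
    """Turn a comma-separated list of IPs/CIDRs into ip_network objects.

    Single addresses become /32 (or /128) networks so one membership test
    works for both.  Malformed entries raise ValueError instead of being
    skipped: an allowlist that quietly loses entries is exactly the kind of
    misconfiguration that makes a scan fail verification later.
    """
    nets = []
    for raw in csv.split(","):
        entry = raw.strip()
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def _in_any(addr: ipaddress._BaseAddress, nets) -> bool:
    return any(addr in net for net in nets)


def client_ip(peer_ip: str, x_forwarded_for: Optional[str], trusted_proxies) -> str:
    """Return the address that should be evaluated against the allowlist.

    X-Forwarded-For is only honoured when the TCP peer is a trusted proxy;
    otherwise any client could set the header and claim to be the scanner.
    Behind a trusted proxy the client is the right-most hop that is not
    itself one of our proxies.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, trusted_proxies) or not x_forwarded_for:
        return peer_ip
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in_any(ipaddress.ip_address(hop), trusted_proxies):
            return hop
    return peer_ip


def is_scanner(peer_ip: str, x_forwarded_for: Optional[str] = None) -> bool:
    """True if the effective client address is in the scanner allowlist."""
    allow = parse_allowlist(SCANNER_IPS)
    proxies = parse_allowlist(TRUSTED_PROXIES)
    addr = ipaddress.ip_address(client_ip(peer_ip, x_forwarded_for, proxies))
    return _in_any(addr, allow)


if __name__ == "__main__":
    print(is_scanner("192.0.2.10"))                      # direct hit
    print(is_scanner("203.0.113.7", "192.0.2.10"))       # spoofed header, ignored
    print(is_scanner("10.0.0.5", "192.0.2.10"))          # via trusted proxy
```

The same logic applies whether the rule lives in a firewall, a load balancer ACL, or application middleware: the decision is made on the address the scanner actually connects from, not on a header that any client can supply.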
How should I interpret the error messages during my scans, and what should I do?
If the scan configuration is incorrect, or one of the scanners runs into a problem, you will receive an error message while the scan is running or after it finishes. In this wiki article, you can find a detailed list of the possible error names that can be returned, along with suggested next steps for getting the scan to complete.
What should I do when I receive the Error Message: "Failed to verify the scan targets"?
First, check whether the verification file has been uploaded correctly. If it has, make sure the website is accessible to the scanner by checking the following:
- The website should be publicly accessible.
- If it is protected by a firewall, make sure that our IP addresses are whitelisted (see the IP addresses provided above).
- If the application uses HTTP Basic Authentication, the credentials must be configured first.
What should I do when I receive the Error Message: "Scanner could not log in"?
Make sure that the website is accessible to the scanner by checking the following:
- The website should be publicly accessible.
- If it is protected by a firewall, make sure that our IP addresses are whitelisted (see the IP addresses provided above).
- If the application uses HTTP Basic Authentication, check that the credentials are correct.
- If it is protected by a login form, ensure that the credentials are correct.
- If the authentication is token-based, ensure that the tokens stay valid long enough to run a scan (ideally 24h+).
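For the token-based case, the check below is an added example, not Crashtest Security code. It assumes the token is a JWT carrying the standard `exp` claim and reads only that claim; the signature is deliberately not verified, because the question here is how long the configured token lives, which the payload alone answers. The sample token is constructed inside the block with a dummy signature segment.

```python
"""Check that a bearer token will outlive a full scan.

Added example, not Crashtest Security code.  Assumption: the token is a JWT
with a numeric `exp` claim (Unix seconds).  The signature is not checked;
this only answers "how long does this token remain valid?".
"""
import base64
import json
import time
from typing import Optional

MIN_LIFETIME = 24 * 3600  # the article recommends 24h+


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_exp(token: str) -> int:
    """Return the `exp` claim of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = json.loads(_b64url_decode(parts[1]))
    if "exp" not in payload:
        raise ValueError("token has no exp claim; lifetime cannot be determined")
    return int(payload["exp"])


def remaining_lifetime(token: str, now: Optional[int] = None) -> int:
    """Seconds until the token expires (negative if it already has)."""
    now = int(time.time()) if now is None else now
    return jwt_exp(token) - now


def token_outlives_scan(token: str, now: Optional[int] = None,
                        minimum: int = MIN_LIFETIME) -> bool:
    """True if the token is still valid for at least `minimum` seconds."""
    return remaining_lifetime(token, now) >= minimum


def make_sample_jwt(claims: dict) -> str:
    """Build a constructed token for demonstration; the signature segment is
    a dummy because this example never validates it."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


if __name__ == "__main__":
    now = int(time.time())
    short = make_sample_jwt({"sub": "scanner", "exp": now + 3600})
    long_ = make_sample_jwt({"sub": "scanner", "exp": now + 48 * 3600})
    print("1h token ok for scan:", token_outlives_scan(short))    # False
    print("48h token ok for scan:", token_outlives_scan(long_))   # True
```

Run this against the token you intend to configure for the scan; if the remaining lifetime is below a day, the scanner is likely to lose its session partway through and report "Scanner could not log in".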
What should I do when I receive the Error Message: "Scan failed for unknown reasons"?
There can be several reasons for this error. First, check the following:
- The application is available.
- Login credentials are correct.
- IP addresses are whitelisted.
If all of these check out and the scan still fails, please contact support (firstname.lastname@example.org).
Why is my scan taking so long?
The full, invasive vulnerability scan can take longer than usual if your application is large or has a very large number of pages. It can also happen when the crawler cannot group the paths to the pages because of their complex structure. You can avoid this with the following actions:
- Group your pages in the "Grouped URL" setting. The pattern for grouping uses the asterisk as a placeholder for parts of the path.
- Add URLs to the "Denied URLs" section to reduce the scan scope manually before the scan starts.
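To make the effect of both settings concrete, here is an added example (not Crashtest Security code) that applies a list of grouped-URL patterns and denied URLs to a constructed set of crawled paths and returns the reduced list of scan targets. It assumes that an asterisk stands in for exactly one path segment and that a path belongs to the first pattern that matches it; whether the product's "Grouped URL" setting matches in precisely this way is an assumption of the example, not something the article states.

```python
"""Reduce a crawled URL set to scan targets using wildcard groups and denies.

Added example, not Crashtest Security code.  Assumptions: `*` matches one
path segment, and the first matching pattern wins.  The crawled paths,
patterns and denied URLs below are constructed for the demonstration.
"""
import re
from collections import OrderedDict
from typing import Dict, Iterable, List, Optional, Tuple

GROUPED_URLS = ["/products/*/reviews", "/products/*", "/users/*/profile"]
DENIED_URLS = ["/logout", "/admin/*"]

# Constructed sample of what a crawler might return for a small shop.
CRAWLED = [
    "/", "/products/1", "/products/2", "/products/2/reviews",
    "/products/3/reviews", "/users/alice/profile", "/users/bob/profile",
    "/users/bob/settings", "/logout", "/admin/users", "/about",
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Escape the literal parts of the pattern and turn each `*` into a
    single-segment wildcard, anchored to the whole path."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^/]+".join(parts) + "$")


def first_match(path: str, patterns: Iterable[str]) -> Optional[str]:
    """Return the first pattern that matches `path`, or None."""
    for pat in patterns:
        if pattern_to_regex(pat).match(path):
            return pat
    return None


def reduce_scope(crawled: Iterable[str], grouped: List[str],
                 denied: List[str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (targets, members).

    `targets` is the deduplicated list the scanner would work through;
    `members` maps each target to the concrete paths it stands for, which
    is useful for checking that a pattern did not swallow more than intended.
    """
    members: "OrderedDict[str, List[str]]" = OrderedDict()
    for path in crawled:
        if first_match(path, denied):
            continue  # denied paths leave the scope entirely
        key = first_match(path, grouped) or path
        members.setdefault(key, []).append(path)
    return list(members), dict(members)


if __name__ == "__main__":
    targets, members = reduce_scope(CRAWLED, GROUPED_URLS, DENIED_URLS)
    print(f"{len(CRAWLED)} crawled paths -> {len(targets)} scan targets")
    for target in targets:
        print(f"  {target:<24} covers {members[target]}")
```

With the constructed input the 11 crawled paths collapse to 6 targets. Reviewing the `members` map before a scan is the quickest way to spot a pattern that is too broad (for example a denied `/admin/*` that would also hide an endpoint you did want tested).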
If your web application is relatively small and the scan still takes unusually long, this might need an expert review. Please get in touch with support in this case (email@example.com).