This article collects questions you might ask yourself when using the Crashtest Security Suite and points you in the right direction.
How can I whitelist the Crashtest Security Scanners in my firewall?
Security Scanning is a sensitive issue that sometimes needs to be conducted for applications that are not publicly available. Therefore, we provide a set of static IP addresses to configure your network perimeter to allow our security scanner to access your applications. All requests from our security scanning engine originate from one of these IP addresses.
You may whitelist these IP addresses within your firewall or load balancer so that the security scanner can access your private applications, such as your staging system or internal applications:
Here are the IP addresses as a comma-separated list for easier copying into your firewall settings:
How should I interpret the error messages during my scans, and what should I do?
If the scan configuration is not done correctly, or there is a problem with one of the scanners, you will receive an error message while the scan runs or after it finishes. In this wiki article, you can find a detailed list of the possible error names that can be returned, along with suggestions for the next steps to take so that the scan can complete.
What should I do when I receive the Error Message: "Failed to verify the scan targets"?
First, check that the verification file has been uploaded correctly. If it has, make sure the website is accessible to the scanner by checking the following:
- The website should be publicly accessible.
- If it is protected by a firewall, please ensure that our IP addresses are whitelisted (check the IP addresses provided previously).
- If the application uses HTTP Basic Authentication, the credentials must be configured first.
What should I do when I receive the Error Message: "Scanner could not log in"?
You have to make sure that the website is accessible to the scanner. Check the following to make this possible:
- The website should be publicly accessible.
- If it is protected by a firewall, please ensure that our IP addresses are whitelisted (check the IP addresses provided previously).
- If the application uses HTTP Basic Authentication, check that the credentials are correct.
- If it is protected by a login form, ensure that the credentials are correct.
- If the authentication is token-based, please ensure the tokens remain valid long enough to run a full scan (ideally 24h+).
What should I do when I receive the Error Message "Scan failed for unknown reasons"?
There might be several reasons causing this error. First, make sure to check the following:
- The application is available.
- Login credentials are correct.
- IP addresses are whitelisted.
Please get in touch with our support team if all of these are checked and still not working.
Why is my scan taking so long?
The full, invasive vulnerability scan might take longer than usual if you have a large application or a vast number of pages. This can also happen if the crawler cannot group the paths to the pages because of their complex structure. You can avoid this by taking the following actions:
- Group your pages in the "Grouped URL" setting. The pattern for grouping uses the asterisk as a placeholder for parts of the path.
- Add URLs to the "Denied URLs" section so you can reduce the scan scope manually before the start.
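To illustrate how grouping and denied URLs shrink the scan scope, here is an added example (not Crashtest Security's own matching code). It assumes that an asterisk matches one or more characters inside a single path segment and that a denied URL is applied as a path prefix; the crawled paths, the patterns and the denied prefix are all constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample of paths a crawler might discover (not real scan data).
CRAWLED_PATHS = [
    "/products/1", "/products/2", "/products/3",
    "/users/alice/profile", "/users/bob/profile",
    "/admin/logs", "/admin/export",
    "/about",
]

# Hypothetical "Grouped URL" patterns and "Denied URLs" prefixes.
GROUP_PATTERNS = ["/products/*", "/users/*/profile"]
DENIED_PREFIXES = ["/admin/"]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a grouping pattern into an anchored regex.

    Assumption: '*' stands in for one or more characters within a single
    path segment, so it never crosses a '/'.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + "[^/]+".join(literal_parts) + "$")


def group_paths(paths, group_patterns, denied_prefixes):
    """Partition crawled paths into groups, ungrouped paths and denied paths.

    Denied prefixes are applied first so that excluded areas never count
    towards the scope; each remaining path joins the first pattern it matches.
    """
    compiled = [(pat, pattern_to_regex(pat)) for pat in group_patterns]
    groups = defaultdict(list)
    ungrouped, denied = [], []
    for path in paths:
        if any(path.startswith(prefix) for prefix in denied_prefixes):
            denied.append(path)
            continue
        for pat, regex in compiled:
            if regex.match(path):
                groups[pat].append(path)
                break
        else:
            ungrouped.append(path)
    return dict(groups), ungrouped, denied


def effective_scope(paths, group_patterns, denied_prefixes) -> int:
    """Number of distinct targets the scanner would work through:
    one per group plus every path that stayed ungrouped."""
    groups, ungrouped, _ = group_paths(paths, group_patterns, denied_prefixes)
    return len(groups) + len(ungrouped)


if __name__ == "__main__":
    groups, ungrouped, denied = group_paths(CRAWLED_PATHS, GROUP_PATTERNS, DENIED_PREFIXES)
    for pat, members in groups.items():
        print(f"{pat}: {len(members)} paths collapsed into one group")
    print("ungrouped:", ungrouped)
    print("denied:", denied)
    print("raw paths:", len(CRAWLED_PATHS),
          "-> effective scope:", effective_scope(CRAWLED_PATHS, GROUP_PATTERNS, DENIED_PREFIXES))
```

With the sample data the eight crawled paths collapse to three targets: two groups plus the single ungrouped `/about` page, while the `/admin/` area is left out entirely. The same function makes it easy to test a candidate pattern against your own crawl output before changing the scan configuration.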
If your web application is relatively small and usually scans without problems, this might need an expert review. Please get in touch with support in this case (firstname.lastname@example.org).