This article collects questions you might ask yourself when using the Crashtest Security Suite and points you in the right direction.
How can I whitelist the Crashtest Security Scanners in my firewall?
Security Scanning is a sensitive issue that sometimes needs to be conducted for applications that are not publicly available. In order to configure your network perimeter in a way that allows our security scanner to access your applications, we provide a set of static IP addresses. All requests from our security scanning engine originate from one of these IP addresses.
You may whitelist these IP addresses within your firewall or load balancer so that the security scanner is able to access your private applications such as your staging system or internal applications:
Here are the IP addresses as a comma-separated list for easier copying into your firewall settings:
What should I do when I receive the Error Message: "Failed to verify the scan targets"?
First, check that the verification file has been uploaded correctly. If it has, make sure the website is accessible to the scanner by checking the following:
- The website should be publicly accessible.
- If protected by a firewall, please make sure that our IP addresses are whitelisted (check the IP addresses provided previously).
- If the application uses HTTP Basic Authentication, the credentials need to be configured first.
What should I do when I receive the Error Message: "Scanner could not log in"?
You have to make sure that the website is accessible to the scanner. Check the following:
- The website should be publicly accessible.
- If protected by a firewall, please make sure that our IP addresses are whitelisted (check the IP addresses provided previously).
- If the application uses HTTP Basic Authentication, check that the credentials are correct.
- If protected by a login form, ensure that the credentials are correct.
- If the authentication is token-based, please ensure that the tokens are valid for long enough to run a scan (ideally 24h+).
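One way to check the token lifetime before starting a scan, as an added example that is not part of the Crashtest Security Suite: it assumes the token is a JWT carrying a standard `exp` claim, and the function names and sample tokens are constructed for illustration.

```python
import base64
import json
import time

MIN_SCAN_WINDOW = 24 * 3600  # the "ideally 24h+" guidance, in seconds


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def remaining_lifetime(token, now=None):
    """Seconds until expiry per the exp claim; None if the claim is absent."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    return None if exp is None else exp - now


def check_token(token, now=None, window=MIN_SCAN_WINDOW):
    """Classify a token as 'ok', 'too-short', 'expired' or 'unknown'."""
    left = remaining_lifetime(token, now)
    if left is None:
        return "unknown"  # no exp claim: lifetime cannot be read from the token
    if left <= 0:
        return "expired"
    return "ok" if left >= window else "too-short"


def make_sample(claims):
    """Build a constructed sample token with a dummy signature for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    for label, ttl in [("1h", 3600), ("48h", 48 * 3600), ("stale", -60)]:
        tok = make_sample({"sub": "scanner", "exp": now + ttl})
        print(f"{label:>5} token: {check_token(tok, now)}")
```

A result of `too-short` means the token is valid now but would expire before a 24-hour scan window ends; issue a longer-lived token for the scan account before starting.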
What should I do when I receive the Error Message "Scan failed for unknown reasons"?
There might be several reasons causing this error. First, make sure to check the following:
- The application is available.
- Login credentials are correct.
- IP addresses are whitelisted.
If all of these have been checked and the scan is still not working, please contact support (email@example.com).
Why is my scan taking so long?
The full, invasive vulnerability scan might take longer than usual if your application is very large or has an extremely large number of pages. This can also happen if the paths to the pages cannot be grouped together by the crawler due to their complex structure. To avoid this issue, take the following actions:
- Group your pages in the “Grouped URL” setting. The pattern for grouping uses the asterisk as a placeholder for parts of the path.
- Add URLs to the “Denied URLs” section so you can reduce the scan scope manually prior to the start.
If your web application has a relatively small size and usually scans quickly, this might need an expert review. Please contact support in this case (firstname.lastname@example.org).