Frequently Asked Questions (FAQ)

This article collects questions you might ask yourself when using the Crashtest Security Suite - and points you in the right direction.

How do I scan my web application for security vulnerabilities?

Scanning your web applications is super easy with the Crashtest Security Suite. Just register for our free trial, set up your project, and get results within 2 minutes. For a detailed work-through, please go to our user guide (also in German). 

How can I scan an API for security vulnerabilities?

All you need to scan your API is a documentation file, such as Swagger v2 or OpenAPI v3 - JSON or YAML file. The documentation needs to be accessible for our security scanner. This can be done by hosting the documentation somewhere or sending the documentation through our API when starting a scan.
Instead of crawling your web application for attack vectors, we get the attack vectors from your API documentation. Register for our free trial to scan your API now.

With APIs playing a more and more important role in today's technology, it is important to scan not only web applications, but also APIs for security vulnerabilities. This enables you to scan the backend and communication for mobile apps, such as Apple or Android, or HTTP-based IoT devices.

What is the difference between Single Page and Multi Page applications?

Multi Page applications (MPAs) use a standard html structure for their content. They consist of mulitple individual pages, which are loaded from the server when needed. Popular examples are applications created in PHP and Python with frameworks such as Laravel or Django.

Single Page applications (SPAs) use AJAX and HTML5 to build responsive apps. These apps send most of their content with the initial request and respond to most user input on the client side without loading additional content from the server. Typically, JavaScript frameworks such as React, Angular, Vue, or Ember are responsible for handling the heavy lifting on the client side for a single-page app.

This is an excellent article to get more details on the differences, pros and cons for SPAs and MPAs.

How do I test my Single Page application for security vulnerabilities?

With the Crashtest Security Suite, there is no difference between scanning a Single Page application or a Multi Page application. Just register for our free trial, set up your project, and get results within 2 minutes. For a more detailed work-through, please go to our user guide (also in German). 

What is the challenge in testing Single Page applications compared to Multi Page applications?

Due to their responsive nature, Single Page applications (SPAs) use asynchronous API requests for backend communication and manipulating the DOM tree for showing information in real-time. Traditional crawlers have problems understanding all the JavaScript used in such cases and find ways to navigate through the application. Other security scanners use manual click-throughs as a base for automated vulnerability scanner.

The Crashtest Security SPA crawler is the only software on the market that allows you to scan SPAs without click-through models. This enables much faster setup, better adaption to changes, and takes away a lot of effort required previously to scan SPAs.

Are Multi Page applications more secure than Single Page applications?

The answer to this question obviously depends on the individual application and the developer's carefulness, as well as used security measures.

One potential concern for Single Page applications is the exposure of sensitive data

If you're not carefully about what data is contained by the initial page load, you could easily be sending data that shouldn't necessarily be exposed to all users. Because the entire page isn't generally visible in the browser in an SPA, this can lull a careless developer into a false sense of security. (Quote from Stack Exchange)

What is vulnerability scanning?

Vulnerability scanning allows the user to scan software for security vulnerabilities. This can happen on an infrastructure (i.e. network or physical) or an application level. Crashtest Security allows it's users to scan applications in an automated, agile manner with easy integration in agile processes.

The manual approach to security testing is called penetration testing. This is a service performed by a person, taking between 5 and 20 days, depending on the scope of the test. Manual penetration tests often require a specific setup for each test and are not suitable for agile software release processes. However, manuel pentesters can cover individual application specific flaws and test for more OWASP categories, such as Broken Access Control.
Insufficient Logging and Monitoring, however, is something that requires an internal analysis of the processes and tools.

What does a vulnerability scanner do?

A vulnerability scanner identifies possible attack vectors in the web application or API. The vulnerability scanner then checks whether these attack vectors can be exploited.

Vulnerability scanning can either happen on a non-invasive or invasive basis. It is recommended to only run invasive scans in non-production environments to not harm live applications. For a complete list of our scanners, see our list of current scanners

Why do I need vulnerability scanning?

Vulnerability scanning provides a number of benefits:

  • Ease of use: Vulnerability scanners make it simple to set up a test without being a security expert
  • Results within seconds: As the scanners provide results in real-time and operate with parallel requests, the first results are available within seconds of the start.
  • Integration in CI/CD-toolchains: Due to the frequency of releases in agile development processes, it is important to ensure every release is tested for security vulnerabilities.This is only possible when security scans can be triggered and evaluated in an automated fashion.
  • No repeat setup effort: In contrast to manual security testing, vulnerability scan setup can be configured once and is then performed on the current software version automatically.

Is it difficult to set up a vulnerability scan?

No. We get you through the project setup within 2 minutes and promise results within 5 minutes of registration for the Crashtest Security Suite. In addition to the first security vulnerabilities, you also get remediation advice for any found issues.

How do I prepare my application for a vulnerability scan?

For a vulnerability scan, you should set up your application in a way, that the scan does not interrupt your service and you can go back to a working state in case of any issues during the scan:

  • Ensure that you have the permission to conduct a security scan against your application. Talk to all people concerned with the application such as developers, product owner or the infrastructure team.
  • Inform the monitoring team about the security scan, so that no real alert is fired when the security scan starts.
  • Scan your application on a test or staging system instead of the production system, when you are doing invasive security scans such as the Crashtest Security Full Scan.
  • Do a backup before the vulnerability scan, so that you can roll back the system to a working state if needed.
  • Create a Test User for the vulnerability scan, so that you have a separation of the test data of the vulnerability scan and the other (test) data of the system

What login methods do vulnerability scanners support?

Our vulnerability scanner supports a number of authentication methods:

  • HTTP Basic Authentication
  • Login Form Authentication
  • Parameter Authentication (HTTP Headers, GET-parameter, and (Session) Cookies)

How long does a vulnerability scan take?

Our quick, non-invasive vulnerability scan takes 2-5 minutes. The length of the full, invasive vulnerability scan depends on the size and number of found attack vectors of your application. Most of our scans are done in under 4 hours, but if you have a very large application, the scan might take longer.

What does a vulnerability scan cost?

You can get your first vulnerability scan for free in our 14-day free trial right now

We charge by the number of scan targets rather than the number of scans. This means you can continuously scan your web apps without having to worry about a large bill or limitations. Let us know your specific security challenge and we will find the right pricing together. Just get in contact with us.

How can I whitelist the Crashtest Security Scanners in my firewall?

Security Scanning is a sensitive issue that sometimes needs to be conducted for applications that are not publicly available. In order to configure your network perimeter in a way that allows our security scanner to access your applications, we provide a set of static IP addresses. All requests from our security scanning engine originate from one of these IP addresses.

You may whitelist these IP addresses within your firewall or load balancer so that the security scanner is able to access your private applications such as your staging system or internal applications:

  • 34.107.11.19
  • 34.107.25.100
  • 34.107.26.185
  • 34.107.70.133
  • 34.107.89.107
  • 34.107.116.11
  • 35.246.166.174

Here are the IP addresses as a comma-separated list for easier copying into your firewall settings:

34.107.11.19,34.107.25.100,34.107.26.185,34.107.70.133,34.107.89.107,34.107.116.11,35.246.166.174