How to Verify a Scan Target

In this article, we explain why it is important to verify your website, how to verify a scan target, and we show common troubleshooting steps.

Why The Verification Is Required to Start The Full Scan?


The verification is required in order to confirm the ownership of the website (scan target). Since the full scanner is an invasive scan, it cannot be run until it is certain that you are the owner of the website or that it is the website of one of your customers.

This HTML file is just a hash key file. The scanner reads it to find a match and only after that the scanner can start scanning. 

There are three ways to verify your scan target:

  • Via File Upload
  • Using API Endpoints
  • Manual Verification
Below we list the steps and conditions for these three verification processes and some common troubleshooting methods.

Verification via File Upload

Please execute the following steps to complete the verification of the scan target.
  1. Please download your unique verification file, which contains your confirmation code.
  2. Place the file in the root directory of your scan targets web server. The file should be reachable via: https://crashtest-security.com/crashtest-0ef19492.html
  3. Leave the file at this location. The file is checked before each security scan.
  4. Click the "Verify" button to start the verification.
File Upload Verification Method

Verification via API Endpoints

To verify using API endpoints, update your API to include any of the following GET statements:

Any of the API endpoints listed above should return the scan target verification hash. 

API Endpoints Verification Method

Manual Verification via Customer Support

Get in touch with our customer support if the automatic verification options are not possible for you. This feature is usually available to our Professional plan subscribers, but in some cases, we do a review and help you verify your scan target manually in some cases.

Manual Verification Method

What should I do when I receive the Error Message: "Failed to verify the scan targets"?

First, check if the verification file has been uploaded correctly. If this is not the case, make sure the website is accessible to the scanner by the following:

  • The website should be publicly accessible.
  • If protected by a firewall, please make sure that our IP Addresses are whitelisted ( check the IP addresses provided there).
  • When the application has an HTTP Basic Authentication, the credentials need to be first configured.

How should I interpret the error messages during my scans, and what should I do?

If the scan configuration is not done correctly, or there is a problem with one of the scanners, you will receive an error message while the scan is running or after it finishes. In this wiki article, you can find a detailed list of possible error names that can be returned, along with suggestions for the following steps to take to try and complete the scan.

For more information about Crashtest Security visit crashtest-security.com