This article explains why it is essential to verify your website how to verify a scan target, and we show common troubleshooting steps.
Why Is The Verification Required to Start The Full Scan?
The verification is required to confirm the ownership of the website (scan target). Since the full scanner is an invasive scan, it cannot be run until it is certain that you are the owner of the website or that it is the website of one of your customers.
This HTML file is just a hash key file. The scanner reads it to find a match, and only after that, the scanner can start scanning.
There are four ways to verify your scan target:
- Via File Upload
- Using API Endpoints
- DNS Verification
- Manual Verification
Verification via File Upload
- Please download your verification file, which contains your confirmation code.
- Place the file in the root directory of your scan targets web server. The file should be reachable via: https://crashtest-security.com/crashtest-0ef19492.html.
- Leave the file at this location. The file is checked before each security scan.
- Click the "Verify" button to start the verification.
Verification via API Endpoints
To verify using API endpoints, update your API to include any of the following GET statements:
Any API endpoints listed above should return the scan target verification hash.
Verification via DNS Record
To verify using a DNS record create a TXT record under the target's domain and set the verification hash as a value.
Manual Verification via Customer Support
Get in touch with our customer support if the automatic verification options are not possible for you. This feature is usually available to our Professional plan subscribers, but in some cases, we do a review and help you verify your scan target manually in some cases.
What should I do when I receive the Error Message: "Failed to verify the scan targets"?
First, check if the verification file has been uploaded correctly. If this is not the case, make sure the website is accessible to the scanner by the following:
- The website should be publicly accessible.
- If protected by a firewall, please make sure that our IP Addresses are whitelisted ( check the IP addresses provided there).
- When the application has an HTTP Basic Authentication, the credentials must be first configured.
How should I interpret the error messages during my scans, and what should I do?
If the scan configuration is not done correctly, or there is a problem with one of the scanners, you will receive an error message while the scan is running or after it finishes. In this wiki article, you can find a detailed list of possible error names that can be returned, along with suggestions for the following steps to take to try and complete the scan.