How to Start Scanning Quickly

Three short steps to get started with automated penetration testing: Login, Scan Target Setup, Scan Start.

Watch The Demo

Watch this 10-minute demo, which guides you through the basic features of the Crashtest Security Suite.

How to Setup An Account and Your First Scan Target

This guide explains how to set up the Crashtest Security Suite to get you started with automated penetration tests. Our security scanner is designed for a fast setup, and you should be able to run your first scan within 2 minutes. Let us guide you through the process: 

Step 1: Log in

To use the Crashtest Security Suite, log in with your user credentials at https://www.crashtest.cloud. You will be automatically redirected to the Create Scan Target page. If you see an empty dashboard, you can always click the Plus button or Create New Scan Target to create your first scan target.

Step 2: Create a Scan Target

Next, you need to define some general scan target parameters.

Define the Scan Target type

First, you define the type of project to be scanned. You can choose between:

  • Multi-Page Application
    A traditional application written in a server-side programming language. We will cover a multi-page application project in this quick setup.
  • JavaScript Application
    A web application that heavily uses JavaScript as a client-side language. These web applications usually load data asynchronously using AJAX or are Single Page Applications (SPAs).
  • Application Programming Interface (API)
    Here you can choose between REST API and Microservice Architecture. For this type of project, you need a Swagger 2.0 or OpenAPI v3 file that describes the API so it can be scanned properly. Please go to this link for more information on API scanning. If you need help with the setup, you can always contact our support for specific guidance on your situation.

Define the scan target details

Second, you define the basic information of your scan target:

  • Title
    The name of the scan target, which is shown in the dashboard and PDF report
  • Description
    Optional text to better identify your scan target
  • Protocol
    The protocol which will be used to scan your project (i.e., "http" / "https")
  • URL
    The domain name or IP address of the scan target. The security scanners will run all tests on this URL.

Define Scan Target Scope

Third, you define the scope for the scan you want to run.

  • "Quick Scan"
    This setting ensures that only the non-invasive scanners, such as fingerprinting, TLS/SSL, and Port Scan, will be executed.
  • "Full Scan"
    This choice executes all security scanners and should only be performed on easily reproducible staging systems with no live customer data.
    Our scanners may damage the tested system. The damage might include, but is not limited to, the following:
    • Sending arbitrary form requests that may pollute databases with random data
    • Creating workload spikes that might impact the user experience of other users when performing multiple requests at the same time (adjustable via "throttle"-setting)
    • Publishing production data (which might contain privacy-sensitive customer data) through altering SQL database requests

Please refer to our full list of scanners for a complete list of all security scanners and an overview of their settings.

Step 3: Verify Your Scan Target

To run a full scan, you will need to verify that you own or are associated with the scan target. This step allows us to ensure that no unauthorized personnel are running extensive vulnerability scans on your web application or API.

There are four ways to verify your scan target:

  • via file upload
  • using API endpoints
  • DNS verification
  • manual verification

This article explains in detail how this is done.

Step 4: Starting the Scan

And you are almost done! After creating the scan target, it will appear in the scan target list on your dashboard. Now you are ready to start your first scan. Press the "Start" button.

Alternatively, you can open the scan target page by clicking on the project name and then on "Start Scan".

We hope you found this user guide helpful. The next step in your journey to continuous security is interpreting your scan results.

If you have feedback of any sort, positive or negative, please write to us.

Happy automated pentesting!