What is Application Scanning

Application Scanning is a Dynamic Application Security Testing (DAST) tool that performs in-depth exploration and security assessment of your custom-built web application, thereby allowing deeper coverage of your assets.

Application Scanning allows you to:

  • Test for vulnerabilities specific to your web application. By actively exploiting the application we test for cross-site scripting, SQL injection and path traversal, among others. We also scan for malware using VirusTotal and its antivirus solutions.

  • Decide when to scan. You can schedule scans on a daily, weekly or monthly basis, or start scans manually using the Detectify tool or the Detectify API. You can also stop these scans at any time.

  • Customize your scans. By creating Scan Profiles you have a high degree of flexibility in what to scan, how fast to perform scanning, and where scanning originates from.

Read more about Application Scanning features, or if you’re interested, you can set up Application Scanning using Scan Profiles, which you can find under Scan Management.

FAQ

Q: What is Dynamic Application Security Testing (DAST)?

A: DAST is the process of testing the security of your web application from the outside by performing simulated attacks in an automated way, similar to how malicious actors look for weaknesses. It is independent of your application and, unlike Static Application Security Testing (SAST), it does not require access to the source code.

Q: What should I secure with Application Scanning?

A: We recommend running Application Scanning on assets that host publicly accessible custom web applications, and on web applications you would like to test more thoroughly for vulnerabilities. Application Scanning can also test for vulnerabilities in content behind a login.

Q: Is it safe to scan my production environment?

A: We try to make our scanner as production-friendly as possible. This includes features such as limiting the scanner speed and keeping production servers in mind when developing all our payloads, so that they don’t cause any significant damage if something goes wrong. However, there are risks we cannot eliminate, because our tests need to be thorough. For example, we will test every button we find, so if you have a button that deletes all your data, we will press it.

The majority of our customers run our scans on their production servers without any problems. That said, we cannot guarantee that everything will go according to plan. If you are uncertain, try running Detectify on a developer instance or similar setup.

Q: Can I use Application Scanning on internal applications, such as a staging environment?

A: Application Scanning needs to access the website over the Internet, so if your web applications are not publicly accessible you need to allow access to them, for example by using a reverse proxy.
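The reverse-proxy approach mentioned above, as an added example that is not part of the original page or of Detectify's own documentation: an nginx server block that publishes an internal staging application on a public hostname while allowing only the scanner's source address to reach it, so the rest of the Internet still gets a 403. The hostname, certificate paths, backend address and the scanner IP (203.0.113.10) are placeholders; the real scanner address ranges are not given on this page and must be taken from your provider.

```nginx
# Added example (not Detectify's configuration). Exposes an internal staging
# app to a DAST scanner through a TLS-terminating reverse proxy, restricted
# by source IP. All values below are placeholders.
server {
    listen 443 ssl;
    server_name staging-scan.example.com;          # placeholder public hostname

    ssl_certificate     /etc/nginx/tls/staging.crt; # placeholder paths
    ssl_certificate_key /etc/nginx/tls/staging.key;

    # Allow only the scanner's source address; everyone else is denied.
    # Replace 203.0.113.10 with the scanner's published IP range(s).
    allow 203.0.113.10;
    deny  all;

    location / {
        # Internal staging application, not routable from the Internet.
        proxy_pass http://10.0.0.5:8080;           # placeholder backend

        # Preserve the original Host and client details so the app behaves
        # as it would for a direct request and logs the true source address.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Refuse plain HTTP so the scanner only ever sees the TLS endpoint.
server {
    listen 80;
    server_name staging-scan.example.com;
    return 301 https://$host$request_uri;
}
```

Because the scanner exercises every form and button it finds (see the production-environment question above), pointing it at a disposable staging copy behind a proxy like this also keeps any destructive actions away from production data; the `allow`/`deny` pair is what stops the exposed staging host from becoming a new public attack surface.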

Q: Can I test a Single Page Application (SPA) with Application Scanning?

A: To ensure better coverage of your SPA, we recommend that you turn on our Crawling beta features, which are better suited to JavaScript-heavy websites and SPAs.

Q: Can I test Web APIs with Application Scanning?

A: Application Scanning is not intended for APIs, so we cannot guarantee thorough testing of all API endpoints. However, if an API endpoint is found, it will be tested in the same way as other URLs in your web application.

Note that Application Scanning cannot detect API endpoints that are not reachable through links found while browsing the web application, or through any of the common URLs we test for. To specify such endpoints, read how to include or avoid URLs and paths in Application Scanning.