Why didn't my Application Scan have any URLs to test?

In the Scans page for Application Scanning, you can see the status of previous scans for a scan profile.

One potential warning that you might see here is "No URLs were found". This means that our crawler tried to access your site and find pages relevant for vulnerability testing, but found none. 

There are tests that Application Scanning can run without having any crawled URLs to go on, but typically, if there are no URLs to test, it's because access to the site is restricted in some way.

Examples of what could be wrong:

  • All site content is behind login, and no authentication settings have been set up for the scan profile.
  • The scan profile points to a site that didn't respond to the scan's requests.
  • The site the scan profile points to is blocking our scanner from accessing it.
  • The scan profile points to an endpoint that redirects outside of the scan profiles allowed scope. Application Scanning is allowed to go to subdomains of the scan profile endpoint, but it cannot go to sibling or parent domains. (a scan profile for www.example.com is not allowed to scan example.com)
  • The scan profile settings for "Which paths/URLs must we avoid?" and/or "Which subdomains must we avoid?" prevent the crawler from accessing anything.