The testing scope can be further influenced from the Scope settings screen. You can define URL patterns you would like to exclude explicitly, such as logout URLs. You can also create a whitelist filter with the "Include URLs" feature: here you declare the URL patterns that are the only ones included in the test, and all URLs that do not match this pattern list are excluded. While the security testing engine uses smart logic to find the right scope for your application automatically, it is always recommended to familiarise yourself with the target URL structure to ensure that only the most important parts are tested and that non-essential or dangerous features are excluded.
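To make the interaction between the two lists concrete, here is an added example (not the scanner's own code) of a scope filter that combines an "Include URLs" whitelist with exclude patterns. The pattern syntax is an assumption: the page does not define one, so the example uses simple glob patterns where `*` matches any run of characters, and it assumes that an exclude always wins over an include, and that an empty include list means "everything not excluded".

```javascript
// Added example: minimal scope filter combining "Include URLs" and exclude
// patterns. Glob syntax ("*" = any run of characters) and the precedence rules
// are assumptions; the original page does not specify them.

// Convert a glob-style pattern into an anchored RegExp.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*");                // then turn "*" into ".*"
  return new RegExp("^" + escaped + "$");
}

// Decide whether one URL is in scope.
// Assumed rules: exclude patterns always win; with an empty include list every
// URL not excluded is in scope; otherwise a URL must match an include pattern.
function inScope(url, includes = [], excludes = []) {
  if (excludes.some((p) => globToRegExp(p).test(url))) return false;
  if (includes.length === 0) return true;
  return includes.some((p) => globToRegExp(p).test(url));
}

// Apply the filter to a list of URLs and report what was kept and dropped,
// which is the check worth doing before an authenticated scan.
function filterScope(urls, includes, excludes) {
  const kept = [];
  const dropped = [];
  for (const u of urls) (inScope(u, includes, excludes) ? kept : dropped).push(u);
  return { kept, dropped };
}

// Constructed sample: an application under /app/, a logout link, an admin
// endpoint that must never be exercised, and an out-of-scope CDN host.
const sampleUrls = [
  "https://app.example.test/app/index",
  "https://app.example.test/app/profile?id=7",
  "https://app.example.test/app/logout",
  "https://app.example.test/admin/delete-all",
  "https://cdn.example.test/static/site.js",
];
const includes = ["https://app.example.test/app/*"];
const excludes = ["*/logout*", "*/admin/*"];

console.log(filterScope(sampleUrls, includes, excludes));
// kept: /app/index and /app/profile?id=7; dropped: logout, admin, CDN
```

Note that the logout URL is dropped even though it matches the include pattern: keeping the exclude list authoritative is what prevents a scan from walking through a logout link and silently continuing unauthenticated.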

Authentication

Before starting the test you may wish to authenticate. Simply open another tab, navigate to the application you are testing and authenticate the same way you usually do from your browser. The Scanner will automatically pick up your current browser session and use it during testing. Ensure that your scope is configured to avoid following logout URLs. The Scanner will automatically avoid testing logout facilities it can successfully identify as such; this is a built-in feature.

Keep in mind that authenticated scans can be particularly destructive. Ensure that you are testing only non-production applications with the correct level of privileges. Failure to do so could result in damaging the live application. If in doubt, consult the vendor or development team to confirm that the application is fit for authenticated testing.

Testing

To kick off the test simply click the start button. The test starts immediately and you will see the report being generated on the fly. Details are not spared from the report: we offer full details for every discovered vulnerability, including the actual request that was used at the time of the test, the payload and the location where the payload was used. Relevant details are also conveniently organised for you. Errors, useful information and metadata are extracted during the scan and placed inside the report for inspection. This gives you very deep insight into how the scanner works, what it did and why it did it.

Unlike other web security tools, our philosophy is to ensure that you are in full control of the scanning process by being fully transparent about how the tool performs. Every request that the scanner generates is displayed in the "Transaction View". Each request can be fully inspected with the provided HTTP viewers. Query parameters, headers and the different body types are parsed and conveniently available to you. We even generate the code for you to repeat the request in your language of choice. Any details regarding the vulnerabilities identified with the selected request are also present, so you know exactly which request identified which vulnerability. Our motto is full transparency!
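As an added illustration of what the Transaction View does behind the scenes, the following code (written for this page, not the scanner's own parser or code generator) takes one captured HTTP request as raw text, breaks it into method, path, query parameters, headers and body, and emits a `curl` command line that replays it. The sample request, its host name and its cookie value are constructed for the example.

```javascript
// Added example: parse a captured HTTP/1.1 request and generate a replay
// command. Illustrative code only; not the scanner's Transaction View.

// Split a raw request into start line, header map, parsed query and body.
function parseRequest(raw) {
  const [head, ...bodyParts] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx > 0) {
      // header names are case-insensitive, so normalise them to lower case
      headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
    }
  }
  const [path, queryString = ""] = target.split("?", 2);
  const query = Object.fromEntries(new URLSearchParams(queryString));
  const body = bodyParts.join("\r\n\r\n"); // body may itself contain blank lines
  return { method, path, query, version, headers, body };
}

// Single-quote a value for a POSIX shell so payload characters survive intact.
function shellQuote(s) {
  return "'" + String(s).replace(/'/g, "'\\''") + "'";
}

// Build a curl command that replays the parsed request against its Host.
function toCurl(req, scheme = "https") {
  const host = req.headers["host"] || "HOST_PLACEHOLDER"; // placeholder if no Host header
  const qs = new URLSearchParams(req.query).toString();
  const url = `${scheme}://${host}${req.path}${qs ? "?" + qs : ""}`;
  const parts = ["curl", "-X", req.method, shellQuote(url)];
  for (const [name, value] of Object.entries(req.headers)) {
    if (name === "host" || name === "content-length") continue; // curl sets these itself
    parts.push("-H", shellQuote(`${name}: ${value}`));
  }
  if (req.body) parts.push("--data-binary", shellQuote(req.body));
  return parts.join(" ");
}

// Constructed sample transaction: a form POST with one query parameter and a
// body containing a single quote, to show that quoting is handled.
const sampleRaw =
  "POST /app/search?lang=en HTTP/1.1\r\n" +
  "Host: app.example.test\r\n" +
  "Content-Type: application/x-www-form-urlencoded\r\n" +
  "Cookie: session=CONSTRUCTED_SESSION_VALUE\r\n" +
  "Content-Length: 11\r\n" +
  "\r\n" +
  "q=it's+here";

const parsed = parseRequest(sampleRaw);
console.log(parsed);
console.log(toCurl(parsed));
```

The `Content-Length` and `Host` headers are deliberately left for `curl` to regenerate, since replaying a stale length with an edited body is a common source of confusing results; everything else, including the session cookie, is carried over so the replay exercises the same authenticated path the scanner saw.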