Checking scan coverage and addressing gaps

Checking scan coverage and addressing any gaps is crucial for ensuring the effectiveness of your security scans. This process involves verifying that the scan included all intended parts of the application or system and identifying any additional areas that might need to be included. By carefully reviewing the scan results and addressing any identified gaps, you can improve the accuracy of your security assessments and enhance overall protection.

This document explains how you can check scan coverage and what to do when scan coverage is not as expected.  

Checking scan coverage

To check a scan’s coverage, you can examine the Crawled URLs report or the Sitemap.

• Crawled URLs report: The Crawled URLs report helps check scan coverage by showing the full paths of all URLs examined and their status codes. It confirms which parts of the application or system were covered and reveals if any URLs returned errors or unexpected responses. By reviewing this data, you can ensure that all critical areas were scanned and identify any gaps or issues in the scan coverage.
• Sitemap: The sitemap provides a visual representation of all URLs included in the scan, showing the structure and hierarchy of the application or system. By reviewing the Sitemap, you can confirm that all intended areas were covered and identify any missing or unscanned sections. This helps ensure that the scan is comprehensive and allows you to address any gaps in coverage.

How to check scan coverage through the Crawled URLs report

1. Log in to Invicti Enterprise.
2. Select Scans > Recent Scans from the left-side menu.
3. Locate the scan you would like to review and select Report.

4. Select Export on the Scan Summary page that opens.

5. In the Report drop-down, select Crawled URLs.

6. Click Export to download the report.

7. Open the Crawled URLs report and examine the URLs, Status Code, and Response Time columns to assess the scan's effectiveness.

• The URLs column lists all the crawled paths, allowing you to verify that the scan included all relevant areas of the application or system.
• The Status Code column provides the HTTP response codes received from each URL, helping you identify any errors or issues encountered during the scan, such as '404 Not Found' or '500 Internal Server Error'.
• The Response Time column shows how long it took to receive a response from each URL. This information can help you spot any performance issues or delays in the system.

After reviewing these columns, refer to the concluding sections of this document for guidance on how to proceed when scan coverage is as expected, as well as what steps to take if the scan coverage does not meet your expectations.

How to check scan coverage through the Sitemap

1. Log in to Invicti Enterprise.
2. Select Scans > Recent Scans from the left-side menu.
3. Locate the scan you would like to review and select Report.

4. Scroll down to the Technical Report section and select the Sitemap tab.
5. Review the Sitemap to ensure that the scan has covered all major sections of your application. Use the arrows to expand and collapse folders within the Sitemap to check for vulnerabilities and their severity levels.

6. If a vulnerability was detected, click on the items in the Sitemap to open the Issue tab on the right for more information about the identified vulnerability. This allows you to assess which parts of your application need attention and address any security issues effectively.

Refer to the concluding sections of this document for guidance on how to proceed when scan coverage is as expected, as well as what steps to take if the scan coverage does not meet your expectations.

Scan coverage is as expected

If the scan coverage is as expected, analyze the scan results to identify any vulnerabilities or issues. Use the detailed information from the scan to evaluate the security posture of your application or system, prioritize remediation efforts based on the severity of the findings, and implement necessary fixes to enhance overall security. You can also refer to Reducing Scan Times to learn how to shorten the duration of scans.

Scan coverage is not as expected

If scan coverage is not meeting your expectations, there are several aspects you can investigate. This section provides a detailed exploration of these areas.

Check if authentication is required

Check if your web application requires authentication. If it does, confirm that the authentication requirements are correctly configured in the scan profile and functioning properly. For more information, refer to our Configuring and Verifying Form Authentication in Invicti Enterprise documentation.  

Verifying authentication can help when coverage is not as expected by ensuring the scanner is configured correctly for login and session management. Proper authentication setup allows the scanner to access all areas of the web application, including password-protected sections. If authentication is not configured correctly, the scanner may miss these areas, leading to incomplete coverage. By confirming that authentication is correctly set up and functioning, you ensure that the scanner can access all necessary parts of the application, thereby improving scan coverage and identifying any gaps.

Review out-of-scope links

The information on out-of-scope links tells you which URLs or sections of your application are excluded from the scan. By carefully reviewing this information, you can ensure that all relevant areas are included in your scan.

1. Select Scans > Recent Scans from the left-side menu.
2. Locate the scan you would like to review and select Report.

3. Scroll down to the Technical Report section and select Knowledge Base > Out of Scope Links.

4. Review the list of uncrawled links for insights into why the scan did not cover specific endpoints.

To amend the scan scope and include some of these out-of-scope links, refer to the Scan Scope document for detailed instructions on adjusting your scan settings.

Consider adding additional targets

When checking scan coverage, it's crucial to consider that applications may have multiple interconnected subdomains. Review the Out of Entered Path Below Scope section in the Out of Scope Links to determine if any subdomains were inadvertently skipped. If some subdomains are missing, consider adding them as additional targets to ensure comprehensive scan coverage.

Import API definition files

To improve coverage with API-based pages and ensure that essential endpoints are included in your scan, review the Out of Scope links or the Crawled URL report to identify which API endpoints might be missing. Then, adjust your scan profile settings to include these endpoints by importing links or API definition files. After configuring your scan, run it and review the results to confirm that all critical API endpoints were included. Check the scan report for missed endpoints or errors and adjust your configuration as needed.

Create a Business Logic Recording

When coverage is not as expected, it may be due to missing or incorrect sequences of events required to navigate from point A to point B within the application. To address this, you can create a Business Logic Recording (BLR) to capture and guide the necessary interactions for the scan. For detailed instructions, refer to Using the Business Logic Recorder.

Increase the crawling page limit

You can increase the crawling page limit if the Crawled URL report indicates that a substantial part of the target was not covered. Although the default limit is 2500 links, which is generally adequate, raising this limit can help ensure more thorough coverage.

To review the crawling page limit, follow these steps:

1. Select Policies > New Scan Policy from the left-side menu.
2. Select Crawling.

3. Amend the Crawling Page Limit as needed.

4. Click Save at the bottom of the page.