Scan Preferences
Scan jobs can be configured with the optional "preferences" object. If no "preferences" object is passed to a scanning job the default parameters are used.
scan_type
Parameter type: string
Users can choose between two scan types, "full" or "lite" scans. Lite scans have less features but complete much faster than "full" scans. To view the full list of features for each scan type please visit: Scan Features
| Allowed parameters |
|---|
full |
default |
lite |
sqli
Parameter value: sqli
Parameter type: boolean
Activates SQL Injection vulnerability detection task. This task is disabled by default as to not cause overload on production environments
| Allowed Parameters | Description |
|---|---|
false (default) | Disables SQL Injection vulnerability detection |
true | Enables SQL Injection vulnerability detection |
xss
Parameter value: xss
Parameter type: boolean
Activates XSS vulnerability detection task. This task is disabled by default as to not cause overload on production environments
| Allowed Parameters | Description |
|---|---|
false (default) | Disables XSS vulnerability detection |
true | Enables XSS vulnerability detection |
crawler_options
Parameter type: JSON
Specifies which tasks will be executed by VScanner's crawler
| Field name | Description | Allowed parameters (Bool) |
|---|---|---|
exposed_emails | Returns discovered emails found while crawling | Default: True |
open_redirect | Discovers open redirect vulnerabilities | Default: True |
exposed_apikeys | Returns discovered API Keys found while crawling | Default: True |
open_directory | Discovers open directories while crawling | Default: False |
exposed_information | Returns files and configurations found while crawling, such as .env files | Default: False |
backdoor_detection | Discovers backdoors that may be present while crawling, such as malicious php files left by hackers | Default: False |
search_url_malware | Discovers URLs used by known malicious Javascript scripts | Default: False |
Important Note:
Please note that enabling options which are disabled by default in the crawler might lead to a significant increase in requests to the target endpoint. Be mindful that setting these options to 'True' can generate a high volume of requests.
Example of a JSON that enables all crawler options:
cms_brute_force
Parameter type: integer
Initiates a brute force attack on identified CMS systems such as WordPress.
| Allowed parameters | Description |
|---|---|
0 (default) | Disables CMS brute force |
1 | Enables CMS brute force |
web_brute_force
Parameter type: integer
Initiates a brute force attacks on Basic access HTTP authentication
| Allowed parameters | Description |
|---|---|
0 (default) | Disables Basic auth brute force |
1 | Enables Basic auth brute force |
scan_speed
Parameter type: string
Determines the speed of the crawler.
| Allow parameter | Proc. concurrency | Proc. parallelism | Max. req/sec |
|---|---|---|---|
"sequencial" | 1 | 1 | 10 |
"slow" | 2 | 3 | 80 |
"moderate" | 5 | 5 | 40 |
"fast" | 10 | 10 | 150 |
scan_deep
Parameter type: integer
Indicates the crawl depth used by the scanner.
Default value: 3
search_in_web_cache
Parameter type: boolean
Indicate whether VScanner should scan for the target's web pages that are cached but not currently indexed on the live site. Due to the large number of web pages included in the scan, it will naturally take longer to complete.
| Allowed parameters | Description |
|---|---|
false (default) | Disables searching in cached pages |
frue | Enables searching in cached pages |
leak_data_usage
Parameter type: integer
If enabled, VScanner will check whether any discovered emails are listed in data breach databases.
| Allowed parameters | Description |
|---|---|
0 (default) | Disables searching in cached pages |
1 | Enables searching in cached pages |
Last updated