This article summarises questions users have when first start using Crashtest Security Suite and answers them.

How do I scan my web application for security vulnerabilities?

Scanning your web applications is super easy with the Crashtest Security Suite. Just register for our free trial, set up your project, and get results within 2 minutes. For a detailed walk-through, please refer to our user guide (also in German).

How can I scan an API for security vulnerabilities?

With APIs playing a more and more important role in today’s technology, it is important to scan not only web applications, but also APIs for security vulnerabilities. This enables you to scan the backend and communication for mobile apps, such as Apple or Android, or HTTP-based IoT devices.

All you need to scan your API is a documentation file, such as Swagger v2 or OpenAPI v3 – JSON or YAML file. The documentation needs to be accessible for our security scanner. This can be done by hosting the documentation somewhere or sending the documentation through our API when starting a scan.
Instead of crawling your web application for attack vectors, we get the attack vectors from your API documentation. Register for our free trial to scan your API now.

How do I test my Single Page application for security vulnerabilities?

Setting up a scan for your Single Page Application (SPA) is easy. Just register for our free trial and set up your project. After choosing “Web Application” for your Scan Target Type, be sure to select “JavaScript Application”. For best results,  add authentication credentials to your scan. For a more detailed walk-through, please go to our user guide (also in German).

How do I prepare my application for a vulnerability scan?

For a vulnerability scan, you should set up your application in such a way that the scan does not interrupt your service and you can go back to a working state in case of any issues during the scan:

  • Ensure that you have permission to conduct a security scan against your application. Talk to all people concerned with the application such as developers, product owner or the infrastructure team.
  • Inform the monitoring team about the security scan, so that no real alert is fired when the security scan starts.
  • When you are doing invasive security scans such as the Crashtest Security Full Scan, scan your application on a test or staging system instead of the production system.
  • Do a backup before the vulnerability scan, so that you can roll back the system to a working state if needed.
  • Create a Test User for the vulnerability scan, so that you have a separation of the test data of the vulnerability scan and the other (test) data of the system.

What login methods do vulnerability scanners support?

Our vulnerability scanner supports a number of authentication methods:

  • HTTP Basic Authentication
  • Login Form Authentication
  • Parameter Authentication (HTTP Headers, GET-parameter, and (Session) Cookies)

How long does a vulnerability scan take?

Our quick, non-invasive vulnerability scan takes 2-5 minutes. The length of the full, invasive vulnerability scan depends on the size and number of found attack vectors of your application. Most of our scans are done in under 4 hours, but if you have a very large application, the scan may take longer.

What does a vulnerability scan cost?

You can get your first vulnerability scan for free in our 14-day free trial right now.

We charge by the count of scan targets rather than the number of scans. This means you can continuously scan your web apps without having to worry about a large bill or limitations. Let us know your specific security challenge and we will find the right pricing together. Just get in contact with us.