Configure URLs for web application scans

Configure URLs in the Veracode Platform to control which pages the DAST scanner crawls and scans. Use the URL configuration options to allow additional URLs, exclude pages, upload crawl scripts, and control scan scope.

Allow URLs for DAST scans

By default, DAST only scans pages and requests that are subpaths of your target URL. Modern web applications often send requests to back-end APIs through JavaScript that may not be subpaths of the target URL. To include these APIs in your scan, add them to the allowed URLs list.

The allowed URLs list is used when following navigational links and redirects, and when determining which requests to scan. By default, you can add subdomains of your target URL. To add URLs from different domains, contact Veracode Technical Support to verify that you have permission to scan that domain.

Before you begin:

  • You must have a Veracode account with the Administrator, Creator, Submitter, or Security Lead role.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST.
  3. Locate the web application you want to configure. In the Actions column, select Configure.
  4. Select the URL Configuration tab.
  5. In the Allowed URLs section, select ADD URL.
  6. Select Protocol and enter the URL.
  7. Select OK.

Exclude URLs from DAST scans

To improve scanning speeds for web applications with many pages, add URLs to the Blocked URLs list to exclude them from the scan.

When you add a URL to the Blocked URLs list, the DAST scanner skips that URL and all of its subpaths. This is useful if your application has modules that you want to keep out of the scan.

Before you begin:

  • You must have a Veracode account with the Administrator, Creator, Submitter, or Security Lead role.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST.
  3. Locate the web application you want to configure. In the Actions column, select Configure.
  4. Select the URL Configuration tab.
  5. In the Blocked URLs section, select ADD URL.
  6. Select Protocol and enter the URL.
  7. Select OK.

Upload a crawl script

Provide Veracode with a crawl script containing the necessary input for the DAST scan engine to access all areas of the application. This ensures a comprehensive scan of your application.

Before you begin:

  • You must have a Veracode account with the Administrator, Creator, Submitter, or Security Lead role.
  • Ensure you have recorded the crawl script using the Selenium IDE with supported Selenium commands. Save it as an HTML or SIDE file (JSON format) with a maximum size of 5 MB.
  • Review the best practices.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST.
  3. Locate the web application you want to configure. In the Actions column, select Configure.
  4. Select the URL Configuration tab.
  5. In the Enterprise mode section, for Crawl Script, select the crawl script file from the File Explorer and upload it.
  6. For Crawl options, select Use the automated crawl engine in addition to the crawl script. To limit the scan to only the actions defined in the crawl script, select Scan only what is specified in the crawl script.
  7. Select SAVE.

DAST runs the crawl script during prescan and provides information about commands that might fail during the URL scan.

Control the scan scope

Use directory restrictions to define the scope of a scan. Select how the scan can crawl directories relative to the target URL.

Before you begin:

  • You must have a Veracode account with the Administrator, Creator, Submitter, or Security Lead role.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST.
  3. Locate the web application you want to configure. In the Actions column, select Configure.
  4. Select the URL Configuration tab.
  5. In the Enterprise mode section, for Directory Restrictions, select one of the following options:
    • Directory and Subdirectories: the scan crawls within the specified directory and any subdirectories, but not up from the starting point.
    • Directories only: the scan stays within the specified directory only, not crawling up or down.
    • No restrictions: the scan crawls up and down from the specified directory.
  6. Select SAVE.
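The following is an added example that models the scope rules described in the Allowed URLs, Blocked URLs, and Directory Restrictions sections above; it is not Veracode's implementation. It assumes that a blocked URL takes precedence over an allowed one, that "under" a URL means same scheme and host with a path prefix match, and that directory restrictions are measured from the directory of the target URL.

```python
from urllib.parse import urlparse

# Added model of the documented crawl-scope rules (not Veracode's code).
# Assumptions: blocked beats allowed; matching is by scheme + host + path
# prefix; directory restrictions are relative to the target URL's directory.

def _parts(url):
    p = urlparse(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path or "/")

def _under(url, base):
    """True if `url` is `base` itself or a subpath of it on the same host."""
    s1, h1, p1 = _parts(url)
    s2, h2, p2 = _parts(base)
    if (s1, h1) != (s2, h2):
        return False
    base_path = p2 if p2.endswith("/") else p2 + "/"
    return p1 == p2 or p1.startswith(base_path)

def _directory(path):
    return path[: path.rfind("/") + 1]

def in_scope(url, target, allowed=(), blocked=(), restriction="subdirectories"):
    """Decide whether the crawler would visit `url` under these settings.
    restriction: "subdirectories" (directory and subdirectories, the default),
    "directory" (directories only) or "none" (no restrictions)."""
    # Blocked URLs exclude that URL and every subpath, regardless of other rules.
    if any(_under(url, b) for b in blocked):
        return False
    # Allowed URLs (e.g. back-end APIs) extend scope beyond the target's subpaths.
    if any(_under(url, a) for a in allowed):
        return True
    scheme, host, path = _parts(url)
    t_scheme, t_host, t_path = _parts(target)
    if (scheme, host) != (t_scheme, t_host):
        return False
    t_dir = _directory(t_path)
    if restriction == "none":
        return True                         # may crawl up and down from the target
    if restriction == "directory":
        return _directory(path) == t_dir    # same directory only, no up, no down
    return path.startswith(t_dir)           # down into subdirectories, never up

if __name__ == "__main__":
    # Constructed sample configuration for illustration.
    target = "https://app.example.com/shop/"
    allowed = ["https://api.example.com/v1/"]
    blocked = ["https://app.example.com/shop/reports"]
    for u in ("https://app.example.com/shop/cart", "https://api.example.com/v1/items",
              "https://app.example.com/shop/reports/daily", "https://app.example.com/admin/"):
        print(u, "->", in_scope(u, target, allowed, blocked))
```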