If you’ve used our scanner you've likely noticed that coverage is a very important aspect of a scan.

As soon as your scan starts, you can download a provisory coverage report to get some sense of what is happening on your scan. Bear in mind, however, that this report might be subject to change until the scan is finished.

Once that happens, you can export the scan's detailed coverage report, where URLs scanned will be listed along with the ones that weren't scanned.

This acts as a tool for you to check if the scanner is reaching every endpoint possible and filtering them successfully.

How does the coverage work?

Before and while doing tests, the crawler will navigate your website to find every endpoint possible, while testing every input it might find. Then those URLs are sent to the scanner to be tested for any vulnerabilities.

Coverage is a fundamental aspect of a scan, as it may be the difference between a useful successful scan and an uninformative scan.

Finding your report

You can find your scan’s coverage next to the scan's report, and download it for further analysis.

By default, only the accepted endpoints are shown on the report. To include rejected endpoints on the report, go to your “Target Settings” and make sure to change the “Coverage Detail” under “Scanner”.

How do read the .csv file?

A Comma Separated Values (CSV) file is a plain text file that contains a list of data. A CSV file has a fairly simple structure. It’s a list of data separated by commas.

After downloading the desired file, you can open it on your terminal, text editor, or spreadsheet application.

It should look somewhat like this:

The first column is about the type of request the crawler made (HTTP requests such as GET, POST, PUT, DELETE, PATCH, etc.).

The second column regards the found/targeted URL. It's important to check this column to check if all the endpoints possible to your website are being reached.

The third and fourth columns are the request's response and its meaning. The most frequent responses are:

200 - OK
301 - Moved Permanently
302 - Found
307 - Temporary Redirect
308 - Permanent Redirect
401 - Unauthorized
403 - Forbidden
404 - Not Found
500 - Internal Server Error
503 - Service Unavailable

These requests are then accepted or rejected by the engine's standards. If the engine rejects an endpoint, it will provide a reason, such as:

  • is on keyword reject list

    • Meaning: Was rejected because the URL contains a keyword that is on our internal keyword reject list;

    • Words like "logout", "logoff" or "signout" are blocked, to ensure that the crawler doesn't lose its session.

  • file extension ignored

    • Meaning: Was rejected because the URL file extension is on our internal reject list.

    • Extensions such as .exe, .zip, and .tgz get rejected by the crawler.

  • is on user reject list

    • Meaning: Was rejected because the URL matches an item that is on the user's reject list.

  • deduplicated (simhash)

    • Meaning: The content structure of the endpoint's simhash was the same as another endpoint’s, so it was rejected

  • path limit reached

    • Meaning: The base URL (without fragments and query strings) reached the visit limit

  • query string limit reached

    • Meaning: The base URL with the same query string parameters (values excluded) reached the visit limit. The default limit is currently set as 2.

  • fragment limit reached

    • Meaning: The same base URL with fragments/hashes reached the visit limit

  • auto pattern limit reached

    • Meaning: This endpoint reached an automatic URL limiter limit; These limits detect IDs, hashes, slugs, localizations, UUIDs, etc.

  • path pattern limit reached

    • Meaning: This endpoint reached the user URL limiter limit

Examples

Here are a few examples to help you understand your coverage report:

  • "GET","http://example.com/product.php","200","accepted",""

A GET request to http://example.com/product.php responded with 200 (OK) and has been accepted to be tested for vulnerabilities by the scanner;

  • "POST","http://example.com/userinfo.php","302","accepted",""

A POST request to http://example.com/userinfo.php responded with 302 - Found and has been accepted to be tested for vulnerabilities by the scanner;

  • "GET","http://example.com/artists.php?artist=1","-","rejected", "deduplicated (simhash)"

A GET request to http://example.com/artists.php?artist=1 was rejected by the scanner because the endpoint's simhash was the same as another endpoint's;

  • "GET","http://example.com/showimage.php?file=./pictures/5.jpg","-","rejected","query string limit reached"

A GET request to http://example.com/showimage.php?file=./pictures/5.jpg was rejected by the scanner because the base URL with the query string reached the visit limit.

With this knowledge, you're now able to fully read your coverage feedback and identify any blind spots or misconfigurations of your target.

We'd also recommend you to visit our target and scope explanation guide to further understand a target's scope.

Did this answer your question?