Scans should cover as much of the target scope as possible to find the maximum number of vulnerabilities. Learn more about how to generate a coverage report and what the coverage report means.
The problem
When running a scan on a target, the coverage is low.
Troubleshoot the problem
To troubleshoot this problem, go through the following steps to identify the possible causes and respective solutions to fix it.
Step 1: Check for target authentication
If the target has authentication, check if the scan was able to log in:
In the Probely app, go to the TARGETS tab.
Identify the target in the list, and click on its name to see its details.
Click on SCAN ACTIVITY to see the list of scans.
Identify the scan in the list, and click on VIEW.
Click on CRAWLING REPORT to get the spreadsheet with the scanned URLs.
Identify URLs that are only available for authenticated users.
If no URLs for authenticated users are listed, the scan must have failed to log in.
Cause | Solution |
The scan failed to log in to the target. | Check the target authentication configuration. Learn more about Troubleshooting Target Authentication. |
Step 2: Check for missing SPA API
If the target is a SPA (Single-Page Application) with a backing API, check if the API is in a different URL. For example:
SPA URL: https://example.com
SPA API URL: https://api.example.com
If the backing API has a URL different from the SPA, Probely scans need to know the API URL to scan the SPA properly.
Cause | Solution |
The target is a SPA with its backing API in a different URL. | Go to the target settings, and add an extra host with the URL of the backing API. |
Step 3: Check for a blocking WAF
Check if scan requests started being blocked by a WAF after the scan started:
In the Probely app, go to the TARGETS tab.
Identify the target in the list, and click on its name to see its details.
Click on SCAN ACTIVITY to see the list of scans.
Identify the scan in the list, and click on VIEW.
Click on CRAWLING REPORT to get the spreadsheet with the scanned URLs.
Check if, at some point, the URLs started having HTTP error status 403.
Open a browser in incognito mode, type those URLs to test them, and see if a WAF is blocking the access.
If a WAF starts blocking access to URLs, Probely cannot scan them.
Cause | Solution |
A WAF started blocking access to the URLs during the scan. | Add Probely’s IPs to the WAF’s whitelist. Learn more about How to configure Probely’s IPs in WAFs. |
Step 4: Check for blocking WordPress plugin
If the target is a WordPress site, check if scan requests are being blocked by a WordPress plugin (e.g., WordFence):
In the Probely app, go to the TARGETS tab.
Identify the target in the list, and click on its name to see its details.
Click on SCAN ACTIVITY to see the list of scans.
Identify the scan in the list, and click on VIEW.
Click on CRAWLING REPORT to get the spreadsheet with the scanned URLs.
Check if the URLs have HTTP error status 403.
Open a browser in incognito mode, type those URLs to test them, and see if a WordPress plugin is blocking the access.
If a WordPress plugin is blocking access to URLs, Probely cannot scan them.
Cause | Solution |
A WordPress plugin (e.g., WordFence) is blocking access to the URLs. | Configure the WordPress plugin to allow requests from Probely’s IPs. Refer to the article What is the scanner's outgoing IP address? |
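Steps 1 to 4 all come down to reading the crawling report the same way: look for URLs that only a logged-in user could reach, look for hosts other than the target (a SPA's backing API), and look for the point at which responses turn into 403s. The script below is an added example, not Probely's own code, that performs those three checks over a crawling report exported as CSV. It assumes the export has "url" and "status" columns in scan order (hypothetical column names; adjust them to the real export), uses a constructed sample report for a target at https://example.com, and assumes /account, /dashboard and /orders are the authenticated-only paths of that example target.

```python
"""Triage a crawling report CSV for the causes of low coverage (added example)."""
import csv
import io
from urllib.parse import urlsplit

# Constructed sample report: the SPA at example.com calls an API on
# api.example.com, and requests start returning 403 part-way through the scan.
# Column names "url" and "status" are an assumption about the export format.
SAMPLE_REPORT = """url,status
https://example.com/,200
https://example.com/login,200
https://example.com/about,200
https://api.example.com/v1/session,200
https://example.com/products,200
https://example.com/products/42,403
https://example.com/cart,403
https://example.com/checkout,403
"""

# Path prefixes reachable only after login (assumed for the example target).
AUTH_ONLY_PREFIXES = ("/account", "/dashboard", "/orders")


def parse_report(text):
    """Return the report as a list of (url, status) tuples in scan order."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((row["url"].strip(), int(row["status"])))
    return rows


def authenticated_urls(rows, prefixes=AUTH_ONLY_PREFIXES):
    """Step 1: URLs that only an authenticated user could reach.
    An empty list means the scan most likely never managed to log in."""
    return [url for url, _ in rows if urlsplit(url).path.startswith(prefixes)]


def extra_hosts(rows, target):
    """Step 2: hosts other than the target's that the crawl touched, such as a
    SPA's backing API. Each of these has to be added as an extra host."""
    target_host = urlsplit(target).netloc
    return sorted({urlsplit(url).netloc for url, _ in rows
                   if urlsplit(url).netloc != target_host})


def first_forbidden_run(rows, min_run=3):
    """Steps 3 and 4: index of the first URL after which every remaining
    response is 403 (at least min_run of them). A run of 403s that starts
    mid-scan points at a WAF or plugin that began blocking the scanner.
    Returns None when no such run exists."""
    for i in range(len(rows) - min_run + 1):
        if all(status == 403 for _, status in rows[i:]):
            return i
    return None


def triage(text, target):
    """Run all checks and return a dict of findings keyed by step."""
    rows = parse_report(text)
    blocked_from = first_forbidden_run(rows)
    return {
        "step1_authenticated_urls": authenticated_urls(rows),
        "step2_extra_hosts": extra_hosts(rows, target),
        "step3_4_blocked_from_url": None if blocked_from is None else rows[blocked_from][0],
    }


if __name__ == "__main__":
    for step, finding in triage(SAMPLE_REPORT, "https://example.com").items():
        print(f"{step}: {finding}")
```

On the sample report the script reports no authenticated URLs (check the login configuration), api.example.com as an extra host to add to the target settings, and https://example.com/products/42 as the first URL from which every response was 403, which is where to start checking the WAF or WordPress plugin logs.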
After following these steps, identifying the causes, and applying the respective solutions, scans should have the expected coverage for your targets.