Troubleshooting: Low coverage in a scan

Learn how to troubleshoot issues in a scan with low coverage.

Written by Jaime Vasconcelos
Updated over a week ago

Scans should cover as much of the target scope as possible to identify the maximum number of vulnerabilities. Learn more about how to generate a coverage report and what the coverage report means.

The problem

When running a scan on a target, the coverage is low.

Troubleshoot the problem

Work through the following steps to identify the possible causes and the solution for each.

Step 1: Check for target authentication

If the target has authentication, check if the scan was able to log in:

  1. In the Probely app, go to the TARGETS tab.

  2. Identify the target in the list, and click on its name to see its details.

  3. Click on SCAN ACTIVITY to see the list of scans.

  4. Identify the scan in the list, and click on VIEW.

  5. Click on CRAWLING REPORT to get the spreadsheet with the scanned URLs.

  6. Identify URLs that are only available for authenticated users.

If no URLs for authenticated users are listed, the scan must have failed to log in.

Cause: The scan failed to log in to the target.

Solution: Check the target authentication configuration.

Step 2: Check for missing SPA API

If the target is a SPA (Single-Page Application) with a backing API, check if the API is in a different URL. For example:

If the backing API has a URL different from the SPA, Probely scans need to know the API URL to scan the SPA properly.

Cause: The target is a SPA with its backing API in a different URL.

Solution: Go to the target settings, and add an extra host with the URL of the backing API.

Step 3: Check for a blocking WAF

Check whether a WAF began blocking scan requests after the scan started:

  1. In the Probely app, go to the TARGETS tab.

  2. Identify the target in the list, and click on its name to see its details.

  3. Click on SCAN ACTIVITY to see the list of scans.

  4. Identify the scan in the list, and click on VIEW.

  5. Click on CRAWLING REPORT to get the spreadsheet with the scanned URLs.

  6. Check if, at some point, the URLs started having HTTP error status 403.

  7. Open a browser in incognito mode, type those URLs to test them, and see if a WAF is blocking the access.

If a WAF starts blocking access to URLs, Probely cannot scan them.

Cause: A WAF started blocking access to the URLs during the scan.

Solution: Add Probely’s IPs to the WAF’s whitelist.

Step 4: Check for a blocking WordPress plugin

If the target is WordPress, check if scan requests are being blocked by a WordPress plugin (e.g., Wordfence):

  1. In the Probely app, go to the TARGETS tab.

  2. Identify the target in the list, and click on its name to see its details.

  3. Click on SCAN ACTIVITY to see the list of scans.

  4. Identify the scan in the list, and click on VIEW.

  5. Click on CRAWLING REPORT to get the spreadsheet with the scanned URLs.

  6. Check if the URLs have HTTP error status 403.

  7. Open a browser in incognito mode, type those URLs to test them, and see if a WordPress plugin is blocking the access.

If a WordPress plugin is blocking access to URLs, Probely cannot scan them.

Cause: A WordPress plugin (e.g., Wordfence) is blocking access to the URLs.

Solution: Configure the WordPress plugin to allow requests from Probely’s IPs.
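
The crawling-report checks in Steps 1, 3 and 4 can be scripted once the report is saved as CSV. This is an added example, not Probely code: the column names `url` and `status`, the assumption that rows appear in request order, the sample rows and the function names are all assumptions.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample data. Assumed layout (not Probely's documented format):
# columns "url" and "status", rows in the order the scan requested them.
SAMPLE_REPORT = """url,status
https://app.example.test/,200
https://app.example.test/login,200
https://app.example.test/products,200
https://app.example.test/about,404
https://app.example.test/products?id=2,403
https://app.example.test/contact,403
https://app.example.test/search?q=a,403
"""

def load_rows(text):
    """Parse the report into (url, status) pairs, skipping malformed rows."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            rows.append((rec["url"].strip(), int(rec["status"])))
        except (KeyError, ValueError, AttributeError, TypeError):
            continue
    return rows

def authenticated_urls(rows, auth_prefixes):
    """Step 1: URLs whose path is under a prefix that requires login."""
    return [u for u, _ in rows
            if urlsplit(u).path.startswith(tuple(auth_prefixes))]

def blocking_onset(rows, min_run=3):
    """Steps 3-4: index of the first run of >= min_run consecutive 403s.
    0 = 403s from the first request, >0 = blocking began mid-scan,
    None = no sustained run (isolated 403s are ignored)."""
    run_start = None
    for i, (_, status) in enumerate(rows):
        if status != 403:
            run_start = None
            continue
        if run_start is None:
            run_start = i
        if i - run_start + 1 >= min_run:
            return run_start
    return None

if __name__ == "__main__":
    rows = load_rows(SAMPLE_REPORT)
    print(authenticated_urls(rows, ["/account", "/admin"]), blocking_onset(rows))
```

An empty list from `authenticated_urls` corresponds to the failed-login case in Step 1; the URLs from the index returned by `blocking_onset` onward are the ones to retest in an incognito browser window.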

After following these steps, identifying the causes, and applying the respective solutions, scans should have the expected coverage for your targets.
