Concepts
Targets
A target is the URL of a web application or website you want to scan. It acts as the starting point for scanning and managing vulnerabilities. Examples of targets include:
https://app.example.comhttp://example.com/app1https://example.com
By default, all URLs within the same domain are included in the scan, while URLs from different domains are excluded. You can refine the scope to specific subdomains or paths, such as https://admin.example.com or https://app.example.com/admin, in the Target Configuration section.
For example:
If your application makes API calls from https://app.example.com/admin to https://api.example.com, these are considered within scope as they share the base domain (example.com). For external resources hosted on different domains, such as third-party APIs or payment gateways (e.g., auth.example-auth.com or payments.thirdparty.com), you can explicitly include them in the Allowed Hosts section to ensure a thorough scan.
This ensures all necessary resources, including APIs and third-party services, are analyzed for vulnerabilities.
Target Verification
Target Verification is a critical step because you can't scan a website without proper authorization from the owner. Before initiating a scan, it’s crucial to verify ownership of the domain to prevent unauthorized scanning. Target verification ensures that you have the necessary permissions to test the target website or application, safeguarding ethical and responsible scanning practices. Verifying your target helps prevent abuse and ensures compliance with security policies.
Scans
A scan, or vulnerability scan, is an automated process that identifies, analyzes, and reports security flaws within a web application. Using specialized tools, scans examine an application’s infrastructure and configurations to uncover potential risks like misconfigurations, exposed sensitive data, outdated software, or unpatched vulnerabilities.
The primary purpose of scans is to help organizations proactively identify weaknesses before attackers can exploit them, enabling timely remediation and improving overall security.
In ZeroThreat, the Scans section provides a comprehensive overview of all active and completed scans. From here, you can monitor the progress of ongoing scans and access detailed reports by simply clicking on a specific scan.
Additionally, the Shared Scans menu allows you to view scan reports shared by other users. This is particularly valuable in collaborative environments, where team members or clients can access relevant scan results without needing to initiate their own scans.
Organization
Organizations in ZeroThreat provide a structured way to group users, projects, and targets under a single entity, simplifying management. This setup allows you to efficiently assign roles, manage permissions, and define scopes, ensuring users have the right level of access to the resources they need.
You can create multiple organizations within a single account, each operating independently. This flexibility lets you customize settings and permissions for specific teams or projects.
For example, if a developer only needs access to start scans and view reports for a particular project, you can assign them a Contributor role within that project without granting full account access.
Data Storage Location
Storage Location refers to the physical server where your scan data and user information are stored. Choosing the right storage location is vital, especially for organizations that must comply with regulations like GDPR, which mandate storing user data within specific geographic regions.
By selecting the appropriate storage location, you ensure your data is managed securely and in line with legal and compliance requirements.
Why Configure Technology Stack?
Configuring the technology stack to match your application is crucial for accurate analysis and actionable insights. When you specify the technologies used in your application, ZeroThreat AI can generate detailed executive summaries and tailored remediation steps that align with your setup.
To get the best results, select the technologies that reflect your application’s stack. For example, if your application uses server-side technologies like PHP or ASP.NET, ensure you choose the corresponding options in both the Frontend and Backend dropdown menus. This allows the ZeroThreat AI to provide precise, relevant recommendations and improve the effectiveness of your scans.
Now that you’ve understood everything about the key concepts of security scanning your application with ZeroThreat, you’re ready to dive into action.
Head over to Quick Scan Guide to start your first scan.