DAST Scanning

Adjusting Scan Times


DAST Scan Modes as well as the size of the site being scanned both play a role in determining how long scans run.

SOOS has a maximum scan timeout limit of 180 minutes. If a scan does not complete within this timeframe, it produces an error indicating an incomplete status. The baseline scan mode typically takes ~2-4 minutes to complete; the fullscan and apiscan modes are more complex and take longer, and may exceed 180 minutes depending on the complexity and size (number of pages or endpoints) of the site/API being scanned. To stay within the limit, disable any rules you do not need (see Excluding DAST Scan Rules) and split the scan into logical sections by Excluding URLs From Being Scanned.

If DAST scans are being run locally, make sure the command window does not experience any kind of pause, for example when the screen lock engages. Pausing and restarting the command window could cause the scan to exceed the time limit.

Adjusting Scan Timing

The DAST scan timing can be configured beyond simply disabling rules, using the following configurations.

Max Active Rule Duration

Use the -config scanner.maxRuleDurationInMins=1 parameter to set the maximum time, in minutes, that each active rule is allowed to execute. This prevents rules from hanging or becoming unresponsive while waiting for the web application to respond, and helps produce more predictable and repeatable scan times for active scans.

Max Scan Duration

In some situations you may not want to wait for the full 180-minute timeout allowed by SOOS DAST scans. To configure a shorter timeout, use the -config scanner.maxScanDurationInMins=20 parameter to set the maximum number of minutes the entire scan is allowed to run.

Max Spider Duration

On larger sites, or when trying to run quick CI/CD scans, the -config spider.maxDuration=1 parameter limits how long the DAST scan will spend crawling the site to locate the resources and pages to include in the scan. In this example, the spider will crawl the site for a maximum of 1 minute before the actual scan starts against the located resources and pages.

This does not apply to API Scanning.

Combining the Options

docker run -it soosio/dast --clientId=<soos_client_id> --apiKey="<soos_apikey>" --projectName="<project_name>" --otherOptions="-z '-config scanner.maxRuleDurationInMins=1 -config scanner.maxScanDurationInMins=20 -config spider.maxDuration=1'" --scanMode=baseline https://url-to-test
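As an added example (this is not SOOS's own tooling, and the build_dast_cmd function and SOOS_MAX_SCAN_MINS variable are names assumed here), the POSIX shell function below assembles the docker invocation shown above from CI variables. It checks the three timing values before anything runs: the scan budget must stay below the 180-minute SOOS limit so the scan finishes cleanly instead of erroring out as incomplete, a single rule or the spider cannot be given more time than the whole scan, and the spider option is dropped for apiscan mode, where it has no effect. The command is printed rather than executed, so it can be reviewed in a pipeline log before the real run.

```shell
#!/bin/sh
# Added example, not part of the SOOS documentation or product.
# Builds the "docker run ... soosio/dast" command with the three ZAP timing
# options and validates the values against the SOOS 180-minute scan limit.

SOOS_MAX_SCAN_MINS=180   # hard timeout stated in the SOOS docs

# build_dast_cmd CLIENT_ID API_KEY PROJECT RULE_MINS SCAN_MINS SPIDER_MINS SCAN_MODE URL
# Prints the docker command on stdout; returns 1 if the timing values are invalid.
build_dast_cmd() {
  client_id=$1; api_key=$2; project=$3
  rule_mins=$4; scan_mins=$5; spider_mins=$6
  scan_mode=$7; url=$8

  # every timing value must be a positive integer number of minutes
  for v in "$rule_mins" "$scan_mins" "$spider_mins"; do
    case $v in
      ''|*[!0-9]*) echo "timing values must be positive integers: '$v'" >&2; return 1 ;;
    esac
    [ "$v" -gt 0 ] || { echo "timing values must be > 0: '$v'" >&2; return 1; }
  done

  # design choice: keep the scan budget strictly below the SOOS limit so the
  # scan ends on our own timeout rather than the platform's incomplete-status error
  if [ "$scan_mins" -ge "$SOOS_MAX_SCAN_MINS" ]; then
    echo "maxScanDurationInMins must be below $SOOS_MAX_SCAN_MINS" >&2; return 1
  fi

  # a single rule or the spider cannot sensibly exceed the whole-scan budget
  if [ "$rule_mins" -gt "$scan_mins" ] || [ "$spider_mins" -gt "$scan_mins" ]; then
    echo "rule/spider duration exceeds scan duration" >&2; return 1
  fi

  zap_opts="-config scanner.maxRuleDurationInMins=$rule_mins -config scanner.maxScanDurationInMins=$scan_mins"

  # spider.maxDuration does not apply to API scanning, so omit it for apiscan
  if [ "$scan_mode" != "apiscan" ]; then
    zap_opts="$zap_opts -config spider.maxDuration=$spider_mins"
  fi

  printf "docker run -it soosio/dast --clientId=%s --apiKey=\"%s\" --projectName=\"%s\" --otherOptions=\"-z '%s'\" --scanMode=%s %s\n" \
    "$client_id" "$api_key" "$project" "$zap_opts" "$scan_mode" "$url"
}

# Stand-alone usage (placeholders, not real credentials):
# build_dast_cmd "<soos_client_id>" "<soos_apikey>" "<project_name>" 1 20 1 baseline https://url-to-test
```

In a pipeline, capture the output into a variable and run it only after it has been logged, so a misconfigured budget is caught in the job log rather than discovered three hours later as an incomplete scan.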