Verifying a domain
Before you can scan a domain on the Internet, ASoC must verify that you have permission to scan it. Verification is not needed for domains that are not available on the Internet (private sites).
Procedure
- In Settings > Domains, click Verify a new domain.
- Select your preferred verification method:
  - I'll add a verification file to my site's root folder
    - Click Download to save the file to your machine.
    - Add the file to the root directory of your site (make sure to add it in a location above all parts of the site that you will be scanning).
  - Send me an email with a verification link
    - Click Send email.
    - Open the email sent to you and click the link.
- Click Done.
  The site is added to the list of domains, with status "Pending". The first time you run a scan, ASoC will verify the file you added, and change the status to "Verified".
Example
If your app includes links to URLs outside the domain of the Starting URL, they must be verified to be included in the scan (unless they are private sites and you are using an AppScan Presence). Consider these examples:
Sub-domains:
The Starting URL is: http://a.com/home/.
The site has links to http://b.a.com, which is a sub-domain of a.com.
The sub-domain will be automatically included in the verification and scanning.
Parallel or parent domains:
The Starting URL: http://b.a.com/home/.
The site has links to a parallel domain http://c.a.com, or to parent domain http://a.com, and you want those links included in the scan.
- Verify a.com, OR
- Verify b.a.com and c.a.com, and when creating the scan in Create scan > Dynamic (DAST), clear the Include only links in and below this directory check box.
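To see ahead of a scan which linked hosts still need a verified domain, the sub-domain rule from the examples above can be applied to a list of links. This is an added example, not ASoC code: it assumes a host is covered when it equals a verified domain or is a sub-domain of one, and the function names and sample links (including nota.com) are constructed for illustration.

```python
from urllib.parse import urlsplit


def host_of(url):
    """Return the lower-cased hostname of a URL, without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_covered(host, verified_domains):
    """True if host equals a verified domain or is a sub-domain of one.

    Matching is done on whole DNS labels, so 'nota.com' is not treated
    as a sub-domain of 'a.com' just because the strings share a suffix.
    """
    host = host.rstrip(".").lower()
    for domain in verified_domains:
        domain = domain.rstrip(".").lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def unverified_hosts(links, verified_domains):
    """Return the sorted hosts in links that no verified domain covers."""
    hosts = {host_of(u) for u in links}
    hosts.discard("")  # relative or malformed links carry no host
    return sorted(h for h in hosts if not is_covered(h, verified_domains))


# Constructed sample links, modelled on the a.com examples above.
SAMPLE_LINKS = [
    "http://b.a.com/home/",
    "http://c.a.com/shop",
    "http://a.com/",
    "http://nota.com/login",      # shares a suffix with a.com, different domain
    "http://B.A.COM:8080/admin",  # case and port must not affect matching
]

if __name__ == "__main__":
    for verified in (["b.a.com"], ["b.a.com", "c.a.com"], ["a.com"]):
        print(verified, "->", unverified_hosts(SAMPLE_LINKS, verified))
```

Hosts that remain in the output are either outside your verified domains or are private sites, which the page says do not need verification.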