Troubleshooting
This page covers common issues you may encounter with Application Scanning and how to resolve them.
Connectivity Issues
Target Must Be Accessible from Ireland
Application Scanning runs from infrastructure located in Ireland by default. Your target application must be accessible from this region. If your application uses geo-blocking or IP-based access restrictions, ensure the scanner IPs are allowlisted.
Scanner IP Addresses
Allowlist the following IP addresses in your firewall, WAF, and any IP-based access controls:
| Region | IP Addresses |
|---|---|
| EU (Ireland) | 52.17.9.21 |
| USA | 107.20.158.220, 3.234.180.95, 34.234.177.119 |
| India | 13.126.5.12, 3.7.157.159, 3.7.173.162 |
User Agent
The scanner identifies itself with the following user agent string:
Mozilla/5.0 (compatible; Detectify) +https://detectify.com/bot/{token}

Where {token} is a unique identifier for your scan. You can use this user agent to create WAF exceptions or identify scanner traffic in your logs.
WAF and CDN Configuration
If your application is behind a WAF or CDN, ensure that:
- Scanner IP addresses are allowlisted and bypass WAF rules
- Rate limiting rules allow the scanner’s request volume
- Bot detection features have exceptions for Detectify’s user agent or IP addresses
- DDoS protection does not block sustained traffic from scanner IPs
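As an added example (not part of Detectify's documentation or tooling), the following script classifies access-log lines using the published scanner IPs and user agent above, so you can confirm the scanner actually reached the application and spot requests that carry the Detectify user agent but come from an unpublished source IP. It assumes nginx/Apache "combined" log format; the sample lines and the token value are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Scanner source IPs as published in the table above, keyed by region.
SCANNER_IPS = {
    "EU (Ireland)": ["52.17.9.21"],
    "USA": ["107.20.158.220", "3.234.180.95", "34.234.177.119"],
    "India": ["13.126.5.12", "3.7.157.159", "3.7.173.162"],
}
IP_TO_REGION = {ipaddress.ip_address(ip): region
                for region, ips in SCANNER_IPS.items() for ip in ips}

# The scanner's user agent; the trailing token is the per-scan identifier.
UA_RE = re.compile(r"^Mozilla/5\.0 \(compatible; Detectify\) "
                   r"\+https://detectify\.com/bot/(?P<token>\S+)$")

# Assumption: access logs are in nginx/Apache "combined" format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                    r'"[^"]*" "(?P<ua>[^"]*)"$')


def classify(line):
    """Classify one access-log line. Returns (verdict, scan_token, region)."""
    m = LOG_RE.match(line)
    if not m:
        return ("unparsed", None, None)
    try:
        region = IP_TO_REGION.get(ipaddress.ip_address(m["ip"]))
    except ValueError:
        return ("unparsed", None, None)
    ua = UA_RE.match(m["ua"])
    if ua and region:
        return ("scanner", ua["token"], region)      # genuine scanner traffic
    if ua:
        return ("spoofed-ua", ua["token"], None)     # Detectify UA, unpublished IP
    if region:
        return ("scanner-ip-other-ua", None, region) # published IP, unexpected UA
    return ("other", None, None)


def summarize(lines):
    """Count verdicts across a log to confirm the scanner actually reached you."""
    return Counter(classify(l)[0] for l in lines if l.strip())


# Constructed sample lines; the token value is a placeholder, not a real scan id.
SAMPLE_LOG = """\
52.17.9.21 - - [10/Mar/2025:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Detectify) +https://detectify.com/bot/EXAMPLE-TOKEN"
198.51.100.7 - - [10/Mar/2025:12:00:02 +0000] "GET /admin HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; Detectify) +https://detectify.com/bot/EXAMPLE-TOKEN"
203.0.113.5 - - [10/Mar/2025:12:00:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
""".splitlines()
```

Run `summarize(SAMPLE_LOG)` over your real log to see whether the "scanner" count is zero (traffic never arrived, so check the allowlist) or whether "spoofed-ua" entries exist (something is impersonating the scanner's user agent).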
Authentication Issues
Scanner Not Reaching Authenticated Pages
If the scan crawl map shows only public pages:
- Verify the Recorded Login works by using the Test login feature in authentication settings
- Check that the logout URL is excluded from the scan scope
- Ensure the test account credentials have not changed since the login was recorded
- Verify the test account has not been locked or disabled
Session Expiring During Scan
If the scanner repeatedly loses its authenticated session:
- Extend session timeout for the test account if possible
- Verify the session is not bound to a specific IP (scanner IPs differ from your recording IP)
- Check for idle timeout settings that may expire the session between requests
- Add re-authentication triggers in your scan profile settings
CAPTCHA and Anti-Bot Protection
CAPTCHAs and anti-bot systems prevent automated login and crawling. To scan applications with these protections:
- Disable CAPTCHA for the test account — Most CAPTCHA providers allow IP-based or account-based exceptions
- Allowlist scanner IPs in your anti-bot system — Add Detectify’s IPs to your bot management platform’s allowlist
- Use reCAPTCHA’s testing keys — Google reCAPTCHA provides test keys that always pass validation
If you cannot disable these protections, the scanner will be unable to authenticate and will only test unauthenticated pages.
Crawling Issues
Single-Page Application State Loss
SPAs that use client-side routing and state management can sometimes confuse crawlers. Symptoms include:
- Crawl map showing very few pages despite a large application
- Missing routes that are only accessible through JavaScript navigation
- Repeated visits to the same page with different URL fragments
Resolution: Verify that your SPA’s routes are accessible via direct URL navigation. If certain areas require specific state that cannot be reached through URL navigation alone, use Recorded Crawling to guide the scanner through those paths.
Slow Crawling
If scans take excessively long:
- Review the scan scope to ensure it is not too broad (e.g., accidentally including third-party domains)
- Check request throttling settings — very low RPS increases scan duration significantly
- Verify the application is responding promptly to scanner requests
- Exclude paths that generate unlimited dynamic content (e.g., calendar views that paginate infinitely)
Incomplete Coverage
If the scanner is not finding pages you expect:
- Check that the pages are linked from other pages or accessible from the start URL
- For authenticated content, verify the scanner is maintaining its session
- Use Recorded Crawling to guide the scanner to hard-to-reach areas
- Review the scope exclusions to ensure desired paths are not accidentally excluded
Protocol and Technology Considerations
HTTP-Based Testing
Application Scanning is optimized for HTTP-based interactions, which covers the vast majority of web application attack surface. For applications that also use WebSocket connections, HTTP-based endpoints and pages are fully tested, and WebSocket upgrade endpoints are discovered during crawling.
Applications Requiring Client Certificates
If your application requires mutual TLS (client certificate authentication), the scanner may not be able to connect. Contact Detectify support to discuss options for scanning client-certificate-protected applications.
Finding Issues
Unexpected False Positive
While Application Scanning maintains an approximately 99.7% true positive rate, occasional false positives can occur. If you believe a finding is a false positive:
- Review the proof-of-concept request and response carefully
- Reproduce the request manually to verify the behavior
- If confirmed as a false positive, report it through the finding’s feedback option
Missing Expected Vulnerabilities
If you know a vulnerability exists but the scanner did not report it:
- Verify the vulnerable page is within the scan scope and was crawled
- Check if the vulnerability requires a specific sequence of requests that the crawler may not have replicated
- Some vulnerability types require specific preconditions that the automated scanner may not establish
- The vulnerability may be in a technology or protocol not covered by current modules
Next Steps
- Configuration — Adjust scanner settings
- Authentication — Fix authentication configuration
- Results — Understanding scan findings