StackHawk

Why do I see unexpected URL’s in the Paths tab under Scan Details for a particular scan?

URL's on the site that a web spider should find

URL's contained in the API configuration (<a href="https://docs.stackhawk.com/hawkscan/configuration/openapi-configuration.html#openapi-configuration" rel="nofollow noopener noreferrer" target="_blank">OpenAPI spec</a> or <a href="https://docs.stackhawk.com/hawkscan/configuration/graphql-configuration.html#graphql-support" rel="nofollow noopener noreferrer" target="_blank">GraphQL schema</a>) configured for the application in stackhawk.yml

- URL's on the site that a web spider should find
- URL's contained in the API configuration (<a href="https://docs.stackhawk.com/hawkscan/configuration/openapi-configuration.html#openapi-configuration" rel="nofollow noopener noreferrer" target="_blank">OpenAPI spec</a> or <a href="https://docs.stackhawk.com/hawkscan/configuration/graphql-configuration.html#graphql-support" rel="nofollow noopener noreferrer" target="_blank">GraphQL schema</a>) configured for the application in stackhawk.yml

For example, for a particular API endpoint (/id), multiple variants show up in the Paths tab:

https://app1234.example.com/id/complete?query%5B%24queryone%5D=<br><br>https://app1234.example.com/id/complete?query%5B%24querytwo%5D=.*

The Paths tab represents a full listing of all URL's that HawkScan <b>found and tested</b> in various ways throughout the scanning process.

In other words, the URL's in the Path sections are not simply the list of base path URL's that HawkScan's spider found on the site and those that are contained in an OpenAPI configuration supplied to the scanner.

Factors that result in URL's appearing in the Paths tab:

URL's found by the HawkScan's <a href="https://docs.stackhawk.com/hawkscan/configuration/#hawkspider" rel="nofollow noopener noreferrer" target="_blank">web spider</a> (the default basic spider or the optional ajax spider)

API paths supplied by a configured <a href="https://docs.stackhawk.com/hawkscan/configuration/openapi-configuration.html#creating-an-openapi-spec" rel="nofollow noopener noreferrer" target="_blank">OpenAPI spec</a> (or <a href="https://docs.stackhawk.com/hawkscan/configuration/graphql-configuration.html#graphql-configuration" rel="nofollow noopener noreferrer" target="_blank">GraphQL schema</a>)

The number of tests that HawkScan runs during the scanning process

- this is influenced by the <a href="https://docs.stackhawk.com/web-app/tech-flags.html" rel="nofollow noopener noreferrer" target="_blank">Technology Flags configuration</a>
  - for instance, various versions of SQL Injection when multiple database types are configured

- URL's found by the HawkScan's <a href="https://docs.stackhawk.com/hawkscan/configuration/#hawkspider" rel="nofollow noopener noreferrer" target="_blank">web spider</a> (the default basic spider or the optional ajax spider)
- API paths supplied by a configured <a href="https://docs.stackhawk.com/hawkscan/configuration/openapi-configuration.html#creating-an-openapi-spec" rel="nofollow noopener noreferrer" target="_blank">OpenAPI spec</a> (or <a href="https://docs.stackhawk.com/hawkscan/configuration/graphql-configuration.html#graphql-configuration" rel="nofollow noopener noreferrer" target="_blank">GraphQL schema</a>)
- The number of tests that HawkScan runs during the scanning process
  - this is influenced by the <a href="https://docs.stackhawk.com/web-app/tech-flags.html" rel="nofollow noopener noreferrer" target="_blank">Technology Flags configuration</a>
    - for instance, various versions of SQL Injection when multiple database types are configured

In most cases, no specific action is required if additional / unexpected URL's appear in the Paths tab, other than reviewing the specific <a href="https://docs.stackhawk.com/hawkscan/viewing-scan-results.html#viewing-scan-results" rel="nofollow noopener noreferrer" target="_blank">scan results</a> as usual and tuning the Technology Flags configuration to test only the relevant technologies present in your application.

If instead you're not seeing all the URL's expected (e.g., API paths are missing), investigate whether the scanner is getting properly authenticated to the API during the scanning process.

See <a href="https://docs.stackhawk.com/hawkscan/authenticated-scanning/#authenticated-scanning" rel="nofollow noopener noreferrer" target="_blank">Authenticated Scanning</a> or launch the <a href="https://docs.stackhawk.com/hawkscan/authenticated-scanning/#launching-the-authenticated-scanning-guide" rel="nofollow noopener noreferrer" target="_blank">Setup Authenticated Scanning</a> wizard (Org--&gt;Applications--&gt;Dropdown Menu on a specific application) for more details. 

- See <a href="https://docs.stackhawk.com/hawkscan/authenticated-scanning/#authenticated-scanning" rel="nofollow noopener noreferrer" target="_blank">Authenticated Scanning</a> or launch the <a href="https://docs.stackhawk.com/hawkscan/authenticated-scanning/#launching-the-authenticated-scanning-guide" rel="nofollow noopener noreferrer" target="_blank">Setup Authenticated Scanning</a> wizard (Org--&gt;Applications--&gt;Dropdown Menu on a specific application) for more details. 

When generating a GraphQL schema, see <a href="https://intercom.help/stackhawk/en/articles/6194065-500-internal-error-when-attempting-to-scan-a-graphql-application-via-filepath" rel="nofollow noopener noreferrer" target="_blank">HawkScan fails with 500 Internal Error when attempting to scan a GraphQL application via filePath</a> to avoid schema parsing issues.

- When generating a GraphQL schema, see <a href="https://intercom.help/stackhawk/en/articles/6194065-500-internal-error-when-attempting-to-scan-a-graphql-application-via-filepath" rel="nofollow noopener noreferrer" target="_blank">HawkScan fails with 500 Internal Error when attempting to scan a GraphQL application via filePath</a> to avoid schema parsing issues.

Question:

Answer:

Additional Information: