This article applies to:

• App Scanner 8.x

Symptoms:

• You see the issue "first page restricted" on the assessment
• The issue detail appears as in the image below

Causes:

• The application URL redirects to another domain, and the Attack Boundary is set to 'Limit attacks to server of starting URL'. This setting restricts injections from being sent to any resource which is not on the original server.
• When a new assessment is created, the default attack boundary of 'Limit attacks to server of starting URL' is used.
• The "first page restricted" message will display when the first page of an application redirects to a different page on a separate domain or subdomain. This issue is most often seen when using a SSO service with your target application. Because the application URL immediately redirects to the authentication URL which is outside of the default Attack Boundary, the issue is seen. This issue is informing the user that the page App Scanner was redirected to will not be injected, but will be traversed.

Resolution:

You can remove this message by editing the Attack Boundary to include both the starting URL and the redirected host. This setting will result in both hosts being injected. 

Trustwave recommends you read about the Attack Boundary further before making changes. See the User Guide or the Related Article linked below.

Note:

This message does not mean the spider or interactive traversal were unable to traverse the page. It is only informing you that the page will not be injected.