Creating an Asset
To start scanning with Xint, you first need to register a site as an Asset. After that, when you want to scan the same site repeatedly, you don’t need to register it again — you just create a new scan under that Asset.
The Asset creation flow has 5 steps:
1. Target URL
Enter the URL that will serve as the starting point for the Asset and click the “Discover” button. Xint checks whether the URL you entered is reachable and automatically suggests recommended domains to include.
Advanced Options
These options fine-tune how Xint sends scan traffic. For typical sites, the defaults are fine.
Accept Insecure TLS Certificate
Xint’s scan engine validates HTTPS certificates when connecting to a website. If the target site’s TLS certificate has any issue, the connection is blocked for security reasons and the scan fails.
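Enabling this option skips certificate validation and proceeds with the connection. With validation skipped, the scan engine no longer verifies the identity of the server it connects to.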
When to enable this option
- Self-signed certificates: The certificate was issued by the site itself rather than a trusted Certificate Authority (CA).
- Expired certificates: The certificate’s validity period has passed.
- Hostname mismatch: The domain registered in the certificate doesn’t match the target URL.
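To find out which of the three cases above applies to a target before enabling the option, you can attempt a fully validated TLS handshake yourself. The script below is an added example, not part of Xint; the function names and the placeholder hostname are assumptions, and it relies only on Python's standard ssl module and OpenSSL's verification codes.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verification codes, grouped by the three cases listed above.
SELF_SIGNED = {18, 19}        # DEPTH_ZERO_SELF_SIGNED_CERT, SELF_SIGNED_CERT_IN_CHAIN
EXPIRED = {10}                # CERT_HAS_EXPIRED
HOSTNAME_MISMATCH = {62, 64}  # HOSTNAME_MISMATCH, IP_ADDRESS_MISMATCH


def classify(verify_code):
    """Map an OpenSSL verify code to one of the three cases, or 'other'."""
    if verify_code in SELF_SIGNED:
        return "self-signed"
    if verify_code in EXPIRED:
        return "expired"
    if verify_code in HOSTNAME_MISMATCH:
        return "hostname-mismatch"
    return "other"


def diagnose(host, port=443, timeout=5.0):
    """Attempt a validated TLS handshake and report why it fails, if it does."""
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "valid"
    except ssl.SSLCertVerificationError as err:
        # Most specific exception first: it subclasses SSLError and OSError.
        return f"{classify(err.verify_code)} ({err.verify_message})"
    except ssl.SSLError as err:
        return f"tls-error ({err.reason})"
    except OSError as err:
        return f"unreachable ({err})"


if __name__ == "__main__":
    # Usage: python tls_preflight.py scan-target.example 443  (placeholder hostname)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{target_port} -> {diagnose(target, target_port)}")
```

OpenSSL reports the first verification error it encounters, so a certificate with more than one problem shows only one of them here.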
User Agent
You can set the User Agent header Xint uses when sending HTTP requests during a scan.
Use this to scan with a mobile browser’s User Agent, or to insert a specific string for identifying requests in server logs.
HTTP Basic Authentication
Enable this option if HTTP Basic Authentication is required to access the site.
- Origin: If multiple URLs require Basic Authentication, set this value so that all URLs that need authentication are covered.
A separate option lets you route scan traffic through a specific Proxy URL.
This is useful when scanning targets that are only reachable through an internal network or restricted environment.
2. Scan scope
Xint only scans URLs that fall within the Scan scope. Recommended domains based on the Target URL are suggested automatically; add or remove entries to tailor the scope to your needs.
3. Vulnerability Categories
Specify which vulnerability categories to test for.
- Recommended (default): Uses the list of vulnerability categories recommended by the Xint team.
- Custom: Lets you choose exactly which categories to test for.
4. Allowed Scanning Time
If you want to restrict scanning to specific days and time windows, configure this option to control when scans may run.
Outside the allowed window, an in-progress scan is automatically paused and resumes when the next allowed window begins.
5. Name the Asset and Review
Give the Asset a name so you can identify it in the list, then review the values you entered in the previous steps.
When you’re done reviewing, click the “Create” button to create the Asset.
After the Asset is Created
Once the Asset is created, you can create the first scan against it right away. At scan time you’ll additionally specify execution-only options such as credentials (test accounts), Safe Mode, and an API document.
See Running a Scan for details.