Adding Domains
Overview
Domains represent the live environments where your application is deployed and accessible. Before Pensar can test your domains, they must be added to your project and verified using DNS TXT records. This verification process ensures you own or control the domains being tested.
Domain verification is required for both blackbox testing and whitebox testing against live environments.
Why Domain Verification?
Domain verification protects both you and other domain owners:
Verification ensures you control the domain before testing begins, preventing unauthorized security testing.
Protects other organizations from having their domains tested without permission.
Demonstrates due diligence and authorization for security testing activities.
Verification provides evidence of authorization, protecting against legal concerns about penetration testing.
Adding a Domain
Follow these steps to add and verify a domain:
Enter Domain Information
Provide the domain details:
- Domain URL: Just the domain name without protocol (e.g., app.example.com, not https://app.example.com)
- API Schema (Optional): Upload an OpenAPI/Swagger schema file (JSON or YAML) to help with endpoint discovery
- Sitemap (Optional): Upload a sitemap file (XML or TXT) to discover pages and routes
Configure Authentication & Testing Parameters
Optionally configure:
- Authentication Credentials: Username/password or bearer tokens with role and context
- Allowed Actions: Define what actions are permitted during testing (default includes read operations, authentication testing, injection testing)
- Disallowed Actions: Define prohibited actions (default includes DELETE operations, dropping tables, DoS attacks)
Get Verification TXT Record
Pensar generates a unique DNS TXT record for verification:
Record Type: TXT
Host: _pensar.app.example.com
Value: pensar=abc123xyz789...
Add DNS TXT Record
Add the TXT record to your DNS configuration. See DNS provider instructions below.
DNS TXT Record Format
The verification TXT record follows this format:
Note: The actual format is pensar=<token>, not pensar-verification=<token>. The exact host name pattern may vary slightly based on your DNS provider.
Examples
For different domain configurations:
Subdomain
Root Domain
With Port
Path
Domain: app.example.com
Or for some DNS providers:
DNS Provider Guides
Instructions for common DNS providers:
Cloudflare
- Log in to your Cloudflare dashboard
- Select your domain
- Navigate to DNS > Records
- Click Add record
- Configure the record:
- Type: TXT
- Name: _pensar-verify.app (or full: _pensar-verify.app.example.com)
- Content: pensar-verification=<your-token>
- TTL: Auto (or 3600)
- Click Save
- Wait 1-5 minutes for propagation
- Verify in Pensar Console
Cloudflare DNS typically propagates within 1-2 minutes.
AWS Route 53
- Open the Route 53 console
- Select Hosted zones
- Choose your domain’s hosted zone
- Click Create record
- Configure the record:
- Record name: _pensar-verify.app.example.com
- Record type: TXT
- Value: "pensar-verification=<your-token>"
- TTL: 300
- Click Create records
- Wait 5-10 minutes for propagation
- Verify in Pensar Console
Note: TXT values in Route 53 should be enclosed in quotes.
Google Cloud DNS
- Open the Cloud DNS console
- Select your DNS zone
- Click Add record set
- Configure the record:
- DNS name: _pensar-verify.app.example.com. (trailing dot)
- Resource record type: TXT
- TXT data: pensar-verification=<your-token>
- TTL: 3600
- Click Create
- Wait 5-10 minutes for propagation
- Verify in Pensar Console
Include the trailing dot in the DNS name for Google Cloud DNS.
GoDaddy
- Log in to your GoDaddy account
- Navigate to My Products > DNS
- Find your domain and click DNS
- Scroll to Records section
- Click Add > TXT
- Configure the record:
- Host: _pensar-verify.app (subdomain only, without main domain)
- TXT Value: pensar-verification=<your-token>
- TTL: 3600 seconds
- Click Save
- Wait 10-30 minutes for propagation
- Verify in Pensar Console
Note: GoDaddy can take longer to propagate DNS changes.
Namecheap
- Log in to Namecheap
- Navigate to Domain List
- Click Manage next to your domain
- Go to Advanced DNS tab
- Click Add New Record
- Configure the record:
- Type: TXT Record
- Host: _pensar-verify.app (subdomain part only)
- Value: pensar-verification=<your-token>
- TTL: Automatic (or 3600)
- Click the checkmark to save
- Wait 10-30 minutes for propagation
- Verify in Pensar Console
DigitalOcean
- Log in to DigitalOcean
- Navigate to Networking > Domains
- Select your domain
- Scroll to Add a record
- Configure the record:
- Type: TXT
- Hostname: _pensar-verify.app (or full subdomain)
- Value: pensar-verification=<your-token>
- TTL: 3600
- Click Create Record
- Wait 5-10 minutes for propagation
- Verify in Pensar Console
Other DNS Providers
For other DNS providers, follow this general process:
- Log in to your DNS provider’s control panel
- Find the DNS management or DNS records section
- Add a new TXT record with:
- Host/Name: _pensar-verify.<your-subdomain>.<your-domain>
- Type: TXT
- Value: pensar-verification=<your-token>
- TTL: 3600 (or default)
- Save the record
- Wait for DNS propagation (typically 5-30 minutes)
- Verify in Pensar Console
If you’re unsure about your DNS provider’s process, contact their support with the record details you need to add.
Verification Troubleshooting
If domain verification fails, try these steps:
Check DNS Propagation
DNS changes can take time to propagate globally:
- Local propagation: 1-5 minutes
- Global propagation: Up to 48 hours (typically 10-30 minutes)
Use these tools to check if your TXT record is visible:
- DNS Checker
- What’s My DNS
- Command line: dig _pensar-verify.app.example.com TXT
- Command line: nslookup -type=TXT _pensar-verify.app.example.com
Wait at least 10 minutes after adding the DNS record before attempting verification.
Verify Record Format
Ensure your TXT record is formatted correctly:
✅ Correct:
❌ Incorrect:
Common mistakes:
- Missing _pensar-verify prefix in host
- Missing pensar-verification= prefix in value
- Extra quotes around the value (some providers add them automatically)
- Incorrect subdomain in host
Check DNS Provider Settings
Some DNS providers have specific requirements:
- Trailing dots: Some providers require a trailing dot, others don’t
- @ symbol: Some use @ to represent the root domain
- Quotes: Some providers automatically add quotes to TXT values
- Multiple TXT records: Ensure your TXT record isn’t conflicting with others
Consult your DNS provider’s documentation for TXT record requirements.
Copy Token Carefully
The verification token must match exactly:
- Copy the full token from Pensar Console
- Don’t add extra spaces or line breaks
- Include the pensar-verification= prefix
- Don’t modify the token value
If verification still fails, try regenerating the verification token in Pensar Console.
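An added example (not Pensar's code) that turns the format checks above into a script: it parses `dig +short TXT` output and reports which of the listed mistakes applies. The function names, the placeholder `EXAMPLE-TOKEN` and the sample outputs are constructed for illustration; pass the exact value shown in Pensar Console as `expected`.

```python
import re

# One quoted character-string as printed by `dig +short TXT`, escapes allowed.
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_txt_answers(dig_output):
    """Return one decoded value per TXT record in `dig +short TXT` output."""
    values = []
    for line in dig_output.splitlines():
        parts = _STRING.findall(line)
        if parts:
            # A record split into several strings is read as their concatenation.
            # Only backslash-character escapes (\" and \\) are undone, not \DDD.
            values.append(re.sub(r"\\(.)", r"\1", "".join(parts)))
    return values

def diagnose(dig_output, expected):
    """Compare the records with the value copied from Pensar Console."""
    values = parse_txt_answers(dig_output)
    if not values:
        return False, ["no TXT record at this host (host prefix, subdomain or propagation)"]
    if expected in values:
        return True, []  # exact match on one of the records
    token = expected.split("=", 1)[-1]
    findings = []
    for value in values:
        if value.strip('"') == expected:
            findings.append("extra quotes stored inside the value")
        elif "".join(value.split()) == expected:
            findings.append("extra spaces or line breaks in the value")
        elif value == token:
            findings.append("value is missing its prefix before '='")
    return False, findings or ["TXT records found, but none matches the expected value"]

# Constructed sample data: EXAMPLE-TOKEN is a placeholder, not a real token.
EXPECTED = "pensar-verification=EXAMPLE-TOKEN"
SAMPLE_OK = '"unrelated-record"\n"pensar-verification=" "EXAMPLE-TOKEN"\n'
SAMPLE_QUOTED = r'"\"pensar-verification=EXAMPLE-TOKEN\""'

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("quoted", SAMPLE_QUOTED), ("empty", "")]:
        print(name, diagnose(sample, EXPECTED))
```

To check a live record, pass the output of `dig +short TXT` for your verification host as `dig_output`.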
Contact Support
If you’ve tried everything and verification still fails:
- Double-check all settings
- Confirm the DNS record is visible using DNS lookup tools
- Contact Pensar support with:
- Your domain name
- Screenshot of your DNS record configuration
- Results from DNS lookup tools
- Your DNS provider name
Managing Domains
Once domains are added, you can manage them in the Pensar Console:
View Domains
Edit Domains
Remove Domains
Re-verify Domains
See all domains associated with your project:
- Verification status (verified, pending, failed)
- Last tested date
- Number of findings per domain
- Environment type (staging, production)
- Authentication configuration status
Multiple Domains
Projects can have multiple domains for different purposes:
Test both environments separately:
- https://staging.example.com
- https://production.example.com
Verify findings in staging before production testing.
Test different application areas:
- https://app.example.com - Main application
- https://api.example.com - API server
- https://admin.example.com - Admin panel
Each requires separate verification.
Test across deployment targets:
- Development environment
- QA/Testing environment
- Staging environment
- Production environment
Track findings per environment.
Test geographic deployments:
- https://us.example.com
- https://eu.example.com
- https://asia.example.com
Ensure security across all regions.
Security Considerations
Production Testing: Be cautious when testing production domains. Consider:
- Testing during low-traffic periods
- Using staging environments when possible
- Configuring rate limits to prevent service disruption
- Notifying your team before production testing
TXT Record Visibility
DNS TXT records are publicly visible:
- Anyone can query your DNS TXT records
- The verification token doesn’t grant access to systems
- Records only prove domain ownership
- Safe to leave in place after verification
The token is safe to be public - it only verifies domain ownership, not system access.
Removing Verification Records
After verification, you can optionally remove the TXT record:
- Not required, record can stay indefinitely
- Needed if you want to re-verify in the future
- Removing it doesn’t affect existing tests
We recommend leaving it in place for continuous verification.
Next Steps
Configure authentication credentials for testing protected endpoints on your domains.
Start blackbox penetration testing on your verified domains.
Run whitebox tests against your live domains with source code analysis.
Return to the getting started guide to continue setup.