Post & Get is the default request type. The web crawler submits requests to all forms. For authentication, this option is recommended best practice to ensure maximum vulnerability analysis and the most comprehensive scan results.
Select None of you want no requests submitted to forms unless application authentication is requested, in which case only the login form will be tested.
Select Post to limit web crawling to POST forms.
Select Get to limit web crawling to GET forms.
Use this field to specify a user agent for scans using this option profile. Note that the value entered here will override any user agent specified in the web application settings under Header Injection.
User Agent example: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3
A parameter set tells us the request parameter settings you'd like us to inject into your web applications during scanning. We provide a default and it's easy to configure more. Just go to Configurations > Parameter Sets to add more. We use these parameters when we identify forms and other request parameters used by the web application being scanned. (These settings are not used for authentication or Selenium scripts.)
If you choose this option, we will not scan files with these extensions: pdf, zip and doc.
Forms considered unique are reported separately in your account. We’ll always use form field names to calculate form uniqueness. When you enable “Include form action URI” we’ll use form action URI and form field name for determining the uniqueness of a form.
Select this option to enable enhanced crawling for scans using this profile. With enhanced crawling enabled, we could cover links which are not detected organically but could have some vulnerabilities. We will re-crawl individual directories present in the links which are found during crawling.
Enhanced crawling adapts a directory chopping approach. For the links that are crawled and response for the requested link is received, the response will be the candidate for chopping. All the directories existing in the link will get chopped and all the newly generated links will get added to the crawl queue as requests.
Select this option to enable SmartScan for scans using this profile. SmartScan adds additional, more advanced scanning capabilities for testing web applications based on these frameworks: Angular JS, AJAX, Bootstrap, DWR and GWT.
Tell us the number of consecutive timeout errors allowed during the scan. If the count of timeout error exceeds the threshold, we will terminate the scan.
Tell us the number of consecutive unexpected errors allowed during the scan. If the count of unexpected error exceeds the threshold, we will terminate the scan.
Select an overall intensity level for the web application scan. Low is selected as a starting point. Your options are: Lowest, Low (initial setting), Medium, High and Maximum.
Specify an overall intensity level for the web application scan. Set # of HTTP Threads to tell us how many threads should be used to scan each host. Set the Delay between requests in milliseconds (the delay introduced by WAS in between the scanning engine requests sent to the applications server).
If you choose the password bruteforcing option, select User list to use a custom user-defined password bruteforce list and then select a list from the menu.
To use a service-provided list select System list, and then select one of the options provided:
Minimal (empty passwords + UID = password). Test the user name as a password and the empty password.
Limited (+ 10 most common passwords). Test the user name as a password, the empty password, plus the 10 most common passwords from our passwords list.
Standard (+ 20 most common passwords). Test the user name as a password, the empty password, plus the 20 most common passwords from our passwords list.
Exhaustive (will increase scan time). Test the user name as a password, the empty password, plus all passwords from our passwords list.
Custom. Test some custom number of password in addition to the user name and empty password. Tip - Use this option if you have a lockout mechanism for a number of failed attempts. When selected, enter the maximum number of passwords to be tested. If you enter 10, we'll test the user name as password, the empty password, plus the 8 most common passwords from our password list.