You can troubleshoot most scan problems by viewing the QIDs in the scan results. Go to Scans > Scan List, click the scan you want to troubleshoot, then click the View Report button in the preview pane.
See if the scan used the correct authentication record(s). When you open QID 150008 Web Application Authentication Failed. You’ll find the authentication record(s) in the Results section. If a Selenium script was used for authentication, open QID 150095 to see the Selenium script. Tell me more about Selenium Scripts
View the scan results report. In the details of QID 150008 you'll see the URI where our service attempted to log in. Check your web application to see if this is the correct URI for the login form.
How do I do this?
1) Go to the web application login form page in your browser.
2) Right click the login inputs form (generally the username and password fields) and choose"View Source".
3) Search for the keyword "<form"
4) If you see more than one result, see if <input type="password" is close by or between the opening <form and closing </form> tags that you found.
6) In that form look for the action keyword. A typical form would look like this:
<form action="/fo/user_login.php" method="POST">
7) See if the URI our service POSTed to (/fo/user_login.php in our example) matches the URI you see in the QID 150008.
Take these steps to determine the cause:
1) Verify in a browser that the IP address or FQDN and the provided port loads the web application.
2) Verify that the web application, as defined in your account, has the correct IP/FQDN and port.
3) Check if the web server is connected to the network.
4) Check to be sure the web server is up and running.
5) Check with the network administrator to ensure that the web application has the necessary access (IP address and port) from outside (if using the External scanners) or from the IP address assigned to the Scanner Appliance (if using a scanner appliance).
One of two things happened if your scan results report QID 150018 Connection Error Occurred During Scan. Either 1) your scan didn’t reach the maximum number of connection errors/timeouts and the scan was able to finish properly, or 2) your scan reached the maximum number of connection errors/timeouts and therefore did not finish the whole scan as expected. What can I do about it?
Here are some common causes:
- Slow network connections, such as scanning across a WAN link, can increase the time it takes to make each request.
- Slow responsiveness from the web application.
- Maximum crawl requests setting is too high in the option profile.
- Web application contains a lot of parameters (URIs and forms). The number of parameters directly affects the number of tests to be performed and, in turn, increases the overall scan time.
When a scan times out, you can determine where it stopped by reviewing QID 150021 Scan Diagnostics. Learn more
There are several ways to do this:
Reduce the number of vulnerability-related QIDs selected for the scan
This is the recommended solution by far because it does not rely on omitting links from the scan. The rule of thumb on how to select QIDs efficiently is to determine where the scan stopped, then create an option profile containing only the missing QIDs for the next scan. If the scan times out again, create more option profiles each with only one or two vulnerability-related QIDs.
Reduce the maximum number of links to crawl (in the option profile)
Crawling fewer links reduces the number of requests that must be made for crawling and performing tests. Selecting too few links to crawl may cause the scanner to miss portions of the web application. Links that are not crawled are links that are not tested.
Block HTML form submissions (using a POST data Exclude List in web application settings)
By doing this you prevent all the tests against forms, which gains time. But any vulnerability in a form will go undetected.
Add unnecessary sections of the web application to exclude list
This measure can reduce scan time by reducing links crawled. But remember that links that are not crawled are also not tested for vulnerabilities.
Here's a couple of things to check:
- Open QID 150009 Links Crawled and copy the URL into your browser to see if it's the starting URL of your site. If not you just need to edit the web application and update the Starting URL setting.
- Check your web application settings to be sure the starting URL is not added to the exclude list.