Web Application - Scan settings

Option Profile

Select the default option profile to be used for scanning this web application. Click View to view/edit its settings.

We use the default option profile automatically when users launch or schedule a scan for this web application. The default option profile can be set to any option profile you have permissions to use. If you don't have a WAS option profile in your account, we service provide an option profile called "Initial WAS Options" with the recommended settings for web application scanning.

Scanner Appliance

Select the default scanner appliance to be used for scanning this web application. We use the default scanner appliance automatically when users launch or schedule a scan for this web application. The default scanner appliance can be set to

External (for scanning a web application on an external-facing network)

Individual (for scanning a web application on an internal network. By default, only one internal scanner can be selected.)

Tags (for allocating multiple scanner appliances clubbed in a group by a single or multiple asset tags. Select an existing tag or create a new tags. All the scanner appliances that are associated with the selected tags form a scanner pool for the web application.)

Lock this scanner appliance for this web application. Select to lock the selected scanner appliance for scans of this web application. If selected, the scanner appliance specified here cannot be changed when launching or scheduling scans of this web application.

Scanning through a Proxy

Easily run web application scanning through a proxy by defining a default proxy for the web app. This way you don't need to select the proxy server in the scan settings and it makes it convenient for all users. Just select a proxy name from the list of proxies available in your account. Want to view (or edit) proxy settings? Select the proxy and then click View. Want to add a new proxy? Click Create.

Progressive Scanning

Progressive Scanning adds more scanning capabilities. Progressive Crawling expands the testing coverage for web applications over time. Each scan builds upon the information obtain in previous scans, prioritizing new content areas to expand coverage. Progressive Testing enhances the flexibility of scanning by automatically starting, stopping and resuming scans across your networks without manual intervention. By choosing Progressive Scanning as the default for this web application we'll add to the history of findings in stages, with each scan. You can easily override the default per scan if you want.

Report vulnerabilities protected by WAF

The ScanTrust option is visible only if this web application is protected by WAF.

Select to scan this web application. You can then view the WAF-blocked vulnerabilities in WAS detections and reports.

Tell me about the Cancel Option

This option allows you to cancel scans of this web app by default after some period of time - after a number of hours, or at a specific time. You can override this setting per scan and scan schedule if you wish. For example, say you know a certain web application should never be scanned 10pm to midnight. You could choose to cancel scans of this web app at a time before this window by default.

By default we do not cancel scans. Once a scan is launched it will run until it completes, or the maximum scan time is reached.

Keep in mind that cancelled scans may return partial, incomplete results.

Why use DNS override records

By default we'll use the DNS for the web application URL to crawl the web app and perform scanning. If you select a DNS override record, we'll use the mappings in your record instead. There a few reasons you might want to do  this. For example your web application does not have a DNS entry since it's in a non-production environment. Or the web application may have a different IP address in a non-production environment (e.g. development or QA) than in production.

Why use Form Training?

The Form Training option provides a customized facility to define action URI and add specific form field and its value to be substituted during crawling and fuzzing. It also allows you to override a specific html fields value in the given form.

Action URI

You can enter * in the 'Action URI' to tell us that the field values should be used for all the forms. If you want to define values for a specific form, enter value of the 'action' attribute of the form in the 'Action URI'.

Crawling Hints

Select crawling hints to instruct the scan to adhere to existing configurations when scanning the web application.

Crawl all links and directories found in the robots.txt file, if present. Robots.txt is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a web site that is otherwise publicly viewable.

Do not crawl links or directories that are excluded from the robots.txt file. Select to fully adhere to the robots.txt file, if present in the web application. Links and directories that are not included in the robots.txt file will not be crawled.

Crawl all links and directories found in the sitemap.xml, if present. Select to adhere to a sitemap.xml file if present in the web application. Sitemap.xml is an XML file that lists URLs for a site to inform search engines about URLs that are available for crawling.

Header Injection

Identify headers that need to be injected by our scanning service to scan the web application. This option is intended to be used when a workaround is needed for complex authentication schemes or to impersonate a web browser.

Enter header information in the field provided. You can enter a maximum of 131,072 characters.

Enter each header in the format: <header>: <text>.

Multiple headers may be entered. Each header must be on a separate line.

Example 1

To bypass a complex login form (for example, for multi-step authentication or CAPTCHA), where mwf_login is the session identifier for the application:

Cookie: mwf_login=2-e3b930b2cf6549d0351346d3cf56e9ae

Example 2

To bypass a complex login form (for example, for multi-step authentication or CAPTCHA), where ASPSESSIONIDAARTTCBQ is the session identifier for the application:

Cookie: ASPSESSIONIDAARTTCBQ=BGHDNEICDKJBGJFMOIAOPLAG

Example 3

To use a personalized user agent:

User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3

Some web applications display different information for different user agents. For instance a web application accessed by a mobile device will display light content containing different functionality, links, forms and underlying HTML code. For this reason, the scanning engine may find different vulnerabilities.

Example 4

To bypass basic authentication:

Authorization: Basic bXl1c2VyOm15cGFzc3dvcmQ=

When a header such as the above is provided, the header basic authentication overrides any authentication record with basic authentication defined.