Web application details

Name

Enter a name for the web application. You can enter a maximum 256 characters.

Owner

Initially, the user who adds the web application is the owner by default. You can edit the web application after it is saved and select another user in your subscription as the owner.

Target Definition

Web Application URL

Enter the URL of the target web application. For REST APIs scanning, enter the URL of the Swagger file (Swagger version 2 in JSON format is currently supported).

Tip - For a secure URL, click http:// to switch to https:// You can enter a maximum of 2048 characters.

Crawl Scope

You've selected Limit to URL hostname. This means we'll limit crawling to the hostname within the URL, using HTTP or HTTPS and any port.

Let's say your starting URL is http://www.test.com.

What links WILL be crawled - All links discovered in www.test.com domain will be crawled. Also note that http://www.test.com/* (* as a wildcard here) will be crawled. All links discovered in http://www.test.com/support and https://www.test.com:8080/logout, etc. will be crawled.

What links WILL NOT be crawled - No links will be followed from sub-domains of www.test.com. This means http://www2.test.com. and/or http://sub1.test.com/ will not be crawled.

Crawl Scope

You've selected Limit to content located at or below URL subdirectory. This means we'll crawl all links starting with a URL subdirectory using HTTP or HTTPS and any port.

Let's say your starting URL is http://www.test.com/news.

What links WILL be crawled - All links starting with http://www.test.com/news will be crawled. Also http://www.test.com/news/headlines and https://www.test.com:8080/news/ will be crawled.

What links WILL NOT be crawled - Links like http://www.test.com/agenda and http://www2.test.com will not be crawled.

Crawl Scope

You've selected Limit to URL hostname and specified sub-domain. This means we'll crawl only the URL hostname and one specified sub-domain, using HTTP or HTTPS and any port.

Let's say your starting URL is http://www.test.com/news/ and the sub-domain is sub1.test.com.

What links WILL be crawled - All links discovered in www.test.com and in sub1.test.com and any of its sub-domains will be crawled. Also these domains will be crawled: http://www.test.com/support, https://www.test.com:8080/logout, http://sub1.test.com/images/ and http://videos.sub1.test.com.

What links WILL NOT be crawled - Links whose domain does not match the web application URL hostname or is not a sub-domain of sub1.test.com will not be followed. This means http://videos.test.com will not be crawled.

Crawl Scope

You've selected Limit to URL hostname and specified domains. This means we'll crawl only the URL hostname and specified domains, using HTTP or HTTPS and any port.

Let's say your starting URL is http://www.test.com/news/ and the specified domains are sub1.test.com and site.test.com.

What links WILL be crawled - All links discovered in www.test.com and in sub1.test.com and all other domains specified will be crawled. This means these domains will be crawled: http://www.test.com/support, https://www.test.com:8080/logout and http://sub1.test.com/images/.

What links WILL NOT be crawled - Links whose domain does not match web application URL hostname or one of the domains specified will not be followed. This means http://videos.test.com and http://videos.sub1.test.com will not be crawled.

Explicit URLs to Crawl

Specify URLs you want the scan to crawl. This is useful for pages that are not directly linked to other pages within the application. For example, a registration link is e-mailed to the user and the user clicks through to the application registration page from the email. You can also include WSDL URLs for web services you want our service to crawl. Enter each URL on a separate line. Each entry must be a valid HTTP or HTTPS URL. In case of authenticated scan, ensure that you always put the login link as the first link. You can enter a maximum of 2048 characters for each URL. The URLs you enter must be consistent with the selected scope:

Limit to hostname. If this scope is selected, additional URLs must have the same FQDN or IP address as the starting URL.

Limit to sub-directories of the web application URL. If this scope is selected, additional URLs must be in the same path as the web application URL.

Follow links in a specific sub-domain. If this scope is selected, additional URLs must have the domain name specified in the Domain Name field.

Follow links to specific hosts. If this scope is selected, additional URLs must have domain names specified in the Domains field.

API Endpoint Definition

You can opt to define the target to be scanned: REST APIs or Burp Log file.

Postman Collection

You can also upload the Postman Collection exported file in JSON format and to scan the REST APIs for vulnerabilities. Upload the Postman Collection File is mandatory whereas upload of Postman Environmental Variables and Postman Global Variables file is optional.

Burp Log File

Upload the Burp log file to tell us which links need to be crawled and tested. You can upload only one Burp file at a time. If you upload a second file, the new file will replace the old file.

Information

Adding custom attributes

An attribute (name/value) can be defined for your internal host ID or any other categorization method you want. Once defined it's easy to filter your web apps list by custom attribute - go to Filter Results (left panel) and enter the attribute.

Adding custom attributes

An attribute (name/value) can be defined for your internal host ID or any other categorization method you want. If you select the "Overwrite..." check box we'll delete all previously set attributes on these web apps, and replace them with the new ones. Once defined, it's easy to filter your web apps list by custom attribute - go to Filter Results (left panel) and enter the attribute.

Business Function

Enter the function of the web application. You can enter a maximum of 64 characters.

Business Location

Enter the location of the web application. You can enter a maximum of 64 characters.

Business Description

Enter a description of the business of the web application. You can enter a maximum of 2048 characters.

Tags

Apply tags to the web application. Users with one or more of the applied tags in their scopes will have access to the web application. Select tags from the drop-down list.