Web Applications - The Basics

Good to Know

Why use authentication

Public vs Internal

Tagging web applications

Configure Crawling

Tell me about the crawl scope

What are exclusion lists?

Using Selenium scripts for scanning


Why use authentication

Many vulnerabilities require authenticated scanning for detection. Multiple authentication types are supported - Form, HTTP Basic and Digest. You may want to scan the same web application multiple times with different credentials. To do this, you can add multiple records and provide meaningful titles related to the privilege level like "Anonymous", "User", "Admin". For example a "User" record may find 300 links and 10 vulnerabilities, whereas an "Anonymous" record may find only 100 links and no vulnerabilities.

Public vs Internal

Internal scanning uses a scanner appliance placed inside your network. Select the scanner appliance you want to use by name from the Scanner Appliance menu in the web application settings. If you don't already have one, contact your Account Manager. Learn more

External scanning is always available using our cloud scanners set up around the globe at our Security Operations Centers (SOCs). For this option, choose External from the Scanner Appliance menu in the web application settings.

Would you like to enable Malware Monitoring? If you enable this feature in the settings of an external web application  we'll run daily malware scans on the web application. You can specify the time for these scans and opt in to notification emails.

Tagging web applications

Tags help you to organize your web applications and other objects in your subscription and to control user access to those objects. By applying a tag to a web application, you grant access to it for users with the same tag in their scopes. You can also use tags to filter the web applications list, create web application reports and more. Go to the Asset Management (AM) application to create and manage tags.

Tell me about the crawl scope

The crawl scope you choose in the web application settings determine where the scan will go. Your options are:

Limit to URL hostname

Limit to content located at or below URL subdirectory

Limit to URL hostname and specified sub-domain

Limit to URL hostname and specified domains

What are exclusion lists?

Exclusions lists are configurable at a global level (across all web applications in your subscription) as well as customizable for a web application. You can implement customized exclusion lists for your web application and ignore the global settings while creating or editing a web application.

You can use exclusion list to tell us which links to scan and which to ignore for all web applications in your subscription. For a production web application, it's best practice to blacklist pages with certain functionality that if executed would have undesirable results, such as possibly sending out too many emails, potentially submitting a "delete all" button, or disabling/deleting accounts.

Exclusion lists are white lists, black lists, POST data black list, and logout regular expression list. Learn more

What if I use a black list and a white list?

What if I use only a black list?

Using Selenium scripts for scanning

Use Qualys Browser Recorder to create a Selenium script. Qualys Browser Recorder is a free browser extension to record & play back scripts for web application automation testing. Qualys Browser Recorder includes the entire Selenium Core, allowing you to capture web elements and record actions in the browser to let you generate, edit, and play back automated test cases quickly and easily.

You can upload Selenium scripts to your web application settings, and we'll replay these scripts while scanning the web application. For example:

- We can replay recorded steps to scan a web application that requires complex workflows, such as selecting user input combinations that require certain knowledge and/or user interaction.

- We can replay recorded steps, like clicking a series of buttons or filling out forms.

- We can replay recorded steps to complete login and authentication requirements.

Where do I get Qualys Browser Recorder?

How do I create a Selenium script?