You can add new web scans to any scan group that is configured to include them.
To add and configure a new web scan:
- Go to the Network scans page.
- Click the menu icon and select Add web scan.
- Enter the general settings for the scan:
  - Enter the URL that you want to scan in the Scan target URL field.
  - Enter a name for the scan in the Name field.
  - Select the Elements Vulnerability Management user responsible for the scan in the Responsible menu.
  - Add relative URLs for scanning.
- Click Next to continue.
- Enter the policy settings for the scan:
  - Run attacks: Select this option to test the application by running SQL injection and cross-site scripting attacks against it. If you disable this option, the scan finishes quickly, so you can see how much of the application the web scan was able to crawl or detect. Disabling it is mainly intended for debugging the coverage of a web scan.
  - Crawler enabling: Specifies whether the web scan is allowed to crawl and index the application. If you disable this option, you need to use recordings to feed the web scan with the target URLs.
  - Attack forms: Specifies whether the web scan is allowed to attack web forms identified within the application, such as a contact form or a search function.
    Important: If the target web application contains a web form that generates emails or similar, and the web scan attacks such a form, it may generate thousands of emails. If you are unsure whether the application includes such functionality, disable this option or blacklist the scanning of such functionality in the scan rules.
  - Additional entry points: Here you can add additional relative paths that the web scan might not find automatically because they are not linked anywhere.
  - Extended scan log: Select this option if you want more extensive logging for debugging purposes.
- Enter any scan rules required for the scan.
  Scan rules let you control what the web scan is and is not allowed to scan. You can define relative URL paths or use regular expressions.
- Set the custom headers for the scan.
  This allows you to define custom HTTP request headers to be used during the scan. For example:
  - Change the User-Agent to avoid flooding website statistics.
  - Change the User-Agent to simulate different browsers or operating systems.
  - Apply specific cookies for authentication, load balancing, language, etc.
  - Define a custom Host header to reach an application on the target server.
- Set the number of threads used by the web scan.
  Note: The web scan is very powerful, and too many threads may cause denial-of-service conditions on some websites. We recommend starting with a low number of threads to avoid overloading the application.
- Click Next.
- Add any recordings if needed:
  - Select the recording type.
  - Select Merge with previously added recordings if you want to add the new recording to the existing one. If this setting is not selected, the existing recording is overwritten.
  - Click Browse and select your file.
- Select the authentication to use for the scan:
  - HTTP basic authentication: Allows the web scan to scan applications that require login credentials using basic authentication.
  - Form-based authentication: Allows the web scan to scan applications that require login credentials using form-based authentication. If you use this feature, you need to provide the following information:
    - Login fingerprint: A string within any HTTP response indicating that the web scan has successfully authenticated to the application.
    - Logout fingerprint: A string within any HTTP response indicating that the web scan has been logged out.
    - A login HTTP request within your web scan recordings.
- If you want the scan to trigger notifications, turn on Notifications and select the conditions.
- Click Finish.
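As an added example (not part of this documentation and not the product's own rule engine), the following Python scope filter applies ordered allow/deny rules of the two kinds named in the scan rules step, relative URL paths and regular expressions, and uses them to keep an email-generating contact form, the logout link and static assets out of scope. The rule grammar (first match wins, `re:` prefix for regular expressions, other hosts always out of scope) and the shop.example.test target are assumptions made for this example.

```python
import re
from urllib.parse import urljoin, urlsplit


class ScanScope:
    """In-scope check for a web scan using ordered allow/deny rules.

    A rule is (action, pattern): action is "allow" or "deny"; pattern is either a
    relative URL path prefix such as "/app/" or a regular expression written as
    "re:<expression>", searched in the path plus query string. The first matching
    rule wins, and URLs on another scheme or host are always out of scope. These
    semantics are assumed for this example and are not the product's own.
    """

    def __init__(self, target_url, rules, default_allow=False):
        self.base = urlsplit(target_url)
        self.rules = [(action, self._matcher(p)) for action, p in rules]
        self.default_allow = default_allow

    @staticmethod
    def _matcher(pattern):
        if pattern.startswith("re:"):
            regex = re.compile(pattern[3:])
            return lambda path: regex.search(path) is not None
        return lambda path: path.startswith(pattern)

    def is_in_scope(self, url):
        # Relative URLs found by the crawler or given as entry points are
        # resolved against the scan target URL before the rules are applied.
        parts = urlsplit(urljoin(self.base.geturl(), url))
        if (parts.scheme, parts.netloc) != (self.base.scheme, self.base.netloc):
            return False
        path = parts.path + ("?" + parts.query if parts.query else "")
        for action, matches in self.rules:
            if matches(path):
                return action == "allow"
        return self.default_allow


# Constructed configuration: host and paths are placeholders, not real sites.
SCOPE = ScanScope(
    "https://shop.example.test/app/",
    [
        ("deny", "/app/contact/"),            # email-generating form: never attack it
        ("deny", "re:/logout(\\?|/|$)"),      # requesting this would end the scan's session
        ("deny", "re:\\.(png|jpg|css|js)$"),  # static assets add nothing to the scan
        ("allow", "/app/"),                   # everything else under the application
    ],
)
```

Anything not matched by a rule falls back to `default_allow`, which is False here, so paths outside /app/ such as /admin/ are never requested.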