Web Application Scanning
Web Application Scanning (WAS) scanners provide comprehensive, updated information about your web application’s security posture. Scan audit and tuning policies define how targets are scanned. WAS has default policies for several common scanning objectives, and custom policies can be configured as well.
Reducing the number of audit, crawler, or bruting processes and/or increasing the request delay throttles the scanner back to a lower number of requests per second. Throttle processes back starting with the bruting processes, then the crawler processes, and finally the audit processes, to minimize the impact on overall scan duration. Any change to the number of processes, the request timeout, or the request delay will affect scan time.
Work with Audit Policies
An audit policy specifies which vulnerabilities and allowances to include in the scan.
To view audit policies
- From the navigation menu, select Scans > Scan Policies.
- Select the Audit tab. The Available Audit Policies page lists the scan audit policies with a brief description.
- Select an audit policy from the list to view its settings.
To modify or create an audit policy
- From the navigation menu, select Scans > Scan Policies.
- Select the Audit tab.
- Perform one of the following:
Select an audit policy name to modify it.
NOTE: You cannot modify default audit policies, which are denoted with a shield symbol, but you can copy a default policy using the copy icon to create a new audit policy with the same configuration. Once the audit policy is copied, you can modify the settings for the copy.
Select + New audit policy to create a new policy.
- Enter or modify the policy settings on the following sections and associated fields:
General Information
- Policy Name
- Description
Allow Settings
Use toggles to set the following as ON or OFF.
- Allow POST
- Allow PUT
- Allow PATCH
- Allow DELETE
- Allow directory brute force
- Allow auth brute force
Vulnerability Settings
Customize the type of vulnerability checks performed by the scan by toggling the following ON or OFF.
- XSS
- XML Injection
- XPATH injection
- SQL injection
- Blind SQL injection
- Local file inclusion
- Remote file inclusion
- File uploads
- Directory traversal
- Command injection
- Insecure cookies
- Cookie-based injection
- Header-based injection
- LDAP injection
- Expression language injection
- Insecure forms
- Miscellaneous
- App detection
- Denial-of-Service
- SSL
- Parameter pollution
- Potentials
Business Group ACLs
Designate Business Group access for this audit policy.
- Select Owner Business Group
- Owner Business Groups
- Select Accessor Business Group
- Accessor Business Groups
- Select Save.
Work with Tuning Policies
A tuning policy specifies scan performance settings.
To view tuning policies
- From the navigation menu, select Scans > Scan Policies.
- Select the Tuning tab. The Available Tuning Policies page lists the scan tuning policies with a brief description.
- Select a tuning policy from the list to view its settings.
To modify or create a tuning policy
- From the navigation menu, select Scans > Scan Policies.
- Select the Tuning tab.
- Perform one of the following:
Select a tuning policy name to modify it.
NOTE: You cannot modify default tuning policies, which are denoted with a shield symbol, but you can copy a default policy using the copy icon to create a new policy with the same configuration. Once the tuning policy is copied, you can modify the settings for the copy.
Select + New tuning policy to create a new policy.
- Enter or modify the policy settings on the following sections and associated fields:
Field Definitions
General Information
- Policy Name
- Description
- User agent - The user agent the scanner presents when scanning. Some web applications require this value to more closely match the user agent of a common web browser instead of the default setting.
- HTTP headers - Additional HTTP headers to include in scan requests, beyond the default set.
- Policy Type - The type of scan policy being created.
NOTE: Official PCI scans are required to use the PCI Tuning Policy type.
Tuning Settings
- Scan timeout - Determines whether the scan runs until complete or times out after a specified period.
- Scan timeout value - Maximum time an individual web application is scanned before the scanner terminates it.
- 404 page regex - User-provided regular expression that helps the scanner correctly identify not-found pages. This is most beneficial when the web application returns a 200 HTTP response code for requests to files and directories that do not exist; it speeds up the scan and reduces false positives for discovered files and directories in the scan results.
- Error page regex - User-provided regular expression that helps the scanner correctly identify error pages. This is most beneficial when the web application returns a 200 HTTP response code for requests that generated a server-side error.
- Max depth - Maximum directory depth to crawl in the application.
- Max page count - Maximum number of pages to crawl.
- Max directory brute - Maximum number of directory brute-force attempts per discovered directory.
- Max authentication brute - Maximum number of authentication brute-force attempts per discovered directory.
- Banned usernames - Usernames in this list are never attempted during authentication brute forcing.
- Extra usernames - Additional usernames to include in authentication brute forcing, beyond the scanner's default set.
- Extra passwords - Additional passwords to include in authentication brute forcing, beyond the scanner's default set.
- Extra directories - Additional directories to include in directory brute forcing, beyond the scanner's default set.
- Speed - Selects the preset used for request delay, request timeout, and max processes.
- Request delay - Time between requests, in seconds.
- Request timeout - How long the scanner waits for a response from the target application, in seconds.
- Max audit processes - Number of auditor processes used during the scan. These processes look for vulnerabilities by sending test requests such as cross-site scripting and SQL injection payloads to the scanned web application.
- Max crawler processes - Number of crawler processes used during the scan. These processes handle newly discovered links by navigating to the page, interacting with its content, and scraping new links and requests for auditing or further crawling.
- Max bruting processes - Number of bruting processes used during the scan. These processes look for directories and files that might not be discoverable by simply crawling the site and following the available links.
NOTE: If a scan includes more than one web application, this setting is applied per web application, not to the overall scan.
NOTE: The request delay is per process, not global. If the delay is set to 1 second and you have 10 each of auditor, crawler, and bruting processes, that is about 30 requests per second, versus 1 request per second if the delay were a global limit.
- Select Save.
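As an added example, not taken from the WAS documentation, the following Python shows why the 404 page regex and Error page regex fields matter on an application that answers 200 for everything, plus a pre-flight check a practitioner would run on a candidate regex before saving it in a tuning policy. The sample responses, regex patterns, and function names are constructed for illustration.

```python
import re
from typing import NamedTuple

class Response(NamedTuple):
    path: str
    status: int
    body: str

# Constructed sample responses: a hypothetical app that answers 200 for everything.
SAMPLE_RESPONSES = [
    Response("/index.html", 200, "<title>Home</title>Welcome to the portal"),
    Response("/backup/", 200, "<title>Oops</title>The page you requested could not be found."),
    Response("/search?q=%27", 200, "Internal error: unhandled exception in query handler"),
    Response("/old.bak", 404, "Not Found"),
]

# Candidate values for the tuning policy's "404 page regex" and "Error page regex".
NOT_FOUND_RE = re.compile(r"could not be found|page not found", re.I)
ERROR_RE = re.compile(r"internal error|unhandled exception|stack trace", re.I)

def classify(resp, not_found_re=None, error_re=None):
    """Return 'not_found', 'error' or 'content'. Without the regexes every
    200 response counts as content, which is the soft-404 problem."""
    if resp.status == 404:
        return "not_found"
    if not_found_re and not_found_re.search(resp.body):
        return "not_found"
    if error_re and error_re.search(resp.body):
        return "error"
    return "content"

def discovered_paths(responses, not_found_re=None, error_re=None):
    """Paths a directory brute-force pass would report as existing."""
    return [r.path for r in responses
            if classify(r, not_found_re, error_re) == "content"]

def check_regex(pattern, good_bodies, error_bodies):
    """Pre-flight check for a candidate regex: it must match every known
    error page and no known-good page, or real content is silently dropped."""
    try:
        rx = re.compile(pattern, re.I)
    except re.error as exc:
        return False, f"invalid regex: {exc}"
    if any(not rx.search(b) for b in error_bodies):
        return False, "does not match every known error page"
    if any(rx.search(b) for b in good_bodies):
        return False, "matches a known-good page"
    return True, "ok"
```

Without the regexes, the two soft-404/error responses are reported as discovered paths; with them, only the real page remains.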
- If you experience issues with your website during a scan, see The scan is negatively impacting my website, how do I prevent that from happening?
- To speed up your scan, see What are some options for speeding up scans?
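The throttling guidance at the top of this page, combined with the per-process request delay note in the tuning settings, as an added Python planner that is not part of the WAS documentation. TuningPolicy, effective_rps and throttle_plan are names invented here; the rate estimate assumes each process sends one request per request delay and ignores server response time.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TuningPolicy:
    request_delay: float  # seconds between requests, per process (not global)
    max_audit: int
    max_crawler: int
    max_bruting: int


def effective_rps(p: TuningPolicy) -> float:
    """Approximate request rate: each process sends about one request per
    request_delay seconds, so the per-process rates add up."""
    return (p.max_audit + p.max_crawler + p.max_bruting) / p.request_delay


def throttle_plan(p: TuningPolicy, target_rps: float, min_procs: int = 1):
    """Return (new_policy, steps) bringing effective_rps at or below target.

    Order follows the documentation: reduce bruting processes first, then
    crawler, then audit, one process at a time; only if that is still not
    enough is the per-process request delay raised."""
    steps = []
    for field in ("max_bruting", "max_crawler", "max_audit"):
        while effective_rps(p) > target_rps and getattr(p, field) > min_procs:
            p = replace(p, **{field: getattr(p, field) - 1})
            steps.append(f"{field} -> {getattr(p, field)}")
    if effective_rps(p) > target_rps:
        procs = p.max_audit + p.max_crawler + p.max_bruting
        p = replace(p, request_delay=procs / target_rps)
        steps.append(f"request_delay -> {p.request_delay}")
    return p, steps


if __name__ == "__main__":
    # Constructed starting point: the documentation's 1 s delay, 10 processes of each kind.
    start = TuningPolicy(request_delay=1.0, max_audit=10, max_crawler=10, max_bruting=10)
    print(effective_rps(start))  # about 30 requests/second, as the note above says
    policy, steps = throttle_plan(start, target_rps=12)
    print(policy, steps)
```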