Web Apps and Groups

WAS web applications are managed and grouped on the System > Web Apps & Groups page. From here, you can create web app scanning target configurations and specify their risk weight and authentication methods. Additionally, web app configurations can be grouped to help you organize the web apps in your scanning environment.

Allotted Web Applications

Your account has an allotted number of web app domains available for scanning, as determined during WAS service activation. Only unique domains are counted towards this total. Therefore, you can have multiple web app configurations for a given domain without each configuration counting against your available web applications. This is useful for creating different configurations to meet different scanning needs for a single domain.

View the Number of Allotted Web Apps on Your Account

From the navigation menu, select System > Service Subscriptions > Web Application Scanning.

You can also view the number of utilized and allotted web apps on the Dashboard when you log in to WAS.

To add additional web applications to your WAS service, contact Fortra Technical Support.

Create or Modify a WAS Configuration

NOTE: Your account has an allotted number of web application domains available for scanning. If you have reached the maximum number of domains, you will still be able to configure additional domains but these new domains will have a not authorized status and will not be scanned. Only unique domains count towards the allotted web apps, allowing you to create multiple web app configurations for a single domain.
  1. From the navigation menu, select System > Web Apps & Groups.

  2. Select the Web Apps tab. You are on the web applications page.

  3. Perform one of the following:

    1. To modify an existing web app, select a web application name or click .
    2. To create a new web app, select New web app.
  4. Enter or modify the web application settings (if you are deleting an application, select Delete, then Confirm):

    1. Name -  Type the web application target’s name.

    2. Description (Optional) - Type a description of the web application.

    3. URL - Provide the URL of the web application target.

    4. URL blocklist regexes: (Optional) Exclude URLs from scanning by providing a string literal to be substring matched against page content, comma separated. The URL blocklist functionality can be used to prevent one or more URLs from being crawled / audited. This can be used to help prevent potentially negative impact to a scanned application, help prevent the scanner from accidentally logging itself out during an authenticated scan or getting stuck on some calendar-like functionality. These blocklist regexes are only used for the web application definition where they are defined. Multiple web applications in the same scan can all use different blocklist regexes. Additionally, multiple items can be added to the list, one per line.

      In addition to regular expressions, plain strings can be used such as "logout", "send_mail", "change_password", etc. (without quotes). This will prevent the scanner from hitting URLs such as http://example.com/admin/logout.php or http://example.com/admin/change_password.jsp.

      For more information on Regular Expression Fields, see: What are Regular Expression Fields?

    5. Extra paths: (Optional)Provide a list of directories that should be included in a scan, comma separated.

    6. Enable risk weight: (Optional) Enable to reveal a Weight sliding scale, which lets you weight the web application’s risk to your environment. The higher the weight, the more the web app affects your WASSecurity GPA, and vice-versa.

      TIP: Be aware that changing a risk weight can adversely affect your Security GPA.
    7. Favorite: (Optional) Enable for easy access when creating a new scan.

    8. Authentication Type: If applicable, select the authentication type (basic, digest, header or form) and complete the relevant fields. For more information about Authentication Type, please see: Authentication.

  5. Select Save.
    Your new web application is created and will be available on the targets list when creating a new scan.

Delete a Web Application

  1. From the navigation menu, select System > Web Apps & Groups.
  2. Select the Web Apps tab.
  3. On the Web Apps page, select next to the app you want to delete.
  4. Select Delete, then Confirm. Your web application is deleted from WAS.

Create or modify a Web App Group

  1. From the navigation menu, select System > Web Applications.
  2. Select the Web App Groups tab. You are on the Web App Groups page.
  3. Perform one of the following:
    • Select a web app group name or click to modify it.
    • Select New web app group to create a new group.
  4. Enter or modify the following sections and associated fields (if you are deleting a web app group, select Delete, then Confirm):
    • Select to add web applications to the group.
    • Select to remove a web application from the group.
  5. Select Save.
  6. Your new web application group is created and will be available on the targets list when creating a new scan.

Delete a Web Application Group

  1. From the navigation menu, select System > Web Apps and Groups.
  2. Select the Web App Groups tab.
  3. On the Web Apps Groups page, select next to the web app group you want to delete.
  4. Select Delete, then Confirm. Your web app group is deleted from WAS.

Authentication

Only one type of authentication is configurable per web application definition, and only one set of credentials can be used per web application definition. If the same application needs to be scanned using multiple different types of authentication or using different user levels, this can be configured using multiple web application definitions.

If you select Authentication Type - None, the scan will still attempt to find easily guessable credentials, if enabled in Web Apps and Groups.

The most common types of authentication we encounter are Basic or Form based authentication. Additionally, the most reliable forms of authentication to use during scanning are Basic, Digest and Header because they are the simplest.

All authentication types will have a field for a "Success regex" and "Success URL". The success URL needs to be within the scope of the starting URL as defined by the web application definition URL. Additionally, this URL should ideally be a page that is only available after successfully authenticating to the web application. In the case of a single page application where the page content changes after authentication, but the URL is unchanged, checking against an API request or similar would also work.

Using the browser’s dev tools on the Network tab, you can view all the API requests that are made by a web application after logging in. This can give you some additional options to select a URL to use for the success URL.

NOTE: Don’t use URLs that contain URL fragments. URL fragments are not sent to the server and are only used by JavaScript in the browser and are not supported for success URLs. You can easily identify a URL fragment because they start with a "#" character, such as the ones Fortra VM uses. If URL fragments are used in the URL to navigate the app, open the browser’s dev tools and look for API requests that are made when navigating, these can be used for the success URL instead of a URL with a fragment.

The "Success regex" will be checked against the response body of a request to the specified "Success URL". Depending on the application, much of what you see in the browser may be the result of JavaScript and will not be present when the scanner tries to use it to match against during the scan. To find the raw data returned in the response body from the web application, the browser’s dev tools can be used again.

On the Network tab, you can select a request that the browser made and click on the Response tab, this is the data you should be able to regex against to determine successful authentication. As mentioned earlier, since this is a "regex" field, a regular expression or string literal can be used and should only match against something present on the page when authentication is successful. Using a regex similar to ".*" will match any content returned and should not be used to determine success.

NOTE: This process is not JavaScript aware because it needs to be very fast and is called throughout the scan to test whether or not the scanner is still authenticated to the web application.