Web Application - Additional Configurations
This page describes the additional configurations available for a web application, such as authentication records, DNS override, and so on.
Authentication Records
Use authentication to discover and validate vulnerabilities by performing a more in-depth assessment of your web applications. Some web applications require authenticated access to the majority of their functionality. Authenticated scanning can be configured for HTML forms such as login pages and for server-based authentication (HTTP Basic, Digest, NTLM).
Header Injection
Identify headers that need to be injected by our scanning service to scan the web application. This option is intended to be used when a workaround is needed for complex authentication schemes or to impersonate a web browser.
Enter header information in the field provided. You can enter a maximum of 131,072 characters.
Enter each header in the format: <header>: <text>.
Multiple headers may be entered. Each header must be on a separate line.
Example 1
To bypass a complex login form (for example, for multi-step authentication or CAPTCHA), where mwf_login is the session identifier for the application:
Cookie: mwf_login=2-e3b930b2cf6549d0351346d3cf56e9ae
Example 2
To bypass a complex login form (for example, for multi-step authentication or CAPTCHA), where ASPSESSIONIDAARTTCBQ is the session identifier for the application:
Cookie: ASPSESSIONIDAARTTCBQ=BGHDNEICDKJBGJFMOIAOPLAG
Example 3
To use a personalized user agent:
User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3
Some web applications display different information for different user agents. For instance, a web application accessed from a mobile device displays lighter content with different functionality, links, forms and underlying HTML code. For this reason, the scanning engine may find different vulnerabilities.
Example 4
To bypass basic authentication:
Authorization: Basic bXl1c2VyOm15cGFzc3dvcmQ=
When a header like this is provided, it overrides any basic authentication defined in an authentication record.
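To check a header injection block before it is saved, here is an added example (not Qualys code) that parses the field in the `<header>: <text>` format described above, enforces the 131,072-character limit, and reports what the headers will do to the scan: which session cookie is supplied, and whether an `Authorization: Basic` header is present (and which user it logs in as), since that header overrides the authentication record. The function names and messages are my own.

```python
import base64
import re

MAX_CHARS = 131072  # limit on the header injection field stated on the page
# An HTTP header name is an RFC 7230 token: no spaces, colons or control characters.
HEADER_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_injected_headers(text):
    """Parse the '<header>: <text>' lines of the field into a list of (name, value) pairs.

    Raises ValueError on anything the scanner could not interpret, so a bad line is
    caught before a scan runs with a half-applied configuration."""
    if len(text) > MAX_CHARS:
        raise ValueError("field exceeds %d characters" % MAX_CHARS)
    headers = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines carry no header
        # Split on the first colon only: cookie and URL values may contain colons too.
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not HEADER_NAME.match(name):
            raise ValueError("line %d is not in the form '<header>: <text>'" % lineno)
        headers.append((name, value))
    return headers


def review_headers(headers):
    """Describe the effect of each injected header on the scan: an Authorization: Basic
    header overrides the authentication record, and a Cookie header carries a session id."""
    notes = []
    for name, value in headers:
        if name.lower() == "authorization" and value.lower().startswith("basic "):
            try:
                creds = base64.b64decode(value.split(None, 1)[1], validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                raise ValueError("Authorization: Basic value is not valid base64")
            user = creds.split(":", 1)[0]
            notes.append("basic auth as user %r overrides the authentication record" % user)
        elif name.lower() == "cookie":
            notes.append("session cookie supplied: %s" % value.split("=", 1)[0])
    return notes
```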
Web API Endpoint Definition
You can optionally define the targets to be scanned: REST APIs (Swagger-based or not) or a Burp log file.
Postman Collection
You can upload a Postman Collection export file in JSON format and scan its REST APIs for vulnerabilities. Uploading the Postman Collection file is mandatory, whereas uploading the Postman Environment Variables and Postman Global Variables files is optional.
Burp Proxy Capture
Upload the Burp log file to tell us which links need to be crawled and tested. Only one Burp file can be uploaded at a time; uploading a second file replaces the first.
Swagger/OpenAPI File
Upload the Swagger/OpenAPI file in JSON or YAML format and scan its REST APIs for vulnerabilities. Only one Swagger/OpenAPI file can be uploaded at a time; uploading a second file replaces the first.
Default DNS Override
Use DNS override records if you want to scan a web application that has multiple instances deployed in different environments. By default we'll use DNS for the web application URL to crawl and scan the web app. If you select a DNS override record, we'll use the mappings in your record instead. There are a few reasons you might want to do this. For example, your web application may not have a DNS entry because it's in a non-production environment, or it may have a different IP address in a non-production environment (e.g. development or QA) than in production.
Set up Exclusion Lists
You can set exclusions to define which links to scan and which to ignore for all web applications in your subscription. You can define an Allow List, an Exclude List, a POST Data Exclude List, and a logout regular expression; links matching the logout expression are not scanned.
Redundant Links
Redundant links are URLs whose paths differ but whose content is identical. Qualys WAS allows customers to specify fully customizable patterns of redundant links so that a WAS scan won't spend time crawling and testing duplicate links. You can specify the patterns corresponding to redundant links, and the maximum number of occurrences for each pattern. QID 150140 lists the redundant links/URL paths that were crawled and not crawled: we report which Redundant Link URLs were matched, crawled, and tested, as well as which URLs were matched but skipped.
Path Fuzzing Rules
Define path fuzzing rules to tell us the components of your web page path that need to be tested.
Guidelines to create path fuzzing rules:
- must start with http:// or https://
- must include parameters
- can include only letters, numbers, and the special symbols _.-~ in the parameter name
- cannot include blank parenthesis
- cannot include nested parameters {{}}
- cannot include unmatched parenthesis {}}
Example of web page:
http://www.abc.com/issue/17/section/sports/
The web server would read it as:
http://www.abc.com/search.php?issue=17&section=sports
The path fuzzing rule would be:
http://www.abc.com/issue/{issue}/section/{section}
Defining this rule ensures that the issue and section parameters are fuzzed, and we limit the number of paths that match the same rule because they are redundant.
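To make the guidelines concrete, here is an added example (not Qualys code) that checks a rule against the six guidelines above, then turns a valid rule into a regular expression that pulls the fuzzed parameters out of crawled URLs, which is also how paths matching the same rule can be grouped as redundant. The function names and error messages are my own.

```python
import re

# Parameter names may contain only letters, digits and the symbols _.-~ (page guideline).
PARAM_NAME = re.compile(r"^[A-Za-z0-9_.\-~]+$")

def validate_rule(rule):
    """Return the guideline violations for a path fuzzing rule (empty list means valid)."""
    errors, names, depth, current = [], [], 0, ""
    if not rule.startswith(("http://", "https://")):
        errors.append("must start with http:// or https://")
    for ch in rule:  # walk the braces so nested and unmatched ones are both caught
        if ch == "{":
            depth += 1
            if depth > 1:
                errors.append("cannot include nested parameters {{}}")
                break
            current = ""
        elif ch == "}":
            if depth == 0:
                errors.append("cannot include unmatched parenthesis {}}")
                break
            depth -= 1
            names.append(current)
            if not PARAM_NAME.match(current):  # also rejects the blank name in {}
                errors.append("blank or invalid parameter name " + repr(current))
        elif depth == 1:
            current += ch
    else:
        if depth:  # rule ended with a brace still open
            errors.append("cannot include unmatched parenthesis {}}")
    if not names:
        errors.append("must include parameters")
    return errors

def compile_rule(rule):
    """Turn a valid rule into (parameter names, regex); each {name} matches one path segment."""
    names, pattern = [], ""
    for part in re.split(r"(\{[^{}]+\})", rule):
        if part.startswith("{"):
            names.append(part[1:-1])
            pattern += "([^/]+)"
        else:
            pattern += re.escape(part)
    return names, re.compile("^" + pattern + "/?$")

def match_url(rule, url):
    """Return the parameter values a URL supplies for the rule, or None if it does not match."""
    names, regex = compile_rule(rule)
    m = regex.match(url)
    return dict(zip(names, m.groups())) if m else None
```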
Form Training
The Form Training option lets you define an action URI and add a specific form field and its value to be substituted during crawling and fuzzing. It also lets you override the value of a specific HTML field in the given form.
Action URI
Enter * in the 'Action URI' field to apply the field values to all forms. To define values for a specific form, enter the value of that form's 'action' attribute in the 'Action URI' field.
Reauthentication Setting
- Auto-Retry Failed Authentication: Automatically tries to log in again if the first login attempt fails. This option is helpful when network issues or temporary connection errors cause login failures. However, if your credentials are incorrect, retrying does not work.
- Wait Between Retries: Defines how many seconds to wait before trying to log in again after a failed attempt. A longer wait time reduces load on the server but increases scan time.
- Maximum Login Attempts: Sets the number of re-authentication attempts allowed. The default value is fifteen retries. A higher number of login attempts increases the chances of a successful login, but may trigger security alerts due to excessive attempts.
- URL to Confirm Active Session: This is an optional setting for adding a URL when re-authentication is used. It is used to verify if the login session is still active. If the URL returns "forbidden" (401), the scans will re-authenticate automatically.
Crawling behavior
This setting defines the page settlement time: the time (in seconds) the scan waits after a page loads before it starts scanning. The default value is five seconds. A longer wait time improves accuracy but slows down the scan.
Browser Setting
This setting keeps the browser’s same-origin policy enabled during scanning. When the check box is not selected, the scanner can access content from other domains, but this can cause some sites to block requests or behave unexpectedly.
Scan Time Optimization
This setting skips the header and cookie testing for URLs without parameters. It can speed up scanning, but it can miss vulnerabilities on simple pages.
Malware Monitoring
Select if you want to perform regular checks for malware on your external website. Malware Monitoring is available for external sites only.
Once enabled, we'll automatically run a malware scan within a few hours, and after that, we'll run a daily scan at the same time (you'll see the schedule within the MDS application). You can define a custom scan start time if you'd like. The web application owner will automatically receive an email notification when a scan detects malware, unless you turn off the notification option by clearing the check box. The malware scan results will be available in the MDS application.
Comments
Enter comments to be saved with the web application.