Your service level and account settings determine whether you can manage web applications. Your account settings might limit you to some applications or certain permissions (view, create, edit, delete). Learn more
On the Detections List tab (Detections > Detections) we list all vulnerabilities detected by scans on your web applications. This allows you to review them without running reports. Tip - Use the search tokens and filters options in the left pane to sort and locate detections you want to take actions on. Learn more
You choose a crawl scope option in your web application settings to determine the scope of scans for that web application. You can limit crawling to the URL hostname, content at or below a URL subdirectory, the URL hostname and a specified sub-domain, or the URL hostname and specified domains. In case of authenticated scan, ensure that you always put the login link as the first link. Learn More
Exclusions lists are configurable at a global level (across all web applications in your subscription) as well as per web application. You can implement customized exclusion lists for your web application and ignore the global settings while creating or editing a web application.
You can use exclusion list to tell us which links to scan and which to ignore for all web applications in your subscription. For a production web application, it's best practice to add in exclude list the pages with certain functionality that if executed would have undesirable results, such as possibly sending out too many emails, potentially submitting a "delete all" button, or disabling/deleting accounts.
Exclusion lists are allow lists, exclude lists, POST exclude list, logout regular expression list and parameter list.
What if I use an exclude list and an allow list?What if I use an exclude list and an allow list?
If a web application has both an exclude list and an allow list, we treat the allow list entries as exceptions to the exclude list. We will not crawl any exclude list entry unless it matches an allow list entry. We'll crawl all other links including those that match allow list entries.
What if I use only an exclude list?What if I use only an exclude list?
If a web application has an exclude list only (no white list), we'll skip all links that match exclude list entries. If the web application has an allow list only (no black list), we'll crawl only those links that match allow list entries.
What if I use parameter list?What if I use parameter list?
If you have add parameters in the global exclusion list, we will exclude these parameters from being tested in a scan and thereby improve a scan’s efficiency and effectiveness.
Some web applications require authenticated access to the majority of their functionality. Authenticated scanning can be configured for HTML forms like login pages and server-based authentication (HTTP Basic, Digest, NTLM, or SSL client certificates). Form and server authentication may be combined. Learn more
Yes. You can use Qualys Browser Recorder to create a Selenium script and then record and play back web applications functions during scans. For each web application in your account, you can create scripts to configure authentication and crawling. Learn more
Option profiles provide the settings for web application scans - crawling, sensitive content detection, vulnerability detection and password brute forcing. When launching or scheduling a scan, you'll need to choose an option profile. If you don't have a WAS option profile in your account, we've provided one called "Initial WAS Options" with the recommended settings for web application scanning. Learn more
Define a action URI, specific form field and its value to be substituted during crawling and fuzzing. This feature allows you to override a specific field's value in any given form. Global field names and associated values can be specified as well, independent of any form. Learn more
If your web application uses URL rewrite, you can now tell us the path components that need to be tested by defining the path fuzzing rules. The rules will tell us the path components/parameters that need to be fuzzed and we will prevent multiple crawling of paths that meet the rules. Go to WAS > Web Applications > Create/Edit a web application and define the rules in the Redundant Links section. Learn more
Use DNS override records if you want to scan a web applications with multiple instances deployed in different environments. DNS Override: By default we'll use the DNS for the web application URL to crawl the web app and perform scanning. If you select a DNS override record, we'll use the mappings in your record instead. Learn more
Is your web application protected by WAF? If yes, you can enable the ScanTrust feature to enhance scanning and reporting capabilities. Learn more
You can create maps using the VM application. As new maps are completed in your account, they will appear on the Maps tab. A map provides full information on your domains (DNS records and topology) and identifies active hosts located in your Internet/Intranet perimeter, depending on the map request. Learn more