Option Profile - Search Criteria
In this page, select search criteria to be applied during scanning a web application. Click on each type of setting to view fields and details of each field.
Detection ScopeDetection Scope
The detection scope settings determine whether the scan checks for vulnerabilities in our KnowledgeBase.
The following values are available to define the detection scope:
- CoreCore
Select Core to scan for the WAS core set of web application vulnerabilities in the KnowledgeBase.
Click the link Core QIDs in "View list of Core QIDs". From the QIDs included in Core Detection Scope screen, click Copy All QIDs. Next, add or remove QIDs from the list as required, then create a new search list with these QIDs.
Core scope includes vulnerabilities that Qualys considers most common in today's web applications. It does not include all the vulnerabilities that WAS can detect. For example, vulnerabilities such as QID 150233 - XSS vulnerabilities in old versions of Atlassian JIRA or QID 150225 - vulnerabilities in Liferay Portal are not included when Core detection scope is defined for the scan. Testing for all possible vulnerabilities will result in longer scan times.
Select Categories and choose the required predefined vulnerability categories to define the detection scope.
Select the check boxes for the categories. Click the number showing the total number of QIDs for the category that you want to customize. From the "QIDs included in category" screen, click Copy All QIDs. Next, add or remove QIDs from the list as desired, then create a new search list with these QIDs.
For example, Experimental category - WAS reports QIDs in the Experimental category to reduce False Positives or False Negatives scenarios. Experimental QIDs are findings where the vulnerability cannot be confirmed through an active Proof of Concept (POC). The reasons that the vulnerabilities could not be confirmed can include:
- Not all environments related to the vulnerability were tested due to logistics like licenses, access, or time constraints.
- Vulnerabilities may be limited to specific environments.
- The QID confirmation is in progress and all the variants to be tested and reported are not complete.
- Custom Search ListsCustom Search Lists
Select Custom Search Lists to use static or dynamic search lists to define the detection scope.
This provides the most granular control over detection scope. You can select search lists to include and search lists to exclude. Any QID's in the included list are included and those in the excluded list are excluded from the scope. The Custom Search Lists setting enables you to choose search lists defined in your account (Configuration > Search Lists) to identify vulnerabilities you want to include and vulnerabilities you want to exclude.
- XSS Power ModeXSS Power Mode
Select XSS Power Mode to run a specialized scan that performs comprehensive tests for cross-site scripting vulnerabilities.
The XSS Power Mode detection scope performs tests using the standard XSS payloads, which detect the most common instances of XSS, but also with additional payloads that can identify XSS in certain, less-common situations. Running a scan with XSS Power Mode increases the scan time but would provide more comprehensive testing for XSS vulnerabilities.
Select Everything in detection scope to check for all the WAS related vulnerabilities in a scan. This can lead to a longer scan time.
XSS payloads: Select the Include additional XSS payloads check box to enable comprehensive tests for cross-site scripting vulnerabilities to be executed during our standard scan.
Note: The comprehensive tests include XSS with exhaustive set of payloads including set of standard payloads. Running a scan with XSS payloads option enabled in the detection scope of scan provides the best assurance that your web application is free from XSS vulnerabilities. However, enabling this option leads to significant increase in the scan time.
Sensitive ContentSensitive Content
Our service can check for sensitive content in the web application pages it crawls based on known patterns (such as credit card numbers, social security numbers) or based on custom patterns you enter. The expression search mechanism can check for credit card numbers and social security numbers (United States only) while reducing false positives. Our service does not collect credit card information or social security information.
Select one or more types of sensitive content detection:
- Credit Card Numbers - Check for sensitive content based on credit card numbers.
- Social Security Numbers - US Format - Check for sensitive content based on social security numbers.
- Custom - Check for sensitive content based on custom patterns you specify. Sensitive content for custom checks may be specified as strings and regular expressions in the field provided. You can enter a maximum of 10 custom checks, where each check appears on a separate line. An entry for a single check must be a minimum of 5 characters and a maximum of 100 characters.
Important: Sensitive content detection will be performed only when you scan for QID 150016. If you select Custom Search List in the Detection Scope settings, you must add an Include search list that includes QID 150016.
Keyword URL SearchKeyword URL Search
Specify keywords in the form of strings and regular expressions when creating or editing an Option Profile to search for URL links that contains the specified keyword. Currently, we search for keywords only in the internal links that are found in the crawling phase for each target application in a Discovery/Vulnerability scan. You can enter a maximum of 10 keywords where each keyword appears on a separate line. A keyword should be 5 to 200 characters long.
All the unique links that contains the specified keywords are shown under information gathered QID 150141 in the WAS scan and web application reports. Note that we show the crawled links under QID 150009.
Next step: Option Profiles - Comments