Provide the Starting URL and user credentials for the scan, select the type of scan, and
(if not previously done) verify your permission to scan the site. Alternatively, you can upload your
own AppScan Standard scan (SCAN) or template (SCANT) file for scanning, or a traffic file recorded
using the AppScan Presence proxy server (CONFIG). If the site is not available on the Internet, you
will also need to create an AppScan Presence, or select an existing one, that has access to the site
and to the Internet.
Before you begin
It is recommended that you back up your site before scanning.
For more information about using an AppScan Standard configuration (SCAN or SCANT file) for your scan, see Using AppScan Standard.
For more information about using the AppScan Presence proxy server, see AppScan Presence.
Procedure
To scan your site:
- If your site is not available on the Internet, and an AppScan Presence does not yet
exist on the server: Create an AppScan
Presence.
- If you have not yet done so: Create an application for your scans.
- In the Application, click Create Scan.
- In the What type of app? screen:
- Public sites (available on the Internet): Click Web > Dynamic > Public
Network.
- Private sites (not available on the Internet): Click Web > Dynamic >
Private Network, then select the correct AppScan Presence from
the list.
Note: If an AppScan Presence has not yet been created, you can create it now by clicking
Create Presence, and following the instructions
here.
- In the What URL should we scan? screen:
- Type or paste in the URL from where you want the scan to start exploring the site.
Note: If your
app uses the default port (80 for HTTP; 443 for HTTPS), you need not include it in the URL. If you
include a non-default port value in the URL, it must be higher than 1024.
- To use the regular configuration, leave the No radio button selected. If you want to
upload your own AppScan Standard configuration file (SCAN or SCANT), or AppScan Presence proxy
server traffic file (CONFIG), select Yes.
Important: If you choose Yes, make sure that the URL you entered above is identical to the
Starting URL in the file you upload. Note also that scans based on a configuration file uploaded
by the user are not examined by our Scan Enablers if a problem occurs: if such a scan does not
succeed, it simply fails.
- Click Continue.
- (If you chose to upload a file:) Click Select file and locate your SCAN, SCANT or CONFIG
file, or simply drag-and-drop it into the blue area.
- In the Scan Settings screen:
- Name: Optionally change the scan Name.
- Staging/Production: Select whether your site is a Staging site
(under development) or a Production site (live and in use).
A Staging scan
is more thorough but might affect site stability. A Production scan is less likely to do this, but
might occasionally do so. For this reason, always back up your data before scanning. See FAQ.
- Optionally select the Include additional verified domains check box. Do this only if the
scan will include sub-domains other than that of the Starting URL, and you are able to verify
all the sub-domains (or they are already verified).
Example 1:
- Starting URL: http://b.a.com/home/
- Site has links to http://c.b.a.com
and you want those links included in the scan.
- Select the check box.
Example 2:
- Starting URL: http://b.a.com/home/
- Site has links to http://c.a.com or to http://a.com
and you want those links included in the scan.
- Select the check box and then verify a.com in Step 3
(unless already verified).
- Test Policy: Optionally change the type of tests used for the scan:
- Comprehensive (Default)
- This is the most complete and thorough set of tests, and is used by default
- Application-Only
- This policy includes only application-level tests
- The Vital Few
- This policy includes a selection of tests that have a high probability of success. It can be
useful for evaluating a site when time is limited.
- Test Optimization: Lets you choose to send all, or an "intelligently selected subset" of
all tests in your selected policy (for details, see Test Optimization).
- Normal
- Performs in-depth testing, sending all tests that are appropriate for the site as configured.
This setting is recommended when a longer scan will not interrupt your development workflow.
- Optimized (Default)
- Speeds up the scan by sending only tests for the more common, severe and otherwise significant
vulnerabilities. This setting is recommended during development, as part of your DevOps cycle, and
whenever a faster, overall picture is needed.
- Login: If your application requires login, select Yes, and enter
valid user credentials so that ASoC can log in to the
site.
Tip: It is recommended to use dedicated test credentials rather than those of an
actual user.
If your app requires a third credential, click Does the app require a third credential?, and
enter a valid value, for example: PIN# = 1234
Note that the use of a third credential requires intervention by our Support team, and may cause
the scan to take longer than usual. CAPTCHA is not supported.
- HTTP Authentication: If your application requires Negotiate, NTLM, Kerberos, ADFS, Basic
or Digest authentication, select Yes, and enter
domain/username in the first field and password in the second.
- Optionally select/clear the Send me an email when the scan is complete
check box.
- Click Scan.
If your permissions for running this scan are already verified, the scan starts immediately.
Otherwise the URL verification screen appears.
- URL verification (appears only if your permission to scan this site has not yet been
verified). Select a verification method:
- Email: Select one of the registered administrators of the site, and
the domain or subdomain that you are authorized to scan. An email is sent to that administrator,
containing a link to click, confirming your permission to scan the site. You will be able to start
the scan only after that link is clicked. The link is valid for seven days; if it is not clicked
during that time, you need to repeat this step.
- File: Download a file and save it to the root folder of your site.
The file's presence in the root folder confirms to ASoC
your permission to scan the site.
Important: The verification file must be available from the same scheme, domain and port as the
starting URL. Once the file is detected by the service, however, all the domain's applications
are verified.
Important: If you
selected the
Include additional verified domains check box on the previous page, make sure to
verify using a domain that includes all parts of the site you wish to scan.
Example:
- Starting URL: https://b.a.com/home/
- Site has links to https://c.a.com or to https://a.com
and you want those links included in the scan.
- Verify using an a.com email address or by saving the file
under a.com
- Great, let’s verify: (appears only if your permission to scan this site
has not yet been verified):
- When the email link has been clicked, or you saved the verification file in the root folder,
click Verify. When verification is complete, the name changes from "Verify"
to "Next".
- Click Next.
- Personal Scan: If you do not want the issues found in this scan to be aggregated with
the rest of the issues found in this application, select the Run as a Personal Scan check
box. For details see Personal scans.
- Click Scan.
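As an added example, not part of the AppScan on Cloud documentation or product, the following Python applies two rules from the procedure above before a scan is configured: the Starting URL port rule from the What URL should we scan? screen, and the domain logic behind the Include additional verified domains examples and the URL verification domain. It assumes absolute http(s) URLs and treats hosts that share fewer than two domain labels as unrelated sites; both are assumptions of this example, not ASoC rules.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def starting_url_problem(url):
    """Return None if `url` is an acceptable Starting URL under the rules on
    this page, otherwise a short description of the problem: the default port
    may be omitted, and an explicit non-default port must be higher than 1024."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return "expected an absolute http(s) URL with a host"
    try:
        port = p.port  # None when omitted; ValueError if not a valid number
    except ValueError:
        return "port is not a valid number"
    if port is not None and port != DEFAULT_PORTS[p.scheme] and port <= 1024:
        return f"non-default port {port} must be higher than 1024"
    return None

def common_domain(host_a, host_b):
    """Longest domain suffix shared by two hostnames, e.g. 'a.com' for
    b.a.com and c.a.com. Returns None when fewer than two labels are shared
    (assumption of this example: such hosts are unrelated sites)."""
    shared = []
    for x, y in zip(reversed(host_a.split(".")), reversed(host_b.split("."))):
        if x != y:
            break
        shared.append(x)
    return ".".join(reversed(shared)) if len(shared) >= 2 else None

def classify_link(start_url, link_url):
    """Apply the 'Include additional verified domains' examples to one linked
    host. Returns (action, domain):
      same-host           already covered by the Starting URL
      subdomain-checkbox  Example 1: select the check box, nothing new to verify
      checkbox-and-verify Example 2: select the check box and verify `domain`
      unrelated           shares no domain with the Starting URL"""
    start_host = urlsplit(start_url).hostname.lower()
    link_host = urlsplit(link_url).hostname.lower()
    if link_host == start_host:
        return ("same-host", start_host)
    shared = common_domain(start_host, link_host)
    if shared is None:
        return ("unrelated", None)
    if shared == start_host:
        return ("subdomain-checkbox", start_host)
    return ("checkbox-and-verify", shared)
```

Run classify_link over the links your crawler or site map reports before choosing the verification method, so the email address or file location you use (Step 3) covers every domain the scan will enter.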
Results
The new scan is added to the Scans view with its starting time, and a
progress bar indicates that the scan is running. When the scan is complete the progress bar closes,
the results are summarized in a graph, and (if selected) you receive an email notification. See
Working with Scan Results.
Note: Free plan scans are limited to four hours in length, so large
or complex sites may not be completely covered by these.