
Quick guide to authenticated web-app scanning

Everything you need to know about running an authenticated scan


⚠️ Important: We always err on the side of caution and recommend scanning test environments or those connected to a test harness. Though we don't recommend it, if you want to add admin credentials to a production target, then please read this article first: Adding an admin user when adding Authentications

ℹ️ Note:

  • Adding an external web application target will automatically assign an application license and kick off our web app scanner on your next scan.

  • Authenticated web-app scanning is only available to those who have purchased Application licenses.


Overview

Throughout this example, we will be using 18.207.245.49, where we are hosting our test application. You may use a fully qualified domain name (FQDN) or IP address.

Adding a target

Head to the targets page, and click + Add Targets > External web application:

You can then add the Target and Entrypoint URL, and any Tags you'd like to assign:

You'll then have a chance to add on an API schema and/or authentication. If you choose to skip for now, you can add this later on, and the target will be scanned from an unauthenticated perspective:

Once you've added your target and optionally added a tag and any authentication or API schemas, you will see it appear in your targets list:

If you click on the target name, you will be taken to the Target Details page, where you can view more information about the target. If you click the 'Authentications' tab, you'll see a button inviting you to 'Add authentication'. Give it a click.

Adding authentications

Once you've clicked the '+ Add authentication' button, use the + Add button to add Authentications.

Once you click on + Add you will be presented with the following modal, which will allow you to choose which authentication type you would like to add:

ℹ️ Note: Starting a scan will test all authentications. Individual selection is not currently supported; if four authentications are assigned to a target, all four scans will run simultaneously.

To keep this user guide concise, we have created separate help guides for each of the authentication types, which you can access by clicking the hyperlinks below:

Starting a scan

To start a scan, navigate to Scans page > Scan Now. Then, select the targets you would like to scan, name the scan, and select your desired advanced settings:

ℹ️ Note: Advanced settings are only available on Pro, Enterprise, and Vanguard plans.

Once you're happy, click the Start Scan button. You'll see that the scan has started and will be listed under the In Progress section of the Scans page.

ℹ️ Note:

  • Please note that the progress bar is an approximation, but it becomes more accurate the more scans you run.

  • If you ever see "Analyzing Results", don't worry; it just means that our team is manually reviewing the results to make sure they're accurate.

  • Authenticated web-app scans can take significantly longer to run than normal infrastructure scans, so don't panic if it's been a few hours.

Reviewing results

Once the scan has finished and the results have been published, you'll be able to see all of the findings on your Issues page. Here you'll have the option to filter by tag/target/severity/exploit likelihood/CVSS/EPSS and more. You can also sort by severity or number of occurrences. For more details on the Issues Page, take a look at the Issues page explained article.


Clicking on an issue will allow you to see all occurrences of that issue, as well as the Scanner Output (for those looking for some extra detail on a finding), Description, and Remediation advice. Clicking on the Actions button allows you to snooze an issue or occurrence, run a rescan of the issue after fixing it, or send it to an integration of your choice.

Downloading a report

You can download a report from the Dashboard, Reports, or Scans pages. For full information, take a look at this article!
