Overview

In beSECURE, a regular scan scans a client's network (OSI layers 2-6) for vulnerabilities, while a web scan focuses specifically on vulnerabilities in web applications (layer 7). The Web Scan option in beSECURE includes tests for issues such as cross-site scripting and SQL injection.


There are a few ways to create a web scan, but an important note is that any fully qualified domain name (FQDN) or IP address that a user wants web-scanned needs to be on a regular scan. You cannot perform a web scan on a hostname that is not associated with a regular scan.


Regular scans allow multiple hosts on one scan, while web scans are created per hostname. This is because the crawler must first crawl the site to find its dynamic pages, and beSECURE then scans only those dynamic pages.
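The hostname requirement above can be checked before you create the web scan. The following Python script is an added example, not beSECURE's own code or API: it parses a Range string in the format the Create New Scan wizard accepts (comma-separated IP addresses and/or hostnames) and reports whether a hostname is covered, either because it appears literally in the Range or because it resolves to an IP address that does. The sample Range and the static resolver table are constructed for the example; in practice pass the default DNS resolver.

```python
"""Pre-flight check: is the hostname you want to web-scan covered by a regular scan?

beSECURE only lets you attach a web scan to a hostname that is already in a
regular scan's Range. This helper parses a Range string in the format the
Create New Scan wizard accepts (comma-separated IPs and/or hostnames) and
decides whether a hostname is covered, either by a literal hostname entry or
because the hostname resolves to an IP listed in the Range.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def parse_range(range_field: str) -> Dict[str, List]:
    """Split a Range string into IP objects and hostnames, ignoring blank entries."""
    ips, hostnames = [], []
    for raw in range_field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            ips.append(ipaddress.ip_address(entry))
        except ValueError:
            # Not an IP literal, so treat it as a hostname (normalised for comparison)
            hostnames.append(entry.lower().rstrip("."))
    return {"ips": ips, "hostnames": hostnames}


def dns_resolver(hostname: str) -> Optional[str]:
    """Default resolver using the system DNS; returns None if the lookup fails."""
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None


def hostname_covered(hostname: str, range_field: str,
                     resolve: Resolver = dns_resolver) -> str:
    """Return how the hostname is covered: 'hostname', 'ip', or 'not-covered'.

    Checked in this order:
      1. A literal hostname entry in the Range.
      2. The hostname resolves to an IP address that appears in the Range.
    """
    parsed = parse_range(range_field)
    name = hostname.lower().rstrip(".")
    if name in parsed["hostnames"]:
        return "hostname"
    addr = resolve(name)
    if addr is not None:
        try:
            if ipaddress.ip_address(addr) in parsed["ips"]:
                return "ip"
        except ValueError:
            pass  # resolver returned something that is not an IP literal
    return "not-covered"


# Constructed sample data (not from any real scan): a Range string and a
# static resolver standing in for DNS so the check runs offline.
SAMPLE_RANGE = "192.168.0.0, 192.168.0.1, intranet.example.com"
SAMPLE_DNS = {
    "www.example.com": "192.168.0.1",   # resolves into the Range
    "shop.example.com": "10.9.8.7",     # resolves outside the Range
}


def sample_resolver(hostname: str) -> Optional[str]:
    """Offline stand-in for DNS using the constructed table above."""
    return SAMPLE_DNS.get(hostname)


def preflight(hostnames, range_field=SAMPLE_RANGE, resolve=sample_resolver):
    """Map each hostname to its coverage verdict."""
    return {h: hostname_covered(h, range_field, resolve) for h in hostnames}


if __name__ == "__main__":
    verdicts = preflight(["intranet.example.com", "www.example.com", "shop.example.com"])
    for host, verdict in verdicts.items():
        print(f"{host}: {verdict}")
```

A hostname reported as not-covered must be added to a regular scan's Range first (or that scan must be created) before Method 1 to 3 below will let you attach a web scan to it.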

It is also important that the scanner's IP addresses are whitelisted on any firewall, WAF or other filtering device in front of the target so that beSECURE can reach it; if the scanner's requests are blocked or rate-limited, the crawl and scan results will be incomplete.


Creating a web scan

There are three methods to create a web scan in beSECURE:


Method 1: Create New Scan Wizard

  1. Log in to beSECURE.
  2. In the upper-left corner of the Home page, select DevOps.
  3. Select Create New Scan.
  4. In the Scan Name box, enter a name for the scan.
  5. In the Range box, enter the IP address(es) and/or hostname(s) to scan. If you enter multiple entries, separate each with a comma (for example, 192.168.0.0, 192.168.0.1).
  6. In the Organization box, select from the organizations you've registered with your account.
  7. In the LSS box, select your local scanning server (if you've deployed one) or select an integrated cloud option.
  8. Leave the Create Web Scan checkbox selected. 
  9. In the Contact box, select which contact in your account will receive notifications regarding the scan.
  10. All Notifications are selected by default. If you don't want the Contact to receive a notification, clear its checkbox.
  11. In the Schedule box, select when you want the scan to run.
  12. For Routine, select the corresponding frequency you want the scan to run based on your Schedule setting.
  13. Select Create to save your settings and schedule the scan.


Method 2: Add a web scan to an existing scan

  1. Log in to beSECURE.
  2. In the upper-left corner of the Home page, select DevOps.
  3. Select Scans > Scans List.
  4. From the Scan List page, select the desired scan.
  5. On the Settings > Main tab, select the checkbox(es) for each web scan you want to run.
  6. Select Save.


Method 3: Create a web scan from the Web Scan page

  1. Log in to beSECURE.
  2. In the upper-left corner of the Home page, select DevOps.
  3. Select Scans > Web Scans List.
  4. Select the New button.
  5. On the Settings > Main tab, do the following:
    1. In the Web Scan Name box, enter a name for the scan.
    2. In the LSS box, select your local scanning server (if you've deployed one) or select an integrated cloud option.
    3. In the Organization box, select from the organizations you've registered with your account.
    4. In the Scan box, select a scan to run.
    5. In the Hostname box, enter the hostname to scan.
  6. Select Create to save your settings and start your scan.


Overview of Web Scan Details tabs

Settings

  • Main - Displays the required Web Scan details, including the Web Scan Name, LSS, Organization, the scan name the hostname is associated with, and the hostname being scanned.
  • Authentication - Adding authentication to a web scan is optional, but without it the crawler and scanner only see the pages reachable anonymously. There are six authentication options: Basic, NTLM, Web Login, Webtest, SSL Client Certificates, and JavaScript (only relevant if using an on-premises scanner).
  • Tests - Displays the types of vulnerabilities that are being scanned for. There is an option to disable any type of test.
  • Crawler - The website is crawled to find the dynamic pages and then beSECURE will only scan the dynamic pages. The scrapper is the default crawler and is the only option on cloud2/3. If using an on-premises scanner, there is an option for the DOM crawler (JavaScript crawler).

    If there is a specific starting point that needs to be crawled that is not reachable from the default URL, you can add it as a new starting point or crawl only that single page. Instead of having the website crawled for dynamic pages, you can import a comma-separated values (CSV) file containing a list of dynamic pages (if available).
  • Configuration - beSECURE limits the URLs crawled and scanned per website to 500; pages beyond that limit are not tested. Other settings include automatically starting the scan (after the site has finished crawling), recrawling before starting to scan, and turning off duplicate script detection.
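The Crawler and Configuration options above leave two practical questions: how to build the list of dynamic pages when you import one instead of crawling, and whether that list fits under the 500-URL cap. The following Python script is an added example, not beSECURE's code: it reads combined-format web server access-log lines (constructed here), keeps the dynamic requests (a query string or a POST), collapses URLs that differ only in parameter values into one entry so the same script is not listed repeatedly, and reports how the result sits against the cap. beSECURE's CSV import layout is not shown on this page, so the one-URL-per-row file written by to_csv() is an assumption; confirm the expected columns for your deployment before importing.

```python
"""Build a dynamic-page list for a web scan and check it against the 500-URL cap.

Constructed example, not beSECURE code. Reads Apache/nginx combined-format
access-log lines, keeps only "dynamic" requests (a query string or a POST),
and collapses URLs that differ only in parameter values into one entry.
The CSV layout written by to_csv() (one URL per row, no header) is an
assumption about beSECURE's import format.
"""
import csv
import io
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

URL_CAP = 500  # crawl/scan limit per website stated in the Configuration tab

# Combined log format: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed log lines for the example (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 2048
10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?q=boots HTTP/1.1" 200 2100
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=7&lang=en HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?lang=fr&id=9 HTTP/1.1" 200 910
10.0.0.8 - - [01/Jan/2024:10:00:06 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /static/app.js HTTP/1.1" 200 30000
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /missing.php?x=1 HTTP/1.1" 404 120
"""


def normalize(path: str) -> str:
    """Canonical form of a request: sorted parameter names, values blanked.

    /item.php?lang=fr&id=9 and /item.php?id=7&lang=en both become
    /item.php?id=&lang=, so the scanner sees one script with two parameters
    rather than every value combination the logs happen to contain.
    """
    parts = urlsplit(path)
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    query = urlencode([(k, "") for k in names])
    return parts.path + ("?" + query if query else "")


def dynamic_pages(log_text: str, host: str = "www.example.com") -> list:
    """Return de-duplicated dynamic URLs seen in the log (2xx/3xx responses only).

    'Dynamic' here means the request carried parameters (a query string) or
    was a POST; static assets and parameter-less GETs are left to the crawler.
    """
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        method, path, status = m.group("method"), m.group("path"), int(m.group("status"))
        if status >= 400:
            continue  # error responses are not pages worth scanning
        if method != "POST" and "?" not in path:
            continue  # static file or parameter-less request
        key = (method, normalize(path))
        seen.setdefault(key, f"https://{host}{key[1]}")
    return sorted(seen.values())


def check_cap(urls: list, cap: int = URL_CAP) -> dict:
    """Report how the list sits relative to the per-site URL cap."""
    return {
        "count": len(urls),
        "cap": cap,
        "over_cap": len(urls) > cap,
        "dropped_if_truncated": max(0, len(urls) - cap),
    }


def to_csv(urls: list) -> str:
    """Assumed import layout: one URL per row, no header."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for url in urls:
        writer.writerow([url])
    return buf.getvalue()


if __name__ == "__main__":
    pages = dynamic_pages(SAMPLE_LOG)
    print(to_csv(pages), end="")
    print(check_cap(pages))
```

If check_cap reports over_cap, split the site into more than one web scan (for example by path prefix) rather than letting the 500-URL limit silently drop pages; the parameter-value collapsing in normalize() is the same idea as the duplicate script detection setting, and is why that setting is normally left on.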

Permissions

The Permissions tab allows you to assign a web scan to one or several users, providing them the ability to edit or delete the scan.

To assign a user, select the user from the Available box, and then that user will move to the Assigned box.


Reporting

The Reporting tab allows you to assign a contact (or group) who will receive email notifications regarding the scan.


Scheduling

The Scheduling tab allows you to control when the web scan will run. You can also see when the scan was most recently run and when the next scheduled run is due.


Note: Schedule changes will not take effect until you select Modify Schedule, and then select Modify. The scan and web scan must be configured to use the same schedule.


Status

The Status tab displays whether the scan is running. If the scan is running, a progress bar is visible, and you can stop or pause the scan and restart it at another time. If the scan is not running, there is an option to disable the scan so that it will not run at its scheduled time. You can re-enable the scan as needed.


Other

The Other tab contains a Comment box where you or the system can enter important information regarding the scan.


Other key options

While viewing a web scan, you can access these other options from the upper-right corner of the page: 

  • Immediate Scan - Allows you to run a scheduled scan immediately, rather than waiting for its scheduled time.
  • Modify - Saves any changes made to the scan.
  • Delete - Deletes the scan.
  • View Scan Settings - View the settings of the regular scan associated with the web scan.
  • View Report - View the results of the previously run scan and web scan.