In order that you find Application Scanning as useful as possible, this article provides guidance on how to set up and fine tune your Scan Profile so you get the most accurate results.
What to scan?
We recommend you to run Application Scanning on assets that host publicly accessible custom web applications, and you would like to test more thoroughly for vulnerabilities. For example, Application Scanning can test for vulnerabilities on content behind login using authentication.
Typically your web application is located on the apex domain, ex. detectify.com hosts Detectify. In some cases you may have a web application that is located on a subdomain, ex. blog.detectify.com and labs.detectify.com are two additional web applications that host our two blogs. For this example, three separate Scan Profiles should be created to cover the three different applications.
You can create your scan profiles under the Application Scanning page.
The first scan
While there are many settings that influence your scan behavior, we recommend to run the first scan with default settings. This will give you a baseline result that you can use to better tailor the behavior of the scan to your web application.
The runtime of Application Scanning depends on a lot of factors, and therefore can be anywhere from 15 minutes up to 48 hours.
If we’re can't reach the scan profile endpoint via HTTP(S) protocol on the scan profile ports (default is 80 and 443) due to firewall or other network issues, we will notify you that the scan failed to resolve. You can take a look at how to allow Detectify to access your site.
After the first scan
Once your first scan is completed, you can look at the results, and consider what can be optimized on your Scan Profile. To get an overview of what was scanned, you can view the following findings
“Discovered Hosts” identifies which hosts (domains or IPs)
FAQ
Q: I have very different behaviors in my web application with and without login, can I test both?
A: You can create multiple scan profiles for the same web application with one having the authentication specified, and the other not. That way you will have both behaviors tested.
Q: If Detectify is unable to hack in the logged in area without providing the authentication, doesn’t that mean my content behind it is secure?
A: Content behind login can only be as secure as the login itself. Even if there is no means to publicly register accounts for your application, hackers can find other ways to gain access by stealing login credentials, for example using phishing attacks or by means of social engineering. Hence, we always recommend limiting the damage a hacker can do even if they gain access to that content by ensuring they cannot access more than the user whose credentials were stolen is able to access.