Web applications can run on a variety of ports, so Application Scanning can check for different open ports and perform discovery and assessment on them if they accept HTTP traffic.
To show which ports were assessed during the scan, we provide a finding titled “Discovered Hosts”, which you can find in the results.
Our scanner checks a range of commonly exposed ports, which includes standard ports such as 80, 443, 8080, 8081, as well as ports related to specific technologies, such as 3000, 5432, 7001. The exact list depends on our assessment capabilities, which we are constantly improving. Altogether we test more than 50 ports in Application Scanning.
If you would like to limit assessment to specific ports, you can disable scanning of common ports in the Application Scanning settings under “Should we scan common ports?”. To disable scanning of common ports, you need to include at least one port to scan.
Common ports are checked for each host the scan receives at the beginning of the scan. If “Should we crawl subdomains?” is enabled, all already discovered subdomains of the Scan Profile endpoint that you see under Attack Surface will be included. For example, for the Scan Profile endpoint example.com, if blog.example.com and admin.example.com are existing subdomains, the scan will check all common ports on all three hosts.
If you would like to include or avoid specific ports, you can specify these ports by number in the Application Scanning settings under “Which ports must we include” and “Which ports must we avoid”.
As with the common ports, these conditions are applied to all hosts the scan touches. For example, for the Scan Profile endpoint example.com, if blog.example.com and admin.example.com are existing subdomains, including port 443 with common ports disabled will result in scanning example.com:443, blog.example.com:443 and admin.example.com:443, and no further port on any of the hosts.
Q: Do I need to include ports 80 or 443 in order to run a scan?
A: There is no need to include either port 80 or 443. For example, your web application can run on 8080; simply including that port and disabling scanning of common ports will allow proper scanning of the application.
Q: Can I have different port settings per subdomain for the scan?
A: The same port settings apply to all hosts included in the scan. If you would like to scan different subdomains with different port settings, we recommend setting up new Scan Profiles with the specific settings.