Application Scanning Page

The Application Scanning page lists all your scan profiles. From this page you can start scans and manage each scan profile's configuration. Application Scanning sits in the sidebar menu under Configurations, next to Surface Monitoring. Before you can create an application scan profile, the asset must have been added and verified on the Surface Monitoring page.

Managing your Scan Profiles

In the Application Scanning page, you find a list of your Scan Profiles, which includes:

  • Scan profile name: The name you give a profile. Use it to tell apart several Scan Profiles that target the same asset.

  • Asset: The domain that defines the extent of what is scanned.

  • Last scan: This shows the time when the last scan finished or if the scan is currently running.

  • Last scan status: If a previous scan has run, this shows whether it completed without issues or produced warnings or failures that should be investigated. Hover over the status to learn more, or select "Investigate" for guidance on how to resolve it.

  • Scan interference: Shows whether Detectify found that a web application firewall (WAF) prevented the scanner from fully assessing your web application.

  • Next scan: The time of the next scan, if any scan is scheduled. Selecting the Next scan brings you to Scan Profile settings.

  • Actions: Start a scan manually, remove the scan profile, or open the scan profile settings. The settings page holds everything that can be changed for that particular profile, such as the schedule and the more detailed scope settings.


You can start a new scan or stop a running one, and under additional actions you can open the settings or delete the Scan Profile. To create a new Scan Profile, select the Create Application Scan Profile button at the top of the page and fill in the required information. Note that these actions are only available to team members with the "Admin" or "Editor" role.

Scan Profiles that are not included in your subscription are grayed out, and you cannot start a scan for them. You can still view the results of previous scans. See the Application Scanning billing documentation for how to change your subscription to include these Scan Profiles.

Scan recommendations

At the top of the Application Scanning page you will find Scan Recommendations. These are shown when Detectify has found high-value web apps, with a lot of functionality and features, that are not yet covered by Application Scanning. Detectify classifies these apps using statistical inference to help improve your coverage, and recommends that you add an application scan profile for each of them so that your vulnerability assessment coverage is complete. The classification and recommendations feature is described in its own documentation page.


Scan warnings and failures

A scan fails if the scanner cannot reach a web app on the specified domain. This can happen for several reasons, such as:

  • No A records can be found for the domain, even after following a CNAME chain recursively.
  • No ports are found open on the resolved IPs. Scan profiles look for web applications on ports 80 and 443 by default. If you host the app on another port, you can specify that in the scan profile settings.
  • The open ports do not speak HTTP.
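The three failure causes above are exactly what a preflight check before creating a scan profile should test. The following script is an added example, not Detectify's own code: it follows a CNAME chain to A records, checks whether 80/443 accept connections, and checks whether whatever answers actually speaks HTTP. The resolver logic is exercised against a constructed record table (the `SAMPLE_RECORDS` names and addresses are made up) so it runs offline; the `live_*` helpers use only the standard library and perform real lookups and connections when you pass a domain on the command line.

```python
"""Preflight reachability checks mirroring the scan-failure causes.

Added example, not Detectify code. Live helpers use only the standard library.
"""
import socket
import ssl
import sys
from typing import Dict, List, Tuple

# Constructed zone data for the offline demonstration: name -> [(rrtype, value)].
SAMPLE_RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "app.example.com.": [("CNAME", "lb.example.net.")],
    "lb.example.net.": [("CNAME", "edge.example.net.")],
    "edge.example.net.": [("A", "192.0.2.10"), ("A", "192.0.2.11")],
    "loop.example.com.": [("CNAME", "loop2.example.com.")],
    "loop2.example.com.": [("CNAME", "loop.example.com.")],
    "dangling.example.com.": [("CNAME", "gone.example.net.")],
}


def resolve_a(name: str, records: Dict[str, List[Tuple[str, str]]], max_hops: int = 8) -> List[str]:
    """Return the A records for name, following CNAMEs recursively.

    Returns [] for an unknown name, a dangling CNAME, a CNAME loop or too many
    hops, i.e. the "no A records found" failure cause.
    """
    seen = set()
    current = name if name.endswith(".") else name + "."
    for _ in range(max_hops):
        if current in seen:
            return []  # CNAME loop
        seen.add(current)
        rrset = records.get(current)
        if not rrset:
            return []  # unknown name or dangling CNAME target
        a_records = [v for t, v in rrset if t == "A"]
        if a_records:
            return a_records
        cnames = [v for t, v in rrset if t == "CNAME"]
        if not cnames:
            return []  # only other record types (e.g. MX, TXT): nothing to reach
        current = cnames[0]
    return []


def looks_like_http(first_bytes: bytes) -> bool:
    """True if the first bytes a server sends back form an HTTP status line."""
    return first_bytes.startswith(b"HTTP/1.") or first_bytes.startswith(b"HTTP/2")


def live_a_records(domain: str) -> List[str]:
    """System-resolver lookup; the stub resolver follows CNAME chains itself."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def live_probe_port(ip: str, port: int, host: str, timeout: float = 5.0) -> str:
    """Return 'closed', 'open-not-http' or 'http' for one ip:port (live check)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            sock = raw
            if port == 443:
                # Reachability only: we deliberately do not validate the certificate here.
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
                sock = ctx.wrap_socket(raw, server_hostname=host)
            sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            data = sock.recv(64)
    except OSError:  # refused, timed out, reset, or TLS handshake failure
        return "closed"
    return "http" if looks_like_http(data) else "open-not-http"


def live_preflight(domain: str, ports=(80, 443)) -> Dict[str, object]:
    """Map the live results onto the three failure causes."""
    ips = live_a_records(domain)
    if not ips:
        return {"ok": False, "reason": "no A records (after following CNAMEs)"}
    results = {f"{ip}:{port}": live_probe_port(ip, port, domain) for ip in ips for port in ports}
    if all(r == "closed" for r in results.values()):
        return {"ok": False, "reason": "no open ports", "ports": results}
    if not any(r == "http" for r in results.values()):
        return {"ok": False, "reason": "open ports do not speak HTTP", "ports": results}
    return {"ok": True, "ports": results}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "app.example.com"
    print("offline sample:", resolve_a(target, SAMPLE_RECORDS))
    if len(sys.argv) > 1:
        print("live:", live_preflight(target))
```

If `live_preflight` reports `ok: False`, fix the cause (DNS, firewall or port setting) before creating the profile; if the app listens on a port other than 80 or 443, pass that port here and set the same port in the scan profile settings.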


A scan shows a warning if the recorded login fails. Recorded login is used to authenticate the scanner so that it can perform a deep assessment of the parts of the web application that sit behind a login. Because a recorded login replays actual clicks and interactions against your actual application, it is sensitive to navigation and layout changes made by your engineers. If the site changes behaviour, you may need to record a new login sequence, and the warning tells you when that is the case. There can be other reasons for a recorded login failure, so investigate by navigating to the finding, which contains a further explanation.


Scans will also display a warning if no or very few URLs are found.


Scan interference

While running Application Scanning, Detectify evaluates whether the scan appears to be blocked by a web application firewall (WAF). This is done by sending payloads that mimic malicious behaviour and then evaluating the response from the web server. A blocked scan means large parts of the application are never assessed, so the result is reported as scan interference rather than silently treated as a clean scan. The scan interference documentation page describes this in more detail.
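The following is an added illustration of the general technique described above, not Detectify's implementation: a benign baseline request and a handful of requests carrying well-known attack-pattern payloads are compared, and a probe whose response differs from the baseline in the way a WAF block page does (a 403/406/429-style status the baseline did not get, block-page wording, or a body that collapses to a fraction of the baseline size) counts as blocked. The status codes, marker strings and size ratio are this example's own assumptions; the `Response` objects in `SAMPLE_*` are constructed so the classifier runs offline, and `live_check` performs the same comparison against a real URL with the standard library.

```python
"""WAF-interference heuristic: compare probe responses with a benign baseline.

Added example, not Detectify's method. Thresholds and markers are assumptions.
"""
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Dict, List

# Probe payloads shaped like the patterns rule-based WAFs typically match on.
PROBES: Dict[str, str] = {
    "sqli": "' OR '1'='1",
    "xss": "<script>alert(1)</script>",
    "traversal": "../../../../etc/passwd",
}

BLOCK_STATUSES = {403, 406, 418, 429, 503}          # assumption: common block codes
BLOCK_MARKERS = ("request blocked", "access denied", "web application firewall")
COLLAPSE_RATIO = 0.1                                 # assumption: block page << app page


@dataclass
class Response:
    status: int
    body: str


def _has_marker(body: str) -> bool:
    lowered = body.lower()
    return any(marker in lowered for marker in BLOCK_MARKERS)


def probe_blocked(baseline: Response, probe: Response) -> bool:
    """True when the probe response looks like a WAF block relative to the baseline."""
    # A block-style status that the benign request did not receive.
    if probe.status != baseline.status and probe.status in BLOCK_STATUSES:
        return True
    # Block-page wording that is absent from the baseline page.
    if _has_marker(probe.body) and not _has_marker(baseline.body):
        return True
    # The application page replaced by a tiny block page.
    if baseline.body and len(probe.body) < COLLAPSE_RATIO * len(baseline.body):
        return True
    return False


def classify_interference(baseline: Response, probes: Dict[str, Response]) -> Dict[str, object]:
    """Summarise which probes were blocked; any block means interference."""
    blocked: List[str] = [name for name, resp in probes.items() if probe_blocked(baseline, resp)]
    return {"interference": bool(blocked), "blocked_probes": blocked, "total": len(probes)}


def fetch(url: str, timeout: float = 10.0) -> Response:
    """Live GET that returns the body even for 4xx/5xx answers."""
    req = urllib.request.Request(url, headers={"User-Agent": "interference-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Response(err.code, err.read().decode("utf-8", "replace"))


def live_check(base_url: str, param: str = "q") -> Dict[str, object]:
    """Run the comparison against a real endpoint, e.g. live_check('https://app.example.com/search')."""
    baseline = fetch(f"{base_url}?{urllib.parse.urlencode({param: 'hello'})}")
    probes = {
        name: fetch(f"{base_url}?{urllib.parse.urlencode({param: payload})}")
        for name, payload in PROBES.items()
    }
    return classify_interference(baseline, probes)


# Constructed sample responses (not captured from any real site).
SAMPLE_BASELINE = Response(200, "<html><body><h1>Search</h1><p>No results for your query.</p></body></html>")
SAMPLE_BLOCKED = {
    "sqli": Response(403, "<h1>Request blocked</h1>"),
    "xss": Response(200, SAMPLE_BASELINE.body),
    "traversal": Response(403, "Access denied"),
}
SAMPLE_CLEAN = {name: Response(200, SAMPLE_BASELINE.body) for name in PROBES}
```

Comparing against a baseline, rather than looking at the probe status alone, keeps an application that legitimately rejects odd input from being mistaken for a WAF; using several probe families matters because a WAF may block one pattern and let another through, and a single blocked probe is already enough to leave parts of the application unassessed.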


FAQ

Q: How can I see the Scan Profiles for a specific asset?

A: You can use the search bar to filter the list based on the asset name.

Q: I don't see the Start button. Instead, I see a button saying "Investigate". Why?

A: If a scan profile has failed or shows scan interference, such as being blocked by a WAF, we first guide you to investigate the issue before starting another scan. You can still start a scan if you want to: click "Investigate" and start the scan from the modal that opens.

Q: I don’t see the Start button. Why?

A: Only users with the "Admin" or "Editor" role in the team can start scans. Contact your team admin to have your role elevated. If there is a problem with your scan, you will see an Investigate button in place of the Start button; it explains the problem and how to resolve it.