As a new user of AppCheck, setting up scans may seem complex, even overwhelming, especially scans of web applications. This guide will teach the basics of creating such scans. When you are familiar with the process, you will find that in the vast majority of cases it is quite simple and only takes a few minutes.
This guide will only describe the steps needed to set up a scan. Settings which are not mentioned in this guide can usually be left with their default values.
- Determine the Type of Scan
- Create a New Scan
- Add Scan Targets
- Authentication
- Optimisations
- Notifications
- Scheduling
- Scanning Hub
- Save
Determine the Type of Scan
The first consideration when creating a scan is the scan target. Is your target an item of infrastructure (such as a server or laptop), a web application, or an API? This guide will cover scanning web applications and APIs, see [infra guide] to learn how to create a scan for an item of infrastructure.
For more information on types of scan targets, see 3 Types of Scanning - Port Scanning, Web Application Scanning, and Infrastructure Scanning.
It is common to combine both types of scan as a way of adding extra value - your web application scan may also include a small infrastructure scan, and your infrastructure scan may include small web application scans. The question we are asking at this point is what will be the main target of your scan: is it a web application (including APIs) or an item of infrastructure?
A web application scan target will always take the form of a URL, and will always be accessed over HTTP or HTTPS. http://example.com and https://api.example.com are web application scan targets.
example.com is not a URL; it is simply a fully qualified domain name. It does not identify a web application, it identifies a server, and as such it would be an infrastructure scan target.
ftp://example.com/ is a URL, but it does not use HTTP or HTTPS, and so is not a valid scan target.
Your application may be made up of multiple parts, such as the front-end and the API, eg https://www.example.com and https://api.example.com, which must both be accessed together to use the application. In this case, both web application targets should be added to the same scan.
If your API is not called directly from the end-user's browser, but is instead called by your front-end application server, then it does not need to be included in the scan - only the components accessed by the end-user need to be included in the scan.
Once you have determined that your main target is a web application, you can proceed to set up a scan.
Create a New Scan
Scanning a front-end application (on its own, or alongside an API)
From the main menu in the AppCheck Scanner Portal, select:
- Scans
- New Scan
- Web Application
- Standard or Single-Page Application
- Web Application
- New Scan
Scanning an API on its own
From the main menu in the AppCheck Scanner Portal, select:
- Scans
- New Scan
- Web Application
- API
- Web Application
- New Scan
For more information on standalone API scans, see Setting Up An API Scan
Give Your Scan a Name
Use a naming convention of your choice.
We strongly recommend not including the scan target URL in the name. The scan name may be included in notification emails from the Scanner in the form of links which point to the Scanner Portal - when your email client detects a hyperlink where the text is a URL and that URL differs from the link target the email client may identify the email as malicious. Including the hostname should be safe, so you may simply wish to remove the scheme, for example use example.com instead of https://example.com.
Add Scan Targets
Add the Primary Scan Target
Enter your scan targets in the Targets field. For convenience, the targets registered with your account, your Account Scope, are shown on the right-hand side. You can copy and paste from here to save having to type the targets in.
Your targets will be colour-coded to indicate the type of target (you may need to press Enter to complete adding a target). By default, when you add a Web Application Scan Target, eg https://example.com, the corresponding infrastructure target is added automatically (eg example.com). This is usually desirable, as it may reveal vulnerabilities in the environment the application is running in alongside findings from the application itself, but if you do not wish to use this behaviour you can remove the infrastructure target.
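To make the target rules above concrete, here is an added example (not AppCheck's own code) that classifies typed targets the way this guide describes and derives the infrastructure target implied by each web application target. It assumes a scheme-less entry is a bare fully qualified domain name; the category names and the `expand_targets` helper are illustrative, not portal identifiers.

```python
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit

# Categories used by this guide: an http(s) URL is a web application target,
# a bare fully qualified domain name is an infrastructure target, and any
# other URL (for example ftp://...) is not a valid scan target.
WEB_APPLICATION = "web application"
INFRASTRUCTURE = "infrastructure"
INVALID = "invalid"


def classify_target(target: str) -> tuple[str, Optional[str]]:
    """Return (category, implied infrastructure target) for one typed target.

    The implied value models the portal behaviour described above: adding
    https://example.com also adds example.com as an infrastructure target.
    """
    target = target.strip()
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        if parts.scheme.lower() in ("http", "https"):
            return WEB_APPLICATION, parts.hostname
        return INVALID, None  # a URL, but not accessed over HTTP(S)
    if not target or "://" in target or "/" in target:
        return INVALID, None
    return INFRASTRUCTURE, target.lower()  # assumption: a bare FQDN


def is_root_url(target: str) -> bool:
    """True when an http(s) target is a root URL such as https://example.com,
    rather than a sub-path such as https://example.com/cool_stuff."""
    parts = urlsplit(target.strip())
    return (parts.scheme.lower() in ("http", "https")
            and parts.path in ("", "/") and not parts.query)


def expand_targets(typed: list[str]) -> dict[str, list[str]]:
    """Group typed targets by category, adding the infrastructure target
    implied by each web application target (de-duplicated)."""
    groups: dict[str, list[str]] = {WEB_APPLICATION: [], INFRASTRUCTURE: [], INVALID: []}
    for raw in typed:
        category, implied = classify_target(raw)
        value = raw.strip().lower() if category == INFRASTRUCTURE else raw.strip()
        if value not in groups[category]:
            groups[category].append(value)
        if implied and implied not in groups[INFRASTRUCTURE]:
            groups[INFRASTRUCTURE].append(implied)
    return groups
```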
Consider Additional Scan Targets
Additional targets may include:
- The API(s) associated with the application
- CMS
- Subdomains used as part of the application (eg https://account.example.com)
The targets you include will be crawled within one browser session.
There are two main reasons to do this:
Endpoint discovery
It may not be possible to crawl one of your targets on its own, but its endpoints can be discovered when interacting with another target. For example: crawling your front-end application may be the only way to discover your API endpoints and files hosted in your CMS platform.
Authentication
Access to one of your targets may require authentication, and the easiest way to gain authentication is through another target. For example, it may not be possible to make requests to your API without first opening an authenticated session via the front-end application.
It is usually possible to scan such targets on their own, but this is generally a lot more complex to set up (see Configuring Authentication for a Standalone API Scan).
When we refer to a Web Application Scan Target, we are referring to a root URL, eg https://example.com, not https://example.com/cool_stuff. See Application Scan Targets, Scope, Seeded Targets and Denied Targets for more information.
Authentication
Configuring authentication for a web application scan is the most complex part of the scan setup, and so is discussed in a dedicated guide.
See also Selecting an Account for your Authenticated Web Application Scan
You may wish to familiarise yourself with basic scan creation by completing this guide before adding authentication; however, it is strongly recommended to set up an authenticated scan when you are ready. If your application makes use of an authentication barrier then it is highly likely that much of the application will not be scannable without configuring authentication.
When you are ready to configure authentication, you will usually do so by populating the following fields:
- Web Application Scanner Settings
- Authenticated Scanning
- Username
- Password
- Login URL
- GoScript
- GoScript Variables (optional)
- Authenticated Scanning
Example
Digest Authentication and NTLM have their own areas in the scan settings. If your application uses another non-UI based authentication process, or you have other specific needs, search our FAQs to find more guides.
Optimisations
Most scan settings should be left on the defaults, and this guide will not go into any specific scan settings. However, you may wish to peruse Making Scans Faster, starting with Platform-Specific Checks for Platforms You Do Not Use.
Notifications
The scan Owner was set at the top of the page in
- Scan Settings
- Belongs To
when you created the scan. As well as changing this, you can also assign Watchers near the bottom of the page in
- Watcher Settings
The Owner and Watchers will receive email notifications when the scan starts and stops.
Scheduling
A scheduled start time for the scan, including a repeat, can be set in
- Scan Settings
- Scheduled Start Date
- Repeat
This is optional; the scan can be started manually, or via our API.
A scan window can also be set - running scans will automatically be paused outside of a scan window, if specified. This can be found in
- Scan Window Settings
- Add Schedule
Scanning Hub
By default scans are run from AppCheck's public Scanning Hubs. If you have purchased a Private AppCheck Scanning Hub you will have the option of configuring which hub(s) your scan should run from. This can be found at
- Advanced Config Settings
- Scanning Hub
If you have not purchased a Private AppCheck Scanning Hub this option will not be shown.
Save
To finish creating your scan, click Save, or Save and Scan if you wish to also begin the scan immediately.
You will be able to edit the scan by selecting
- Scans
- All Scans
then clicking the pencil icon:
Changes made to a scan configuration while the scan is running can be saved but will not take effect until the next time the scan starts.