Scan settings: Method

To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings. Then, in the Scan Settings category, select Method.

Scan mode

The Scan Mode options are described in the following table.

Option Description
Crawl Only This option completely maps a site's tree structure. After a crawl has been completed, you can click Audit to assess an application’s vulnerabilities.
Crawl and Audit As OpenText DAST maps the site's hierarchical data structure, it audits each resource (page) as it is discovered (rather than crawling the entire site and then conducting an audit). This option is most useful for extremely large sites where the content may possibly change before the crawl can be completed. This is described in the Default Settings Crawl and Audit Mode option called Simultaneously. For more information, see Crawl and audit mode.
Audit Only OpenText DAST applies the methodologies of the selected policy to determine vulnerability risks, but does not crawl the web site. No links on the site are followed or assessed.

Manual

(Not available for Guided Scan)

Manual mode enables you to navigate manually to whatever sections of your application you choose to visit. It does not crawl the entire site, but records information only about those resources that you encounter while manually navigating the site. This feature is used most often to enter a site through a web form logon page or to define a discrete subset or portion of the application that you want to investigate. After you finish navigating through the site, you can audit the results to assess the security vulnerabilities related to that portion of the site that you recorded.

Crawl and audit mode

The Crawl and Audit Mode options are described in the following table.

Option Description
Simultaneously As OpenText DAST maps the site's hierarchical data structure, it audits each resource (page) as it is discovered (rather than crawling the entire site and then conducting an audit). This option is most useful for extremely large sites where the content may possibly change before the crawl can be completed.
Sequentially In this mode, OpenText DAST crawls the entire site, mapping the site's hierarchical data structure, and then conducts a sequential audit, beginning at the site's root.

Crawl and audit details

The Crawl and Audit Details options are described in the following table.

Option Description
Include search probes (send search attacks)

If you select this option, OpenText DAST will send requests for files and directories that might or might not exist on the server, even if those files are not found by crawling the site.

This option is selected by default only when the Scan Mode is set to Crawl & Audit. The option is cleared (unchecked) by default when the Scan Mode is set to Crawl Only or Audit Only.

Crawl links on File Not Found responses

If you select this option, OpenText DAST will look for and crawl links on responses that are marked as “file not found.”

This option is selected by default when the Scan Mode is set to Crawl Only or Crawl & Audit. The option is not available when the Scan Mode is set to Audit Only.
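The "Crawl links on File Not Found responses" option matters because a custom error page is often a normal HTML page with its own navigation, and those links can lead to resources the crawler would otherwise never see. The following is an added illustration, not code from OpenText DAST: a small link extractor that applies the option to one response. The response dictionary layout, the sample error page and the `crawl_links_on_not_found` flag name are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)


def extract_links(base_url, html):
    """Return the absolute URLs linked from `html`, resolved against `base_url`,
    in document order with duplicates removed."""
    collector = _LinkCollector()
    collector.feed(html)
    seen, links = set(), []
    for href in collector.hrefs:
        absolute = urljoin(base_url, href)
        if absolute not in seen:
            seen.add(absolute)
            links.append(absolute)
    return links


def links_to_crawl(response, crawl_links_on_not_found):
    """Decide which links a crawler should queue from one response.

    `response` is a constructed dict with "url", "status" and "body" keys.
    A 404 response is treated as "file not found"; its links are followed
    only when the option is enabled, mirroring the setting described above.
    """
    is_not_found = response["status"] == 404
    if is_not_found and not crawl_links_on_not_found:
        return []
    return extract_links(response["url"], response["body"])


# Constructed sample: a custom 404 page that still links to real resources.
SAMPLE_NOT_FOUND = {
    "url": "https://app.example.test/old/report.aspx",
    "status": 404,
    "body": """
        <html><body>
          <h1>Page not found</h1>
          <p>Try the <a href="/sitemap.aspx">site map</a> or
             <a href="../help/contact.aspx">contact us</a>.
             <a href="/sitemap.aspx">Site map</a> (repeated link)</p>
        </body></html>
    """,
}


if __name__ == "__main__":
    print("option off:", links_to_crawl(SAMPLE_NOT_FOUND, False))
    print("option on: ", links_to_crawl(SAMPLE_NOT_FOUND, True))
```

With the option off the 404 page contributes nothing to the crawl queue; with it on, the error page's own navigation (the site map and help links in the sample) is discovered even though nothing else on the site points to it.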

Navigation

The Navigation options are described in the following table.

Option Description
Auto-fill Web forms during crawl

If you select this option, OpenText DAST submits values for input controls found on all forms. The values are extracted from a file you create using the Web Form Editor. Use the browse button to specify the file containing the values you want to use. Alternatively, you can select the Edit button (to modify the currently selected file) or the Create button (to create a web form file).

Caution! Do not rely on this feature for authentication. If the crawler and the auditor are configured to share state, and if OpenText DAST never inadvertently logs out of the site, then using values extracted by the Web Form Editor for a login form may work. However, if the audit or the crawl triggers a logout after the initial login, then OpenText DAST will not be able to log in again and the auditing will be unauthenticated. To prevent OpenText DAST from terminating prematurely if it inadvertently logs out of your application, go to Scan Settings - Authentication and select Use a login macro for forms authentication.

Prompt for Web form values

If you select this option, OpenText DAST pauses the scan when it encounters an HTTP or JavaScript form and displays a window that enables you to enter values for input controls within the form. However, if you also select Only prompt for tagged inputs, OpenText DAST will not pause for user input unless a specific input control has been designated Mark as Interactive Input (using the Web Form Editor). This pausing for input is termed "interactive mode" and you can cancel it at any time during the scan.

For more information about configuring an interactive scan, see Interactive scans.

Use Web Service Design

This option applies only to web service scans.

When performing a web service scan, OpenText DAST crawls the WSDL site and submits a value for each parameter in each operation. These values are contained in a file that you create using the Web Service Test Designer tool. OpenText DAST then audits the site by attacking each parameter in an attempt to detect vulnerabilities such as SQL injection.

Use the browse button to specify the file containing the values you want to use. Alternatively, you can select the Edit button (to modify the currently selected file) or the Create button (to create a SOAP values file).

SSL/TLS protocols

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols provide secure HTTP (HTTPS) connections for Internet transactions between web browsers and web servers. SSL/TLS protocols enable server authentication, client authentication, data encryption, and data integrity for web applications.

Note: If Use OpenSSL Engine is selected in Application Settings, the SSL/TLS Protocols options are disabled. You cannot select individual protocols. For more information, see Application settings: General.

Select the SSL/TLS protocol(s) used by your web server. The following options are available:

If you do not configure the SSL/TLS protocol to match your web server, OpenText DAST will still connect to the site, though there may be a performance impact.

For example, if the setting in OpenText DAST is configured to Use SSL 3.0 only, but the web server is configured to accept TLS 1.2 connections only, OpenText DAST will first try to connect with SSL 3.0, but will fail. OpenText DAST will then implement each protocol until it discovers that TLS 1.2 is supported. The connection will then succeed, although more time will have been spent in the effort. The correct setting (Use TLS 1.2) in OpenText DAST would have succeeded on the first try.
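To pick the right setting you need to know which protocol versions your web server actually accepts. The block below is an added example, not OpenText DAST code: `server_accepts` pins a Python `ssl` client context to exactly one TLS version and reports whether the handshake completes, and `handshake_attempts` models the fallback walk described in the paragraph above (oldest configured protocol first, stepping to newer ones until the server agrees). The model is an assumption drawn from the page's single worked example; the protocol order list, the `accepted` set and the host argument are constructed for this illustration. SSL 3.0 is left out of the live probe because current OpenSSL builds refuse it, and TLS 1.3 is included in the probe as an assumption since it is not mentioned on the page.

```python
import socket
import ssl
import sys

# Fallback order modelled on the page's example (SSL 3.0 -> TLS 1.0 -> 1.1 -> 1.2).
PROTOCOL_ORDER = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]

# Versions the live probe tries; SSL 3.0 is omitted (unsupported by modern OpenSSL).
PROBE_VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,  # assumption: not listed on the page
}


def handshake_attempts(configured, accepted):
    """Return (list of protocols tried, connected?) for a scanner configured to
    use `configured` against a server accepting the set `accepted`.

    Models the behaviour described above: the configured protocol is tried
    first, then each newer protocol in turn until one succeeds.
    """
    start = PROTOCOL_ORDER.index(configured)
    attempts = []
    for proto in PROTOCOL_ORDER[start:]:
        attempts.append(proto)
        if proto in accepted:
            return attempts, True
    return attempts, False


def server_accepts(host, port, version, timeout=5.0):
    """True if `host:port` completes a TLS handshake pinned to exactly `version`.

    Certificate verification is disabled on purpose: the question is which
    protocol versions the server negotiates, not whether its certificate chains
    to a trusted root. A handshake that fails for any reason (server refuses the
    version, local OpenSSL policy forbids it, network error) counts as "not
    accepted", which is also the answer that matters for configuring a scanner.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe_server(host, port=443):
    """Return the names of the TLS versions `host` accepts, oldest first."""
    return [name for name, ver in PROBE_VERSIONS.items()
            if server_accepts(host, port, ver)]


if __name__ == "__main__":
    # Usage: python tls_probe.py your-web-server.example.test [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("accepted by server:", probe_server(target, port))
    # The page's worked example: scanner set to SSL 3.0 only, server TLS 1.2 only.
    print("attempts when misconfigured:", handshake_attempts("SSL 3.0", {"TLS 1.2"}))
```

Run the probe against your own server once, then select the versions it reports in the SSL/TLS Protocols options so that, as the paragraph above explains, the scanner connects on the first attempt instead of working through each protocol in turn.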

See also

Scan settings: Allowed Hosts

Scan settings: Authentication

Scan settings: Cookies/Headers

Scan settings: Custom Parameters

Scan settings: File Not Found

Scan settings: Filters

Scan settings: General

Scan settings: HTTP Parsing

Scan settings: JavaScript

Scan settings: Policy

Scan settings: Proxy

Scan settings: Requestor

Scan settings: Session Exclusions

Scan settings: User Agent