Running a Basic Scan (website scan)
The options displayed by default on this and subsequent windows are extracted from the OpenText DAST default settings. Any changes you make will be used for this scan only. If you click Settings (Default) at the bottom of the window to access the full complement of OpenText DAST settings, any selections you make are also temporary. To change the default settings, you must select Default Scan Settings from the Edit menu. For more information, see Default scan settings.
Recommendation
OpenText recommends that you run only one scan at a time. When using SQL Express, in particular, depending on the size of the site, conducting concurrent (or parallel) scans might result in high usage of RAM, CPU, and disk resources on the OpenText DAST host.
Configuring Basic Scan options
-
In the Scan Name box, enter a name or brief description of the scan.
-
Select one of the following scan modes:
-
Crawl Only: Completely map a site's hierarchical data structure. After a crawl has been completed, you can click Audit to assess an application’s vulnerabilities.
-
Crawl and Audit: Map the site's hierarchical data structure and audit each resource (page). Depending on the default settings you select, the audit can be conducted as each resource is discovered or after the entire site is crawled. For information regarding simultaneous vs. sequential crawl and audit, see Crawl and audit mode.
-
Audit Only: Apply the methodologies of the selected policy to determine vulnerability risks, but do not crawl the website. No links on the site are followed or assessed.
-
Manual: Enables you to navigate manually to whatever sections of your application you choose to visit, using TruClient with Firefox. OpenText DAST does not crawl the entire site, but records information only about those resources that you encounter while manually navigating the site. This feature is used most often to enter a site through a web form logon page or to define a discrete subset or portion of the application that you want to investigate. Once you finish navigating through the site, you can audit the results to assess the security vulnerabilities related to that portion of the site that you recorded.
Note: Manual mode is not available when scheduling a scan.
-
-
Select a rendering engine from the Rendering Engine drop-down list. The rendering engine you select determines which Web Macro Recorder is opened when recording a new macro or editing an existing macro while configuring a scan. Options are as follows:
-
Event-based (preferred) – Selecting this option designates the Event-based Web Macro Recorder, which uses TruClient with Firefox technology.
-
Session-based – Selecting this option designates the Session-based Web Macro Recorder, which uses Internet Explorer browser technology.
Note: You cannot configure the Rendering Engine for Manual mode. Manual mode uses the TruClient with Firefox technology.
-
-
Select one of the following scan types:
-
Standard Scan: Performs an automated analysis, starting from the target URL. This is the normal way to start a scan.
-
Manual Scan: (also known as Step Mode) Enables you to navigate manually to whatever sections of your application you choose to visit, using TruClient with Firefox. This choice appears only if you select the Manual Scan mode.
-
List-Driven Scan: Performs a scan using a list of URLs to be scanned. Each URL must be fully qualified and must include the protocol (for example, http:// or https://). You can use a text file formatted either as a comma-separated list or with one URL per line.
-
To import a list, click Import.
-
To build or edit a list using the Site List Editor, click Manage. For more information, see Using the Site List Editor.
-
-
Workflow-Driven Scan: Audits only those URLs included in the macro that you previously recorded and does not follow any hyperlinks encountered during the audit. A logout signature is not required. This type of macro is used most often to focus on a particular subsection of the application. If you select multiple macros, they will all be included in the same scan. You can use .webmacro files, Burp Proxy captures, or .har files. For more information, see Selecting a workflow macro.
Important! If you use a login macro in conjunction with a workflow macro or startup macro or both, all macros must be of the same type: all .webmacro files, all Burp Proxy captures, or all .har files. You cannot use different types of macros in the same scan.
-
-
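The List-Driven Scan file format described above (comma-separated or one URL per line, every entry fully qualified with its protocol, IPv6 literals in brackets) is easy to get subtly wrong before a scan starts. The following validator is an added example, not OpenText DAST code; the sample list it checks is constructed here, and the error messages are this example's own wording.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list mixing both layouts: one URL per line and
# comma-separated entries. It contains a bracketed IPv6 literal, an entry
# without a protocol, and an unbracketed IPv6 literal. Not a real list file.
SAMPLE_LIST = """\
https://www.example.com/app/
http://[2001:db8::1]/login, example.com/nope
http://2001:db8::1/
"""


def parse_url_list(text: str) -> list:
    """Accept either list-file layout: one URL per line or comma-separated."""
    urls = []
    for line in text.splitlines():
        for part in line.split(","):
            part = part.strip()
            if part:
                urls.append(part)
    return urls


def check_url(url: str):
    """Return None if the URL is fully qualified, otherwise the reason it is not."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. a '[' without its closing ']'
        return str(exc)
    if parts.scheme.lower() not in ("http", "https"):
        return "missing or unsupported protocol (use http:// or https://)"
    authority = parts.netloc.rpartition("@")[2]  # drop any user:password@
    if authority.startswith("["):
        end = authority.find("]")
        try:
            ipaddress.IPv6Address(authority[1:end])
        except ValueError:
            return "malformed IPv6 address"
        return None
    if authority.count(":") > 1:  # host:port has at most one colon
        return "IPv6 addresses must be enclosed in brackets"
    if not authority.split(":")[0]:
        return "missing host"
    return None


def validate_list(text: str):
    """Split a list file into (valid URLs, {bad URL: reason})."""
    valid, bad = [], {}
    for url in parse_url_list(text):
        reason = check_url(url)
        if reason is None:
            valid.append(url)
        else:
            bad[url] = reason
    return valid, bad
```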
Continue according to the following table.
If you selected Standard Scan, follow these instructions:
-
In the Start URL box, type or select the complete URL or IP address of the site you want to examine.
If you enter a URL, it must be precise. For example, if you enter MYCOMPANY.COM, OpenText DAST will not scan WWW.MYCOMPANY.COM or any other variation (unless you specify alternatives in the Allowed Hosts setting).
An invalid URL or IP address will result in an error. If you want to scan from a certain point in your hierarchical tree, append a starting point for the scan, such as http://www.myserver.com/myapplication/.
Scans by IP address will not pursue links that use fully qualified URLs (as opposed to relative paths).
OpenText DAST supports both Internet Protocol version 4 (IPV4) and Internet Protocol version 6 (IPV6). IPV6 addresses must be enclosed in brackets. For more information, see Internet Protocol version 6.
-
If you select Restrict to folder, you can limit the scope of the scan to the area you choose from the drop-down list. The choices are:
-
Directory only - OpenText DAST will crawl and/or audit only the URL you specify. For example, if you select this option and specify a URL of www.mycompany/one/two/, OpenText DAST will assess only the "two" directory.
-
Directory and subdirectories - OpenText DAST will begin crawling and/or auditing at the URL you specify, but will not access any directory that is higher in the directory tree.
-
Directory and parent directories - OpenText DAST will begin crawling and/or auditing at the URL you specify, but will not access any directory that is lower in the directory tree.
For information about limitations to the Restrict to folder scan option, see Restrict to folder limitations.
-
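The Start URL, Allowed Hosts and Restrict to folder rules above together decide which discovered URLs a scan will follow. The functions below model those rules as an added example (not OpenText DAST's own scope logic): host names are compared case-insensitively but otherwise exactly, an Allowed Hosts entry may be a host name or a regular expression, and the three folder modes follow the definitions given above.

```python
import re
from urllib.parse import urlsplit

RESTRICT_MODES = ("directory only", "directory and subdirectories",
                  "directory and parent directories")


def _host(url: str) -> str:
    # Assumption: host names compare case-insensitively; "mycompany.com" and
    # "www.mycompany.com" remain different hosts, as the text states.
    return urlsplit(url).netloc.lower()


def _directory(url: str) -> str:
    """Directory portion of the path, always starting and ending with '/'."""
    path = urlsplit(url).path or "/"
    if not path.endswith("/"):
        path = path.rsplit("/", 1)[0] + "/"
    return path


def host_allowed(candidate: str, start_url: str, allowed_hosts=()) -> bool:
    """Exact host match, or a match against an Allowed Hosts entry (name or regex)."""
    host = _host(candidate)
    if host == _host(start_url):
        return True
    return any(re.fullmatch(pattern, host, re.IGNORECASE) for pattern in allowed_hosts)


def in_folder_scope(candidate: str, start_url: str, mode: str) -> bool:
    """Apply one Restrict to folder mode to a candidate URL."""
    base, cand = _directory(start_url), _directory(candidate)
    if mode == "directory only":
        return cand == base
    if mode == "directory and subdirectories":
        return cand.startswith(base)      # never a directory above the start
    if mode == "directory and parent directories":
        return base.startswith(cand)      # never a directory below the start
    raise ValueError(f"unknown mode {mode!r}; expected one of {RESTRICT_MODES}")


def in_scope(candidate: str, start_url: str, mode=None, allowed_hosts=()) -> bool:
    """Would a crawler-discovered URL be followed under this scan's scope?"""
    if not host_allowed(candidate, start_url, allowed_hosts):
        return False
    return mode is None or in_folder_scope(candidate, start_url, mode)
```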
If you selected Manual Scan, enter a Start URL and, if desired, select Restrict to folder. See Standard Scan described previously.
Note: You cannot configure the Rendering Engine for Manual mode. Manual mode uses the TruClient with Firefox technology.
If you selected List-Driven Scan, do one of the following:
-
Click Import and select a text file or XML file containing the list of URLs you want to scan.
-
Click Manage to create or modify a list of URLs.
If you selected Workflow-Driven Scan, do one of the following:
-
Click Manage to select, edit, record, import, export, or remove a macro.
-
Click Record and create a macro.
Note: You can include more than one macro in a scan.
-
-
Click Next.
The Authentication and Connectivity page appears.
Configuring network authentication and connectivity
On the Authentication and Connectivity page, you can configure proxy, network authentication, and site authentication settings.
Configuring proxy settings
To configure access to the target website through a proxy server:
-
Select Network Proxy.
-
Choose a profile from the Proxy Profile list. Profiles are:
-
Auto Detect: Use the Web Proxy Autodiscovery Protocol (WPAD) to locate a proxy autoconfig file and use this to configure the browser's web proxy settings.
-
Use System Proxy: Import your proxy server information from the local machine.
-
Use PAC File: Load proxy settings from a Proxy Automatic Configuration (PAC) file. If you select this option, click Edit to enter the location (URL) of the PAC. For more information, see Configuring the proxy profile.
-
Use Explicit Proxy Settings: Specify proxy server settings. If you select this option, click Edit to enter proxy information. For more information, see Configuring the proxy profile.
-
Use Mozilla Firefox: Import your proxy server information from Firefox.
Note: Electing to use browser proxy settings does not guarantee that you will access the Internet through a proxy server. If the Firefox browser connection settings are configured for "No proxy," or if the Windows setting "Use a proxy server for your LAN" is not selected, then a proxy server will not be used.
-
Configuring network authentication
To configure network authentication to the target website:
-
Select Network Authentication.
-
Select an authentication method and enter your network credentials. The authentication methods are:
-
ADFS CBT
-
Automatic
-
Basic
-
Digest
-
Kerberos
-
Negotiate
-
NT LAN Manager (NTLM)
-
OAuth 2.0 Bearer
-
-
Do one of the following:
-
For all authentication methods except OAuth 2.0 Bearer, type a user ID in the User Name box and the user's password in the Password box.
-
For the OAuth 2.0 Bearer method, click Configure and continue with Configuring OAuth 2.0 bearer credentials.
-
Using client certificates
To use a client certificate for a website, click Settings > Authentication and continue as follows:
-
In the Client Certificates area, select the Enable check box.
-
Click Select.
The Client Certificates window opens.
-
Do one of the following:
-
To use a certificate that is local to the computer and is global to all users on the computer, select Local Machine.
-
To use a certificate that is local to a user account on the computer, select Current User.
Note: Certificates used by a common access card (CAC) reader are user certificates and are stored under Current User.
-
-
Do one of the following:
-
To select a certificate from the "Personal" ("My") certificate store, select My from the drop-down list.
-
To select a trusted root certificate, select Root from the drop-down list.
-
-
Does the website use a CAC reader or a certificate that is password protected?
-
If yes, do the following:
-
Select a certificate that is prefixed with “(Protected)” from the Certificate list.
Information about the selected certificate and a Password/PIN field appear in the Certificate Information area.
-
If a password or PIN is required, type it in the Password/PIN field.
-
Click Test.
If you entered the correct password or PIN, a Success message appears.
Note: If a password or PIN is required and you do not enter it at this point, you must enter the password or PIN in the Windows Security window each time it prompts you during the scan.
Important! By default, OpenText DAST uses OpenSSL. If you are using a specific SSL/TLS protocol rather than OpenSSL, the Profiler portion of scan configuration may not work with certificates that are protected with a password.
-
-
If no, select a certificate from the Certificate list.
Information about the selected certificate appears below the Certificate list.
-
-
Click OK.
Updating certificates in composite scan settings
The composite scan settings include a BIN file that contains encrypted certificate data. If you need to replace or update the client certificate in your composite scan settings, you can place the updated PFX or P12 file inside the certificates directory in the composite settings ZIP file. When OpenText DAST opens the settings, it will check for PFX and P12 files first. If none are present, then the BIN file will be decrypted and used. For more information about composite settings, see Application settings: General.
To replace or update the client certificate:
-
Locate the encrypted BIN file in the certificates directory in your composite scan settings ZIP. The file name is a GUID, similar to the following:
<your-scansettings.zip>\certificates\0b627638-efda-4d01-a83e-80ee3a79b4cf.bin
Note: The default settings file location in Windows is C:\ProgramData\HP\HP WebInspect\Settings\.
-
Place the updated PFX or P12 file into the same directory.
-
Rename the PFX or P12 file the same name as the BIN file. Using the previous example, the file name will be as follows:
0b627638-efda-4d01-a83e-80ee3a79b4cf.pfx
— OR —
0b627638-efda-4d01-a83e-80ee3a79b4cf.p12
Important! Be sure to retain the original file extension.
-
Optionally, if you want to retain an encrypted certificate in the settings, save the settings again and the BIN file will reflect the updated PFX or P12 certificate. The PFX or P12 certificates will be removed from the ZIP.
Tip: PFX and P12 certificates frequently require a password. Use one of the following options to provide the password for the settings:
-
Set an empty password when you create the PFX or P12 certificate and place it in the settings ZIP file.
-
Keep the password for the PFX or P12 certificate and edit the settings.json file to set the password as the value of CertificatePin, as follows:
"CertificatePin": "<password>"
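The certificate-replacement procedure above is mechanical enough to script. The following is an added example, not an OpenText tool: it takes the composite settings ZIP as bytes, finds the GUID-named BIN file under certificates, stores the new PFX or P12 under that same GUID with its original extension, and optionally writes CertificatePin into settings.json. It assumes settings.json sits at the root of the ZIP and that exactly one BIN file is present; the demo archive it builds is constructed here.

```python
import io
import json
import posixpath
import zipfile
from typing import Optional


def find_bin_guid(zf: zipfile.ZipFile) -> str:
    """GUID stem of the single encrypted certificate BIN under certificates/."""
    bins = [n for n in zf.namelist()
            if posixpath.dirname(n) == "certificates" and n.endswith(".bin")]
    if len(bins) != 1:
        raise ValueError(f"expected exactly one certificates/*.bin, found {bins}")
    return posixpath.splitext(posixpath.basename(bins[0]))[0]


def stage_certificate(settings_zip: bytes, cert_bytes: bytes, cert_ext: str,
                      password: Optional[str] = None) -> bytes:
    """Return a new settings ZIP with the PFX/P12 placed beside the BIN file.

    The certificate keeps its own extension (.pfx or .p12) but takes the BIN
    file's GUID as its name, so the product picks it up before the BIN.
    """
    if cert_ext not in (".pfx", ".p12"):
        raise ValueError("certificate must keep its .pfx or .p12 extension")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(settings_zip)) as src:
        guid = find_bin_guid(src)
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                data = src.read(item.filename)
                if item.filename == "settings.json" and password is not None:
                    # Assumption: settings.json is at the ZIP root. The PIN is
                    # stored in clear text, so the ZIP must be protected like
                    # the certificate itself until the settings are re-saved.
                    settings = json.loads(data)
                    settings["CertificatePin"] = password
                    data = json.dumps(settings, indent=2).encode()
                dst.writestr(item, data)
            dst.writestr(f"certificates/{guid}{cert_ext}", cert_bytes)
    return out.getvalue()


def demo() -> dict:
    """Build a constructed sample settings ZIP, stage a PFX, report the result."""
    guid = "0b627638-efda-4d01-a83e-80ee3a79b4cf"  # GUID used in the text above
    sample = io.BytesIO()
    with zipfile.ZipFile(sample, "w") as zf:
        zf.writestr("settings.json", json.dumps({"CertificatePin": ""}))
        zf.writestr(f"certificates/{guid}.bin", b"\x00encrypted-placeholder")
    updated = stage_certificate(sample.getvalue(), b"PFX-PLACEHOLDER", ".pfx", "changeit")
    with zipfile.ZipFile(io.BytesIO(updated)) as zf:
        return {"names": sorted(zf.namelist()),
                "pin": json.loads(zf.read("settings.json"))["CertificatePin"],
                "cert": zf.read(f"certificates/{guid}.pfx")}
```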
Configuring site authentication
To configure site authentication:
-
Select Site Authentication to use a recorded macro containing one or more usernames and passwords that enables you to log in to the target site. The macro must also contain a "logout condition," which indicates when an inadvertent logout has occurred so OpenText DAST can rerun this macro to log in again.
If the macro uses parameters for which values are masked in the Web Macro Recorder, then these values are also masked when configuring a Basic Scan in OpenText DAST.
If Enable macro validation is selected in Scan Settings: Authentication for scans that use a login macro, OpenText DAST tests the login macro at the start of the scan to ensure that the log in is successful. If the macro is invalid and fails to log in to the application, the scan stops and an error message is written in the scan log file. For more information and troubleshooting tips, see Testing login macros.
Note: Macro testing is not supported for macros containing two-factor authentication.
Important! If you use a macro that includes Two-factor Authentication, then you must configure the Two-factor Authentication Application settings before starting the scan. For more information, see Application settings: Two-Factor Authentication.
Continue according to the following table.
To use a pre-recorded Web Macro Recorder macro, click the ellipsis button (...) to select a macro.
If, after selecting the macro, you want to modify it using the Web Macro Recorder, click Edit.
Tip: To erase the macro name, clear the Site Authentication check box.
To create a new macro, click Record.
The Web Macro Recorder opens.
Note: For more information about using the Web Macro Recorder, see the Web Macro Recorder Help.
To automatically create a login macro, do the following:
Note: You cannot automatically create login macros for privilege-escalation and multi-user login scans.
-
Select Auto-gen Login Macro.
-
Type a username in the Username field.
-
Type a password in the Password field.
Optionally, click Test to locate the login form, generate the macro, and run macro validation tests before advancing to the next stage in the Scan wizard. If you need to cancel the validation test prior to completion, click Cancel.
If the macro is invalid and fails to log in to the application, an error message appears. For more information and troubleshooting tips, see Testing login macros.
-
-
Click Next.
The Crawl Coverage and Thoroughness page appears.
Configuring crawl coverage and thoroughness
To configure a balance between efficiency and thoroughness:
-
To optimize settings for an application built using either Oracle Application Development Framework Faces components or IBM WebSphere Portal, select Framework and then choose Oracle ADF Faces or WebSphere Portal from the Optimize scan for list. Fortify may develop other settings overlays and make them available through Smart Update.
For more information about scanning a WebSphere portal, see WebSphere Portal FAQ .
-
Use the Crawl Coverage slider to specify the crawler settings.
This slider may or may not be enabled, depending on the scan mode you selected. The label associated with this slider also depends on your selection. If enabled, the slider enables you to select one of four crawl positions. Each position represents a specific collection of settings, as represented by the following labels:
Thorough
A Thorough crawl is an automated crawl that uses the following settings:
Default
A Default crawl is an automated crawl that uses the following (default scan) settings:
Moderate
A Normal crawl is an automated crawl that uses the following settings:
Quick
A Quick crawl uses the following settings:
If you click Settings (to open the Advanced Settings dialog box) and change a setting that conflicts with any setting established by one of the four slider positions, the slider creates a fifth position labeled Customized Coverage Settings.
-
Click Next.
The Audit Coverage and Thoroughness page appears.
Configuring audit coverage and thoroughness
You can select a different policy than the default selection or you can configure multiple policies for better coverage or for additional focus on a specific type of vulnerability. For example, if you want to run a scan using the Standard policy, but want additional focus on SQL Injection, you can select the Standard policy and the SQL Injection policy for the scan. The sensor aggregates all selected policies during the scan.
To select a different policy:
-
In the Audit Depth (Policy) list, slide the toggle for the selected policy to the disabled position.
-
Slide the toggle for the desired policy to the enabled position.
The selected policy appears in the ENABLED SCAN POLICIES list. For descriptions of policies, see OpenText DAST policies.
-
Click Next.
The Detailed Scan Configuration page appears. If the Run Profiler Automatically option is selected, a "Profiling Site..." message appears.
To select additional policies:
-
In the Audit Depth (Policy) list, slide the toggle for the desired policies to the enabled position.
The selected policies appear in the ENABLED SCAN POLICIES list. For descriptions of policies, see OpenText DAST policies.
-
Click Next.
The Detailed Scan Configuration page appears. If the Run Profiler Automatically option is selected, a "Profiling Site..." message appears.
Using the Profiler
On the Detailed Scan Configuration page, OpenText DAST conducts a preliminary examination of the target website to determine if certain settings should be modified. If changes appear to be required, the Profiler returns a list of suggestions, which you may accept or reject.
For example, the Server Profiler may detect that authorization is required to enter the site, but you have not specified a valid user name and password. Rather than proceed with a scan that would return significantly diminished results, you could follow the Server Profiler's suggestion to configure the required information before continuing.
Similarly, your settings may specify that OpenText DAST should not conduct "file-not-found" detection. This process is useful for websites that do not return a status "404 Not Found" when a client requests a resource that does not exist (they may instead return a status "200 OK," but the response contains a message that the file cannot be found). If the Profiler determines that such a scheme has been implemented in the target site, it would suggest that you modify the OpenText DAST setting to accommodate this feature.
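The "file-not-found" scheme described above (a 200 OK whose body says the file cannot be found) is what a scanner must learn before it can tell real pages from error pages. The following is an added example of that detection logic, not OpenText DAST's Profiler: it requests a few random paths that cannot exist, builds a signature from the responses, and then classifies later responses. The probe responses and the hint phrases are constructed for the example.

```python
import random
import string
from difflib import SequenceMatcher

# Phrases that commonly mark a custom "not found" page (assumed list).
NOT_FOUND_HINTS = ("cannot be found", "could not be found", "not found",
                   "does not exist", "no longer available")

# Constructed sample: two probes of random paths against a site that answers
# 200 OK with a friendly error page instead of a 404 status.
SAMPLE_PROBES = [
    (200, "<html><body><h1>Oops</h1><p>The page /k3j9x2.html cannot be found.</p></body></html>"),
    (200, "<html><body><h1>Oops</h1><p>The page /q7m1zz.html cannot be found.</p></body></html>"),
]


def random_probe_path(length: int = 12) -> str:
    """A path that is practically certain not to exist on the target."""
    token = "".join(random.choices(string.ascii_lowercase + string.digits, k=length))
    return f"/{token}.html"


def learn_file_not_found(probe_responses):
    """Build a signature from (status, body) pairs returned for random paths.

    Returns None when the server answers with a real 404, otherwise a dict
    describing the custom not-found page: the status codes seen, a phrase
    shared by every probe body (if any), and one probe body for comparison.
    """
    statuses = {status for status, _ in probe_responses}
    if statuses == {404}:
        return None
    bodies = [body.lower() for _, body in probe_responses]
    hints = [h for h in NOT_FOUND_HINTS if all(h in b for b in bodies)]
    return {"statuses": statuses, "hint": hints[0] if hints else None,
            "sample": bodies[0]}


def is_file_not_found(status, body, signature, threshold=0.9):
    """Classify a crawled response using the learned signature."""
    if signature is None:
        return status == 404
    if status not in signature["statuses"]:
        return False
    body = body.lower()
    if signature["hint"] is not None:
        return signature["hint"] in body
    # No shared phrase: fall back to body similarity with a probe response.
    return SequenceMatcher(None, signature["sample"], body).ratio() >= threshold
```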
To launch the Profiler each time you access this page, select Run Profiler Automatically.
To launch the Profiler manually, click Profile. For more information, see Server Profiler.
Results appear in the Settings section.
If the profiler does not recommend changes, the Scan Wizard displays the message, "No settings changes are recommended. Your current scan settings are optimal for this site."
Choosing Profiler suggested settings
You can choose to accept or reject the suggested settings in the Settings area of the Detailed Scan Configuration page.
Several options may be presented even if you do not run the Profiler. They are described in the sections that follow.
To accept or reject Profiler suggestions:
-
Accept or reject the suggestions as follows:
-
To accept a setting, select the associated check box.
-
To reject a setting, clear the associated check box.
-
-
If necessary, provide the requested information.
-
Click Next.
The Congratulations window appears.
Auto fill web forms
Select Auto-fill Web forms during crawl if you want OpenText DAST to submit values for input controls on forms it encounters while scanning the target site. OpenText DAST will extract the values from a prepackaged default file or from a file that you create using the Web Form Editor. You may:
-
Click the ellipsis button to locate and load a file.
-
Click Edit to edit the selected file (or the default values) using the Web Form Editor.
-
Click Create to open the Web Form Editor and create a file.
Add allowed hosts
Use the Allowed Host settings to add domains to be crawled and audited. If your web presence uses multiple domains, add those domains here. For more information, see Scan settings: Allowed Hosts.
To add allowed domains:
-
Click Add.
-
On the Specify Allowed Host window, enter a URL (or a regular expression representing a URL) and click OK.
For more information about adding or editing Allowed Hosts, see Specifying allowed hosts.
Reuse identified Suppressed Findings
You can import vulnerabilities that were changed to false positive or ignored in previous scans. If those false positive or ignored items match vulnerabilities detected in the current scan, the vulnerabilities will be changed to false positive or ignored. You can import suppressed findings from existing scans or suppressed findings files. For more information, see Suppressed findings.
To reuse identified suppressed findings:
-
Select Import Suppressed Findings.
-
Continue according to the following table.
To use existing scans:
-
Click select scans.
The Select a Scan to Import Suppressed Findings dialog opens.
-
Select one or more scans containing suppressed findings from the same site you are now scanning.
-
Click OK.
To use suppressed findings files:
-
Click select file.
A standard Windows file selection dialog box opens.
-
Select the file to import, and then click Open.
-
Optionally, repeat the previous two steps to select additional files.
-
Note: You cannot import suppressed findings when scheduling a scan or conducting an Enterprise scan.
Sample macro
OpenText DAST’s example banking application, zero.webappsecurity.com, uses a Web form login. If you scan this site, select Apply sample macro to run the sample macro containing the login script.
Traffic analysis
Select Launch and Direct Traffic through Web Proxy to use the Web Proxy tool to examine the HTTP requests issued by OpenText DAST and the responses returned by the target server.
While scanning a website, OpenText DAST displays in the navigation pane only those sessions that reveal the hierarchical structure of the website, plus those sessions in which a vulnerability was discovered. However, if you select Enable Traffic Monitor, OpenText DAST adds the Traffic Monitor button to the Scan Info panel, allowing you to display and review each HTTP request sent by OpenText DAST and the associated HTTP response received from the server.
Congratulations
The contents of the Congratulations window vary, depending on your choices and configuration.
Uploading to Fortify WebInspect Enterprise scan template
When connected to an enterprise server (Fortify WebInspect Enterprise), you can send the settings for this scan to Fortify WebInspect Enterprise, which will create a scan template. However, you must be assigned to a role that allows you to create scan templates.
Saving settings
You can save the settings you configured for this scan, which would allow you to reuse the settings for a future scan.
Generating reports
If you are scheduling a scan, you can instruct OpenText DAST to generate a report when the scan completes.
-
Select Generate Reports.
-
(Optional) Select a report from the Favorites list.
A "favorite" is simply a named collection of one or more reports and their associated parameters. To create a favorite once you have selected reports and parameters, click the Favorites list and select Add to favorites.
-
Select one or more reports.
-
Provide information for any parameters that may be requested. Required parameters are outlined in red.
-
If you select Automatically Generate Filename, the name of the report file will be formatted as <reportname> <date/time>.<extension>. For example, if creating a compliance report in pdf format and the report is generated at 6:30 on April 5, the file name would be "Compliance Report 04_05_2022 06_30.pdf." This is useful for recurring scans.
Reports are written to the directory specified for generated reports in the Application settings.
-
If you did not select Automatically Generate Filename, enter a name for the file in the Filename box.
-
Select the report format from the Export Format list.
-
If you selected multiple reports, you can combine them all into one report by selecting Aggregate reports into one report.
-
Select a template that defines the headers and footers used for the report and, if necessary, provide the requested parameters.
-
Click Finished.
-
Click Schedule.