Creating a web application scan is similar to creating any other McAfee Vulnerability Manager scan configuration. What differs is the Web App Config section on the Settings tab of the scan configuration.
Tip: If you want to use the asset settings in a scan configuration (like the port number), scan the asset instead of a URL that matches the asset.
1 Select Scans | New scan.
2 On the Scan details page, select Use a McAfee Vulnerability Manager template.
3 Select a web scan template, then click Next.
• CWE/SANS Top 25 Scan – Searches for the CWE/SANS Top 25 most dangerous programming errors/vulnerabilities in web applications.
• Deep Web Scan – Performs the most thorough web application assessment possible, without constraints such as time limitations.
• Informational Web Crawl – Indexes your web application and reports informational-level vulnerabilities.
• Light Web Scan – Performs a quick web application assessment of the most critical vulnerabilities within a two-hour time period.
• OWASP Top 10 Scan – Searches for the broad consensus of the most critical web application security flaws, as listed in the OWASP Top 10.
• PCI DSS Compliance Scan – Searches for vulnerabilities that would impact compliance with the Payment Card Industry (PCI) Data Security Standard.
4 On the Targets tab, type a unique scan name. Typing a description is optional.
5 Type the URL of the web application you want to scan, then click Next. You can also browse or search for a web application asset.
• Type the full URL, including the scheme (example: http://www.hostname.com); otherwise the product scans the system as a host asset, not as a web application.
• Scan one web application per scan configuration, because one web application can lead to multiple web pages, with scan data returned for each page.
• A URL is validated when the scan runs, not when the scan is created. During a scan, if a URL resolves to an IP address outside your IP range, it is not scanned.
How web application scans work
• When you add the same web application to two different scans, if the URLs differ, the product might treat each URL as a separate asset that requires a license.
For example: If http://myhost.com and http://myhost.com/cmdinjection/ are added to different scans, this web application is treated as two different assets, each requiring a license.
• URLs are treated as case-sensitive, so the product creates a separate web application asset for each variant of a URL that differs only in case.
For example: http://myhost.com/CMDinjection/ and http://myhost.com/cmdinjection/ are treated as two different assets, each requiring a license.
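The three URL rules above (a URL without a scheme is scanned as a host asset, a URL that resolves outside your IP range is skipped, and every distinct URL string, including case variants, becomes its own licensed asset) are easy to get wrong when many scan configurations are maintained by hand. The following added example, which is not McAfee code and not part of the product guide, is a pre-flight check a scan administrator could run over the target lists before saving them. The target URLs, the DNS table and the licensed IP range are constructed for the example; it resolves names through the inline table rather than live DNS so it runs offline, and it assumes (not stated on the page) that a URL the product refuses to scan does not consume a license.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample targets, as they might be typed on the Targets tab of two
# scan configurations. Hosts and paths are made up for this example.
SCAN_TARGETS = {
    "webapp-nightly": [
        "http://myhost.com",
        "http://myhost.com/cmdinjection/",
    ],
    "webapp-pci": [
        "http://myhost.com/CMDinjection/",   # case variant of a URL above
        "www.hostname.com",                  # no scheme: scanned as a host asset
        "https://partner.example",           # resolves outside the IP range
    ],
}

# Constructed stand-in for DNS so the check runs offline (hypothetical values).
FAKE_DNS = {
    "myhost.com": "10.1.2.3",
    "www.hostname.com": "10.1.2.4",
    "partner.example": "203.0.113.7",
}

# Hypothetical IP range the organization is licensed to scan.
IN_RANGE = [ipaddress.ip_network("10.1.0.0/16")]


def has_scheme(url):
    """True when the URL carries http:// or https://, i.e. it will be
    scanned as a web application rather than as a host asset."""
    return urlsplit(url).scheme in ("http", "https")


def resolves_in_range(url, dns=FAKE_DNS, ranges=IN_RANGE):
    """Resolve the hostname through the supplied table and check that it falls
    inside one of the permitted networks (the product skips URLs that do not)."""
    host = urlsplit(url).hostname
    ip_text = dns.get(host)
    if ip_text is None:
        return False
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ranges)


def preflight(scan_targets, dns=FAKE_DNS, ranges=IN_RANGE):
    """Report the problems the guide describes before the scans are saved:
    URLs without a scheme, URLs resolving out of range, the number of distinct
    web application assets the URLs would create, and groups of URLs that
    differ only in case (each member counts as its own asset)."""
    missing_scheme = []
    out_of_range = []
    assets = {}  # exact URL string -> scan names that reference it
    for scan, urls in scan_targets.items():
        for url in urls:
            if not has_scheme(url):
                missing_scheme.append((scan, url))
                continue
            if not resolves_in_range(url, dns, ranges):
                out_of_range.append((scan, url))
                continue  # not scanned, so assumed not to become an asset
            assets.setdefault(url, []).append(scan)

    # Exact string comparison mirrors the product: case variants are separate
    # assets. They are grouped case-insensitively only to warn the operator.
    by_folded = {}
    for url in assets:
        by_folded.setdefault(url.lower(), []).append(url)
    case_variants = [sorted(group) for group in by_folded.values() if len(group) > 1]

    return {
        "missing_scheme": missing_scheme,
        "out_of_range": out_of_range,
        "distinct_assets": len(assets),
        "case_variants": case_variants,
    }


if __name__ == "__main__":
    for key, value in preflight(SCAN_TARGETS).items():
        print(f"{key}: {value}")
```

Run against the constructed targets, the report flags www.hostname.com for its missing scheme, flags https://partner.example as out of range, counts three distinct assets, and lists the CMDinjection/cmdinjection pair as case variants that will each consume a license. Replace FAKE_DNS with real resolution and IN_RANGE with your licensed ranges to use it on actual configurations.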
6 Click the icon on the left side of the page to change the settings, then click Next.
• Hosts – Specify options for ICMP, UDP, and TCP scanning. Also select or deselect the Asset Tagging option.
The product expects ICMP, UDP, or TCP. If these are not being used, you must specify a non-standard port or the asset is not assessed.
• Services – Specify the services you want discovered on your network
• Credentials – Create and manage credentials used to access systems on your network
• Vuln Selection – Specify the vulnerabilities you want checked under the General, Windows, Wireless, and Shell categories
Some web vulnerability checks appear under multiple web vulnerability categories. Selecting a web vulnerability check under one category selects that same web vulnerability check in other categories. For example: Web Server uses Basic Authentication is under Authentication and Information Crawl-Only Vulnerabilities. Selecting either web vulnerability category selects this specific web vulnerability in the other category.
• Optimize – Change settings to optimize the performance of the product
• Web App Config – Specify the entry paths, exclude paths, exclude parameters, and port pairs for web application scans
Override asset settings (use scan's settings against all targets) – If any of the web applications in the scan configuration have an existing web application configuration, selecting this option overrides that configuration and uses the web application settings on this page.
Use asset settings (use scan's settings as defaults for targets without their own settings) – Any web application in the scan configuration without an existing web application configuration uses the settings on this page. All web applications with an existing web application configuration use their existing configuration.
Use Existing Config – All existing web application configurations appear in a drop-down list.
Entry Paths – The web addresses to use as starting points for the scan configuration. Type one URL per line. Press Enter to add a line.
Exclude Paths – Any web addresses within the web application that you do not want to scan. Type one URL per line. Press Enter to add a line.
Exclude Parameters – Any web parameters within the web application that you do not want to scan. Type one parameter per line. Press Enter to add a line.
For example: If the application uses a session ID parameter, exclude that parameter from the scan configuration. Otherwise, the product modifies the session ID while checking for vulnerabilities, and the web application could terminate the session before the scan is complete.
Port Pairs – If the web application uses specific HTTP and HTTPS ports, type those ports here.
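To show how the four Web App Config fields interact on real crawl output, here is an added example that is not McAfee code and not part of the product guide. It models a config as a small dictionary and, for each URL a crawl might have found, decides whether the URL is in scope (under an entry path and not under an exclude path), which port pair entry applies, and which query parameters the scanner may mutate versus which it must pass through untouched, which is the session ID case described above. The hostnames, paths, parameter names, ports and discovered URLs are constructed, and prefix matching for paths is an assumption; the guide does not state how the product matches exclude paths.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed Web App Config, one value per field described on the page.
# Hostnames, paths, parameter names and ports are made up for this example.
WEB_APP_CONFIG = {
    "entry_paths": ["http://myhost.com/"],
    "exclude_paths": ["http://myhost.com/logout", "http://myhost.com/admin/"],
    "exclude_parameters": ["JSESSIONID", "csrf_token"],
    "port_pairs": {"http": 8080, "https": 8443},
}

# Constructed URLs a crawl starting at the entry path might discover.
DISCOVERED = [
    "http://myhost.com/search?q=test&JSESSIONID=abc123",
    "http://myhost.com/account?id=42&csrf_token=xyz",
    "http://myhost.com/logout?JSESSIONID=abc123",
    "http://myhost.com/admin/users?id=1",
    "https://myhost.com/checkout?cart=7",
    "http://other.example/page?x=1",
]


def _host_path(url):
    """Split a URL into (hostname, path); the scheme is ignored because the
    port pair covers both HTTP and HTTPS for the same application."""
    parts = urlsplit(url)
    return parts.hostname, parts.path or "/"


def _under(url, prefixes):
    """Assumed prefix-match semantics: the URL is 'under' a configured path
    when the hosts match and the URL path starts with the configured path."""
    host, path = _host_path(url)
    for prefix in prefixes:
        p_host, p_path = _host_path(prefix)
        if host == p_host and path.startswith(p_path):
            return True
    return False


def in_scope(url, config):
    """In scope means beneath an entry path and not beneath an exclude path."""
    return _under(url, config["entry_paths"]) and not _under(url, config["exclude_paths"])


def plan_request(url, config):
    """Return what the scanner would do with one discovered URL, or None when
    the URL is out of scope: which port to connect to, which parameters it may
    mutate, and which it must pass through untouched (e.g. the session ID)."""
    if not in_scope(url, config):
        return None
    parts = urlsplit(url)
    excluded = set(config["exclude_parameters"])
    names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return {
        "url": url,
        "port": config["port_pairs"][parts.scheme],
        "test_params": [n for n in names if n not in excluded],
        "held_params": [n for n in names if n in excluded],
    }


def plan_scan(urls, config):
    """Apply plan_request to every discovered URL and drop out-of-scope ones."""
    plans = [plan_request(u, config) for u in urls]
    return [p for p in plans if p is not None]


if __name__ == "__main__":
    for plan in plan_scan(DISCOVERED, WEB_APP_CONFIG):
        print(plan)
```

With the constructed input, the logout and admin URLs and the foreign host are dropped, the HTTPS checkout page is routed to port 8443, and JSESSIONID and csrf_token appear only under held_params, so the session would survive the scan. Forgetting the Exclude Parameters entry is visible immediately: JSESSIONID moves into test_params for every page that carries it.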
McAfee Vulnerability Manager 7.5 Product Guide 87
7 Specify if you want to create remediation tickets for this scan when it has completed running.
Deselect the checkbox if you do not want remediation tickets created.
8 Select the FoundScore Type you want used for this scan (Internal or External). This setting defines the set of calculations used to determine the FoundScore value.
9 Select the format in which you want reports created.
10 Select the report sections you want to include in your report, then click Next.
11 Select Active to enable the scan. If you activate this scan and set the Schedule Type to Immediate, the scan starts right after you save it. Inactive scans are saved but are not run automatically (you can run them manually by clicking Activate on the scan configuration page).
12 Select the scan engine.
Note: If the Select Engine field displays AutoSelect, the Global Administrator or Root Organization Administrator has enabled automatic scan engine selection.
13 Select a time zone to coordinate the scan start time.
• Use Engine Time – Uses the time zone the scan engine is in as the start time for the scan configuration.
• Use Local Time – Uses the time zone you select and calculates the start time from it (based on UTC time).
Note: UTC time is constant. If the selected time zone alters its offset (for example, for daylight saving time), the start time for a recurring scan changes.
14 Schedule the scan to run immediately, at a specific date and time, or on a recurring schedule. To use a Scan Window so that the scan runs only during specific hours or on specific days, select the checkbox and type the window details.
15 Save the scan.
• Save and Scan Now – Active and Immediate are selected. This saves the scan configuration and starts the scan.
• Schedule Scan – Active and One Time or a recurring schedule are selected. This saves the scan configuration, and the scan starts at the scheduled date and time.
• Save – Inactive is selected. This saves the scan configuration without starting the scan.