Configuring a basic scan without security testing

Use this task to configure a basic scan with minimal configuration. The scan automatically discovers additional URLs to test in your web application. Use this method for an application that has many static links and does not require a lot of user interaction. This scan does not test for security issues; it helps you explore your site so that you can establish complete site coverage before you enable security testing.

Procedure

  1. Add the Starting URLs to the What to Scan page. Ensure that the Starting URLs are valid and that they do not redirect to a domain that is different from the domain you are scanning.
    There are, however, situations in which you need to add URLs that are not (or not yet) valid, or that lie outside the starting URL:

    1. You are disconnected from the Internet, or your web server has not yet been activated.
    2. Your starting URL is actually a redirect to another domain. In that case, add the second domain to your starting URL list. For example, the starting URL www.example.com/support actually redirects to support.example.com. The starting URL list must then include both www.example.com/support and support.example.com. Even though support.example.com might not be valid on its own, if it is not added as a starting URL it is not scanned.
    3. Similarly, if content within your starting URL redirects to another directory, you must also include that directory as a starting URL. For example, if pages inside www.example.com/products redirect to www.example.com/japan/products, both must be added as starting URLs for the redirected pages to be scanned.
    4. You want to scan directories that are not below the starting URL while still selecting the In starting domains, only scan links in and below the directory of each starting URL check box. For example, the starting URL www.example.com/products is a valid URL, but www.example.com/services is not. However, you want to scan the pages inside both URLs and no others on the website. To do this, add both URLs as starting URLs on the What to Scan page and select the In starting domains, only scan links in and below the directory of each starting URL check box.
  2. Determine whether you want to scan above the directory included in the Starting URL. If you scan only in and below its directory, your scan might stop prematurely because it can find only URLs in and below the directories of your starting URLs. To scan above the starting URL, clear the In starting domains, only scan links in and below the directory of each starting URL check box on the What to Scan page.
  3. If the site branches out to other domains that you must visit as part of this scan, add these domains to the What to Scan page.
  4. Specify the environment that defines the site on the Environment Definition page. This can reduce the total number of tests that are sent and also reduce the overall scan time.
  5. Certain areas of the site might need to be excluded. Even without security tests, the explore stage follows links, so exclude URL patterns whose requests change application state. On the Exclude Paths and Files page, use a regular expression to exclude the URL pattern, such as an addtocart function.
  6. On the Explore Options page:
    1. Limit the scan to 500 pages. In a preliminary scan it is important to keep the page limit low until you have resolved all the issues that arise during the scan.
    2. Select Execute JavaScript to discover URLs and dynamic content. This ensures that any URLs that are constructed within JavaScript™ code are discovered as part of the scan. If your site contains Flash, select Execute Flash to discover URLs and potential vulnerabilities.
    3. Select a user-agent for the scan to use while exploring the site. See User-Agents for more details.
  7. Because this is a basic scan of your application, you are not scanning for security issues yet. On the Security page, clear the Perform security tests check box, and click Save.
  8. Run the job. An initial scan of a website or application is always an iterative process, so consider your first run to be a preliminary one. You will likely need to make changes to the scan configuration to obtain better results from the next scan.
  9. After the job and the report pack have run, use the Pages report to verify scan coverage. Pages that you expected but that are missing from the report usually point to a starting URL, scope, or exclusion setting that needs to be adjusted before the next run.
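The scope rules in the procedure above (starting domains, the In starting domains, only scan links in and below the directory of each starting URL check box, regular-expression exclusions, the page limit, and redirects that leave the scope) can be modelled offline so that you can predict what the explore stage will and will not visit before the first run. The following is an added example written for this page; it is not AppScan Enterprise code and does not reproduce the product's exact URL-matching behaviour. All URLs, redirects and exclusion patterns in it are constructed for illustration, and the rule that a last path segment containing a dot is a file is an assumption.

```python
"""Offline model of explore-scope rules: starting domains, the
"in and below the directory of each starting URL" option, regular-expression
exclusions, the page limit, and redirects that leave the scope.
Added example, not AppScan Enterprise code; all data below is constructed."""
import re
from urllib.parse import urlsplit


def directory_of(url):
    """Directory a starting URL scopes to: '/products' -> '/products/',
    '/products/index.html' -> '/products/'. Assumption: a last path segment
    containing a dot is a file, anything else is a directory."""
    path = urlsplit(url).path or "/"
    if path.endswith("/"):
        return path
    head, _, last = path.rpartition("/")
    return head + "/" if "." in last else path + "/"


def in_scope(url, starting_urls, below_directory_only=True):
    """True if url is inside a starting domain. With below_directory_only
    (the check box selected) it must also sit in or below the directory of
    that starting URL."""
    target = urlsplit(url)
    path = target.path or "/"
    for start in starting_urls:
        if target.hostname != urlsplit(start).hostname:
            continue
        if not below_directory_only:
            return True
        directory = directory_of(start)
        if path == directory.rstrip("/") or path.startswith(directory):
            return True
    return False


def out_of_scope_redirects(redirects, starting_urls, below_directory_only=True):
    """Given observed (source, target) redirects, return the targets that
    leave the configured scope. Each must be added as a starting URL, or
    the redirected content is never explored (reasons 2 and 3 in step 1)."""
    missing = []
    for source, target in redirects:
        if (in_scope(source, starting_urls, below_directory_only)
                and not in_scope(target, starting_urls, below_directory_only)
                and target not in missing):
            missing.append(target)
    return missing


def is_excluded(url, exclude_patterns):
    """Exclude Paths and Files: a pattern matching anywhere in the URL excludes it."""
    return any(re.search(pattern, url) for pattern in exclude_patterns)


def plan_explore(discovered, starting_urls, exclude_patterns,
                 below_directory_only=True, page_limit=500):
    """Apply scope, exclusions and the page limit to discovered links in
    discovery order, dropping duplicates; returns what would be explored."""
    selected = []
    for url in discovered:
        if len(selected) >= page_limit:
            break
        if url in selected or is_excluded(url, exclude_patterns):
            continue
        if in_scope(url, starting_urls, below_directory_only):
            selected.append(url)
    return selected


# Constructed configuration and crawl observations (not from a real scan).
STARTING_URLS = [
    "http://www.example.com/products",
    "http://www.example.com/services",
]
EXCLUDE_PATTERNS = [r"addtocart", r"/logout\b"]  # /logout is an added assumption
OBSERVED_REDIRECTS = [
    ("http://www.example.com/products/intro.html",
     "http://www.example.com/japan/products/intro.html"),
    ("http://www.example.com/services", "http://support.example.com/"),
]
DISCOVERED = [
    "http://www.example.com/products/",
    "http://www.example.com/products/widgets.html",
    "http://www.example.com/products/addtocart?id=7",
    "http://www.example.com/about.html",
    "http://www.example.com/services/plans.html",
    "http://support.example.com/faq",
    "http://www.example.com/products/widgets.html",  # duplicate discovery
]

if __name__ == "__main__":
    print("Add as starting URLs:", out_of_scope_redirects(OBSERVED_REDIRECTS, STARTING_URLS))
    print("Would explore:", plan_explore(DISCOVERED, STARTING_URLS, EXCLUDE_PATTERNS))
    print("Above-directory scope:",
          plan_explore(DISCOVERED, STARTING_URLS, EXCLUDE_PATTERNS, below_directory_only=False))
```

Run it before configuring the job: the first line lists redirect targets that must become starting URLs, the second shows what the check box leaves in scope (about.html and the support host are dropped, addtocart and the duplicate are filtered), and the third shows how clearing the check box widens coverage to the whole starting domain without ever reaching support.example.com.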