QuickScan Setup tab controls

Some or all of these controls are available to QuickScan users, depending on the template you use.

Scan Name

The name of the scan defaults to the starting URL (plus any unique identifiers) you entered on the previous page, but you can change it to something more meaningful if required.

URLs to be Scanned

QuickScan identified these URLs while you explored your application and classified them as login URLs or as regular URLs. If an in-session page was detected, it is also classified. Only one page can be in-session.

To reclassify a page: Click the appropriate up or down arrow to move it above the Login Steps bar or below the Explore bar in the list.

To identify an in-session page: If the highlighted URL is not the page you want to use as the in-session page, select the appropriate check box for the desired page and click the In-session button. Note that if you move the classification line below the page marked as in-session, the in-session classification will be removed.

To add URLs: Re-record the login if necessary, or explore more URLs to complete the list.

Permissions: Indicates whether you are allowed to scan each URL in the list. If you have no security permissions for a URL, it might be because of licensing restrictions, or because the URL does not belong to a server group to which you have been assigned. Contact your Product Administrator if you need your permissions enhanced.

Test Explore URLs as an ordered sequence: Select this option when parts of your web application can only be reached by sending requests in a specific order. The scan will play back the URLs in the order you recorded them before it sends tests. Selecting this option will slow down testing.

Automatic explore: If you set a scan to crawl without limiting the number of pages, the scan may take a long time to complete.

Number of pages: Shorten the scan duration by entering a specific number of pages.

Depth limit: Use this option to ensure the scan only reaches the topmost pages in your website. The scan will not crawl deeper than the specified number of clicks; the default is 20 clicks deep. If you set the depth limit to less than 6 clicks, you might not get accurate information in the Deep Pages report, because the default limit reported in the Deep Pages report is 6 clicks deep. Note: On upgrade, this option is not enabled.

Login Session IDs: The Login Session IDs list displays the cookies and parameters that were detected during login. You can select variables in this list and use the Track and Stop Tracking buttons to change their status. When a Session ID is tracked, its values are parsed from the response to a login request and then applied to all requests sent for the remainder of the scan session. If your site issues a different session value each time, the job cannot reliably determine whether a page is the same one it saw in a previous session unless it tracks the session IDs. By default, regexp:.*ses.* and regexp:.*id.* are tracked. Tracked Session IDs are added to the Parameters and Cookies page. If a custom parameter without a name is discovered during login and is set to be tracked, the definition of the custom parameter will be modified.

Automatic Login

If the application requires a one-time login, provide a user name and password so the scan can log in for you.

In-Session Detection

The In-session status icon indicates whether you have correctly set up in-session detection for this scan, and if in-session detection is active, disabled, or enabled. A message accompanies each icon with an update and possible remediation tasks.

The Details field displays the Activate in-session detection check box and the in-session pattern that the scan will use during scanning to verify that it is logged in. Enable the Activate in-session detection check box for this scan if required. If the default pattern is not the one you want to use, enter a different regular expression, and click Update.
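Session ID tracking (Login Session IDs, above) and in-session detection work together: tracked values are lifted from the login response and replayed on later requests, and the in-session pattern is checked against each response to confirm the scan is still logged in. The following is an added example that illustrates both steps; it is not QuickScan's code. The login response headers, redirect location and page bodies are constructed, the page's regexp:.*ses.* and regexp:.*id.* patterns are rendered as Python regular expressions, and matching them case-insensitively against cookie and parameter names is an assumption of this example.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The two default tracking patterns named on the page. Case-insensitive
# matching against the cookie/parameter name is this example's assumption.
DEFAULT_TRACKED = [re.compile(r".*ses.*", re.I), re.compile(r".*id.*", re.I)]


def is_tracked(name, patterns=DEFAULT_TRACKED):
    """True if a cookie or parameter name matches any tracking pattern."""
    return any(p.fullmatch(name) for p in patterns)


def parse_login_response(headers, redirect_location=None):
    """Pull tracked session IDs out of a login response.

    headers: list of (name, value) tuples as received (constructed here).
    redirect_location: the Location header's value, whose query string may
    carry a URL parameter session ID.
    Returns {"cookies": {name: value}, "params": {name: value}}.
    """
    found = {"cookies": {}, "params": {}}
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)  # handles attributes such as Path and HttpOnly
            for key, morsel in jar.items():
                if is_tracked(key):
                    found["cookies"][key] = morsel.value
    if redirect_location:
        for key, value in parse_qsl(urlsplit(redirect_location).query):
            if is_tracked(key):
                found["params"][key] = value
    return found


def apply_tracked(url, tracked):
    """Apply tracked values to a later request: returns (url, extra_headers)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query.update(tracked["params"])  # tracked parameter overrides the recorded value
    new_url = urlunsplit(parts._replace(query=urlencode(query)))
    headers = {}
    if tracked["cookies"]:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in tracked["cookies"].items())
    return new_url, headers


def in_session(body, pattern):
    """In-session detection: the response must match the configured pattern."""
    return re.search(pattern, body) is not None


# Constructed login response: one session cookie, one unrelated cookie, and a
# redirect whose query string carries a second session identifier.
LOGIN_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
LOGIN_REDIRECT = "/home?sid=xyz789&tab=1"

# Constructed page bodies and an in-session pattern a tester might configure.
IN_SESSION_PATTERN = r"Log out"
LOGGED_IN_BODY = "<p>Welcome back, alice. <a href='/logout'>Log out</a></p>"
LOGGED_OUT_BODY = "<form action='/login'>Please sign in</form>"

if __name__ == "__main__":
    tracked = parse_login_response(LOGIN_HEADERS, LOGIN_REDIRECT)
    print("tracked:", tracked)
    print("replayed:", apply_tracked("/account?view=summary", tracked))
    print("in session:", in_session(LOGGED_IN_BODY, IN_SESSION_PATTERN))
    print("in session:", in_session(LOGGED_OUT_BODY, IN_SESSION_PATTERN))
```

Only JSESSIONID and sid are picked up: theme matches neither pattern, and tab contains no "id", which is why the default patterns are broad but name-based. The in-session check is deliberately simple; if the pattern also appears on the logged-out page, detection reports the scan as logged in when it is not, which is the case the Details field's Update button lets you correct.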

Test Policy

A test policy is a predefined set of security tests sent during the scan.

User Scan Permissions

To perform security tests, you must have permission to do so. This list displays the specific server groups with the assigned test policies where you are allowed to create security scans. A server group is a set of URLs, IP addresses, or IP address ranges that define a group of servers. Contact your Product Administrator if you need additional scan permissions.

Platform Authentication

When the scan encounters a page that requires HTTP basic or NTLM authentication, it automatically provides the user name and password that you choose.

Client-Side Certificate

Browse your file system to locate the client-side certificate. The password is used to verify you have permission to upload the certificate.