Getting Started with WAS 1.0

Before you begin, check the top menu bar (across the top of the application window) to see whether the WAS module is enabled for your subscription. When the WAS module is enabled, a red lock icon appears like this:

[Image: WAS module lock icon]

If the lock icon does not appear, contact Technical Support or your Technical Account Manager to enable this feature.

You'll notice the WAS Scan option on the left menu (under Navigation) and the Web Applications option on the left menu (under Tools) when your account has web application management permissions. Managers are assigned these permissions automatically. Sub-accounts (Readers, Scanners and Unit Managers) must be assigned these permissions as described in Step 5.

Step 1: Create Web Application

Create web application(s) to make them available as targets for web application scans. Before you launch a web application scan, the target web application must be defined in your account. Provide application information (virtual host, starting port and starting URI), authentication records for one or more authentication types (Form, HTTP Basic, NTLM and/or Digest) when authentication is desired, black/white lists to ensure that only selected parts of the web application will be scanned, and business information for tracking.

Creating Web Applications

Step 2: Run Web Application Discovery Scan

A discovery scan follows the links it encounters in your web application and gathers information about it. Note that a discovery scan does not perform vulnerability testing. It's recommended you run a discovery scan the first time you scan a web application. This is a good way to understand where the scan will go and whether there are URIs you should blacklist for vulnerability scans. Typically, a web application discovery scan takes a shorter time to complete than a web application vulnerability scan.

Define a web application discovery scan to run on demand or schedule it to run sometime in the future. Select a target web application in your account and a web application profile to apply to discovery.

Managing Web Application Profiles

Launching Web Application Discovery Scans

Scheduling Web Application Discovery Scans

When the scan is finished, view the web application discovery scan results with information gathered from the scan including the links crawled.

Web Application Scan Results

Be sure to check QID 150009 Links Crawled and QID 150021 Scan Diagnostics. If necessary, edit your web application settings and run another discovery scan to confirm that web crawling occurs as expected.

Step 3: Launch Web Application Vulnerability Scan

Choose one of these methods to prepare the web application profile that you will apply to the vulnerability scan: 1) edit the existing web application profile titled "Initial WAS Options", or 2) create a new web application profile.

Managing Web Application Profiles

Define a web application vulnerability scan to run on demand or schedule it to run sometime in the future. Select a target web application in your account and, optionally, a web authentication record for an authenticated scan.

Launching Web Application Vulnerability Scans

Scheduling Web Application Vulnerability Scans

When the scan is finished, view the web application vulnerability scan results. Web application scan results identify detected vulnerabilities, sensitive content and information gathered based on the web application profile settings.

Web Application Scan Results

Step 4: Run Web Application Scan Reports

Web application scan reports draw on data returned from the most recent scan of the web application. Two types of scan report are available: Interactive and Scorecard.

Running Web Application Interactive Reports

Running Web Application Scorecard Reports

Step 5: Set Up Sub-Accounts

The WAS module implements a two-level permissions system for managing user access to web application management features.

Users and WAS Features

At the account level, Managers have full access rights for web application management. Managers can grant extended permissions for web application management to any user in the subscription. Unit Managers can grant extended permissions to any user in their business unit, as long as the Unit Manager also holds those permissions.

Granting WAS User Permissions

At the web application level, Managers have full access rights (Read, Write, and/or Execute) for all web applications. Each web application owner has full rights to their own web application. Users with full access rights to a specific web application may grant other users access rights to the web application. A user may view the web application (Read permission), edit the web application and run reports on it (Write permission), and scan the web application (Execute permission).

Granting User Access to Web Applications
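The two-level model in Step 5 (account-level WAS permissions, then per-web-application Read/Write/Execute rights) is easier to reason about as a default-deny policy check. The following is an added illustration, not Qualys code; the users, business units and web applications are constructed sample data, and the `unit` and `was_permission` attributes are assumptions used to express the rules stated above.

```python
# Added illustration of the two-level WAS permission model described above.
# Sample users and web applications are constructed; this is not Qualys code.
from dataclasses import dataclass, field

WEBAPP_RIGHTS = frozenset({"Read", "Write", "Execute"})

@dataclass
class User:
    name: str
    role: str                     # "Manager", "Unit Manager", "Scanner" or "Reader"
    unit: str                     # business unit (assumed attribute)
    was_permission: bool = False  # account-level web application management permission

@dataclass
class WebApp:
    name: str
    owner: str                                   # user name of the owner
    grants: dict = field(default_factory=dict)   # user name -> set of rights granted

def webapp_rights(user, app):
    """Rights a user holds on one web application (web application level)."""
    if user.role == "Manager":                   # Managers: full rights on every web app
        return set(WEBAPP_RIGHTS)
    if not user.was_permission:                  # Step 5: sub-accounts need WAS permission first
        return set()
    if app.owner == user.name:                   # owners: full rights on their own web app
        return set(WEBAPP_RIGHTS)
    return set(app.grants.get(user.name, ()))    # otherwise only what was explicitly granted

def can(user, right, app):
    """Read = view, Write = edit and run reports, Execute = scan. Default deny."""
    return right in webapp_rights(user, app)

def can_grant_was_permission(granter, grantee):
    """Account level: Managers may grant anyone; Unit Managers only users in their
    own business unit, and only if they hold the permission themselves."""
    if granter.role == "Manager":
        return True
    if granter.role == "Unit Manager":
        return granter.was_permission and granter.unit == grantee.unit
    return False

def grant_webapp_rights(granter, grantee, app, rights):
    """Web application level: only a user with full rights on the app may grant
    rights on it. Returns True if the grant was recorded."""
    rights = set(rights)
    if not rights <= WEBAPP_RIGHTS:
        raise ValueError(f"unknown rights: {rights - WEBAPP_RIGHTS}")
    if webapp_rights(granter, app) != set(WEBAPP_RIGHTS):
        return False
    app.grants.setdefault(grantee.name, set()).update(rights)
    return True
```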