General

How do I create a web application?

Before starting your first web app scan, you must create a web application asset.

  1. Log in to Security Center.
  2. Click Asset Manager > Web applications.
  3. Click Add Web Application.
  4. Under the headline General Information, enter the following:
    • Web application: the web application URL that will act as the starting point for all your WAS scans. Example URLs:
      • http://www.example.com
      • https://www.example.com
      • http://www.example.com/subfolder
      • http://www.example.com/subfolder/page.html
      • https://www.example.com:7443
      • http://123.123.123.123
    • Application name: the name of the web application.
    • Business impact: The importance of the web application.
    • Owner: the owner of the web application.
    • Unify with: Choose the web server that the web application is hosted on to create a unified asset.
  5. Under the headline REST API Scanning, enter the following:
    • Open API path: enter the path to the Open API specification document for your REST API.
      Note that the domain of the Open API URL must match the domain of the target URL.
    • Query string authentication: add an authentication parameter in the format "a=b".
    • Header authentication: add a header to be sent with each HTTP request to the REST API for authentication. An example value for this field is "Basic: bearer 0x12345".
  6. Under the headline Application details, enter the following:
  7. Under the headline Scan settings, enter the following:
    • Scan profile: select the scan profile to use for the schedule.
    • Scanner Appliance: select External to scan your web application externally from the Holm Security VMP cloud platform, or select an installed Scanner Appliance for local scanning.
    • Crawl all links and directories found in robots.txt: check to enable. If a robots.txt file is present, every URL found in it will be scanned, including those listed under "Disallow".
    • Crawl all links and directories found in sitemap.xml: check to enable. If a sitemap.xml file is present, the URLs found in it will be crawled.
    • Headers and cookies: add headers and cookies for the Holm Security WAS scanner to include in its requests.
    • JavaScript Scanning: enables JavaScript to be rendered by the scan engine.
  8. Under the headline Authentication, enter the following:
  9. Under the headline Crawl exclusion list, enter the following:

    Whitelist

    • URLs: check to enable; whitelisted URLs override blacklisted URLs. If you define a whitelist and don't add any URLs to your blacklist, all URLs except those in the whitelist will be considered blacklisted and, therefore, not scanned.
    • URL: enter the URLs you want to whitelist.
    • Regular expressions: check to enable; whitelisted regular expressions override blacklisted regular expressions. If you define a whitelist and don't add any regular expressions to your blacklist, all URLs except those matching a whitelisted regular expression will be considered blacklisted and, therefore, not scanned.
    • Regular expressions: enter the regular expressions you want to whitelist.

    Blacklist

    • URLs: check to enable; blacklisted URLs will not be scanned by the Holm Security WAS scanner.
    • URL: enter the URLs you want to blacklist.
    • URL Extensions: enabled by default; you can choose to disable this.
    • URL Extension: some extensions that can make the scan take longer are already added to the blacklist. You can add more by typing in the extension and pressing Enter, or remove extensions by clicking the "x" next to the extension. URLs with blacklisted extensions will not be scanned by the Holm Security WAS scanner.
    • Regular expressions: check to enable; the Holm Security WAS scanner will not scan URLs matching a blacklisted regular expression.
    • Regular expressions: enter the regular expressions you want to blacklist.
  10. Done!
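The following is an added example, not Holm Security's own code, that models how the crawl exclusion rules in step 9 decide which crawled URLs are in scope: a whitelist, when defined, overrides the blacklist and everything not whitelisted is treated as blacklisted; otherwise blacklisted URLs, regular expressions and file extensions are skipped. The precedence of the whitelist over the extension blacklist, the prefix matching of URL entries, and the default extension set are assumptions made for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-in for the extensions the UI pre-fills; the real default list may differ.
DEFAULT_EXTENSIONS = {"pdf", "zip", "mp4"}

@dataclass
class CrawlExclusion:
    """Mirror of the 'Crawl exclusion list' settings; an empty list means that option is disabled."""
    whitelist_urls: list[str] = field(default_factory=list)
    whitelist_regex: list[str] = field(default_factory=list)
    blacklist_urls: list[str] = field(default_factory=list)
    blacklist_regex: list[str] = field(default_factory=list)
    blacklist_extensions: set[str] = field(default_factory=lambda: set(DEFAULT_EXTENSIONS))

def _listed(url: str, urls: list[str], patterns: list[str]) -> bool:
    """True if url starts with one of the listed URLs or matches one of the regular expressions."""
    return any(url.startswith(u) for u in urls) or any(re.search(p, url) for p in patterns)

def _extension(url: str) -> str:
    """Lower-cased file extension of the last path segment, or '' if there is none."""
    last = urlparse(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""

def in_scope(url: str, cfg: CrawlExclusion) -> bool:
    """Decide whether the crawler may scan url under the whitelist/blacklist rules."""
    if cfg.whitelist_urls or cfg.whitelist_regex:
        # Assumed reading of the rules: a defined whitelist wins over every blacklist entry,
        # and any URL that is not whitelisted is treated as blacklisted.
        return _listed(url, cfg.whitelist_urls, cfg.whitelist_regex)
    if _listed(url, cfg.blacklist_urls, cfg.blacklist_regex):
        return False
    return _extension(url) not in cfg.blacklist_extensions

def filter_crawl(urls: list[str], cfg: CrawlExclusion) -> list[str]:
    """Keep only the crawled URLs the scanner is allowed to scan."""
    return [u for u in urls if in_scope(u, cfg)]

# Constructed crawl result for trying the rules out.
CRAWLED = [
    "https://www.example.com/",
    "https://www.example.com/app/login",
    "https://www.example.com/admin/users",
    "https://www.example.com/docs/manual.pdf",
    "https://www.example.com/static/logo.png",
]
```

With only a blacklist, `filter_crawl` keeps the root and `/app/login`; with a whitelist regular expression for `/app/`, only `/app/login` survives even if `/app` is also blacklisted.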