How do I add a web asset?
Before starting your first web application assessment, you must create a web application asset. This asset defines the scope, configuration, and authentication for your assessment.
Add a new web application asset
- Log in to your Security Center.
- In the main navigation bar, hover over Assets.
- From the dropdown menu, select Web applications & APIs.
- Click + Add web application.
General information
Under General information, enter the following:
- Web application: The starting URL for your assessment. Examples:
  - http://www.example.com
  - https://www.example.com
  - http://www.example.com/subfolder
  - http://www.example.com/subfolder/page.html
  - https://www.example.com:7443
  - http://123.123.123.123
- Asset name: A descriptive name for the web application.
- Business impact: The importance or criticality of the application.
- Unify with: Select the web server hosting the web application to create a unified asset.
- Description: A description of the web application.
- Owner: The owner of the web application. You can set this to Inherit from tags, assign it to a Team, or assign it to a specific User.
- GDPR compliance: You can enable the Personal data holder option.
REST API scanning
Under REST API scanning, enter the following:
- Open API path: The path to the Open API specification for your REST API. The domain of the Open API URL must match the target URL domain.
- Query string authentication: Add authentication in the format a=b. Press Enter to save.
- Header authentication: Add authentication headers to each HTTP request. Example: Basic: bearer 0x12345.
Application details
Under Application details, configure:
- Crawl scope: Select the crawl scope for the assessment.
- Explicit URLs to crawl: Option to enter explicit URLs to crawl. Press Enter to save. For detailed guidance, see: https://support.holmsecurity.com/knowledge/what-does-the-different-settings-for-crawl-scope-mean
- Allowed domains: Option to scan multiple domains within a single web application assessment. Press Enter to save. For detailed guidance, see: https://support.holmsecurity.com/knowledge/how-do-i-scan-multiple-domains-in-web-app-scanning
Scan settings
Under Scan settings, configure:
- Crawling hints: Option to enable crawling hints such as Crawl all links and directories found in robots.txt, if present, and Crawl all links and directories found in sitemap.xml, if present. All discovered URLs will be assessed. Check to enable.
- Headers and cookies: Add Headers to inject into the assessment. Press Enter to save. Option to Ignore session cookies. Check to enable.
- JavaScript scanning: Enable JavaScript scanning (available only for external scans and the Scanner Appliance with revision 49+). Check to enable.
Authentication
Under Authentication, configure:
- Authentication type: The authentication method for your web application. For detailed guidance, see: https://support.holmsecurity.com/knowledge/what-authentication-methods-does-the-web-app-scanner-have
Crawl exclusion list
Configure the Crawl exclusion list to whitelist or blacklist URLs and patterns:
Whitelist
- URLs: Whitelisted URLs override blacklisted URLs. Check to enable.
- URL: Enter URLs to whitelist. Press Enter to save.
- Regular expressions: Enable regex whitelisting. Whitelist regex rules override blacklisted regex rules. Check to enable.
- Regular expression: Add regex for whitelisting. Press Enter to save.
Blacklist
- URLs: Blacklisted URLs will not be assessed. Check to enable.
- URL: Add URLs for blacklisting. Press Enter to save.
- URL extensions: Enabled by default.
- URL extension: Add or remove URL extensions. Press Enter to save.
- Regular expressions: Enter regex rules for URLs to exclude from assessment. Press Enter to save.
- POST data blacklist: When certain POST data fields are blacklisted, the scanner skips sending test inputs or attacks to those parameters. Check to enable.
- Regular expression: Enter regex rules for excluding certain POST data fields. Press Enter to save.
- CSS Blacklist: Blacklisting with CSS selectors can help you remove an element from the target site, for example an element with a duplicate ID. Check to enable. For detailed guidance, see: https://support.holmsecurity.com/knowledge/how-do-i-blacklist-css-selectors
- Regular expression: Enter regex rules for excluding certain CSS selectors. Press Enter to save.
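The two precedence rules above (whitelisted URLs override blacklisted URLs, whitelist regex rules override blacklist regex rules) and the REST API rule that the Open API domain must match the target domain are easy to get wrong when building a scope. The following is an added illustration, not Holm Security's own scanner code; the configuration values are constructed, and the exact order in which the product evaluates its lists (in particular where the extension blacklist sits relative to the URL whitelist) is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed scope configuration mirroring the Crawl exclusion list sections.
CONFIG = {
    "whitelist_urls": {"https://www.example.com/admin/health"},
    "whitelist_regex": [r"^https://www\.example\.com/admin/public/"],
    "blacklist_urls": {"https://www.example.com/logout"},
    "blacklist_extensions": {".jpg", ".png", ".css", ".pdf"},
    "blacklist_regex": [r"^https://www\.example\.com/admin/"],
}


def url_extension(url):
    """Return the lower-cased extension of the URL path, or '' if none."""
    path = urlparse(url).path
    dot, slash = path.rfind("."), path.rfind("/")
    return path[dot:].lower() if dot > slash else ""


def in_scope(url, cfg=CONFIG):
    """Decide whether a crawled URL is assessed; returns (decision, reason).

    Evaluation order is an assumption: exact URL lists first, then the
    extension blacklist, then the regex lists. Within each pair the
    whitelist wins, as the article states.
    """
    if url in cfg["whitelist_urls"]:
        return True, "whitelisted URL"
    if url in cfg["blacklist_urls"]:
        return False, "blacklisted URL"
    if url_extension(url) in cfg["blacklist_extensions"]:
        return False, "blacklisted extension"
    if any(re.search(p, url) for p in cfg["whitelist_regex"]):
        return True, "whitelisted regex"
    if any(re.search(p, url) for p in cfg["blacklist_regex"]):
        return False, "blacklisted regex"
    return True, "no rule matched"


def openapi_domain_matches(target_url, openapi_url):
    """Check the REST API rule: Open API host must equal the target host."""
    target_host = (urlparse(target_url).hostname or "").lower()
    spec_host = (urlparse(openapi_url).hostname or "").lower()
    return bool(target_host) and target_host == spec_host


if __name__ == "__main__":
    for u in ("https://www.example.com/admin/users",
              "https://www.example.com/admin/public/docs",
              "https://www.example.com/images/logo.png"):
        print(u, in_scope(u))
```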
Once all settings are configured, the web application asset is ready for assessment.