
How does a web assessment work?

This article provides a general overview of Web Application Security (WAS).

Starting point

The starting point should be an exact URL, like one of the following examples, including HTTP or HTTPS. The assessment will start here and follow all links found within the scope you have selected. By doing this, the assessment will scan your entire web application.

Starting point URL examples:

  • http://www.example.com
  • https://www.example.com
  • http://www.example.com/subfolder
  • http://www.example.com/subfolder/page.html
  • https://www.example.com:7443

Multi-domain support

You can use this feature to perform a thorough assessment of multiple domains within the same web application. By including additional domains alongside your main target in a single assessment, you can gain a comprehensive understanding of your entire web presence.

This feature lets you scan all the domains associated with your web application in one go, ensuring no potential vulnerabilities or risks go unnoticed.

Read more about how to add additional domains to your assessment here:

https://support.holmsecurity.com/knowledge/how-do-i-scan-multiple-domains-in-web-app-scanning

Scan scope

A single web application assessment is limited to 8,000 pages or 24 hours. A larger or longer assessment will be automatically stopped. Note that you will still receive results for the pages found during the assessment.

HTTP and HTTPS

If you have the same web application under both HTTP and HTTPS, you can choose either one.

Redirects

Our crawler doesn’t follow redirects between HTTP and HTTPS, for example, from http://www.yourbusiness.com to https://www.yourbusiness.com. If you have a redirect, enter the redirect target as the URL for the assessment.
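To find the redirect target before configuring the assessment, you can walk the redirect chain yourself. The following is an added example, not Holm Security code: it goes beyond the single hop described above by following the whole chain and reporting whether any hop switches between HTTP and HTTPS. The function names and the SAMPLE responses are constructed for illustration; pass live_lookup to check a real site.

```python
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample responses (URL -> (status, Location header)), not real data.
SAMPLE = {
    "http://www.yourbusiness.com": (301, "https://www.yourbusiness.com/"),
    "https://www.yourbusiness.com/": (302, "/start"),
    "https://www.yourbusiness.com/start": (200, None),
}

def sample_lookup(url):
    """Offline stand-in for a server: answers from SAMPLE."""
    return SAMPLE.get(url, (200, None))

def live_lookup(url):
    """One HEAD request, without following redirects (some servers reject HEAD)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def resolve_start_url(url, lookup=sample_lookup, max_hops=10):
    """Return (final_url, crossed_scheme) for a candidate starting point."""
    if urlsplit(url).scheme not in ("http", "https"):
        raise ValueError("starting point must begin with http:// or https://")
    crossed, seen = False, set()
    for _ in range(max_hops):
        if url in seen:
            raise ValueError("redirect loop at " + url)
        seen.add(url)
        status, location = lookup(url)
        if status not in REDIRECT_CODES or not location:
            return url, crossed
        target = urljoin(url, location)  # Location may be relative
        # An HTTP<->HTTPS hop is the case the crawler will not follow.
        crossed = crossed or urlsplit(target).scheme != urlsplit(url).scheme
        url = target
    raise ValueError("more than %d redirects" % max_hops)

if __name__ == "__main__":
    final, crossed = resolve_start_url("http://www.yourbusiness.com")
    print(final, "(scheme changed)" if crossed else "(same scheme)")
```

If the second value is True, use the returned URL as the starting point instead of the one you began with.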

Exclude URLs and forms

Please read this information for URL and form exclusion:

https://support.holmsecurity.com/knowledge/how-do-i-exclude-one-or-more-urls-from-being-scanned

Excluded pages

The following file formats are ignored during the assessment because they contain static content:

  • DOC
  • DOCX
  • XLS
  • XLSX
  • PPT
  • PPTX
  • PDF
  • ZIP
  • WOFF