Objective 1: Set the stage

This article explains how to get started with InsightAppSec using a free trial account. After you receive your free trial confirmation email, you can sign in to InsightAppSec at https://insight.rapid7.com.

During the free trial, you can scan one personal domain or Rapid7’s demo domains (http://www.webscantest.com/ and http://hackazon.webscantest.com/). You will see these options when you first sign in to InsightAppSec.

Scanning Rapid7’s pre-configured demo applications can help you explore the capabilities of InsightAppSec, while scanning your own domain helps you ensure that InsightAppSec is the right security tool for your technology stack. After you make your decision, consult the appropriate section below: Scan Your Own Domain or Scan a Demo Domain.

Scan Your Own Domain

You can scan one personal domain with a free trial account. Before you begin the scan, ensure that you meet the prerequisites in the next section.

Before You Begin

Before you can scan your own domain, you’ll need to validate your ownership of the domain. This requires you to add a custom-generated meta tag to your application’s root path. Ensure that you have access to modify the source code of web pages in the application you are going to scan.

During an InsightAppSec scan, your web application may experience a high amount of incoming network traffic. Some firewalls may block attack traffic and prevent InsightAppSec from testing your application for vulnerabilities. In such cases, you must whitelist the IP addresses of the InsightAppSec cloud engines to scan your web applications.

Scan Your Web Application

To scan your application:

  1. On the welcome page, click the Scan my Domain button.
  2. When the "Set up target domain" wizard appears, enter the URL of the domain you would like to scan and press the Enter key. Be sure to select the right protocol for the URL, such as http or https.
  3. You’ll now see a custom-generated meta tag that you must place inside the <head> tag in the HTML code of your application’s index page. The index page is the page that appears by default at the URL you are testing (for example, index.html or default.aspx). Click the Copy button to copy the meta tag to your clipboard, insert the meta tag in the index page, and redeploy your web application.
  4. Click the Verify button. The InsightAppSec engine will access your web page and check for the presence of the meta tag. If the tag is found, the Verify button will say “Verified” in green and the Run Scan button will become clickable.
  5. Click the Run Scan button to start the scan. InsightAppSec will now provision a scan engine and initialize your scan. This process may take a few minutes.
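A common reason the Verify step fails is that the meta tag was pasted into the page body or onto the wrong page, so it helps to confirm its placement before clicking Verify. The following is an added example, not Rapid7's code: it parses the deployed index page's HTML and reports whether the tag is inside <head>, outside it, or absent. The attribute names and token used here are constructed placeholders; use the exact tag the wizard shows you.

```python
"""Pre-check that an index page carries the ownership meta tag inside <head>.

Added example, not Rapid7's code. EXPECTED_META is a constructed placeholder
standing in for the tag generated by the "Set up target domain" wizard.
"""
from html.parser import HTMLParser

# Constructed placeholder; replace with the attributes of the real generated tag.
EXPECTED_META = {"name": "example-insightappsec-verification",
                 "content": "PLACEHOLDER-TOKEN-FROM-WIZARD"}


class HeadMetaScanner(HTMLParser):
    """Records every <meta> tag together with whether it sat inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.metas = []  # list of (attrs_dict, was_in_head)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "head":
            self.in_head = True
        elif tag == "meta":
            self.metas.append((dict(attrs), self.in_head))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def check_verification_tag(html, expected=EXPECTED_META):
    """Return 'ok', 'misplaced' (tag present but outside <head>), or 'missing'."""
    scanner = HeadMetaScanner()
    scanner.feed(html)
    placements = [in_head for attrs, in_head in scanner.metas
                  if all(attrs.get(k) == v for k, v in expected.items())]
    if any(placements):
        return "ok"
    return "misplaced" if placements else "missing"


# Constructed sample pages: tag in <head>, tag dropped into <body>, and no tag at all.
GOOD = '<html><head><meta name="example-insightappsec-verification" content="PLACEHOLDER-TOKEN-FROM-WIZARD"></head><body></body></html>'
MISPLACED = '<html><head></head><body><meta name="example-insightappsec-verification" content="PLACEHOLDER-TOKEN-FROM-WIZARD"></body></html>'
MISSING = "<html><head><title>Shop</title></head><body></body></html>"

if __name__ == "__main__":
    for label, page in [("good", GOOD), ("misplaced", MISPLACED), ("missing", MISSING)]:
        print(label, "->", check_verification_tag(page))
```

Run it against the HTML actually served at the URL you entered in the wizard (after redeploying), since the engine checks the live page, not your source tree.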

After your scan starts, InsightAppSec will take you to the Scan Overview page where you can monitor the scan's progress.

Note

During the free trial, InsightAppSec runs only passive attack modules by default. After you become familiar with InsightAppSec, you can customize your scans to test for all attacks. You will learn how to customize scans in a subsequent lesson of this quick start guide.

Scan a Demo Domain

To scan a Rapid7 pre-configured vulnerable web application:

  1. On the welcome page, click the Scan a Demo Domain button.
  2. You will receive the option to scan either a basic site (http://www.webscantest.com/) or an ecommerce site (http://hackazon.webscantest.com/). Both of these websites are owned by Rapid7 and have been deliberately made vulnerable so you can test the features of your Dynamic Application Security Testing (DAST) tool.
  3. Select one of the sites and click the Run Scan button. InsightAppSec will now provision a scan engine and initialize your scan. This process may take a few minutes.

After your scan starts, InsightAppSec will take you to the Scan Overview page where you can monitor the scan’s progress.