Objective 2: Gain Visibility
InsightAppSec enables you to minutely control the scope and thoroughness of your scan based on your requirements. These controls are available under the Scan Configs section of your app. Having mostly used default settings in the past scans, this is a good time to explore the customizations available as part of the Scan Config wizard.
Create a Scan Config
- In the "All Apps" page, click on the name of your app.
- Select the Scan Configs tab.
- Click the Create New Scan Config button. The Scan Configuration wizard will appear. Refer to the articles in the Scan Configuration section for details about this wizard.
- Provide a name and description for the scan configuration.
- Set the Scan Scope which includes settings like the maximum number of pages to crawl, URLs to include or exclude from the scan, as well as parameters to include or exclude from the scan. If you are testing the tool on a customer facing application, it would be useful to either use a low number of links to crawl or restrict your testing to a small subsection of the site using wildcards.
- Add your authentication credentials if certain parts of the app are visible only after logging in. The webscantest and hackazon apps accept Basic and Form authentication, but you can also try authentication on your own apps and experience improved scan results.
- Select an attack template. For the first scan, we recommend using the "Crawl Only" template to make an inventory of the publicly visible resources on your web application. You can then focus on a smaller subsection of the app to run more comprehensive tests such as the "All modules" template.
- Click the Save button to save the template. You can then create Schedules and Blackouts to control the timing of scans around other activity in your network.
- Click the Scan Now button on the top right corner of the screen and choose your newly created scan configuration.
Monitor scan activity
The App Overview page lists all the scans for any app. Clicking on a Scan name will take you to the Scan Overview page. When the scan is in progress, this page displays a live count of discovered vulnerabilities, and on scan completion it provides a list of all the vulnerabilities discovered in the scan. Take a look at the scanning help guide to learn more.