Get Started with Tenable.io Web Application Scanning
Before you begin, learn about Tenable.io Web Application Scanning and establish a deployment plan and analysis workflow to guide your configurations.
Determine which web applications are within scope for scanning, including both staging and production sites. If staging sites are only accessible internally, see the Introduction section.
If you plan to assess web applications that are located behind a firewall or are not publicly accessible, you must deploy the on-prem Tenable.io Web Application Scanning appliance described in the Install a Core WAS Appliance documentation.
Configure site overviews of sites needing scans
Site overviews do not require authentication. They give you a general picture of the content that a full scan would review.
Site overviews also attempt to find potentially required authentication, including login forms and HTTP authentication.
Configure standard Web App scans against the sites
Standard web application scans perform a series of tests against the site to look for OWASP Top 10 vulnerabilities.
Currently, credentials are optional. Some web applications do not require a credentialed scan to get the full picture. Authentication is necessary in these cases:
- Pages that immediately require logon to proceed.
- User/Member portals that only offer a basic landing page without signing in.
To configure scans:
- Create a scan.
- Start the scan.
- To edit the scan or change the scan permissions, follow the Configure Scan Settings and Set Scan Permissions instructions.
- Once a scan completes, View your Scan Results.
Add Credentials to a Scan
Visit the following sections to add the appropriate credentials to your scan.
- Server-Based Authentication
- NTLM Authentication
- Basic / Digest Authentication
- Web App Authentication
- HTML Form Authentication
- Selenium Authentication
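The following is an added example, not Tenable's own code: it shows what the site-overview step described earlier looks for (HTTP authentication challenges and login forms) and maps each finding to the credential type from the list above that a standard scan would then need. The function and constant names are my own, and the sample responses are constructed.

```python
"""Classify the authentication a web application requires from one
captured HTTP response, mapped to the scan credential types above."""
from html.parser import HTMLParser


class _LoginFormFinder(HTMLParser):
    """Flags any <form> that contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.form_has_password = False
        self.found = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form, self.form_has_password = True, False
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "password":
            self.form_has_password = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.found = self.found or self.form_has_password
            self.in_form = False


def required_auth(status, headers, body):
    """Return 'basic_digest', 'ntlm', 'html_form' or 'none'.

    status: HTTP status code; headers: dict (matched case-insensitively);
    body: HTML text. Server challenges are checked first because a 401
    page usually carries no usable form. A login driven purely by
    JavaScript will not be detected here; that is the Selenium case.
    """
    challenge = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), "")
    scheme = challenge.split(" ", 1)[0].lower() if challenge else ""
    if status == 401 and scheme in ("basic", "digest"):
        return "basic_digest"
    if status == 401 and scheme == "ntlm":
        return "ntlm"
    finder = _LoginFormFinder()
    finder.feed(body)
    return "html_form" if finder.found else "none"


# Constructed sample bodies for a quick check.
SAMPLE_LOGIN_PAGE = ('<html><body><form action="/login" method="post">'
                     '<input name="user"><input type="Password" name="pw">'
                     '</form></body></html>')
SAMPLE_PUBLIC_PAGE = '<html><body><form action="/search"><input name="q"></form></body></html>'
```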
Increase Scan Intensity
Optionally, you can configure your scan settings to increase your scan intensity.