Get Started with Web Application Scanning


Before you begin, learn about Web Application Scanning and establish a deployment plan and analysis workflow to guide your configurations.

Determine which web applications are within scope for scanning. This includes staging and production sites. If staging sites are only accessible internally, then visit the Introduction section.

Install (Optional)

If you plan to assess web applications that are located behind a firewall or are not publicly accessible, you must deploy the on-premises Web Application Scanning appliance described in the Install a Core WAS Appliance documentation.

Note: There is no limit to the number of web applications you can scan with a trial license. However, you can only run one scan at a time.

Tip: Ensure your system meets the System Requirements and Hardware Requirements.

Configure Scans

Configure site overviews of sites needing scans

Site overviews do not require authentication. They give you a general idea of the content that the full scan reviews.

Site overviews also attempt to find potentially required authentication, including login forms and HTTP authentication.

Configure standard Web App scans against the sites

Standard web application scans perform a series of tests against the site to look for OWASP Top 10 vulnerabilities.

Currently, credentials are still optional. Some web applications do not require credentialed scans to get the full picture. Authentication is necessary in the following cases:

  • Pages that immediately require logon to proceed.

  • User/Member portals that only offer a basic landing page without signing in.

To configure scans:

  1. Create a scan.
  2. Start the scan.
  3. To edit the scan or change the scan permissions, follow the Configure Scan Settings and Set Scan Permissions instructions.
  4. Once a scan completes, View your Scan Results.


Add Credentials to a Scan

Visit the following sections to add the appropriate credentials to your scan.

Optional Configuration

Increase Scan Intensity

Optionally, you can configure your scan settings to increase your scan intensity.

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.