Assessment Settings in Tenable Web App Scanning Scans

Assessment settings specify which web application elements you want the scanner to audit as it crawls your URLs. You can configure Assessment settings when you create a scan or user-defined scan template. For more information, see Scan Templates.

The Assessment settings include the following sections:

Scan Type

These settings specify the intensity of the assessment you want the scanner to perform.

Setting: Assessment
Default value: Recommended
Required: Yes
Description: Drop-down box that allows you to choose from the following options to specify the scan type you want the scanner to perform.

  • Recommended — The scanner audits elements based on Tenable's recommendations.
  • None — The scanner does not audit any elements.
  • Quick — The scanner audits the most common elements listed.
  • Extensive — The scanner audits all the elements listed.
  • Custom — The scanner audits only the elements you select.

Note: If you select Recommended, Quick, or Extensive and then make changes to the settings in this section, the Scan Type setting automatically changes to Custom.

Common and Backup Pages

Setting: Detection Level
Default value: Most Detected Pages
Description: Drop-down box that allows you to choose from the following options to specify which pages you want the scanner to crawl.

  • Most Detected Pages — The scanner crawls only the most commonly detected pages.
  • Extended Dictionary — The scanner tests more path variations to detect hidden pages, which increases the overall scan duration.

Note: The Detection Level drop-down box is available only when you select Custom in the Scan Type settings.

Credentials Bruteforcing

The Credentials Bruteforcing setting is available only for the Scan template.

Setting: Credentials Bruteforcing
Default value: Disabled
Description: When enabled, any bruteforcing plugins included in the Plugins settings run. When disabled, bruteforcing plugins do not run, even if they are included in the Plugins settings.

Note: The Credentials Bruteforcing setting is available only when you select Custom in the Scan Type settings.

Elements to Audit

These settings specify the elements in your web application that you want the scanner to analyze for vulnerabilities.

Each element below is listed with the action the scanner performs when you select it.

Cookies

Checks for cookie-based vulnerabilities.

Headers

Checks for header vulnerabilities and insecure configurations (for example, missing X-Frame-Options).

Forms

Checks for form-based vulnerabilities.

Links and Query String Parameters

Checks for vulnerabilities in links and their parameters.

Parameter Names

Performs extensive fuzzing of parameter names.

Parameter Values

Performs extensive fuzzing of parameter values.

Path Parameters

Assesses path parameters. Path parameters are used in URL rewriting to identify, within the URL itself, the object that an action applies to. For example, in the following URL, scanId is a path parameter that identifies the scan whose results to display:

http://example.com/scan/scanId/results

JSON Elements / Request Body (JSON)

Audits JSON request data.

XML Elements / Request Body (XML)

Audits XML request data.

UI Forms

Checks input and button groups associated with JavaScript code.

Note: With UI Forms, Tenable Web App Scanning takes the inputs on the page, and any buttons, and creates form-like elements from them (UI Forms). For each button, Tenable Web App Scanning creates a UIForm element with inputs that are all the inputs on the page.

UI Inputs

Checks orphan input elements against associated document object model (DOM) events.

Note: A UI Input is an input that responds to a DOM event on its own. For example, after you type in a search bar, the search bar responds to an "onEnter" event that loads the next page, so Tenable Web App Scanning creates a UIInput element to audit this vector as well.

Optional

Setting: URL for Remote Inclusion
Default value: None
Description: Specifies a file on a remote host that Tenable Web App Scanning can use to test for a Remote File Inclusion (RFI) vulnerability. If the scanner cannot reach the internet, it uses this internally hosted file instead, which gives more accurate RFI testing.

Note: If you do not specify a file, Tenable Web App Scanning uses a safe, Tenable-hosted file for RFI testing.

DOM Element Exclusion

DOM element exclusions prevent scans from interacting with specific page elements and their children. This setting is available for Scan, Overview, and PCI scan templates.

Note: When the scanner decides whether to exclude an element based on an attribute value, it performs an exact equality check on the whole attribute value, not a token or substring match. So, if you want to exclude any element with the CSS class foo, the scanner excludes an element that has class="foo", but not an element that has class="foo bar".

You can add exclusions by clicking the add button and selecting Text Contents or CSS Attribute.

Setting: Text Contents
Default value: None
Description: Excludes elements based on their text contents. For example, to prevent the scanner from clicking a logout button labeled Log Out, match the text Log Out.

Setting: CSS Attribute
Default value: None
Description: Excludes elements based on a CSS attribute key-value pair. For example, to prevent the scanner from interacting with a form that contains the CSS attribute key-value pair id="logout", type id for the key and logout for the value.