Assessment Settings in WAS Scans

Assessment settings specify which web application elements you want the scanner to audit as it crawls your URLs. You can configure Assessment settings when you create a scan or user-defined scan template. For more information, see Scan Templates.

The Assessment settings include the following sections:

Scan Type

These settings specify the intensity of the assessment you want the scanner to perform.

Setting Default Value Description Required
Assessment Recommended

Drop-down box that allows you to choose from the following options to specify the scan type you want the scanner to perform.

  • Recommended — The scanner audits elements based on Tenable's recommendations.
  • None — The scanner does not audit any elements.
  • Quick — The scanner audits most the common elements listed
  • Extensive — The scanner audits all the elements listed.
  • Custom — The scanner audits only the elements you select.

Elements to Audit

These settings specify the elements in your web application that you want the scanner to analyze for vulnerabilities.

Setting Scanner Action


Checks for cookie-based vulnerabilities.


Checks for header vulnerabilities and insecure configurations (for example, missing X-Frame-Options).


Checks for form-based vulnerabilities.

Links and Query String Parameters

Checks for vulnerabilities in links and their parameters.

Parameter Names

Performs extensive fuzzing of parameter names.

Parameter Values

Performs extensive fuzzing of parameter values.

Path Parameters

Assesses path parameters. Path parameters are used in URL rewrite to identify the object of the action within the URL. For example, scanId is a path parameter for the below URL, used to identify the scan to display results:

JSON Elements / Request Body (JSON)

Audits JSON request data.

XML Elements / Request Body (XML)

Audits XML request data.

UI Forms

Checks input and button groups associated with JavaScript code.

UI Inputs

Checks orphan input elements against associated document object model (DOM) events.


Setting Default Description
URL for Remote Inclusion


Specifies a file on a remote host that Web Application Scanning can use to test for a Remote File Inclusion (RFI) vulnerability.

If the scanner cannot reach the internet, the scanner uses this internally-hosted file for more accurate RFI testing.

Note: If you do not specify a file, Web Application Scanning uses a safe, Tenable-hosted file for RFI testing.

DOM Element Exclusion

DOM element exclusions prevent scans from interacting with specific page elements and their children. This setting is available for Scan, Overview, and PCI scan templates.

You can add exclusions by clicking the add button and selecting Text Contents or CSS Attribute.

Setting Default Description
Text Contents None

Excludes elements based on text contents.

For example, if you want to prevent the scanner from clicking a logout button named Log Out, you could match the text Log Out.

CSS Attribute None

Excludes elements based on a CSS attribute key-value pair.

For example, if you want to prevent the scanner from interacting with a form that contains the CSS attribute key-value pair id="logout", type id for the key and logout for the value.