Assessment Settings in Tenable Web App Scanning Scans

Assessment settings specify which web application elements you want the scanner to audit as it crawls your URLs. You can configure Assessment settings when you create a scan or user-defined scan template. For more information, see Scan Templates.

The Assessment settings include the following sections:

Scan Type

These settings specify the intensity of the assessment you want the scanner to perform.

Setting Default Value Description Required
Assessment Recommended

Drop-down box that allows you to choose from the following options to specify the scan type you want the scanner to perform.

  • Recommended — The scanner audits elements based on Tenable's recommendations.
  • None — The scanner does not audit any elements.
  • Quick — The scanner audits the most common elements listed.
  • Extensive — The scanner audits all the elements listed.
  • Custom — The scanner audits only the elements you select.

Note: If you select Recommended, Quick, or Extensive and then make changes to the settings in this section, the Scan Type setting automatically changes to Custom.

Yes

Common and Backup Pages

Setting Default Value Description

Detection Level

Most Detected Pages

Drop-down box that allows you to choose from the following options to specify which pages you want the scanner to crawl.

  • Most Detected Pages - The scanner crawls only the most detected pages.

  • Extended Dictionary - The scanner tests more path variations for detecting hidden pages, increasing the overall scan duration.

Note: The Detection Level drop-down box is available only when you select Custom in the Scan Type settings.

Credentials Bruteforcing

The Credentials Bruteforcing setting is available only for the Scan template.

Setting Default Description

Credentials Bruteforcing

Disabled

When enabled, any plugins that perform bruteforcing included in the Plugins settings run.

When disabled, bruteforcing plugins do not run, even if they are included in the Plugins settings.

Note: The Credentials Bruteforcing setting is available only when you select Custom in the Scan Type settings.

File Upload Assessment

Setting Default Description

File Upload Assessment

Disabled

When enabled, the scanner attempts to detect file upload vulnerabilities based on generic attacks against relevant inputs, or specific attacks against known software vulnerabilities. A file upload vulnerability detection can remotely create files on the scanned web application which the scanner cannot delete.

Elements to Audit

These settings specify the elements in your web application that you want the scanner to analyze for vulnerabilities.

Setting Scanner Action

Cookies

Checks for cookie-based vulnerabilities.

Headers

Checks for header vulnerabilities and insecure configurations (for example, missing X-Frame-Options).

Forms

Checks for form-based vulnerabilities.

Links and Query String Parameters

Checks for vulnerabilities in links and their parameters.

Parameter Names

Performs extensive fuzzing of parameter names.

Parameter Values

Performs extensive fuzzing of parameter values.

Path Parameters

Assesses path parameters. Path parameters are used in URL rewrite to identify the object of the action within the URL. For example, scanId is a path parameter for the following URL, used to identify the scan to display results:

http://example.com/scan/scanId/results

JSON Elements / Request Body (JSON)

Audits JSON request data.

XML Elements / Request Body (XML)

Audits XML request data.

UI Forms

Checks input and button groups associated with JavaScript code.

Note: With UI Forms, Tenable Web App Scanning takes the inputs on the page, and any buttons, and creates form-like elements from them (UI Forms). For each button, Tenable Web App Scanning creates a UIForm element with inputs that are all the inputs on the page.

UI Inputs

Checks orphan input elements against associated document object model (DOM) events.

Note: UI Inputs are when there is an input that responds to an event. For example, after typing in the input in a search bar, the search bar responds to an "onEnter" event which loads the next page. So, Tenable Web App Scanningcreates a UIInput element to audit this vector as well.

Optional

Setting Default Description
URL for Remote Inclusion

None

Specifies a file on a remote host that Tenable Web App Scanning can use to test for a Remote File Inclusion (RFI) vulnerability.

If the scanner cannot reach the internet, the scanner uses this internally-hosted file for more accurate RFI testing.

Note: If you do not specify a file, Tenable Web App Scanning uses a safe, Tenable-hosted file for RFI testing.

DOM Element Exclusion

DOM element exclusions prevent scans from interacting with specific page elements and their children. This setting is available for Scan, Overview, and PCI scan templates.

Note: When the scanner is deciding whether to exclude an element based on an attribute value, it performs an equality check. So, if you want to exclude any element with css class foo, the scanner excludes an element that has class="foo", but not an element that has class="foo bar".

You can add exclusions by clicking the add button and selecting Text Contents or CSS Attribute.

Setting Default Description
Text Contents None

Excludes elements based on text contents.

For example, if you want to prevent the scanner from clicking a logout button named Log Out, you could match the text Log Out.

CSS Attribute None

Excludes elements based on a CSS attribute key-value pair.

For example, if you want to prevent the scanner from interacting with a form that contains the CSS attribute key-value pair id="logout", type id for the key and logout for the value.