Assessment Settings in Tenable Web App Scanning Scans
Assessment settings specify which web application elements you want the scanner to audit as it crawls your URLs. You can configure Assessment settings when you create a scan or user-defined scan template. For more information, see Scan Templates.
The Assessment settings include the following sections:
- Scan Type
- Common and Backup Pages
- Credentials Bruteforcing
- Elements to Audit
- Optional
- DOM Element Exclusion
Scan Type
These settings specify the intensity of the assessment you want the scanner to perform.

Setting | Default Value | Description | Required
---|---|---|---
Assessment | Recommended | Drop-down box that allows you to choose from the following options to specify the scan type you want the scanner to perform. Note: If you select Recommended, Quick, or Extensive and then make changes to the settings in this section, the Scan Type setting automatically changes to Custom. | Yes
Common and Backup Pages

Setting | Default Value | Description
---|---|---
Detection Level | Most Detected Pages | Drop-down box that allows you to choose from the following options to specify which pages you want the scanner to crawl. Note: The Detection Level drop-down box is available only when you select Custom in the Scan Type settings.
Credentials Bruteforcing
The Credentials Bruteforcing setting is available only for the Scan template.

Setting | Default | Description
---|---|---
Credentials Bruteforcing | Disabled | When enabled, any plugins that perform bruteforcing included in the Plugins settings run. When disabled, bruteforcing plugins do not run, even if they are included in the Plugins settings. Note: The Credentials Bruteforcing setting is available only when you select Custom in the Scan Type settings.
Setting | Default | Description
---|---|---
File Upload Assessment | Disabled | When enabled, the scanner attempts to detect file upload vulnerabilities based on generic attacks against relevant inputs, or specific attacks against known software vulnerabilities. A file upload vulnerability detection can remotely create files on the scanned web application which the scanner cannot delete.
Elements to Audit
These settings specify the elements in your web application that you want the scanner to analyze for vulnerabilities.

Setting | Scanner Action
---|---
Cookies | Checks for cookie-based vulnerabilities.
Headers | Checks for header vulnerabilities and insecure configurations (for example, missing X-Frame-Options).
Forms | Checks for form-based vulnerabilities.
Links and Query String Parameters | Checks for vulnerabilities in links and their parameters.
Parameter Names | Performs extensive fuzzing of parameter names.
Parameter Values | Performs extensive fuzzing of parameter values.
Path Parameters | Assesses path parameters. Path parameters are used in URL rewriting to identify the object of the action within the URL. For example, in the URL http://example.com/scan/scanId/results, scanId is a path parameter that identifies the scan whose results to display.
JSON Elements / Request Body (JSON) | Audits JSON request data.
XML Elements / Request Body (XML) | Audits XML request data.
UI Forms | Checks input and button groups associated with JavaScript code. Note: With UI Forms, Tenable Web App Scanning takes the inputs on the page, and any buttons, and creates form-like elements (UI Forms) from them. For each button, Tenable Web App Scanning creates a UIForm element whose inputs are all the inputs on the page.
UI Inputs | Checks orphan input elements against associated document object model (DOM) events. Note: A UI Input is an input that responds to an event. For example, after you type in a search bar, the search bar responds to an "onEnter" event that loads the next page. Tenable Web App Scanning creates a UIInput element to audit this vector as well.
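The Headers and Cookies rows above describe audits at the level of "insecure configuration" without showing what such a check looks like. The following is an added example, not Tenable Web App Scanning's own code: it takes the response headers captured for one page and returns findings for the missing X-Frame-Options case named in the table, and generalizes to two other standard browser protections (X-Content-Type-Options and the Secure/HttpOnly cookie flags). The sample response, the check ids and the severity labels are this example's own constructions.

```javascript
// Added example, not Tenable Web App Scanning's own code: a small audit of the
// kind the "Headers" and "Cookies" elements perform. Header names and cookie
// flags are standard browser mechanisms; ids and severities are invented here.

// Constructed sample response headers, as a crawler might capture them.
// Set-Cookie may repeat, so it is given as an array.
const SAMPLE_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  "X-Content-Type-Options": "nosniff",
  "Set-Cookie": ["session=abc123; Path=/", "prefs=dark; Path=/; Secure; HttpOnly"],
};

// Lower-case header names and represent every value as an array, so repeated
// headers and single headers are handled the same way.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value : [value];
  }
  return out;
}

// Framing protection: X-Frame-Options, or a CSP that carries frame-ancestors.
function checkFraming(h) {
  const csp = h["content-security-policy"] || [];
  const hasFrameAncestors = csp.some((v) => /frame-ancestors/i.test(v));
  if (h["x-frame-options"] || hasFrameAncestors) return null;
  return { element: "Headers", id: "x-frame-options-missing", severity: "medium",
    detail: "No X-Frame-Options (or CSP frame-ancestors) header; the page can be framed by other sites." };
}

// MIME sniffing protection: X-Content-Type-Options must be exactly "nosniff".
function checkNosniff(h) {
  const values = h["x-content-type-options"] || [];
  if (values.some((v) => v.trim().toLowerCase() === "nosniff")) return null;
  return { element: "Headers", id: "x-content-type-options-missing", severity: "low",
    detail: "X-Content-Type-Options: nosniff is not set; browsers may MIME-sniff responses." };
}

// Parse one Set-Cookie line into the cookie name and the set of attribute names.
function parseSetCookie(line) {
  const [nameValue, ...attrs] = line.split(";").map((s) => s.trim());
  const name = nameValue.split("=")[0];
  const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
  return { name, flags };
}

// Cookie protection: every cookie should carry Secure and HttpOnly.
function auditCookies(h) {
  const findings = [];
  for (const line of h["set-cookie"] || []) {
    const { name, flags } = parseSetCookie(line);
    if (!flags.has("secure")) {
      findings.push({ element: "Cookies", id: "cookie-missing-secure", severity: "medium", cookie: name,
        detail: `Cookie ${name} lacks the Secure flag and can be sent over plain HTTP.` });
    }
    if (!flags.has("httponly")) {
      findings.push({ element: "Cookies", id: "cookie-missing-httponly", severity: "low", cookie: name,
        detail: `Cookie ${name} lacks the HttpOnly flag and is readable from page scripts.` });
    }
  }
  return findings;
}

// Run all checks over one response's headers and return the list of findings.
function auditResponse(headers) {
  const h = normalizeHeaders(headers);
  const headerFindings = [checkFraming(h), checkNosniff(h)].filter(Boolean);
  return headerFindings.concat(auditCookies(h));
}

// Example run on the constructed response.
console.log(auditResponse(SAMPLE_HEADERS));
```

Findings are plain objects so a caller can group them by element (Headers or Cookies) the same way the table groups the audits; a real scanner would additionally take the page's scheme into account, since the Secure flag only matters once the site is served over HTTPS.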
Optional

Setting | Default | Description
---|---|---
URL for Remote Inclusion | None | Specifies a file on a remote host that Tenable Web App Scanning can use to test for a Remote File Inclusion (RFI) vulnerability. If the scanner cannot reach the internet, the scanner uses this internally hosted file for more accurate RFI testing. Note: If you do not specify a file, Tenable Web App Scanning uses a safe, Tenable-hosted file for RFI testing.
DOM Element Exclusion
DOM element exclusions prevent scans from interacting with specific page elements and their children. This setting is available for Scan, Overview, and PCI scan templates.
Note: When the scanner is deciding whether to exclude an element based on an attribute value, it performs an equality check. So, if you want to exclude any element with CSS class foo, the scanner excludes an element that has class="foo", but not an element that has class="foo bar".
You can add exclusions by clicking the button and selecting Text Contents or CSS Attribute.

Setting | Default | Description
---|---|---
Text Contents | None | Excludes elements based on text contents. For example, if you want to prevent the scanner from clicking a logout button named Log Out, you could match the text Log Out.
CSS Attribute | None | Excludes elements based on a CSS attribute key-value pair. For example, if you want to prevent the scanner from interacting with a form that contains the CSS attribute key-value pair id="logout", type id for the key and logout for the value.
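The equality-check note and the two exclusion kinds above are easy to misread (many people expect class="foo bar" to match a class rule for foo), so here is an added example, not Tenable Web App Scanning's own code, that models the behaviour the section describes. The page is a constructed tree of plain objects rather than a live DOM so it runs offline. Two details are this example's own assumptions rather than documented behaviour: a Text Contents rule matches an element whose trimmed text equals the rule text exactly, and a matched element removes its whole subtree from the set the scanner interacts with.

```javascript
// Added example, not Tenable Web App Scanning's own code: applies DOM element
// exclusion rules to a constructed page tree. Attribute rules use strict
// equality on the attribute value (so class="foo bar" does not match "foo");
// text rules use exact match on trimmed text (an assumption of this example).

// Constructed sample page: a search form, a logout form, and a logout link.
const SAMPLE_PAGE = {
  tag: "body", attrs: {}, text: "", children: [
    { tag: "form", attrs: { id: "search" }, text: "", children: [
      { tag: "input", attrs: { name: "q", class: "foo bar" }, text: "", children: [] },
      { tag: "button", attrs: { class: "foo" }, text: "Search", children: [] },
    ] },
    { tag: "form", attrs: { id: "logout" }, text: "", children: [
      { tag: "button", attrs: { name: "confirm" }, text: "Confirm", children: [] },
    ] },
    { tag: "a", attrs: { href: "/logout" }, text: " Log Out ", children: [] },
  ],
};

// Exclusion rules in the shape of the two kinds the setting offers.
const RULES = [
  { type: "textContents", value: "Log Out" },
  { type: "cssAttribute", key: "id", value: "logout" },
];

// Decide whether one element matches one rule.
function matchesRule(el, rule) {
  if (rule.type === "textContents") return el.text.trim() === rule.value;
  // Equality check on the whole attribute value, not a token or substring match.
  if (rule.type === "cssAttribute") return el.attrs[rule.key] === rule.value;
  throw new Error(`unknown rule type: ${rule.type}`);
}

// Depth-first walk: an element that matches any rule is skipped together with
// all of its descendants; everything else is collected as interactable.
function collectInteractable(root, rules, out = []) {
  if (rules.some((rule) => matchesRule(root, rule))) return out;
  out.push(root);
  for (const child of root.children) collectInteractable(child, rules, out);
  return out;
}

// Short label for an element, used for display and checking.
function describe(el) {
  const id = el.attrs.id ? `#${el.attrs.id}` : "";
  const name = el.attrs.name ? `[name=${el.attrs.name}]` : "";
  return `${el.tag}${id}${name}`;
}

// Labels of the elements the scanner would still interact with.
function interactableElements(page, rules) {
  return collectInteractable(page, rules).map(describe);
}

// Example run: the logout form (and its button) and the Log Out link drop out.
console.log(interactableElements(SAMPLE_PAGE, RULES));
```

Running it with a single rule of type cssAttribute for class=foo shows the equality semantics from the note: the Search button (class="foo") is excluded while the input with class="foo bar" remains interactable.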