
Before you begin, learn about Web Application Scanning and establish a deployment plan and analysis workflow to guide your configurations.

Determine which web applications are in scope for scanning, including both staging and production sites. If staging sites are only accessible internally, visit the Introduction section.

Install (Optional)

If you plan to assess web applications that are located behind a firewall or are not publicly accessible, you must deploy the on-premise Web Application Scanning appliance described in the Install a Core WAS Appliance documentation.

Tip: Ensure your system meets the System Requirements and Hardware Requirements.

Configure Scans

Configure site overviews of sites needing scans

Site overviews do not require authentication. They give you a general idea of the content that a full scan will review.

Site overviews also attempt to find authentication that may be required, including login forms and HTTP authentication.

For more on authentication types, please see:

Configure standard webapp scans against the sites

Standard web application scans perform a series of tests against the site to look for OWASP Top 10 vulnerabilities.

Currently, credentials are still optional. Some web applications do not require credentialed scans to get the full picture. The cases where authentication is necessary are:

  • Pages that immediately require logon to proceed.

  • User or member portals that only show a basic landing page until you sign in.

To configure scans:

  1. Create a scan.
  2. Start the scan.
  3. To edit the scan or change the scan permissions, follow the Configure Scan Settings and Set Scan Permissions instructions.
  4. Once a scan completes, View your Scan Results.


Add Credentials to a Scan

Visit the following sections to add the appropriate credentials to your scan.

  • NTLM Auth
  • Basic Auth
  • Webapp auth
  • HTML Form Auth
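The site overview described above looks for the same signals that decide which of the credential types listed here a full scan will need: an HTTP challenge (NTLM/Negotiate, Basic) or an HTML login form. The following Python is an added example, not Tenable's code and not the appliance's logic: it classifies constructed sample responses by inspecting the `WWW-Authenticate` header, redirect targets and `<form>` bodies. The `Response` class, the label strings (`http-ntlm`, `http-basic`, `html-form`, and so on) and the sample URLs are all assumptions of the example; the labels do not map one-to-one onto the product's own credential types.

```python
"""Classify the authentication a site appears to require, from captured responses.

Added example, not Tenable's code: the Response objects below are constructed
stand-ins for what a crawler would record, not output of the WAS appliance.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Response:
    """Minimal stand-in for one HTTP response recorded during a site overview."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        # Header names are case-insensitive, so look them up that way.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


# A scheme token sits at the start of the header or right after a comma and is
# followed by whitespace, a comma or the end; parameters such as realm="x" are not.
_SCHEME_RE = re.compile(r"(?:^|,)\s*([A-Za-z][A-Za-z0-9._~+/-]*)(?=\s|,|$)")
_FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
_PASSWORD_RE = re.compile(r"<input\b[^>]*\btype\s*=\s*['\"]?password\b", re.I)
_LOGIN_PATH_RE = re.compile(r"/(login|signin|sign-in|logon|auth)\b", re.I)


def http_auth_schemes(resp: Response) -> List[str]:
    """Return the challenge schemes a 401/407 response advertises, lowercased."""
    if resp.status not in (401, 407):
        return []
    header = resp.header("WWW-Authenticate") or resp.header("Proxy-Authenticate")
    return [m.group(1).lower() for m in _SCHEME_RE.finditer(header)]


def has_login_form(html: str) -> bool:
    """True if any <form> on the page carries a password input."""
    return any(_PASSWORD_RE.search(form) for form in _FORM_RE.findall(html))


def classify(resp: Response) -> str:
    """Map one response to the kind of credential a full scan would need."""
    schemes = http_auth_schemes(resp)
    if "ntlm" in schemes or "negotiate" in schemes:
        return "http-ntlm"
    if "basic" in schemes:
        return "http-basic"
    if "digest" in schemes:
        return "http-digest"
    # A redirect straight to a login path is the "immediately requires logon" case.
    if resp.status in (301, 302, 303, 307, 308) and _LOGIN_PATH_RE.search(resp.header("Location")):
        return "redirect-to-login"
    if has_login_form(resp.body):
        return "html-form"
    return "none"


def required_credentials(responses: List[Response]) -> Dict[str, List[str]]:
    """Group URLs by the credential type the overview suggests they need."""
    needs: Dict[str, List[str]] = {}
    for resp in responses:
        needs.setdefault(classify(resp), []).append(resp.url)
    return needs


# Constructed sample responses (hypothetical hosts, not captured from any real site).
SAMPLE = [
    Response("https://intranet.example/reports/", 401,
             {"WWW-Authenticate": "Negotiate, NTLM"}),
    Response("https://staging.example/admin/", 401,
             {"www-authenticate": 'Basic realm="Staging", charset="UTF-8"'}),
    Response("https://staging.example/account/", 302,
             {"Location": "https://staging.example/account/login?next=/account/"}),
    Response("https://www.example/members/", 200, {},
             '<html><body><form action="/members/login" method="post">'
             '<input name="user"><input type="password" name="pw">'
             '<button>Sign in</button></form></body></html>'),
    Response("https://www.example/", 200, {"Content-Type": "text/html"},
             "<html><body><h1>Welcome</h1><a href='/members/'>Members</a></body></html>"),
]

if __name__ == "__main__":
    for kind, urls in sorted(required_credentials(SAMPLE).items()):
        print(f"{kind:18s} {', '.join(urls)}")
```

The scheme regex deliberately ignores tokens that follow a comma inside a parameter list (the `charset="UTF-8"` above), which is the usual mistake when a header carries several challenges. Treat the redirect and form checks as heuristics: a landing page that renders its login form with JavaScript will show up as `none` here and still need credentials in the full scan.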

Increase Scan Intensity

Visit the following sections to increase your scan intensity.

  • Increase scan aggressiveness
  • Increase scan timeout/length


We could probably touch on remediation efforts, automation, or other topics in this section.

Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.