Document Version: 3.8

Date: 2020-05-22


Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.


Purpose

This document provides users with a comprehensive overview of the Configuration. It is assumed that the reader has basic access to the OUTSCAN/HIAB account with an Appsec, Cloudsec, or Scout subscription.

Introduction

The Configuration view consists of the target information, which links to an asset, and the scan settings.

Scan settings govern the automated scanning process and allow you to restrict the scan duration and its impact on the scanned asset.

For Scale:

  • Scope definition for scans, to cover the desired functionality on a limited number of hosts, either through expressions that match the response body, or by mapping a host to certain IPs.
  • Initial state of the web application, usually in the form of an authentication procedure.

For Scout:

  • The initial seed data for the asset discovery.

For Cloudsec:

  • The cloud account and the compliance policy.

Configurations

The Configurations view lists all configurations. 

To customize the view:

  1. Click on the Filter icon to see the available columns and filtering options. See Common Settings for more information.
  2. Add the desired columns by clicking on the Show/Hide Column icon.



Along with Common Settings, the Configurations view also has grouping functionality.

Groups

To access the group tree, click the Group tree tab in the Filter and Settings panel.

To create a group:

  1. Click the green Plus icon in the lower right corner of the Group Tree panel.
  2. In the Create Group window, enter a name for the group.
  3. Select a subgroup if the new group is part of a master group.
  4. Click the blue ADD button.

    [Screenshot: APPSEC59]

Add a Configuration

To add a configuration:

  1. Click on the green Plus icon in the lower right corner.
  2. Select the type of assessment to perform:

Application Assessment

The targets can be added as:

     •  URL
     •  IPv4
     •  IPv6
     •  IPv4:port
     •  IPv6:port
     •  Hostname

https://outpost24.com 
203.0.113.1 
198.51.100.5:5291 
[2001:db8:1:2:3:4:5:6] 
[2001:db8:2fa:bba:dd3:f3c:11:2b]:928
outpost24.com 

When adding more than one target, separate them using a newline.

  3. After adding the targets, click the ADD button in the lower right corner.

    Note

    Entries not starting with https protocol are prefixed with https://.

A configuration name is extracted from the host, optional port, and path to build a unique and user-friendly representation of the added configuration. URL fragments and query strings are not used for configuration names.

Example inputs and generated configuration names:

  • https://outpost24.com/ > outpost24.com
  • https://outpost24.com:8080/admin/login/ > outpost24.com:8080/admin/login
  • https://outpost24.com:8080/admin/#/login > outpost24.com:8080/admin
  • https://outpost24.com:8080/admin?relogin=true > outpost24.com:8080/admin
  • http://91.216.32.99:8081 > 91.216.32.99:8081
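The name derivation described above, written out as an added Python example (this is illustrative code, not Outpost24's implementation). It assumes that an entry already carrying a scheme (http:// or https://) is kept as entered, that an entry without a scheme gets https:// prefixed as the note above states, and that a bracketed IPv6 host with a port is named as host:port; the sample inputs are the ones listed above.

```python
from urllib.parse import urlsplit

# Added example (not Outpost24 code): derive a configuration name from the
# host, optional port and path of a target entry, ignoring query and fragment.


def normalize_target(entry: str) -> str:
    """Prefix a target with https:// when no scheme is given.

    Assumption: an entry that already has a scheme is kept as entered,
    matching the http:// example in the documentation above.
    """
    entry = entry.strip()
    if "://" not in entry:
        entry = "https://" + entry
    return entry


def configuration_name(entry: str) -> str:
    """Build 'host[:port][/path]' from one target entry."""
    parts = urlsplit(normalize_target(entry))
    # parts.netloc keeps the host and the optional port; a bracketed IPv6
    # host such as [2001:db8::1]:928 survives urlsplit unchanged.
    path = parts.path.rstrip("/")   # a trailing slash carries no information
    return parts.netloc + path      # query and fragment are intentionally dropped


def configuration_names(block: str) -> list:
    """Handle the newline-separated form used when adding several targets."""
    return [configuration_name(line) for line in block.splitlines() if line.strip()]


if __name__ == "__main__":
    for entry in ("https://outpost24.com/",
                  "https://outpost24.com:8080/admin/#/login",
                  "https://outpost24.com:8080/admin?relogin=true",
                  "http://91.216.32.99:8081",
                  "198.51.100.5:5291"):
        print(f"{entry} > {configuration_name(entry)}")
```

Running the block prints the input/name pairs from the list above; the same function is what you would use to predict the name of a configuration before adding a batch of targets.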


The Choose scanner (HIAB only) option is visible if at least one Appsec scanner is available.

  • The first scanner in the list is selected by default.
  • The selected scanner can be changed in the Edit view. 

Note

To add scans in HIAB Appsec, one of the regular HIAB scanners must be turned into an Appsec scanner.
See Setting up a HIAB as an Appsec Scale Scanner for more information.

Cloud Assessment

Choose the cloud account and the compliance policy against which the account should be checked:

Asset Discovery

The targets can be added as:

  • URL
  • IPv4
  • IPv6
  • IPv4:port
  • IPv6:port
  • Hostname


Examples:
198.51.100.0
198.51.100.0:443
198.51.100.0/24
198.51.100.0-198.51.100.255

[2001:db8::]
[2001:db8::]:928
[2001:db8::]/32
[2001:db8::]-[2001:db8:1:2:3:4:5:6]

example.com
www.example.com
www.example.com:8081
https://www.example.com:8081/admin


Note

Adding new configurations also populates the Assets. The assets are derived from the submitted target information. If an asset already exists, the created configuration is linked to it; otherwise, the asset is created together with the configuration and linked to it.

Edit a Configuration

Select the configuration you want to edit by clicking on it.

[Screenshot: APPSEC27]

The configuration panel is displayed to the right side of the window. It consists of:

  • Settings
  • Schedules
  • Request Filter
  • Authentication
  • Host Maps

SETTINGS

The Settings tab allows you to configure the scope of the scan.


General Settings

Option - Description

Name

Provide the name that should be displayed in the exported report.

Time limit

Set a time limit for how long the scheduled scan may run. Use the format 2h50m.

Seed URLs

Provide the seed URL of the target. Use newline to add multiple seed URLs.

Member of group

Select a group from the list. Default group is All.

Include infrastructure scan

Check this box if you want to conduct an infrastructure scan.


Note

Infrastructure scanning is a process where other ports are checked for available services. If any active ports are found, they are tested for vulnerabilities, which are then displayed in the findings section. It is recommended to allow at least 2 hours for the port scan to finish; otherwise the scan can terminate early and miss some of the open ports and the services running on them.

Scan Intensity

The Scan Intensity determines the behavior and the impact of the scanner on the target application.

Option - Description

Normal

Simulates multiple users at a time.

Low

Simulates one user at a time, sequential requests. 

Vulnerability Testing (Fuzzing)

Select one of the options, depending on the type of scan that needs to be performed on the target application.

Option - Description

Active and passive

By enabling this option, the scanner performs checks for common application vulnerabilities such as SQL injection, XSS, and response splitting, performs path enumeration, and much more.

Passive only

In this mode, the scanner follows existing links on the page without brute-forcing assets, then looks for patterns in response headers and body to determine potentially outdated and vulnerable components or server misconfigurations.

User Agent

Option - Description

Desktop

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36.

Custom

Create a custom User Agent using the format shown for the Desktop option. This can be arbitrary text as long as it is valid in an HTTP header context according to https://tools.ietf.org/html/rfc7231#section-5.5.3; it is recommended to follow the convention described at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent.

SCHEDULES

On the Schedules tab, you configure when the scan should run.



Add a Schedule

  1. Click on the green Plus icon located on the bottom of the panel to open the Add schedule window.




  2. Select Create new schedule.


    Option - Description

    Schedule name

    Provide a name for the schedule.

    Time

    Set the time at which the schedule is triggered. The time value is saved in UTC (Coordinated Universal Time); the offset corresponds to the system time of the user's web browser and therefore may differ for users accessing the schedule options from different time zones. For example, a schedule time set to 10:00 in July (summer time) by a user located in Copenhagen (UTC+2) appears as 09:00 to a user located in London (UTC+1) at the same time.

    Recurrence / Every

    Determines the frequency of the scheduled scan. Select one of the available options in the menu:

    Option - Description
    None - No recurrence.
    Once - The scan is scheduled to run only once, on the selected start date.
    Minute - Set the recurrence window by providing the number of minutes in this field. If set, the scan is scheduled to run every nth minute.
    Hour - Set the recurrence window by providing the number of hours in this field.
    Day - Set the recurrence window by providing the number of days in this field. Example: if set to 2, the scan is scheduled to run once every 2 days.
    Week - Select on which days of the week the scan should run.
    Month - Select the occurrence of a weekday, or the day of the month, on which the scan should run.
    Year - Select on which day of the year the scheduled scan should run.

    Tip

    A scan is not restarted when its schedule is triggered while it is still running; the next run starts at the following scheduled time.

    On these days

    Determines on which days of the week the scheduled scan should run. Select the desired days from the menu.

    Occurrence of the weekday

    Determines on which occurrences of the selected weekday within the month the scheduled scan should run.

    Example: 2,3 schedules the 2nd and 3rd selected weekday of the month.

    Day of the month

    Determines on which days of the month the scheduled scan should run.

    Example: 4,8,10 schedules the 4th, 8th and 10th day of the month.

    Starts on - Set the start date for the schedule.
    Ends on - Set an end date for the schedule. The schedule becomes inactive after this date.
    Ends after _ occurrences - Set the number of occurrences after which the schedule becomes inactive.
    Never ends - If set, the schedule never becomes inactive.
  3. Click on the ADD button to schedule the configuration.

Edit a Schedule

  • Click on the Edit icon to update an existing schedule.
  • Click on the Delete icon to remove an existing schedule.

Examples

  1. A schedule is set to run only once on 2020-02-02 at 2 PM: 



  2. A schedule is set to run every day at 11 AM, starting on 2020-02-02:



  3. A schedule is set to run every week on Tuesday and Thursday at 9 AM, starting on 2019-09-27:



  4. A schedule is set to run every second Tuesday of every third month at 9:30 AM, starting on 2019-09-27:



  5. A schedule is set to run on the 18th of every month at 10 PM, starting on 2019-09-27:



  6. A schedule is set to run on the 18th of every month at 10 PM, starting on 2019-09-27, and disabled after 4 occurrences; in other words, the scan runs only four times:




  7. A schedule is set to run on the 18th of every month at 10 PM, starting on 2019-09-27, and disabled from 2020-01-01, 00:00:
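To make the recurrence, Starts on, Ends on and Ends after options concrete, here is an added Python model that enumerates the run times for the schedule examples above. It is illustrative code written for this page, not Outpost24's scheduler, and it makes a few assumptions the page leaves open: the month interval of a Month recurrence is counted from the month of the start date, Ends on is treated as an exclusive instant (the schedule is disabled from that moment), Never ends is expressed by leaving both end options unset, and weekdays use Python numbering (Monday = 0, Sunday = 6). Times are local wall-clock values; the UTC storage described under Time is outside this model.

```python
from datetime import date, datetime, time, timedelta
from typing import Callable, Iterable, List, Optional

# Added illustrative model of the schedule options (not Outpost24's scheduler).
# A rule decides whether a candidate date matches, given the schedule's start
# date; weekdays use Python numbering (Monday=0 ... Sunday=6).
Rule = Callable[[date, date], bool]


def every_n_days(n: int) -> Rule:
    """Day recurrence: run on the start date and every n-th day after it."""
    return lambda start, d: (d - start).days % n == 0


def weekly(weekdays: Iterable[int]) -> Rule:
    """Week recurrence: run on the selected days of the week."""
    selected = set(weekdays)
    return lambda start, d: d.weekday() in selected


def monthly_on(days_of_month: Iterable[int]) -> Rule:
    """Month recurrence by day of the month, e.g. {4, 8, 10}."""
    selected = set(days_of_month)
    return lambda start, d: d.day in selected


def monthly_nth_weekday(occurrences: Iterable[int], weekday: int,
                        every_n_months: int = 1) -> Rule:
    """Month recurrence by occurrence of a weekday, e.g. {2} and Tuesday.

    Assumption: the month interval is counted from the start date's month.
    """
    selected = set(occurrences)

    def rule(start: date, d: date) -> bool:
        months_apart = (d.year - start.year) * 12 + (d.month - start.month)
        return (d.weekday() == weekday
                and (d.day - 1) // 7 + 1 in selected   # 1st, 2nd, ... of the month
                and months_apart % every_n_months == 0)
    return rule


def schedule_runs(starts_on: date, at: time, rule: Rule,
                  ends_on: Optional[datetime] = None,
                  ends_after: Optional[int] = None,
                  limit: int = 10, horizon_days: int = 3660) -> List[datetime]:
    """Enumerate run times, honouring Starts on, Ends on and Ends after.

    Assumption: Ends on is an exclusive instant ("disabled from 2020-01-01
    00:00"). The horizon bounds the walk so that a rule which never matches
    cannot loop forever.
    """
    runs: List[datetime] = []
    for offset in range(horizon_days):
        d = starts_on + timedelta(days=offset)
        if not rule(starts_on, d):
            continue
        run = datetime.combine(d, at)
        if ends_on is not None and run >= ends_on:
            break
        runs.append(run)
        if ends_after is not None and len(runs) >= ends_after:
            break
        if len(runs) >= limit:
            break
    return runs


if __name__ == "__main__":
    # Example 6 above: the 18th of every month at 10 PM from 2019-09-27, four occurrences.
    for run in schedule_runs(date(2019, 9, 27), time(22), monthly_on({18}), ends_after=4):
        print(run.isoformat())
```

Walking day by day is deliberately simple: each rule is a pure predicate, so a new recurrence type (Year, for instance) is one more predicate rather than a change to the enumeration loop, and the Tip about a scan not being restarted while it is still running can be layered on top by skipping any run that falls inside a running scan.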

REQUEST FILTER

The request filter is used to stop the scanner from visiting resources that could disrupt the normal behavior of the web application, or to limit the scan scope to given parameters. For example, a request filter can disallow all POST-based requests, avoiding large numbers of repetitive requests that could affect the availability of the web application.

[Screenshot: APPSEC31]

To add a filter, click the green Plus icon in the lower right corner to display the filter configuration.

Filter Type

Can't match - Requests matching the filter are excluded from the scan. If any of the options is left empty, such as Method or Body type, the filter matches all methods or all body types. The more granular the filter, the narrower it is, potentially letting more requests through the filter to be visited during the crawling stage.

This type of filter applies to both directly visited resources like links within web application scope, as well as resources required to properly render the web application. 

The latter are not in direct scope during the crawling phase; they include:

  • Externally hosted images
  • Media players
  • Widgets
  • JavaScript libraries

and other resources included in the web application. 

Use the Can't match filter when the scanner must be prevented from visiting certain pages or performing certain types of requests, such as:

  • Checking out in a web shop
  • Finalizing a booking
  • Sending a logout request when an authentication procedure is defined
  • Letting web activity trackers and analytics log the scanner's activity

Must match - Requests that must match the specified rules to be included in the scan. Any requests not matching the given rules are considered out-of-scope at crawling phase and thus never visited. This type of filter is useful whenever a scan must be performed at certain depth or path within the scanned web application. 

Must match filter applies only to resources directly found in the rendered web application such as links and buttons. The filter does not limit external resources required to properly render the web application like:

  • JavaScript libraries
  • Externally hosted images
  • Widgets

and other indirectly requested resources. 

To limit requests of that nature, use a Can't match type of filter instead.

If \.php\?? is provided as a Must match URL pattern, the scanner scans only pages of the .php file type and excludes all other pages.

Method: Optional

Select any of the supported HTTP request methods or leave the field empty (unspecified).

The available methods are:

  • GET
  • POST
  • DELETE
  • PATCH
  • PUT

Body Type: Optional

Select the desired content type from the drop-down menu, so that the request body is matched in the same format as the query string. If you leave the field empty, the filter matches all requests.

URL

Provide the URL to which the filter settings must be applied (RE2 regex matching). 

Body: Optional

Provide the body to which the filter settings must be applied (RE2 regex matching).

Example: /login_example\.php

After filling the desired settings into filter configuration dialog, click the ADD button. 
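The following added Python example models how Can't match and Must match filters, with their optional Method, Body type and Body fields, decide whether a request is in scope; it also covers the precondition stated at the end of this document that the seed URLs must pass all request filters. This is illustrative code, not Outpost24's filter engine. It assumes that when several Must match filters exist, matching any one of them is enough, that a Can't match hit always excludes the request, and that a URL or Body pattern matches anywhere in the value (a search, not an anchored match). Python's re module stands in for RE2; the sample patterns use syntax both engines share.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example (not Outpost24 code) of Can't match / Must match semantics.
# Python's re module stands in for RE2 here.


@dataclass
class Request:
    method: str
    url: str
    body_type: Optional[str] = None   # e.g. "application/x-www-form-urlencoded"
    body: str = ""


@dataclass
class RequestFilter:
    kind: str                         # "cant_match" or "must_match"
    url: str                          # regex applied to the request URL (required)
    method: Optional[str] = None      # empty matches every method
    body_type: Optional[str] = None   # empty matches every body type
    body: Optional[str] = None        # regex applied to the body; empty matches all

    def matches(self, req: Request) -> bool:
        """True when every field that is set agrees with the request."""
        if self.method and self.method.upper() != req.method.upper():
            return False
        if self.body_type and self.body_type != req.body_type:
            return False
        if not re.search(self.url, req.url):
            return False
        if self.body and not re.search(self.body, req.body):
            return False
        return True


def is_in_scope(req: Request, filters: Iterable[RequestFilter]) -> bool:
    """Assumption: any Must match filter may admit a request; any Can't match
    hit excludes it (requests failing Must match are out of scope for crawling)."""
    filters = list(filters)
    must = [f for f in filters if f.kind == "must_match"]
    if must and not any(f.matches(req) for f in must):
        return False
    return not any(f.matches(req) for f in filters if f.kind == "cant_match")


def seeds_pass_filters(seed_urls: Iterable[str], filters: Iterable[RequestFilter]) -> bool:
    """Precondition check: every seed URL (fetched with GET) must get through the filters."""
    filters = list(filters)
    return all(is_in_scope(Request("GET", url), filters) for url in seed_urls)


# Constructed sample filter set:
#  - scan only .php pages (the Must match example from this section),
#  - never send the logout request,
#  - disallow all POST requests to spare the application repetitive writes.
SAMPLE_FILTERS = [
    RequestFilter("must_match", r"\.php\??"),
    RequestFilter("cant_match", r"/logout"),
    RequestFilter("cant_match", r".", method="POST"),
]

if __name__ == "__main__":
    for req in (Request("GET", "https://app.example/index.php?id=1"),
                Request("GET", "https://app.example/about.html"),
                Request("GET", "https://app.example/logout.php"),
                Request("POST", "https://app.example/login.php", body="user=a&pass=b")):
        state = "in scope" if is_in_scope(req, SAMPLE_FILTERS) else "filtered"
        print(req.method, req.url, "->", state)
```

A practical use of `seeds_pass_filters` is to validate a configuration before saving it: a Must match pattern that excludes the seed URL itself produces a configuration that never runs, which is the fourth precondition listed at the end of this document.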

AUTHENTICATION 

Here, you can configure authentication for an asset.


SSL Authentication

[Screenshot: APPSEC33]

Certificate

X.509 PEM certificate

The PEM extension is used for different types of X.509v3 files that contain ASCII (Base64) armored data prefixed with a “-----BEGIN …” line.

Private key

PEM-encoded private key. Accepted types: RSA, DSA, ECDSA.

Starting with: -----BEGIN RSA PRIVATE KEY-----

Passphrase

Passphrase used for private key.

Web Authentication

None

Choose None if you do not want any authentication.

Basic

Choosing Basic authentication is appropriate when establishing initial state of the crawled application using the WWW-Authenticate HTTP header as specified in RFC1945.


To terminate a scan that has reached a logged-out state, it is recommended to specify a Scan abort pattern. The pattern should be in RE2 format or simple text matching the response that indicates to the scanner that the application is logged out. The pattern is matched against all responses coming from the scanned application, both headers and body; if a response matches the specified pattern, the scan stops. This prevents crawling the application outside of its desired state and ensures that reported findings belong to the correct application state.

Login Form

This option allows you to set up an authentication procedure based on a login form present on the website:

Review the rendered HTML of login page to locate the form input element. This can be done by right clicking on the page and choosing Inspect or Inspect element. See the example guide for Firefox for more information. 

Below is an example code snippet showing where the required values are found:

<form action="/user/login" method="post" id="user-login" accept-charset="UTF-8">
    <div>
        <div class="form-item form-type-textfield form-item-name">
            <label for="edit-name">Username or email <span class="form-required" title="This field is required.">*</span></label>
            <input type="text" id="edit-name" name="user" value="" maxlength="60" class="form-text required">
        </div>
        <div class="form-item form-type-password form-item-pass">
            <label for="edit-pass">Password <span class="form-required" title="This field is required.">*</span></label>
            <input type="password" id="edit-pass" name="pass" size="60" maxlength="128" class="form-text required">
        </div>
        <div class="form-actions form-wrapper" id="edit-actions">
            <input type="submit" id="edit-submit" name="op" value="Log in" class="form-submit">
        </div>
    </div>
</form>

In this example, the name of the username input field is user.

<input type="text" id="edit-name" name="user" value="" maxlength="60" class="form-text required">

and the name of the password input field is pass. These two names are what should be submitted in the authentication configuration.

<input type="password" id="edit-pass" name="pass" size="60" maxlength="128" class="form-text required">
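Locating the two field names by hand is what the section above describes; the following added Python example automates that lookup over the same snippet, using only the standard library HTML parser. It is illustrative code, not part of Outpost24's product, and it relies on a heuristic that is an assumption: the first form containing a password input is taken to be the login form, and the last text or email input before the password input is taken to be the username field. The sample page is the snippet from the section above.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Added example (not Outpost24 code): find the username and password input
# names that the Login Form authentication settings ask for.


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and <input> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # <input> is a void element, so only the start tag is ever seen.
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_login_fields(html: str) -> Optional[Dict[str, Optional[str]]]:
    """Heuristic (assumption): the first form with a password input is the
    login form; the last text/email input before it is the username field."""
    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        inputs = form["inputs"]
        password = next((i for i in inputs if i["type"] == "password"), None)
        if password is None:
            continue
        before = inputs[: inputs.index(password)]
        candidates = [i for i in before if i["type"] in ("text", "email") and i["name"]]
        return {"action": form["action"], "method": form["method"],
                "username_field": candidates[-1]["name"] if candidates else None,
                "password_field": password["name"]}
    return None


# The login form snippet from the section above, embedded as sample input.
SAMPLE_LOGIN_PAGE = """
<form action="/user/login" method="post" id="user-login" accept-charset="UTF-8">
    <div>
        <div class="form-item form-type-textfield form-item-name">
            <label for="edit-name">Username or email <span class="form-required" title="This field is required.">*</span></label>
            <input type="text" id="edit-name" name="user" value="" maxlength="60" class="form-text required">
        </div>
        <div class="form-item form-type-password form-item-pass">
            <label for="edit-pass">Password <span class="form-required" title="This field is required.">*</span></label>
            <input type="password" id="edit-pass" name="pass" size="60" maxlength="128" class="form-text required">
        </div>
        <div class="form-actions form-wrapper" id="edit-actions">
            <input type="submit" id="edit-submit" name="op" value="Log in" class="form-submit">
        </div>
    </div>
</form>
"""

if __name__ == "__main__":
    print(find_login_fields(SAMPLE_LOGIN_PAGE))
```

The result carries the form action and method as well, which is useful when checking that the login request the scanner will send is not itself excluded by a Can't match request filter.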

Selenium

This functionality allows you to add a Selenium script that is executed during the scan.

Note

Install the Selenium IDE plugin to record scripts in the web browser.


Follow the below procedure to install Selenium IDE plugin:

  1. Go to https://www.seleniumhq.org/selenium-ide/
  2. Select "CHROME DOWNLOAD" or "FIREFOX DOWNLOAD".

    Note

    More information about installing and using the Selenium IDE plugin is available on https://www.seleniumhq.org/selenium-ide/docs/en/introduction/getting-started/.

To record a script:

  1. Open the plugin by navigating to the Selenium IDE in your web browser:




  2. Select Create a new project.
  3. Enter the project name and click OK.



  4. Click the Start recording (REC) button.



  5. Enter the URL of the app you want to login to.



  6. Click START RECORDING.
  7. The plugin now opens the URL in a new web browser window.



    You can see the Selenium IDE is recording notice at the bottom of the page.
  8. Follow the necessary steps to log in to that web application.
  9. Once authentication has succeeded, click the Stop recording button.



  10. The script appears in the Selenium IDE console:

    Note

    The script should be added to the Default Suite automatically upon its creation. If it is not, follow the instructions on https://www.seleniumhq.org/selenium-ide/docs/en/introduction/getting-started/ to add the test suite and organize your tests.

  11. Click the Save project button to save the script as a .side file:



To add a script to Scale authentication:

  1. Log in to the new Outpost24 portal.
  2. Go to Configurations > Scan configurations.
  3. Select Authentication from the menu on the left-hand side.


  4. Select Selenium.


  5. Open the .side script file previously saved in Selenium IDE:



  6. Click SAVE.

The saved .side script is executed before the scan starts, and the output from the script is used to establish the authenticated state.

Caution

Make sure that the private IP range 10.88.0.0/16 is not used in your environment, since this is used to communicate with a restricted container on the scanner. Having targets in this range while using the side scripts feature may cause issues while scanning them.

Custom



The basic concept of a Custom authentication flow is to create instructions for the scan to follow so it can establish a desired initial state before an actual scan starts on application specified Seed URLs. The custom authentication flow provides an environment for executing Lua scripts for exchanging HTTP messages over the network, recording cookies and providing dynamically generated seed URLs.

Script examples are provided to make it easier to write a Lua custom authentication script. The script input is populated with the example chosen from the drop-down.

The available examples include:

  • Cookie based
  • XPath
  • Wordpress

Information regarding Lua can be found at https://lua.org. Web application scanner specific documentation can be found by selecting the Custom authentication radio button.

To terminate a scan that has reached a logged-out state, it is recommended to specify a Scan abort pattern. The pattern should be in RE2 format or simple text matching the response that indicates to the scanner that the application is logged out. The pattern is matched against all responses coming from the scanned application, both headers and body; if a response matches the specified pattern, the scan stops. This prevents crawling the application outside of its desired state and ensures that reported findings belong to the correct application state.
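The Scan abort pattern is described identically for Basic and for Custom authentication; the following added Python example serves both passages and shows how such a pattern behaves when applied to whole responses, headers included. It is illustrative code, not Outpost24's implementation. Two assumptions are made: the pattern is tried as a regular expression first and falls back to a literal text match only when it does not compile, and Python's re module (in multi-line mode, so that ^ can anchor a header line) stands in for RE2 using syntax common to both engines. The two responses are constructed samples.

```python
import re
from typing import Sequence, Tuple

# Added example (not Outpost24 code): apply a Scan abort pattern to a response.
# Assumption: regex first, literal text as a fallback when the regex is invalid.


def compile_abort_pattern(pattern: str):
    try:
        return re.compile(pattern, re.MULTILINE)
    except re.error:
        return re.compile(re.escape(pattern), re.MULTILINE)   # treat as simple text


def response_to_text(status_line: str, headers: Sequence[Tuple[str, str]], body: str) -> str:
    """Flatten a response so that headers and body are both visible to the pattern."""
    header_block = "\n".join(f"{name}: {value}" for name, value in headers)
    return f"{status_line}\n{header_block}\n\n{body}"


def should_abort(status_line: str, headers: Sequence[Tuple[str, str]], body: str,
                 pattern: str) -> bool:
    """True when the response indicates the logged-out state the pattern describes."""
    text = response_to_text(status_line, headers, body)
    return compile_abort_pattern(pattern).search(text) is not None


# Constructed sample responses: an authenticated page and the logged-out redirect.
AUTHENTICATED = ("HTTP/1.1 200 OK",
                 [("Content-Type", "text/html")],
                 '<h1>Dashboard</h1><a href="/logout">Log out</a>')
LOGGED_OUT = ("HTTP/1.1 302 Found",
              [("Location", "/login?expired=1"), ("Content-Type", "text/html")],
              "Session expired. Please log in.")

if __name__ == "__main__":
    # A pattern covering both the redirect header and the body text.
    pattern = r"Session expired|^Location: /login"
    for label, response in (("authenticated", AUTHENTICATED), ("logged out", LOGGED_OUT)):
        print(label, "->", "abort" if should_abort(*response, pattern) else "continue")
```

Matching the Location header is the more robust choice for applications that redirect to the login page without a distinctive body, while a body phrase alone would miss that case; since a match stops the whole scan, test the pattern against a normal authenticated page as well to make sure it does not fire there.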

After selecting the preferred authentication, click SAVE.

HOST MAPS

[Screenshot: APPSEC37]


Host maps allow you to define mappings between names and addresses. They can be used to force certain DNS resolutions, or to scan web hosts on an HTTP server for which no DNS records exist. The entry in the To field must be a valid IPv4/IPv6 address. An IPv6 address must not be enclosed in square brackets.

Examples:

From - To
outpost24.com > 203.0.113.1
internal.outpost24.com > 192.0.2.3, 192.0.2.4, 192.0.2.5, 192.0.2.6 (one address per line in the To field)
203.0.113.3 > 198.51.100.9


Note

When using multiple entries in the To section, a round-robin selection is applied to these entries.

To add a host map, click on the green Plus icon in the lower right corner.  

The bin icon beside the To section marks the entered host map for deletion when saving.

After entering the host map, click SAVE.
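The host map rules above (a From name mapped to one or more To addresses, bare IPv4/IPv6 addresses only, round-robin over multiple entries) as an added Python example. This is illustrative code, not Outpost24's resolver. It assumes that a name without a host map returns None to signal "use normal DNS", and that a From entry may itself be an IP address, as in the 203.0.113.3 example above; the mappings used are the examples from this section.

```python
import ipaddress
from itertools import cycle
from typing import Dict, Iterable, Iterator, List, Optional

# Added example (not Outpost24 code) of host map semantics: To entries must be
# bare IPv4/IPv6 addresses, and multiple entries are served round-robin.


class HostMaps:
    def __init__(self) -> None:
        self._entries: Dict[str, List[str]] = {}
        self._cycles: Dict[str, Iterator[str]] = {}

    @staticmethod
    def _validate(address: str) -> str:
        # ipaddress.ip_address rejects "[2001:db8::1]" and hostnames alike,
        # which enforces the "valid IPv4/IPv6, no square brackets" rule.
        return str(ipaddress.ip_address(address.strip()))

    def add(self, from_name: str, to_addresses: Iterable[str]) -> None:
        """Map a name (or IP) to one or more addresses; replaces any earlier map."""
        addresses = [self._validate(a) for a in to_addresses]
        if not addresses:
            raise ValueError("at least one To address is required")
        self._entries[from_name] = addresses
        self._cycles[from_name] = cycle(addresses)

    def remove(self, from_name: str) -> None:
        """Equivalent of marking a host map with the bin icon and saving."""
        self._entries.pop(from_name, None)
        self._cycles.pop(from_name, None)

    def resolve(self, name: str) -> Optional[str]:
        """Return the next address for a mapped name, or None (assumption: fall
        back to ordinary DNS) when no host map exists for it."""
        if name not in self._cycles:
            return None
        return next(self._cycles[name])


if __name__ == "__main__":
    maps = HostMaps()
    maps.add("outpost24.com", ["203.0.113.1"])
    maps.add("internal.outpost24.com", ["192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.6"])
    maps.add("203.0.113.3", ["198.51.100.9"])
    for _ in range(5):
        print("internal.outpost24.com ->", maps.resolve("internal.outpost24.com"))
```

Validating each To entry at the moment the map is added, rather than when a request is made, mirrors the SAVE step above: a bracketed or otherwise malformed address is rejected before any scan depends on it.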

Manage a Configuration

Select one or more configurations to view the available actions:



  1. Click on the Add tags icon to add a tag to the selected configuration.
  2. Click on the Remove tags icon to remove a tag applied to the selected configuration.

    Note

    See Tags for more information.
  3. Click on the Batch edit icon to apply the same settings to more than one configuration.
  4. Click on the Scan now icon to initiate a scan instantly. 
  5. Click on the Delete icon to remove the selected configuration.

    Note

    Removing scan configurations does not remove any other associated data, such as assets or schedules.

Preconditions for a Configuration to Run

  1. It is enabled.
  2. It has a schedule.
  3. The schedule has remaining occurrences (greater than 0), or no occurrence limit is set.
  4. The seed URLs must pass all request filters.