This document provides users with an overview of the Configuration in the Outpost24 Portal UI.


The Configuration view consists of the target information that links to an asset, and the scan settings. 

Scan settings include Automated scanning process, allowing restriction of scan duration and its impact on the scanned asset.

For Scale:

  • Scope definition of scans to cover the desired functionality available on limited number of hosts, either through certain expressions that match the response body, or by mapping a host towards certain IPs.
  • Initial state of the web application, usually in the form of an authentication procedure.

For Scout:

  • The initial seed data for the asset discovery.

For Cloudsec:

  • The cloud account and the compliance policy.


It is assumed that the reader has basic access to the OUTSCAN/HIAB account with an Appsec, Cloudsec, or Scout subscription.


To access the group tree, click the Group tree tab in the Filter and Settings panel. 

To create groups,

  1. Click the green Plus icon in the lower right corner of the Group Tree panel.
  2. In the Create Group window, enter a name for the group.
  3. Select a sub-group if the new group is part of a main group.
  4. Click the blue ADD button.

    Create Group

Add a Scan configuration

To add a Scan configuration:

  1. In the Portal menu column on the left hand side, click Configuration to expand it.
  2. Click Scan configurations to open the Scan configurations view.

  3. To create a new configuration click on the green Plus sign down on the right hand side.
  4. Select a Asset discovery to perform a discovery scan

    or select the type of Assessment to perform.
    See Assessment section for more information about each assessment choice.
  5. Click on the blue Add button in the lower right corner to add the configuration.


Application Assessment

The targets can be added as:

  • URL
  • IPv4
  • IPv6
  • IPv4:port
  • IPv6:port
  • Hostname


When adding more than one target, separate them using a newline.

  1. After adding the targets, click the ADD button in the lower right corner.


    Entries not starting with https protocol are prefixed with https://.

A configuration name is extracted from the host, optional port and path to build a unique and user friendly representation of the added configuration. URL fragments and queries are not used for configuration names.

Example inputs and generated configuration names:

  • https://outpost24.com/ > outpost24.com
  • https://outpost24.com:8080/admin/login/ > outpost24.com:8080/admin/login
  • https://outpost24.com:8080/admin/#/login > outpost24.com:8080/admin
  • https://outpost24.com:8080/admin?relogin=true > outpost24.com:8080/admin
  • >

The Choose scanner (HIAB only) option is visible if at least one Appsec scanner is available.

  • The first scanner in the list is selected by default.
  • The selected scanner can be changed in the Edit view. 


To add scans in HIAB Appsec, one of the regular HIAB scanners must be turned into Appsec scanner.
See Setting up a HIAB as an Appsec Scale Scanner for more information.

Docker Assessment

See Scan a Docker Image for more information.

Cloud Assessment

Choose the Credentials and the Policy you would like to check the account for:

See Cloudsec Scan Configuration for more information.


Adding new configurations also populate the Assets. The assets are deducted from the submitted target information. If an asset already exists, the created configuration is linked to it. Else, it is created upon creation of the configuration and linked.

Edit a Configuration

Select the configuration you want to edit by clicking on it.

Select the configuration

The configuration panel is displayed to the right side of the window. It consists of:

  • Settings
  • Schedules
  • Request Filter
  • Authentication
  • Host Maps


The Settings tab allows you to configure the scope of the scan.


General Settings



Provide the name that should be displayed in the exported report.

Time limit

Set a time limit until when the scheduled scan should run. Use format: 2h50m.

Seed URLs

Provide the seed URL of the target. Use newline to add multiple seed URLs.

Member of group

Select a group from the list. Default group is All.

Include infrastructure scan

Check this box if you want to conduct an infrastructure scan.


Infrastructure scanning is a process where other ports are checked for available services. If any active ports are found, they are tested for vulnerabilities which then is displayed in the findings section. It is recommended to allow at least 2 hours for the port scan to finish, as otherwise the scan can terminate early leading to missing some of the open ports and services running on them.

Scan Intensity

The Scan Intensity determines the behavior and the impact of the scanner on the target application.



Simulates multiple users at a time.


Simulates one user at a time, sequential requests. 

Vulnerability Testing (Fuzzing)

Select one of the options, depending on type of scan that needs to be performed on the target application.


Active and passive

By enabling this option, the scanner performs checks for common application vulnerabilities like tests for SQL injections, XSS attacks, response splitting, performs path enumeration, and much more.

Passive only

In this mode, the scanner follows existing links on the page without brute-forcing assets, then looks for patterns in response headers and body to determine potentially outdated and vulnerable components or server misconfigurations.

User Agent



Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36.


Create a custom User Agent using format shown in Desktop option. This can be an arbitrary text as long as it is valid in the HTTP header context following the https://tools.ietf.org/html/rfc7231#section-5.5.3 standard, it is recommended to follow the convention as described here:


On the Schedules tab, you create a schedule when the scan should run. The schedule is also accessible through Automation > Schedules in the main menu to the left.

Blocked Time Slot can not be set in Scan Configuration. To set Blocked Time Slot open the schedule in Automation > Schedules.

Error rendering macro 'excerpt-include'

No link could be created for 'DocT:Common Portal Scheduling'.

Request Filter

Request filter is used to limit the scanner from visiting resources which can disrupt normal behavior of web application, or to limit the scan scope within given parameters. The request filter can, for example disallow all POST based requests to avoid sending too many repetitive requests which in turn could affect availability of the web application.


To add a filter click the green Plus icon in the lower right corner to display the filter configuration.

Add a filter

Filter Type

Can't match - Requests that are excluded from the scan. If any of the options are empty, like Method or Body type, the filter matches all types of methods and body types. The more granular the filter is, the narrower the filter is thus potentially leading to more requests getting through the filter and being visited during crawling stage. 

This type of filter applies to both directly visited resources like links within web application scope, as well as resources required to properly render the web application. 

The latter is not in direct scope at the crawling phase such as:

  • Externally hosted images
  • Media players
  • Widgets
  • JavaScript libraries

and other resources included in the web application. 

Use the Can't match filter when the scanner needs to be limited visiting certain pages or performing certain types of requests such as:

  • Checking out in web-shop
  • Finalizing booking
  • Preventing sending logout request when authentication procedure is defined
  • Avoiding web activity trackers and analytics from logging scanner's activity

Must match - Requests that must match the specified rules to be included in the scan. Any requests not matching the given rules are considered out-of-scope at crawling phase and thus never visited. This type of filter is useful whenever a scan must be performed at certain depth or path within the scanned web application. 

Must match filter applies only to resources directly found in the rendered web application such as links and buttons. The filter does not limit external resources required to properly render the web application like:

  • JavaScript libraries
  • Externally hosted images
  • Widgets

and other indirectly requested resources. 

To limit requests of that nature, use a Can't match type of filter instead.

If ¨\.php\??¨ is provided as must match, it means the scanner scans only pages of ¨.php¨ file type and excludes other pages.

Method: Optional

Select any of the supporting HTTP request methods or leave the field empty (unspecified).

The available methods are:

  • GET
  • POST
  • PUT

Body Type: Optional

Select the desired content type from the drop-down menu, so that the request body also use the same format as query string. If you leave the field empty, it matches all the requests.


Provide the URL to which the filter settings must be applied (RE2 regex matching). 

Body:  Optional

Provide the body to which the filter settings must be applied (RE2 regex matching).


After filling the desired settings into filter configuration dialog, click the ADD button. 


Here, you can configure authentication for an asset.


SSL Authentication

SSL Authentication


X.509 PEM certificate

The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “---BEGIN …” line.

Private key

PEM encoded signature. Accepted types: RSA, DSA, ECDSA

Starting with: -----BEGIN RSA PRIVATE KEY-----


Passphrase used for private key.

Web Authentication


Choose None if you wish not to have any authentication. 


Choosing Basic authentication is appropriate when establishing initial state of the crawled application using the WWW-Authenticate HTTP header as specified in RFC1945.

Web Authentication

To terminate a scan due to logged out state, it is recommended to specify Scan abort pattern. The pattern should be in RE2 format or as simple text matching the response that indicates logged out state of the application to the scanner. The pattern is being matched against all responses coming from the scanned application, both headers and body, and if the response matches the specified pattern, the scan stops. This is used to prevent crawling of application outside of its desired state and to make sure that reported findings belong to correct application state.

Login Form

This configuration allows to set up an authentication procedure based on a login form present on the website:

Login Form

Review the rendered HTML of login page to locate the form input element. This can be done by right clicking on the page and choosing Inspect or Inspect element. See the example guide for Firefox for more information. 

Below you can see an example code snippet and where the required value would be found:

<form action="/user/login" method="post" id="user-login" accept-charset="UTF-8">
        <div class="form-item form-type-textfield form-item-name">
            <label for="edit-name">Username or email <span class="form-required" title="This field is required.">*</span></label>
            <input type="text" id="edit-name" name="user" value="" maxlength="60" class="form-text required"> 
        <div class="form-item form-type-password form-item-pass">
            <label for="edit-pass">Password <span class="form-required" title="This field is required.">*</span></label>
            <input type="password" id="edit-pass" name="pass" size="60" maxlength="128" class="form-text required">
        <div class="form-actions form-wrapper" id="edit-actions">
            <input type="submit" id="edit-submit" name="op" value="Log in" class="form-submit">

In this example, the name of the username input field is user.

<input type="text" id="edit-name" name="user" value="" maxlength="60" class="form-text required">

and password input field is pass and that's what should be submitted in the authentication configuration.

<input type="password" id="edit-pass" name="pass" size="60" maxlength="128" class="form-text required">


This functionality allows you to add a Selenium script that is executed during the scan.



Install the Selenium IDE plugin to record scripts in the web browser.

Follow the below procedure to install Selenium IDE plugin:

  1. Go to https://www.seleniumhq.org/selenium-ide/


    More information about installing and using the Selenium IDE plugin is available on https://www.seleniumhq.org/selenium-ide/docs/en/introduction/getting-started/.

To record a script:


Before recording a test (and before a test run ), make sure that the browser is completely clean of any cookies or other saved data for that webpage. In other words, clean wbcache before each recording/run of selenium.

  1. Open the plugin by navigating to the Selenium IDE in your web browser:

  2. Select Create a new project.
  3. Enter the project name and click OK.

  4. Click the Start recording (REC) button.

    Start recording (REC)

  5. Enter the URL of the app you want to login to.

  7. The plugin now opens the URL in a new web browser window.

    Selenium IDE is recording

    You can see the Selenium IDE is recording notice at the bottom of the page.
  8. Follow the necessary steps to log in to that web application.
  9. Once authentication is succeeded, click the Stop recording button.

    Stop recording

  10. The script appears in the Selenium IDE console:

    Selenium IDE console


    The script must be automatically added to the Default Suite upon its creation. Otherwise, follow the instructions on https://www.seleniumhq.org/selenium-ide/docs/en/introduction/getting-started/ to add the test suite and organize your tests.

  11. Click the Save project button to save the script as a .side file:

    Save project


It is recommended to add a verification in the script to make sure that the script was successfully logged in. By adding a command to check for an element to be accessible will verify if that the login procedure has finished and was successful and the scanning can proceed, else the script will start scanning the login page.

Example of useful test commands.

  • Wait for element editable
  • Wait for element visible
  • Wait for element present

To add a script to Scale authentication:

  1. Log in to the new Outpost24 portal.
  2. Go to Configurations > Scan configurations.
  3. Select Authentication from the menu on the left-hand side.

  4. Select Selenium.
    Select Selenium

  5. Open the .side script file previously saved in Selenium IDE:

    Open the .side

  6. Click SAVE.

The saved .side script is executed before scan starts and the output from the script is used to establish authenticated state.


Make sure that the private IP range is not used in your environment, since this is used to communicate with a restricted container on the scanner. Having targets in this range while using the side scripts feature may cause issues while scanning them.



The basic concept of a Custom authentication flow is to create instructions for the scan to follow so it can establish a desired initial state before an actual scan starts on application specified Seed URLs. The custom authentication flow provides an environment for executing Lua scripts for exchanging HTTP messages over the network, recording cookies and providing dynamically generated seed URLs.

Some script examples are added to make it easier with Lua custom authentication script. The script input is populated depending on the chosen example from the dropdown.

The available examples include:

  • Cookie based
  • XPath
  • Wordpress

Information regarding Lua can be found at https://lua.org. Web application scanner specific documentation can be found by selecting the Custom authentication radio button.

To terminate a scan due to logged out state, it is recommended to specify Scan abort pattern. The pattern should be in RE2 format or as simple text matching the response that indicates logged out state of the application to the scanner. The pattern is being matched against all responses coming from the scanned application, both headers and body, and if the response matches the specified pattern, the scan stops. This is used to prevent crawling of application outside of its desired state and to make sure that reported findings belong to correct application state.

After selecting the preferred authentication, click SAVE.

Host Maps


Host maps allows to define maps between names and addresses. They can be used to force certain DNS resolutions or to scan web hosts on an HTTP server where there are no DNS records for the web hosts. The entry in the To field must be a valid IPv4/IPv6 address. The IPv6 address must not be enclosed with square brackets.






When using multiple entries in the To section, a round-robin selection is applied to these entries.

To add a host map, click on the green Plus icon in the lower right corner.  

The bin icon beside the To section marks the entered host map for deletion when saving.

After entering the host map, click SAVE.

Manage a Configuration

Select one or more configurations, to view the available actions:

Manage a Configuration

  1. Click on the Add tags icon to add a tag to the selected configuration.
  2. Click on the Remove tags icon to remove a tag applied to the selected configuration.


    See Tags for more information.
  3. Click on the Batch edit icon to enable same settings for more than one configuration.
  4. Click on the Scan now icon to initiate a scan instantly. 
  5. Click on the Delete icon to remove the selected configuration.


    Removing scan configurations will not remove any other associated data like assets or schedules.

Preconditions for a Configuration to Run

  1. It is enabled.
  2. It has a schedule
  3. The schedule has remaining Occurrences > 0 or not set at all.
  4. The seed URLs must pass all request filters.

Related Articles


© 2023 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.


Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.