Purpose

This document provides users with an overview of the Configuration in the Outpost24 Portal UI.

Introduction

The Configuration view consists of the target information that links to an asset, and the scan settings. 

Scan settings include Automated scanning process, allowing restriction of scan duration and its impact on the scanned asset.

For Scale:

  • Scope definition of scans to cover the desired functionality available on limited number of hosts, either through certain expressions that match the response body, or by mapping a host towards certain IPs.
  • Initial state of the web application, usually in the form of an authentication procedure.

For Scout:

  • The initial seed data for the asset discovery.

For Cloudsec:

  • The cloud account and the compliance policy.

Requirements

It is assumed that the reader has basic access to the OUTSCAN/HIAB account with an Appsec, Cloudsec, or Scout subscription.

Groups

To access the group tree, click the Group tree tab in the Filter and Settings panel. 

To create groups,

  1. Click the green Plus icon in the lower right corner of the Group Tree panel.
  2. In the Create Group window, enter a name for the group.
  3. Select a sub-group if the new group is part of a main group.
  4. Click the blue ADD button.

    Create Group

Add a Scan configuration

To add a Scan configuration:

  1. In the Portal menu column on the left hand side, click Configuration to expand it.
  2. Click Scan configurations to open the Scan configurations view.



  3. To create a new configuration click on the green Plus sign down on the right hand side.
  4. Select a Asset discovery to perform a discovery scan



    or select the type of Assessment to perform.
    See Assessment section for more information about each assessment choice.
  5. Click on the blue Add button in the lower right corner to add the configuration.

Assessment

Application Assessment

The targets can be added as:

  • URL
  • IPv4
  • IPv6
  • IPv4:port
  • IPv6:port
  • Hostname


https://outpost24.com 
203.0.113.1 
198.51.100.5:5291 
[2001:db8:1:2:3:4:5:6] 
[2001:db8:2fa:bba:dd3:f3c:11:2b]:928
outpost24.com 

When adding more than one target, separate them using a newline.

  1. After adding the targets, click the ADD button in the lower right corner.

    Note

    Entries not starting with https protocol are prefixed with https://.

A configuration name is extracted from the host, optional port and path to build a unique and user friendly representation of the added configuration. URL fragments and queries are not used for configuration names.

Example inputs and generated configuration names:

  • https://outpost24.com/ > outpost24.com
  • https://outpost24.com:8080/admin/login/ > outpost24.com:8080/admin/login
  • https://outpost24.com:8080/admin/#/login > outpost24.com:8080/admin
  • https://outpost24.com:8080/admin?relogin=true > outpost24.com:8080/admin
  • http://91.216.32.99:8081 > 91.216.32.99:8081

The Choose scanner (HIAB only) option is visible if at least one Appsec scanner is available.

  • The first scanner in the list is selected by default.
  • The selected scanner can be changed in the Edit view. 

Note

To add scans in HIAB Appsec, one of the regular HIAB scanners must be turned into Appsec scanner.
See Setting up a HIAB as an Appsec Scale Scanner for more information.

Docker Assessment


See Scan a Docker Image for more information.

Cloud Assessment

Choose the Credentials and the Policy you would like to check the account for:

See Cloudsec Scan Configuration for more information.

Note

Adding new configurations also populate the Assets. The assets are deducted from the submitted target information. If an asset already exists, the created configuration is linked to it. Else, it is created upon creation of the configuration and linked.

Edit a Configuration

Select the configuration you want to edit by clicking on it.

Select the configuration

The configuration panel is displayed to the right side of the window. It consists of:

  • Settings
  • Schedules
  • Request Filter
  • Authentication
  • Host Maps

Settings

The Settings tab allows you to configure the scope of the scan.


SETTINGS

General Settings

OptionDescription

Name

Provide the name that should be displayed in the exported report.

Time limit

Set a time limit until when the scheduled scan should run. Use format: 2h50m.

Seed URLs

Provide the seed URL of the target. Use newline to add multiple seed URLs.

Member of group

Select a group from the list. Default group is All.

Include infrastructure scan

Check this box if you want to conduct an infrastructure scan.


Note

Infrastructure scanning is a process where other ports are checked for available services. If any active ports are found, they are tested for vulnerabilities which then is displayed in the findings section. It is recommended to allow at least 2 hours for the port scan to finish, as otherwise the scan can terminate early leading to missing some of the open ports and services running on them.

Scan Intensity

The Scan Intensity determines the behavior and the impact of the scanner on the target application.

OptionDescription

Normal

Simulates multiple users at a time.

Low

Simulates one user at a time, sequential requests. 

Vulnerability Testing (Fuzzing)

Select one of the options, depending on type of scan that needs to be performed on the target application.

OptionDescription

Active and passive

By enabling this option, the scanner performs checks for common application vulnerabilities like tests for SQL injections, XSS attacks, response splitting, performs path enumeration, and much more.

Passive only

In this mode, the scanner follows existing links on the page without brute-forcing assets, then looks for patterns in response headers and body to determine potentially outdated and vulnerable components or server misconfigurations.

User Agent

OptionDescription

Desktop

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36.

Custom

Create a custom User Agent using format shown in Desktop option. This can be an arbitrary text as long as it is valid in the HTTP header context following the https://tools.ietf.org/html/rfc7231#section-5.5.3 standard, it is recommended to follow the convention as described here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent.

Schedules

On the Schedules tab, you create a schedule when the scan should run. The schedule is also accessible through Automation > Schedules in the main menu to the left.

Blocked Time Slot can not be set in Scan Configuration. To set Blocked Time Slot open the schedule in Automation > Schedules.


Error rendering macro 'excerpt-include'

No link could be created for 'DocT:Common Portal Scheduling'.


Request Filter

Request filter is used to limit the scanner from visiting resources which can disrupt normal behavior of web application, or to limit the scan scope within given parameters. The request filter can, for example disallow all POST based requests to avoid sending too many repetitive requests which in turn could affect availability of the web application.

REQUEST FILTER

To add a filter click the green Plus icon in the lower right corner to display the filter configuration.

Add a filter

Filter Type

Can't match - Requests that are excluded from the scan. If any of the options are empty, like Method or Body type, the filter matches all types of methods and body types. The more granular the filter is, the narrower the filter is thus potentially leading to more requests getting through the filter and being visited during crawling stage. 

This type of filter applies to both directly visited resources like links within web application scope, as well as resources required to properly render the web application. 

The latter is not in direct scope at the crawling phase such as:

  • Externally hosted images
  • Media players
  • Widgets
  • JavaScript libraries

and other resources included in the web application. 

Use the Can't match filter when the scanner needs to be limited visiting certain pages or performing certain types of requests such as:

  • Checking out in web-shop
  • Finalizing booking
  • Preventing sending logout request when authentication procedure is defined
  • Avoiding web activity trackers and analytics from logging scanner's activity

Must match - Requests that must match the specified rules to be included in the scan. Any requests not matching the given rules are considered out-of-scope at crawling phase and thus never visited. This type of filter is useful whenever a scan must be performed at certain depth or path within the scanned web application. 

Must match filter applies only to resources directly found in the rendered web application such as links and buttons. The filter does not limit external resources required to properly render the web application like:

  • JavaScript libraries
  • Externally hosted images
  • Widgets

and other indirectly requested resources. 

To limit requests of that nature, use a Can't match type of filter instead.

If ¨\.php\??¨ is provided as must match, it means the scanner scans only pages of ¨.php¨ file type and excludes other pages.

Method: Optional

Select any of the supporting HTTP request methods or leave the field empty (unspecified).

The available methods are:

  • GET
  • POST
  • DELETE
  • PATCH
  • PUT

Body Type: Optional

Select the desired content type from the drop-down menu, so that the request body also use the same format as query string. If you leave the field empty, it matches all the requests.

URL

Provide the URL to which the filter settings must be applied (RE2 regex matching). 

Body:  Optional

Provide the body to which the filter settings must be applied (RE2 regex matching).

/login_example\.php

After filling the desired settings into filter configuration dialog, click the ADD button. 

Authentication

Here, you can configure authentication for an asset.


AUTHENTICATION

SSL Authentication

SSL Authentication

Certificate

X.509 PEM certificate

The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “---BEGIN …” line.

Private key

PEM encoded signature. Accepted types: RSA, DSA, ECDSA

Starting with: -----BEGIN RSA PRIVATE KEY-----

Passphrase

Passphrase used for private key.

Web Authentication

None

Choose None if you wish not to have any authentication. 

Basic

Choosing Basic authentication is appropriate when establishing initial state of the crawled application using the WWW-Authenticate HTTP header as specified in RFC1945.


Web Authentication

To terminate a scan due to logged out state, it is recommended to specify Scan abort pattern. The pattern should be in RE2 format or as simple text matching the response that indicates logged out state of the application to the scanner. The pattern is being matched against all responses coming from the scanned application, both headers and body, and if the response matches the specified pattern, the scan stops. This is used to prevent crawling of application outside of its desired state and to make sure that reported findings belong to correct application state.

Login Form

This configuration allows to set up an authentication procedure based on a login form present on the website:

Login Form

Review the rendered HTML of login page to locate the form input element. This can be done by right clicking on the page and choosing Inspect or Inspect element. See the example guide for Firefox for more information. 

Below you can see an example code snippet and where the required value would be found:

<form action="/user/login" method="post" id="user-login" accept-charset="UTF-8">
    <div>
        <div class="form-item form-type-textfield form-item-name">
            <label for="edit-name">Username or email <span class="form-required" title="This field is required.">*</span></label>
            <input type="text" id="edit-name" name="user" value="" maxlength="60" class="form-text required"> 
       </div>
        <div class="form-item form-type-password form-item-pass">
            <label for="edit-pass">Password <span class="form-required" title="This field is required.">*</span></label>
            <input type="password" id="edit-pass" name="pass" size="60" maxlength="128" class="form-text required">
        </div>
        <div class="form-actions form-wrapper" id="edit-actions">
            <input type="submit" id="edit-submit" name="op" value="Log in" class="form-submit">
        </div>
    </div>
</form>
XML

In this example, the name of the username input field is user.

<input type="text" id="edit-name" name="user" value="" maxlength="60" class="form-text required">

and password input field is pass and that's what should be submitted in the authentication configuration.

<input type="password" id="edit-pass" name="pass" size="60" maxlength="128" class="form-text required">

Selenium

This functionality allows you to add a Selenium script that is executed during the scan.

Selenium

Note

Install the Selenium IDE plugin to record scripts in the web browser.


Follow the below procedure to install Selenium IDE plugin:

  1. Go to https://www.seleniumhq.org/selenium-ide/
  2. Select "CHROME DOWNLOAD" or "FIREFOX DOWNLOAD".

    Note

    More information about installing and using the Selenium IDE plugin is available on https://www.seleniumhq.org/selenium-ide/docs/en/introduction/getting-started/.

To record a script:

Important

Before recording a test (and before a test run ), make sure that the browser is completely clean of any cookies or other saved data for that webpage. In other words, clean wbcache before each recording/run of selenium.

  1. Open the plugin by navigating to the Selenium IDE in your web browser:




  2. Select Create a new project.
  3. Enter the project name and click OK.



  4. Click the Start recording (REC) button.

    Start recording (REC)

  5. Enter the URL of the app you want to login to.



  6. Click START RECORDING.
  7. The plugin now opens the URL in a new web browser window.

    Selenium IDE is recording

    You can see the Selenium IDE is recording notice at the bottom of the page.
  8. Follow the necessary steps to log in to that web application.
  9. Once authentication is succeeded, click the Stop recording button.

    Stop recording

  10. The script appears in the Selenium IDE console:

    Selenium IDE console

    Note

    The script must be automatically added to the Default Suite upon its creation. Otherwise, follow the instructions on https://www.seleniumhq.org/selenium-ide/docs/en/introduction/getting-started/ to add the test suite and organize your tests.

  11. Click the Save project button to save the script as a .side file:

    Save project

Tip

It is recommended to add a verification in the script to make sure that the script was successfully logged in. By adding a command to check for an element to be accessible will verify if that the login procedure has finished and was successful and the scanning can proceed, else the script will start scanning the login page.

Example of useful test commands.

  • Wait for element editable
  • Wait for element visible
  • Wait for element present


To add a script to Scale authentication:

  1. Log in to the new Outpost24 portal.
  2. Go to Configurations > Scan configurations.
  3. Select Authentication from the menu on the left-hand side.
    Authentication

  4. Select Selenium.
    Select Selenium

  5. Open the .side script file previously saved in Selenium IDE:

    Open the .side

  6. Click SAVE.

The saved .side script is executed before scan starts and the output from the script is used to establish authenticated state.

Caution

Make sure that the private IP range 10.88.0.0/16 is not used in your environment, since this is used to communicate with a restricted container on the scanner. Having targets in this range while using the side scripts feature may cause issues while scanning them.

Custom


Custom

The basic concept of a Custom authentication flow is to create instructions for the scan to follow so it can establish a desired initial state before an actual scan starts on application specified Seed URLs. The custom authentication flow provides an environment for executing Lua scripts for exchanging HTTP messages over the network, recording cookies and providing dynamically generated seed URLs.

Some script examples are added to make it easier with Lua custom authentication script. The script input is populated depending on the chosen example from the dropdown.

The available examples include:

  • Cookie based
  • XPath
  • Wordpress

Information regarding Lua can be found at https://lua.org. Web application scanner specific documentation can be found by selecting the Custom authentication radio button.

To terminate a scan due to logged out state, it is recommended to specify Scan abort pattern. The pattern should be in RE2 format or as simple text matching the response that indicates logged out state of the application to the scanner. The pattern is being matched against all responses coming from the scanned application, both headers and body, and if the response matches the specified pattern, the scan stops. This is used to prevent crawling of application outside of its desired state and to make sure that reported findings belong to correct application state.

After selecting the preferred authentication, click SAVE.

Host Maps

HOST MAPS


Host maps allows to define maps between names and addresses. They can be used to force certain DNS resolutions or to scan web hosts on an HTTP server where there are no DNS records for the web hosts. The entry in the To field must be a valid IPv4/IPv6 address. The IPv6 address must not be enclosed with square brackets.

Examples:

From
To
example.com>203.0.113.1


internal.example.com


>

192.0.2.3
192.0.2.4
192.0.2.5
192.0.2.6

203.0.113.3>198.51.100.9


Note

When using multiple entries in the To section, a round-robin selection is applied to these entries.

To add a host map, click on the green Plus icon in the lower right corner.  

The bin icon beside the To section marks the entered host map for deletion when saving.

After entering the host map, click SAVE.

Manage a Configuration

Select one or more configurations, to view the available actions:

Manage a Configuration

  1. Click on the Add tags icon to add a tag to the selected configuration.
  2. Click on the Remove tags icon to remove a tag applied to the selected configuration.

    Note

    See Tags for more information.
  3. Click on the Batch edit icon to enable same settings for more than one configuration.
  4. Click on the Scan now icon to initiate a scan instantly. 
  5. Click on the Delete icon to remove the selected configuration.

    Note

    Removing scan configurations will not remove any other associated data like assets or schedules.

Preconditions for a Configuration to Run

  1. It is enabled.
  2. It has a schedule
  3. The schedule has remaining Occurrences > 0 or not set at all.
  4. The seed URLs must pass all request filters.

Related Articles





Copyright

© 2023 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.