Scan Configuration Settings

Purpose

This document provides users with an overview of the Configuration in the Outpost24 Portal UI.

Technical Preview

This document contains parts that are technical previews of features that is currently under development. These features may be hidden behind a feature flag.

Introduction

The Configuration view consists of the target information that links to an asset, and the scan settings.

Scan settings include Automated scanning process, allowing restriction of scan duration and its impact on the scanned asset.

For Scale:

Scope definition of scans to cover the desired functionality available on limited number of hosts, either through certain expressions that match the response body, or by mapping a host towards certain IPs.
Initial state of the web application, usually in the form of an authentication procedure.

For Scout:

The initial seed data for the asset discovery.

For Cloudsec:

The cloud account and the compliance policy.

Requirements

It is assumed that the reader has basic access to the OUTSCAN/HIAB account with an Appsec, Cloudsec, or Scout subscription.

Groups

To access the group tree, click the Group tree tab in the Filter and Settings panel.

To create groups,

Click the green Plus icon in the lower right corner of the Group Tree panel.
In the Create Group window, enter a name for the group.
Select a sub-group if the new group is part of a main group.
Click the blue ADD button.

Add a Scan configuration

To add a Scan configuration:

In the Portal menu column on the left hand side, click Configuration to expand it.
Click Scan configurations to open the Scan configurations view.
To create a new configuration click on the green Plus icon down on the right hand side.
Select a Asset discovery to perform a discovery scan

or select the type of Assessment to perform.

See Assessment section for more information about each assessment choice.
Click on the blue Add button in the lower right corner to add the configuration.

Assessment

Application Assessment

The targets can be added as:

URL
IPv4
IPv6
IPv4:port
IPv6:port
Hostname

https://outpost24.com 
203.0.113.1 
198.51.100.5:5291 
[2001:db8:1:2:3:4:5:6] 
[2001:db8:2fa:bba:dd3:f3c:11:2b]:928
outpost24.com

When adding more than one target, separate them using a newline.

After adding the targets, click the ADD button in the lower right corner.

Entries not starting with https protocol are prefixed with https://.

A configuration name is extracted from the host, optional port and path to build a unique and user friendly representation of the added configuration. URL fragments and queries are not used for configuration names.

Example inputs and generated configuration names:

https://outpost24.com/ > outpost24.com
https://outpost24.com:8080/admin/login/ > outpost24.com:8080/admin/login
https://outpost24.com:8080/admin/#/login > outpost24.com:8080/admin
https://outpost24.com:8080/admin?relogin=true > outpost24.com:8080/admin
http://91.216.32.99:8081 > 91.216.32.99:8081

The Choose scanner (HIAB only) option is visible if at least one Appsec scanner is available.

The first scanner in the list is selected by default.
The selected scanner can be changed in the Edit view.

To add scans in HIAB Appsec, one of the regular HIAB scanners must be turned into Appsec scanner.
See Setting up a HIAB as an Appsec Scale Scanner for more information.

Docker Assessment

See Scan a Docker Image for more information.

Cloud Assessment

Choose the Credentials and the Policy you would like to check the account for:

See Cloudsec Scan Configurationfor more information.

Network Host Assessment

See for Nework Scan Configuration more information.

Agent Assessment

The assets are deducted from the submitted target information.

Edit a Configuration

Select the configuration you want to edit by clicking on it.

The configuration panel is displayed to the right side of the window. It consists of:

Settings
Schedules
Request Filter
Authentication
Host Maps

Settings

The Settings tab allows you to configure the scope of the scan.

General Settings

Option	Description
Name	Provide the name that should be displayed in the exported report.
Time limit	Set a time limit until when the scheduled scan should run. Use format: 2h50m.
Seed URLs	Provide the seed URL of the target. Use newline to add multiple seed URLs.
Member of group	Select a group from the list. Default group is All.
Include infrastructure scan	Check this box if you want to conduct an infrastructure scan.

Infrastructure scanning is a process where other ports are checked for available services. If any active ports are found, they are tested for vulnerabilities which then is displayed in the findings section. It is recommended to allow at least 2 hours for the port scan to finish, as otherwise the scan can terminate early leading to missing some of the open ports and services running on them.

Scan Intensity

The Scan Intensity determines the behavior and the impact of the scanner on the target application.

Option	Description
Normal	Simulates multiple users at a time.
Low	Simulates one user at a time, sequential requests.

Vulnerability Testing (Fuzzing)

Select one of the options, depending on type of scan that needs to be performed on the target application.

Option	Description
Active and passive	By enabling this option, the scanner performs checks for common application vulnerabilities like tests for SQL injections, XSS attacks, response splitting, performs path enumeration, and much more.
Passive only	In this mode, the scanner follows existing links on the page without brute-forcing assets, then looks for patterns in response headers and body to determine potentially outdated and vulnerable components or server misconfigurations.

User Agent

Option	Description
Desktop	Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36.
Custom	Create a custom User Agent using format shown in Desktop option. This can be an arbitrary text as long as it is valid in the HTTP header context following the https://tools.ietf.org/html/rfc7231#section-5.5.3 standard, it is recommended to follow the convention as described here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent.

Schedules

On the Schedules tab, you create a schedule when the scan should run. The schedule is also accessible through Automation > Schedules in the main menu to the left.

Blocked Time Slot can not be set in Scan Configuration. To set Blocked Time Slot open the schedule in Automation > Schedules.

Add a Schedule

Click on the green Plus icon located on the bottom right corner of the screen to open the Add schedule window.

Fill in the schedule form.

Option	Description
Schedule name	Provide a name for the schedule.
Time	Set a time when the schedule must be triggered. The time value is saved in UTC (Coordinated Universal Time) and the offset corresponds to the system time in the user web browser and therefore might differ for users accessing the schedule options in different time zones. For example, a schedule time set to 10:00 in July (summertime) by a user located in Copenhagen (UTC+2) appears as 09:00 to a user located in London (UTC+1) at the same time.
Scan window	How long is the period where scanning is allowed. Minimum period is 1 hour and maximum is 7 days.
Recurrence	Determines the frequency of the scheduled scan. Select one of the available options in the menu: None - The scan will never run. Once - The scan is scheduled to run only once on a select start date. Hour - Set the recurrence window by providing the Number of hours in this field. Day - Set the recurrence window by providing the Number of days in this field. Example: If set to 2, it means that the scan is scheduled to run once in every 2 days. Week - Select on which days of the week the scan should run. Month - Select the occurrence of days, weekday, day of the month when the scan should run. Year - Select on which the day of year the scheduled scan should run. Tip A scan is not restarted when a schedule is triggered while it is still running. It starts when the next schedule time ticks.
Every	N-th Depending on recurrence, Every sets the amount of Hour, Day, Week, Month, Year. Example. N-th=1, Recurrence=Day = Every day. N-th=3, Recurrence=Month = Every third month. N-th=2, Recurrence=Week = Every other week.
Starts on	Set the start date for the schedule.
Ends on	Set an end date for the schedule. The schedule becomes inactive after this date.
Ends after_occurrences	Set the number of occurrences the schedule must be triggered before it becomes inactive.
Never ends	If set, the schedule never becomes inactive.

Click on the ADD button to schedule the configuration.

Edit a Schedule

Click on an existing schedule to open the edit function. Follow the same steps as Add a Schedule and click the Save button.

Removing a Schedule

To remove a schedule either:

Right click on the schedule that shall be removed to open a menu.
Then click Delete.

or

Select the schedule you want to remove by ticking the box to the left on the row.
Click on the bin icon at the bottom right of the screen to delete the schedule.

In both cases, confirm by clicking the red DELETE button.

Scan Calendar

To see the schedule click on the Scan Calendar tab You can select between a Month or Week view.

The scheduled scans are displayed in blue and the Blocked Time Slots in red. To adjust the view to other time zone than saved in the schedule, select above Month/Week toggle desired time zone.

The Blocked Time Slots are time periods where scanning is not allowed. If a scan interfere with a blocked time slot, the scan is set to pending during that time and resumes after the time slot is over.

Blocked Time Slots

To block specific time slots click in the calendar to add or remove blocks. To select or deselect multiple block, click and drag across desired area to mark on unmark blocks.

The blocked time is displayed in the Scan Calendar tab as red blocks.

The number in the tab name indicates the number of days that have Blocked Time Slots.

Example Schedule

A schedule is set to run only once on 2023-02-02 at 2:00 PM:
A schedule is set to run everyday at 11:00 AM, starting on 2023-01-20:
A schedule is set to run every week on Tuesday and Thursday at 9:00 AM, starting on 2023-01-20:
A schedule is set to run continuously on every second Tuesday of every third month at 9:30 AM, starting on 2023-01-20:
A schedule is set to run on 18th of every month at 10:00 PM, starting on 2023-01-20:
A schedule is set to run on 18th of every month at 10:00 PM, starting on 2023-01-20 and disabled after 4 occurrences in other words, the scan runs only four times:
A schedule is set to run on 18th of every month at 10:00 PM, starting on 2023-01-20 and disabled from 2024-01-01, 00:00:

Request Filter

Request filter is used to limit the scanner from visiting resources which can disrupt normal behavior of web application, or to limit the scan scope within given parameters. The request filter can, for example disallow all POST based requests to avoid sending too many repetitive requests which in turn could affect availability of the web application.

To add a filter click the green Plus icon in the lower right corner to display the filter configuration.

Filter Type

Can't match - Requests that are excluded from the scan. If any of the options are empty, like Method or Body type, the filter matches all types of methods and body types. The more granular the filter is, the narrower the filter is thus potentially leading to more requests getting through the filter and being visited during crawling stage.

This type of filter applies to both directly visited resources like links within web application scope, as well as resources required to properly render the web application.

The latter is not in direct scope at the crawling phase such as:

Externally hosted images
Media players
Widgets
JavaScript libraries

and other resources included in the web application.

Use the Can't match filter when the scanner needs to be limited visiting certain pages or performing certain types of requests such as:

Checking out in web-shop
Finalizing booking
Preventing sending logout request when authentication procedure is defined
Avoiding web activity trackers and analytics from logging scanner's activity

Must match - Requests that must match the specified rules to be included in the scan. Any requests not matching the given rules are considered out-of-scope at crawling phase and thus never visited. This type of filter is useful whenever a scan must be performed at certain depth or path within the scanned web application.

Must match filter applies only to resources directly found in the rendered web application such as links and buttons. The filter does not limit external resources required to properly render the web application like:

JavaScript libraries
Externally hosted images
Widgets

and other indirectly requested resources.

To limit requests of that nature, use a Can't match type of filter instead.

If ¨\.php\??¨ is provided as must match, it means the scanner scans only pages of ¨.php¨ file type and excludes other pages.

Method: Optional

Select any of the supporting HTTP request methods or leave the field empty (unspecified).

The available methods are:

GET
POST
DELETE
PATCH
PUT

Body Type: Optional

Select the desired content type from the drop-down menu, so that the request body also use the same format as query string. If you leave the field empty, it matches all the requests.

application/json - https://tools.ietf.org/html/rfc4627
application/x-www-form-urlencoded - https://tools.ietf.org/html/draft-hoehrmann-urlencoded-01
multipart/form-data - https://tools.ietf.org/html/rfc7578
multipart/mixed - https://tools.ietf.org/html/rfc2046#section-5.1.3
text/plain - https://tools.ietf.org/html/rfc2646#page-4

URL

Provide the URL to which the filter settings must be applied (RE2 regex matching).

Heading 2 http://example\.com

Body: Optional

Provide the body to which the filter settings must be applied (RE2 regex matching).

/login_example\.php

After filling the desired settings into filter configuration dialog, click the ADD button.

Authentication

Here, you can configure authentication for an asset.

SSL Authentication

Certificate

X.509 PEM certificate

The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “---BEGIN …” line.

Private key

PEM encoded signature. Accepted types: RSA, DSA, ECDSA

Starting with: -----BEGIN RSA PRIVATE KEY-----

Passphrase

Passphrase used for private key.

Web Authentication

None

Choose None if you wish not to have any authentication.

Basic

Choosing Basic authentication is appropriate when establishing initial state of the crawled application using the WWW-Authenticate HTTP header as specified in RFC1945.

To terminate a scan due to logged out state, it is recommended to specify Scan abort pattern. The pattern should be in RE2 format or as simple text matching the response that indicates logged out state of the application to the scanner. The pattern is being matched against all responses coming from the scanned application, both headers and body, and if the response matches the specified pattern, the scan stops. This is used to prevent crawling of application outside of its desired state and to make sure that reported findings belong to correct application state.

Login Form

This configuration allows to set up an authentication procedure based on a login form present on the website:

Review the rendered HTML of login page to locate the form input element. This can be done by right clicking on the page and choosing Inspect or Inspect element. See the example guide for Firefox for more information.

Below you can see an example code snippet and where the required value would be found:

XML

<form action="/user/login" method="post" id="user-login" accept-charset="UTF-8">
    <div>
        <div class="form-item form-type-textfield form-item-name">
            <label for="edit-name">Username or email <span class="form-required" title="This field is required.">*</span></label>
            <input type="text" id="edit-name" name="user" value="" maxlength="60" class="form-text required"> 
       </div>
        <div class="form-item form-type-password form-item-pass">
            <label for="edit-pass">Password <span class="form-required" title="This field is required.">*</span></label>
            <input type="password" id="edit-pass" name="pass" size="60" maxlength="128" class="form-text required">
        </div>
        <div class="form-actions form-wrapper" id="edit-actions">
            <input type="submit" id="edit-submit" name="op" value="Log in" class="form-submit">
        </div>
    </div>
</form>

In this example, the name of the username input field is user.

<input type="text" id="edit-name" name="user" value="" maxlength="60" class="form-text required">

and password input field is pass and that's what should be submitted in the authentication configuration.

<input type="password" id="edit-pass" name="pass" size="60" maxlength="128" class="form-text required">

Selenium

This functionality allows you to add a Selenium script that is executed during the scan.

Install the Selenium IDE plugin to record scripts in the web browser.

Follow the below procedure to install Selenium IDE plugin:

Go to https://www.seleniumhq.org/selenium-ide/
Select "CHROME DOWNLOAD" or "FIREFOX DOWNLOAD".

More information about installing and using the Selenium IDE plugin is available on https://www.seleniumhq.org/selenium-ide/docs/en/introduction/getting-started/.

To record a script:

Important

Before recording a test (and before a test run ), make sure that the browser is completely clean of any cookies or other saved data for that webpage. In other words, clean wbcache before each recording/run of selenium.

Open the plugin by navigating to the Selenium IDE in your web browser:
Select Create a new project.
Enter the project name and click OK.
Click the Start recording (REC) button.
Enter the URL of the app you want to login to.
Click START RECORDING.
The plugin now opens the URL in a new web browser window.

You can see the Selenium IDE is recording notice at the bottom of the page.
Follow the necessary steps to log in to that web application.
Once authentication is succeeded, click the Stop recording button.
The script appears in the Selenium IDE console:

The script must be automatically added to the Default Suite upon its creation. Otherwise, follow the instructions on https://www.seleniumhq.org/selenium-ide/docs/en/introduction/getting-started/ to add the test suite and organize your tests.
Click the Save project button to save the script as a .side file:

Tip

It is recommended to add a verification in the script to make sure that the script was successfully logged in. By adding a command to check for an element to be accessible will verify if that the login procedure has finished and was successful and the scanning can proceed, else the script will start scanning the login page.

Example of useful test commands.

Wait for element editable
Wait for element visible
Wait for element present

To add a script to Scale authentication:

Log in to the new Outpost24 portal.
Go to Configurations > Scan configurations.
Select Authentication from the menu on the left-hand side.
Select Selenium.
Open the .side script file previously saved in Selenium IDE:
Click SAVE.

The saved .side script is executed before scan starts and the output from the script is used to establish authenticated state.

Caution

Make sure that the private IP range 10.88.0.0/16 is not used in your environment, since this is used to communicate with a restricted container on the scanner. Having targets in this range while using the side scripts feature may cause issues while scanning them.

Custom

The basic concept of a Custom authentication flow is to create instructions for the scan to follow so it can establish a desired initial state before an actual scan starts on application specified Seed URLs. The custom authentication flow provides an environment for executing Lua scripts for exchanging HTTP messages over the network, recording cookies and providing dynamically generated seed URLs.

Some script examples are added to make it easier with Lua custom authentication script. The script input is populated depending on the chosen example from the dropdown.

The available examples include:

Cookie based
XPath
Wordpress

Information regarding Lua can be found at https://lua.org. Web application scanner specific documentation can be found by selecting the Custom authentication radio button.

To terminate a scan due to logged out state, it is recommended to specify Scan abort pattern. The pattern should be in RE2 format or as simple text matching the response that indicates logged out state of the application to the scanner. The pattern is being matched against all responses coming from the scanned application, both headers and body, and if the response matches the specified pattern, the scan stops. This is used to prevent crawling of application outside of its desired state and to make sure that reported findings belong to correct application state.

After selecting the preferred authentication, click SAVE.

Host Maps

Host maps allows to define maps between names and addresses. They can be used to force certain DNS resolutions or to scan web hosts on an HTTP server where there are no DNS records for the web hosts. The entry in the To field must be a valid IPv4/IPv6 address. The IPv6 address must not be enclosed with square brackets.

Examples:

From		To
example.com	>	203.0.113.1
internal.example.com	>	192.0.2.3 192.0.2.4 192.0.2.5 192.0.2.6
203.0.113.3	>	198.51.100.9

When using multiple entries in the To section, a round-robin selection is applied to these entries.

To add a host map, click on the green Plus icon in the lower right corner.

The bin icon beside the To section marks the entered host map for deletion when saving.

After entering the host map, click SAVE.

Manage a Configuration

Select one or more configurations, to view the available actions in the bottom tool row:

Click on the Edit tags icon to manage tag on the selected configuration.

See Tags for more information.
Click on the Scan now icon to initiate a scan instantly.
Click on the Delete icon to remove the selected configuration.

Removing scan configurations will not remove any other associated data like assets or schedules.

The same tools are available by right clicking the configuration.

Preconditions for a Configuration to Run

It is enabled.
It has a schedule.
The schedule has remaining Occurrences > 0 or not set at all.
The seed URLs must pass all request filters.

References

https://tools.ietf.org/html/rfc7231#section-5.5.3
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent.
application/json - https://tools.ietf.org/html/rfc4627
application/x-www-form-urlencoded - https://tools.ietf.org/html/draft-hoehrmann-urlencoded-01
multipart/form-data - https://tools.ietf.org/html/rfc7578
multipart/mixed - https://tools.ietf.org/html/rfc2046#section-5.1.3
text/plain - https://tools.ietf.org/html/rfc2646#page-4
https://www.seleniumhq.org/selenium-ide/
https://www.seleniumhq.org/selenium-ide/docs/en/introduction/getting-started/
https://lua.org