Scan Configuration Settings
Purpose
This document provides users with an overview of the Scan Configuration view in the Outpost24 Portal UI.
Technical Preview
This document contains parts that are technical previews of features that are currently under development. These features may be hidden behind a feature flag.
Introduction
The Configuration view consists of the target information that links to an asset, and the scan settings.
Scan settings control the automated scanning process, allowing you to restrict the scan duration and its impact on the scanned asset.
For Scale:
Scope definition of scans to cover the desired functionality available on a limited number of hosts, either through expressions that match the response body, or by mapping a host to certain IPs.
Initial state of the web application, usually in the form of an authentication procedure.
For Netsec:
Host discoveries and vulnerability scans are limited to host and port range definitions, expressed as either IP addresses or FQDNs.
The applicable scan policy, which can be limited to authenticated scanning (over SSH) when custom credentials are configured and selected.
For Cloudsec:
The cloud account and the compliance policy.
Requirements
It is assumed that the reader has basic access to the OUTSCAN/HIAB account with an Appsec, Cloudsec, or Scout subscription.
Groups
To access the Scan Configuration groups, click the group tree icon as shown in the image.
To create groups:
Click the blue CREATE NEW GROUP button at the bottom of the Group Tree panel.
In the Create Group window, enter a name for the group.
Select a sub-group if the new group is part of a main group.
Click the blue ADD button.
Add a Scan Configuration
To add a Scan Configuration:
In the Portal menu column on the left hand side, click Configuration to expand it.
Click Scan configurations to open the Scan configurations view.
To create a new configuration, click the green plus icon in the lower right corner.
Select Asset discovery to perform a discovery scan, or select the type of Assessment to perform.
Click on the blue Add button in the lower right corner to add the configuration.
See Scan Assessment Configuration for more information about each assessment choice and how to configure them.
Edit a Configuration
Select the configuration you want to edit by clicking on it.
The configuration panel is displayed to the right side of the window. It consists of several tabs, which vary depending on the selected template:
Settings (Template: Scale, Cloudsec, Cloud Discovery, Docker Scan, Docker Discovery, Network Discovery, Network Scan, Agent)
Schedules (Template: Scale, Cloudsec, Cloud Discovery, Docker Scan, Docker Discovery, Network Discovery, Network Scan)
Request Filter (Template: Scale)
Authentication (Template: Scale)
Host Maps (Template: Scale)
Reporting Settings (Template: Cloud Discovery, Network Discovery)
Settings
The Settings tab allows you to configure the scope of the scan.
General Settings
Option | Description |
---|---|
Name | Provide the name that should be displayed in the exported report. |
Time limit | Set a time limit for how long the scheduled scan should run. Use format: 2h50m. (Only applies to Network Host Assessment, Network Discovery, Network Scan, and Scale templates) |
Seed URLs | Provide the seed URL of the target. Use newline to add multiple seed URLs. |
Member of group | Select a group from the list. The default group is All. |
Include infrastructure scan | Check this box if you want to conduct an infrastructure scan. |
Infrastructure scanning is a process where other ports are checked for available services. If any active ports are found, they are tested for vulnerabilities, which are then displayed in the findings section. It is recommended to allow at least 2 hours for the port scan to finish; otherwise the scan can terminate early, which can lead to missing some of the open ports and the services running on them.
Scan Intensity
The Scan Intensity determines the behavior and the impact of the scanner on the target application.
Option | Description |
---|---|
Normal | Simulates multiple users at a time. |
Low | Simulates one user at a time, sequential requests. |
Vulnerability Testing (Fuzzing)
Select one of the options, depending on the type of scan that needs to be performed on the target application.
Option | Description |
---|---|
Active and passive | By enabling this option, the scanner performs checks for common application vulnerabilities such as SQL injection, XSS, response splitting and path enumeration, among others. |
Passive only | In this mode, the scanner follows existing links on the page without brute-forcing assets, then looks for patterns in response headers and body to determine potentially outdated and vulnerable components or server misconfigurations. |
User Agent
Option | Description |
---|---|
Desktop | Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36. |
Custom | Create a custom User Agent using the format shown in the Desktop option. This can be arbitrary text as long as it is valid in an HTTP header context according to https://tools.ietf.org/html/rfc7231#section-5.5.3. It is recommended to follow the convention described at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent. |
Schedules
In the Schedules tab, you can create schedules that determine when a scan runs. The schedules are also accessible through Automation > Schedules in the main menu to the left.
A Blocked Time Slot cannot be set in the Scan Configuration. To set a Blocked Time Slot, open the schedule in Automation > Schedules.
Add a Schedule
Click on the green plus icon located on the bottom right corner of the screen to open the Add schedule window.
Fill in the schedule form.
Option | Description |
---|---|
Schedule name | Provide a name for the schedule. |
Time | Set the time at which the schedule is triggered. The time value is saved in UTC (Coordinated Universal Time); the offset corresponds to the system time of the user's web browser and may therefore differ for users who access the schedule options from different time zones. For example, a schedule time set to 10:00 in July (summertime) by a user located in Copenhagen |
Scan window | The length of the period during which scanning is allowed. The minimum is 1 hour and the maximum is 7 days. |
Recurrence | Determines the frequency of the scheduled scan. Select one of the available options in the menu. None: the scan never runs. Once: the scan runs only once, on the selected start date. Hour: set the recurrence window by providing the number of hours. Day: set the recurrence window by providing the number of days; for example, if set to 2, the scan runs once every 2 days. Week: select the days of the week on which the scan should run. Month: select the occurrence of a weekday or the day of the month on which the scan should run. Year: select the day of the year on which the scan should run. Tip: a scan is not restarted when a schedule is triggered while the scan is still running; it starts again at the next scheduled time. |
Every | Depending on the recurrence, Every sets the N-th hour, day, week, month or year on which the scan runs. Examples: Every=1 with Recurrence=Day means every day; Every=3 with Recurrence=Month means every third month; Every=2 with Recurrence=Week means every other week. |
Starts on | Set the start date for the schedule. |
Ends on | Set an end date for the schedule. The schedule becomes inactive after this date. |
Ends after occurrences | Set the number of occurrences the schedule must be triggered before it becomes inactive. |
Never ends | If set, the schedule never becomes inactive. |
Click on the ADD button to schedule the configuration.
Edit a Schedule
Click on an existing schedule to open the edit function. Follow the same steps as in Add a Schedule and click the Save button.
Removing a Schedule
To remove a schedule either:
Right click on the schedule you want to remove to open a menu.
Then click Delete.
or
Select the schedule you want to remove by ticking the box to the left on the row.
Click on the bin icon at the bottom right of the screen to delete the schedule.
In both cases, confirm by clicking the red DELETE button.
Scan Calendar
To see the schedule, click on the Scan Calendar tab. You can select between a Month or Week view.
The scheduled scans are displayed in blue and the Blocked Time Slots in red. To view the calendar in a time zone other than the one saved in the schedule, select the desired time zone above the Month/Week toggle.
The Blocked Time Slots are time periods where scanning is not allowed. If a scan overlaps a blocked time slot, the scan is set to pending during that time and resumes after the time slot is over.
Blocked Time Slots
To block specific time slots, click in the calendar to add or remove blocks. To select or deselect multiple blocks, click and drag across the desired area to mark or unmark blocks.
The blocked time is displayed in the Scan Calendar tab as red blocks.
The number in the tab name indicates the number of days that have Blocked Time Slots.
Example Schedule
A schedule is set to run only once on 2023-02-02 at 2:00 PM:
A schedule is set to run every day at 11:00 AM, starting on 2023-01-20:
A schedule is set to run every week on Tuesday and Thursday at 9:00 AM, starting on 2023-01-20:
A schedule is set to run continuously on every second Tuesday of every third month at 9:30 AM, starting on 2023-01-20:
A schedule is set to run on 18th of every month at 10:00 PM, starting on 2023-01-20:
A schedule is set to run on the 18th of every month at 10:00 PM, starting on 2023-01-20 and disabled after 4 occurrences; in other words, the scan runs only four times:
A schedule is set to run on 18th of every month at 10:00 PM, starting on 2023-01-20 and disabled from 2024-01-01, 00:00:
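The schedule fields described above (Recurrence, Every, Starts on, Ends on, Ends after occurrences and the Tip about running scans), worked through as an added example that is not part of the Outpost24 documentation. The EXAMPLES dictionary encodes the Example Schedule cases listed above; the Every cycle is assumed to be anchored on the week or month that contains Starts on, and Ends on is treated as exclusive, since the page does not spell either out.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import Iterator, Optional

@dataclass
class Schedule:
    recurrence: str                      # "once", "day", "week" or "month"
    at: time                             # trigger time; the portal stores it in UTC
    starts_on: date                      # Starts on
    every: int = 1                       # the Every (N-th) field
    weekdays: tuple = ()                 # week: 0=Mon .. 6=Sun
    day_of_month: Optional[int] = None   # month: fixed day, e.g. 18
    nth_weekday: Optional[tuple] = None  # month: (n, weekday), (2, 1) = second Tuesday
    ends_on: Optional[datetime] = None   # Ends on: inactive from this instant (assumed exclusive)
    ends_after: Optional[int] = None     # Ends after occurrences

def nth_weekday_of_month(year: int, month: int, n: int, weekday: int) -> Optional[date]:
    day = 1 + (weekday - date(year, month, 1).weekday()) % 7 + 7 * (n - 1)
    return date(year, month, day) if day <= calendar.monthrange(year, month)[1] else None

def rule_days(s: Schedule) -> Iterator[date]:
    """Days on which the rule fires, oldest first; a month lacking the configured day is skipped."""
    if s.recurrence == "once":
        yield s.starts_on
    elif s.recurrence == "day":
        d = s.starts_on
        while True:
            yield d
            d += timedelta(days=s.every)
    elif s.recurrence == "week":
        monday = s.starts_on - timedelta(days=s.starts_on.weekday())
        while True:
            for wd in sorted(s.weekdays):
                yield monday + timedelta(days=wd)
            monday += timedelta(weeks=s.every)
    elif s.recurrence == "month":
        y, m = s.starts_on.year, s.starts_on.month
        while True:
            if s.nth_weekday:
                d = nth_weekday_of_month(y, m, *s.nth_weekday)
            else:
                d = date(y, m, s.day_of_month) if s.day_of_month <= calendar.monthrange(y, m)[1] else None
            if d is not None:
                yield d
            y, m = y + (m - 1 + s.every) // 12, (m - 1 + s.every) % 12 + 1

def occurrences(s: Schedule, limit: int = 50) -> list:
    """Trigger instants (UTC) honouring Starts on, Ends on and Ends after occurrences."""
    out = []
    for d in rule_days(s):
        if d < s.starts_on:          # the rule may fire earlier in the start week/month
            continue
        t = datetime.combine(d, s.at, tzinfo=timezone.utc)
        if s.ends_on is not None and t >= s.ends_on:
            break
        out.append(t)
        if len(out) >= limit or (s.ends_after and len(out) >= s.ends_after):
            break
    return out

def effective_starts(triggers: list, scan_duration: timedelta) -> list:
    """Tip from the Recurrence row: a trigger during a running scan does not restart it."""
    starts, busy_until = [], None
    for t in triggers:
        if busy_until is None or t >= busy_until:
            starts.append(t)
            busy_until = t + scan_duration
    return starts

EXAMPLES = {  # the Example Schedule cases above, as constructed Schedule objects
    "once": Schedule("once", time(14, 0), date(2023, 2, 2)),
    "daily": Schedule("day", time(11, 0), date(2023, 1, 20)),
    "tue_thu": Schedule("week", time(9, 0), date(2023, 1, 20), weekdays=(1, 3)),
    "2nd_tue_q": Schedule("month", time(9, 30), date(2023, 1, 20), every=3, nth_weekday=(2, 1)),
    "18th_x4": Schedule("month", time(22, 0), date(2023, 1, 20), day_of_month=18, ends_after=4),
    "18th_2023": Schedule("month", time(22, 0), date(2023, 1, 20), day_of_month=18,
                          ends_on=datetime(2024, 1, 1, tzinfo=timezone.utc)),
}
```

Running `occurrences(EXAMPLES["18th_x4"])` shows that the 18 January trigger before Starts on does not count, so the four runs fall on 18 February to 18 May 2023.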
Request Filter
Request filter is used to limit the scanner from visiting resources which can disrupt normal behavior of a web application, or to limit the scan scope within given parameters. The request filter can, for example, disallow all POST based requests to avoid sending too many repetitive requests which in turn could affect availability of the web application.
To add a filter, click the green plus icon in the lower right corner to display the filter configuration.
Filter Type
Can't match - Requests that match the filter are excluded from the scan. If an option such as Method or Body type is left empty, the filter matches all methods or body types. The more criteria a filter specifies, the narrower it is, so fewer requests are excluded and more requests pass the filter and are visited during the crawling stage.
This type of filter applies to both directly visited resources like links within web application scope, as well as resources required to properly render the web application.
The latter are not in direct scope during the crawling phase, for example:
Externally hosted images
Media players
Widgets
JavaScript libraries
and other resources included in the web application.
Use the Can't match filter when the scanner needs to be prevented from visiting certain pages or performing certain types of requests, such as:
Checking out in web-shop
Finalizing booking
Preventing the logout request from being sent when an authentication procedure is defined
Avoiding web activity trackers and analytics from logging the scanner's activity
Must match - Requests that must match the specified rules to be included in the scan. Any requests not matching the given rules are considered out-of-scope at crawling phase and thus never visited. This type of filter is useful whenever a scan must be performed at certain depth or path within the scanned web application.
The Must match filter applies only to resources directly found in the rendered web application, such as links and buttons. The filter does not limit external resources required to properly render the web application, like:
JavaScript libraries
Externally hosted images
Widgets
and other indirectly requested resources.
To limit requests of that nature, use a Can't match type of filter instead.
If "\.php\??" is provided as a Must match filter, the scanner scans only pages of the ".php" file type and excludes all other pages.
Method: Optional
Select any of the supported HTTP request methods or leave the field empty (unspecified).
The available methods are:
GET
POST
DELETE
PATCH
PUT
Body Type: Optional
Select the desired content type from the drop-down menu, so that the request body also uses the same format as the query string. If you leave the field empty, it matches all requests.
application/json - https://tools.ietf.org/html/rfc4627
application/x-www-form-urlencoded - https://tools.ietf.org/html/draft-hoehrmann-urlencoded-01
multipart/form-data - https://tools.ietf.org/html/rfc7578
multipart/mixed - https://tools.ietf.org/html/rfc2046#section-5.1.3
text/plain - https://tools.ietf.org/html/rfc2646#page-4
URL
Provide the URL to which the filter settings must be applied (RE2 regex matching).
http://example\.com
Body: Optional
Provide the body to which the filter settings must be applied (RE2 regex matching).
/login_example\.php
After filling the desired settings into filter configuration dialog, click the ADD button.
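The Can't match and Must match semantics described above, as an added example that is not Outpost24 code: a crawler gate that applies a constructed filter set to constructed requests. It assumes Python's re module in place of RE2 for these simple patterns, that several Must match rules are OR-ed, and that a `direct` flag marks whether a request is a link found in the page or a resource needed to render it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Request:
    method: str
    url: str
    body_type: Optional[str] = None   # Content-Type of the body; None for body-less requests
    body: str = ""
    direct: bool = True               # True: link/button in the page; False: resource needed to render it

@dataclass(frozen=True)
class Filter:
    kind: str                         # "cant_match" or "must_match"
    method: Optional[str] = None      # empty field = matches every method
    body_type: Optional[str] = None   # empty field = matches every body type
    url: Optional[str] = None         # RE2 regex over the URL (Python re stands in for RE2 here)
    body: Optional[str] = None        # RE2 regex over the request body

    def matches(self, r: Request) -> bool:
        """Every non-empty criterion must hold, so a more granular filter matches fewer requests."""
        if self.method and r.method.upper() != self.method.upper():
            return False
        if self.body_type and r.body_type != self.body_type:
            return False
        if self.url and not re.search(self.url, r.url):
            return False
        if self.body and not re.search(self.body, r.body):
            return False
        return True

def is_in_scope(r: Request, filters: List[Filter]) -> bool:
    """Can't match excludes any request it matches, page link or render resource alike.
    Must match only constrains direct requests, which must satisfy at least one rule."""
    cant = [f for f in filters if f.kind == "cant_match"]
    must = [f for f in filters if f.kind == "must_match"]
    if any(f.matches(r) for f in cant):
        return False
    if must and r.direct and not any(f.matches(r) for f in must):
        return False
    return True

# Constructed filter set: stay on .php pages of example.com, never send a logout or a
# POST checkout, and keep the scanner out of a (constructed) analytics tracker.
FILTERS = [
    Filter("must_match", url=r"^https?://example\.com/.*\.php\??"),
    Filter("cant_match", url=r"/logout"),
    Filter("cant_match", method="POST", url=r"/checkout"),
    Filter("cant_match", url=r"analytics\.example\.net"),
]

# Constructed requests as the crawler would encounter them.
SAMPLE_REQUESTS = [
    Request("GET", "http://example.com/index.php"),                     # in scope
    Request("GET", "http://example.com/view.php?id=4"),                 # in scope
    Request("GET", "http://example.com/about.html"),                    # fails Must match
    Request("GET", "https://cdn.example.net/jquery.js", direct=False),  # render resource, Must match not applied
    Request("GET", "https://analytics.example.net/collect?u=1", direct=False),  # Can't match still applies
    Request("POST", "http://example.com/logout.php"),                   # Can't match wins over Must match
    Request("POST", "http://example.com/checkout.php", "application/x-www-form-urlencoded", "cart=7"),
    Request("GET", "http://example.com/checkout.php"),                  # method differs, so the POST rule does not match
]

def scoped_urls(requests: List[Request], filters: List[Filter]) -> List[str]:
    """URLs the crawler would actually visit under the given filters."""
    return [r.url for r in requests if is_in_scope(r, filters)]
```

The last two sample requests illustrate the remark above that a more granular Can't match filter is narrower: restricting it to POST lets the GET to the same path through.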
Authentication
Here you can configure authentication for an asset.
SSL Authentication
Certificate
X.509 PEM certificate
The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a "-----BEGIN ..." line.
Private key
PEM-encoded private key. Accepted key types: RSA, DSA, ECDSA.
Starting with: -----BEGIN RSA PRIVATE KEY-----
Passphrase
Passphrase used for private key.
Web Authentication
None
Choose None if no authentication should be used.
Basic
Choosing Basic authentication is appropriate when the initial state of the crawled application is established through the WWW-Authenticate HTTP header as specified in RFC 1945.
To terminate a scan when the application reaches a logged-out state, it is recommended to specify a Scan abort pattern. The pattern can be an RE2 regular expression or simple text that matches the response which indicates to the scanner that the application is logged out. The pattern is matched against all responses coming from the scanned application, both headers and body; if a response matches the pattern, the scan stops. This prevents crawling the application outside of its desired state and ensures that reported findings belong to the correct application state.
Login Form
This configuration allows you to set up an authentication procedure based on a login form present on the website:
Review the rendered HTML of the login page to locate the form input elements. This can be done by right clicking on the page and choosing Inspect or Inspect element. See the example guide for Firefox for more information.
Below you can see an example code snippet and where the required values are found:
<form action="/user/login" method="post" id="user-login" accept-charset="UTF-8">
<div>
<div class="form-item form-type-textfield form-item-name">
<label for="edit-name">Username or email <span class="form-required" title="This field is required.">*</span></label>
<input type="text" id="edit-name" name="user" value="" maxlength="60" class="form-text required">
</div>
<div class="form-item form-type-password form-item-pass">
<label for="edit-pass">Password <span class="form-required" title="This field is required.">*</span></label>
<input type="password" id="edit-pass" name="pass" size="60" maxlength="128" class="form-text required">
</div>
<div class="form-actions form-wrapper" id="edit-actions">
<input type="submit" id="edit-submit" name="op" value="Log in" class="form-submit">
</div>
</div>
</form>
In this example, the name of the username input field is user:
<input type="text" id="edit-name" name="user" value="" maxlength="60" class="form-text required">
and the name of the password input field is pass; these are the values to enter in the authentication configuration.
<input type="password" id="edit-pass" name="pass" size="60" maxlength="128" class="form-text required">
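Locating the field names by hand is error-prone on pages with several forms, so here is an added helper (not part of the Outpost24 documentation) that extracts the action, method and username/password field names from the form markup above using only the Python standard library. `LoginFormFinder`, `find_login_fields` and `LOGIN_PAGE_HTML` are names chosen for this example.

```python
from html.parser import HTMLParser
from typing import Optional

# The login form from the example snippet above, trimmed to the form and its inputs.
LOGIN_PAGE_HTML = """
<form action="/user/login" method="post" id="user-login" accept-charset="UTF-8">
  <label for="edit-name">Username or email</label>
  <input type="text" id="edit-name" name="user" value="" maxlength="60" class="form-text required">
  <label for="edit-pass">Password</label>
  <input type="password" id="edit-pass" name="pass" size="60" maxlength="128" class="form-text required">
  <input type="submit" id="edit-submit" name="op" value="Log in" class="form-submit">
</form>
"""

class LoginFormFinder(HTMLParser):
    """Collects each <form> with its action/method and the (type, name) of every <input> in it."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list = []
        self._current: Optional[dict] = None

    def handle_starttag(self, tag: str, attrs: list) -> None:
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action"), "method": (a.get("method") or "get").lower(), "inputs": []}
        elif tag == "input" and self._current is not None:
            # <input> is a void element; html.parser reports it through handle_starttag
            self._current["inputs"].append(((a.get("type") or "text").lower(), a.get("name")))

    def handle_endtag(self, tag: str) -> None:
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def find_login_fields(html: str) -> Optional[dict]:
    """Return action, method and the username/password field names of the first form that has a
    password input, i.e. the values entered in the Login Form authentication configuration."""
    parser = LoginFormFinder()
    parser.feed(html)
    parser.close()
    for form in parser.forms:
        passwords = [name for kind, name in form["inputs"] if kind == "password" and name]
        if not passwords:
            continue  # a search box or newsletter form, not a login form
        usernames = [name for kind, name in form["inputs"] if kind in ("text", "email") and name]
        return {
            "action": form["action"],
            "method": form["method"],
            "username_field": usernames[0] if usernames else None,
            "password_field": passwords[0],
        }
    return None
```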
Selenium
This functionality allows you to add a Selenium script that is executed during the scan.
Install the Selenium IDE plugin to record scripts in the web browser.
Follow the procedure below to install the Selenium IDE plugin:
Select "CHROME DOWNLOAD" or "FIREFOX DOWNLOAD".
More information about installing and using the Selenium IDE plugin is available on https://www.seleniumhq.org/selenium-ide/docs/en/introduction/getting-started/.
To record a script:
Important
Before recording a test (and before a test run), make sure that the browser is completely clean of any cookies or other saved data for that web page. In other words, clear the web cache before each recording or run of Selenium.
Open the plugin by navigating to the Selenium IDE in your web browser:
Select Create a new project.
Enter the project name and click OK.
Click the Start recording (REC) button.
Enter the URL of the app you want to login to.
Click START RECORDING.
The plugin now opens the URL in a new web browser window.
You can see the Selenium IDE is recording notice at the bottom of the page. Follow the necessary steps to log in to that web application.
Once authentication has succeeded, click the Stop recording button.
The script appears in the Selenium IDE console:
The script should be added to the Default Suite automatically upon its creation. Otherwise, follow the instructions on https://www.seleniumhq.org/selenium-ide/docs/en/introduction/getting-started/ to add the test suite and organize your tests.
Click the Save project button to save the script as a .side file:
It is recommended to add a verification step to the script to confirm that the login succeeded. Adding a command that waits for an element to become accessible verifies that the login procedure has finished successfully before scanning proceeds; otherwise the scan may start on the login page.
Examples of useful commands:
Wait for element editable
Wait for element visible
Wait for element present
To add a script to Scale authentication:
Log in to the new Outpost24 portal.
Go to Configurations > Scan configurations.
Select Authentication from the menu on the left-hand side.
Select Selenium.
Open the .side script file previously saved in Selenium IDE:
Click SAVE.
The saved .side script is executed before the scan starts, and the output from the script is used to establish the authenticated state.
Make sure that the private IP range 10.88.0.0/16 is not used in your environment, since it is used to communicate with a restricted container on the scanner. Having targets in this range while using the .side scripts feature may cause issues while scanning them.
Custom
The basic concept of a Custom authentication flow is to create instructions for the scan to follow so that it can establish the desired initial state before the actual scan starts on the application's Seed URLs. The custom authentication flow provides an environment for executing Lua scripts that exchange HTTP messages over the network, record cookies and provide dynamically generated seed URLs.
Script examples are provided to make writing a Lua custom authentication script easier. The script input is populated with the example chosen from the drop-down.
The available examples include:
Cookie based
XPath
Wordpress
Information regarding Lua can be found at https://lua.org. Web application scanner specific documentation can be found by selecting the Custom authentication radio button.
To terminate a scan when the application reaches a logged-out state, it is recommended to specify a Scan abort pattern. The pattern can be an RE2 regular expression or simple text that matches the response which indicates to the scanner that the application is logged out. The pattern is matched against all responses coming from the scanned application, both headers and body; if a response matches the pattern, the scan stops. This prevents crawling the application outside of its desired state and ensures that reported findings belong to the correct application state.
After selecting the preferred authentication, click SAVE.
Host Maps
A host map defines a map between names and addresses to a map of other addresses. They can be used to force certain DNS resolutions or to scan vhosts on an HTTP server where there are no DNS records for the vhosts. An entry in the To field must be a valid IPv4/IPv6 address. An IPv6 address must not be enclosed with square brackets.
Examples:
From | | To |
example.com | > | 203.0.113.1 |
internal.example.com | > | 192.0.2.3 |
203.0.113.3 | > | 198.51.100.9 |
When using multiple entries in the To section, a round-robin selection is applied to these entries.
To add a host map, click on the green plus icon in the lower right corner.
The bin icon next to the To section marks the entered host map for deletion when saving.
After entering the host map, click SAVE.
Reporting Settings
Report settings manage how assets are reported after a scan. They allow the addition of tags to rediscovered, or newly discovered assets, as well as the import of tags from external platforms like Amazon Web Services. They also determine how assets are reported and made visible in the assets view, or whether asset creation should be skipped entirely.
Automatic tagging and tag import simplify asset management and organization by offering a hands-off approach, making it easier to manage assets at scale. In addition to reducing manual effort, these settings provide essential customization options to ensure consistency across scans and systems, enhancing asset accessibility and supporting consistent compliance reporting.
Tags
The tags function automatically adds tags to newly discovered assets, streamlining the management process, reducing manual effort, and enhancing accessibility. By using the automatic tagging functionality, you can assign relevant information to each asset, such as its environment (e.g., production, staging, development), department (e.g., marketing, finance, engineering), or compliance status (e.g., PCI-DSS compliant).
Using tags like production or development enables you to quickly distinguish between different environments, facilitating resource management based on their intended purpose. If an issue arises with resources belonging to a specific department, support teams can easily filter assets by tags, allowing for faster and more effective incident response.
Preset the tag to be added either by selecting one from the expanded list or by creating a new tag.
Asset Creation
Under Asset creation, assets can be created automatically when new machines are discovered.
The first option allows users to create assets for found hosts, which streamlines the process of integrating newly identified resources into the existing asset inventory. By automatically creating assets after the scan, organizations can ensure that all discovered resources are accounted for and readily accessible.
The second option provides a useful alternative for scenarios where organizations may want to monitor potential resources without immediately integrating them into their asset management system. This option is particularly beneficial for environments that are undergoing changes or assessments, as it allows teams to gather information about new hosts without overwhelming their inventory. Results will only be visible in the scans view, giving teams the flexibility to evaluate assets before deciding to create formal entries in the asset inventory.
Network Discovery Template
Packet filter (advanced usage)
This feature is for advanced users!
When running a Network Discovery scan, a packet filter can be applied to filter the result of the scan.
Packet filters allow you to capture targeted data by specifying which packets to collect based on criteria such as IP addresses, protocols or port numbers. This reduces the amount of irrelevant data and makes the result easier to analyze.
Filtering packets also reduces both CPU and memory overhead, which is important during scans with a high volume of network traffic. By capturing only the relevant packets, you can speed up the scanning process and avoid delays associated with processing unnecessary data.
Focusing on specific protocols or devices of interest gives a clearer understanding of your network topology, active hosts and available services, making it easier to spot suspicious activity. Many network scanning tools support BPF syntax, enabling seamless integration into your workflow.
The packet filter uses Berkeley Packet Filter syntax and a BPF expression in the filter looks like:
icmp[icmptype] != icmp-echo # Captures all icmp packets that are not echo requests.
Cloud Discovery Template
External Tags
Enabling the External tags feature allows you to import the external tags from the source of the discovery scan. You can filter these to only import specific tag keys from the source. This ensures consistency between systems and enables quick filtering options for reporting and compliance, using familiar tags from the external system.
Manage a Configuration
Select one or more configurations to view the available actions in the bottom tool row:
Click on the Edit Tags icon to manage tags on the selected configuration.
See Tags for more information.
Click on the Scan Now icon to initiate a scan instantly.
Click on the Delete icon to remove the selected configuration.
Removing scan configurations will not remove any other associated data like assets or schedules.
The same tools are available by right clicking the configuration.
Preconditions for a Configuration to Run
It is enabled.
It has a schedule.
The schedule has remaining occurrences (> 0), or no occurrence limit is set.
The seed URLs must pass all request filters.
References
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent
application/json - https://tools.ietf.org/html/rfc4627
application/x-www-form-urlencoded - https://tools.ietf.org/html/draft-hoehrmann-urlencoded-01
multipart/form-data - https://tools.ietf.org/html/rfc7578
multipart/mixed - https://tools.ietf.org/html/rfc2046#section-5.1.3
text/plain - https://tools.ietf.org/html/rfc2646#page-4
https://www.seleniumhq.org/selenium-ide/docs/en/introduction/getting-started/
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.