Scan web applications

Use DAST Essentials Enterprise mode to configure authentication for web applications using login scripts, scanner variables, and client certificates. Veracode systematically crawls one or more URLs to perform a comprehensive scan of the application and identify security vulnerabilities. The scan results highlight issues that require prompt resolution.

Create a scan

You can create a web application scan in the Veracode Platform using DAST Essentials.

Before you begin:

• You must have a Veracode account with the Administrator, Creator, Submitter, or Security Lead role.

To complete this task:

1. Sign in to the Veracode Platform.
2. Select Scans and Analysis > DAST Essentials.
3. Select ADD TARGET.
4. Select A web application.
5. Select Next.
6. For Target Name, enter a name for the analysis. Ensure the name is unique to your organization and provides a human-readable description of the analysis.
7. For Protocol, select the required option.
8. For URL or IPv4, enter the base URL.
9. For Team, select a team from the options available.
10. Select Enterprise mode.
11. Select NEXT.
12. Select Full Scan.
13. To certify that your organization has the right to scan the content, select the checkbox.
14. Select CREATE TARGET.

Configure a scan

After you create a web application scan in the Veracode Platform in DAST Essentials, you can configure it. Use Internal Scanning Management (ISM) if the server is behind a firewall.

Before you begin:

• You must have a Veracode account with the Administrator, Creator, Submitter, or Security Lead role. Any member of the team associated with the web application scan can view the analysis and its results.

To complete this task:

1. Sign in to the Veracode Platform.
2. Select Scans and Analysis > DAST Essentials.
3. Locate the web application you want to configure. In the Actions column, select Configure.
4. Select the URL Configuration tab.
5. To add or update URLs that you want to allow the crawler and scanners to access, in the Allowed URLs section, select ADD URL. Select the required Protocol and provide URL. Select OK.
6. To add or update URLs that you do not want to allow the crawler and scanners to access, in the Blocked URLs section, select ADD URL. Select the required Protocol and provide URL. Select OK.
7. To ensure a comprehensive scan, in the Enterprise mode section, you can upload a crawl script.
8. In the Duration tab, you configure the maximum scan duration.
9. In the Scanners tab, you select the scanners that should be executed for this web application scan and exclude the ones that you do not want to execute.
10. In the Authentication tab, you configure the authentication methods that the analysis uses to access your URLs.
11. In the Automation tab, you create a schedule to run the analysis.
12. Use ISM to access internal servers that are behind a firewall or not exposed to the public internet.
13. Select SAVE. All the configuration changes that you save will take effect with the next scan.

Upload a crawl script

Provide Veracode with a crawl script containing the necessary input for the DAST Essentials scan engine to access all areas of the application. This ensures a comprehensive scan of your URL.

Before you begin:

• Ensure you have recorded the crawl script using the Selenium IDE with supported Selenium commands and saved it as an HTML or SIDE (JSON format) file. The file cannot be larger than 5 MB.
• Review Selenium script best practices.
• See example Selenium scripts.

The following tasks continue from step 7 of configure a scan.

To complete this task:

1. In the Enterprise mode section, for Crawl Script, select the crawl script file from the File Explorer and upload it.
2. For Crawl options, select Use the automated crawl engine in addition to the crawl script. To limit the scan to only the actions defined in the crawl script, select Scan only what is specified in the crawl script.
3. Select SAVE.

DAST Essentials runs the crawl script during prescan and provides information about commands that might fail during the URL scan.

Review the scan results

You can review the scan results for web application scans in the Veracode Platform.

Before you begin:

• You must have a Veracode account with the Creator, Reviewer, or Security Lead role unless the results are linked to an application profile that you have permission to view.
• You have created a web application scan and run it.
• The analysis run must have finished.

To complete this task:

1. Sign in to the Veracode Platform.
2. Select Scans and Analysis > DAST Essentials.
3. Locate the web application you want to review and select the target using the hyperlink.
4. To review the web application scan history, select the hyperlink in the Url column of the table.