
Scan web applications

Use DAST Essentials Enterprise mode to configure authentication for web applications using login scripts, scanner variables, and client certificates. Veracode systematically crawls one or more URLs to perform a comprehensive scan of the application and identify security vulnerabilities. The scan results highlight issues that require prompt resolution.

Create a scan

You can create a web application scan in the Veracode Platform using DAST Essentials.

Before you begin:

  • You must have a Veracode account with the Administrator, Creator, Submitter, or Security Lead role.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Select ADD TARGET.
  4. Select A web application.
  5. Select Next.
  6. For Target Name, enter a name for the analysis. Ensure the name is unique to your organization and provides a human-readable description of the analysis.
  7. For URL or IPv4, enter the base URL with protocol (http:// or https://). By default, the DAST scanner follows http:// or https:// URLs regardless of the protocol in your target URL.
  8. For Team, select a team from the options available.
  9. Select Enterprise mode.
  10. Select NEXT.
  11. Select Full Scan.
  12. To certify that your organization has the right to scan the content, select the checkbox.
  13. Select CREATE TARGET.

Configure a scan

After you create a web application scan in the Veracode Platform in DAST Essentials, you can configure it. Use Internal Scanning Management (ISM) if the server is behind a firewall.

Before you begin:

  • You must have a Veracode account with the Administrator, Creator, Submitter, or Security Lead role. Any member of the team associated with the web application scan can view the analysis and its results.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the web application you want to configure. In the Actions column, select Configure.
  4. To edit the base URL, or to change whether the scan follows http://, https://, or both, select the General tab. When both protocols are allowed, the DAST scanner follows http:// and https:// URLs regardless of the protocol in your target URL.
  5. To manage crawler access to specific URLs, select the URL Configuration tab:
    • To add or update URLs that you want to allow the crawler and scanners to access, in the Allowed URLs section, select ADD URL. Select the required Protocol and provide the URL. Select OK.
    • To add or update URLs that you do not want to allow the crawler and scanners to access, in the Blocked URLs section, select ADD URL. Select the required Protocol and provide the URL. Select OK.
  6. To ensure a comprehensive scan, in the Enterprise mode section, you can upload a crawl script.
  7. In the Duration tab, configure the maximum scan duration.
  8. In the Scanners tab, select the scanners that should be executed for this web application scan and exclude the ones that you do not want to execute.
  9. In the Authentication tab, configure the authentication methods that the analysis uses to access your URLs.
  10. In the Automation tab, create a schedule to run the analysis.
  11. Use ISM to access internal servers that are behind a firewall or not exposed to the public internet.
  12. Select SAVE. All the configuration changes that you save take effect with the next scan.

Upload a crawl script

Provide Veracode with a crawl script containing the necessary input for the DAST Essentials scan engine to access all areas of the application. This ensures a comprehensive scan of your URL.

Before you begin:

The following tasks continue from step 6 of configure a scan.

To complete this task:

  1. In the Enterprise mode section, for Crawl Script, select the crawl script file from the File Explorer and upload it.
  2. For Crawl options, select Use the automated crawl engine in addition to the crawl script to let the crawler explore beyond the recorded actions, or select Scan only what is specified in the crawl script to limit the scan to the actions defined in the script.
  3. Select SAVE.

DAST Essentials runs the crawl script during prescan and provides information about commands that might fail during the URL scan.

Review the scan results

You can review the scan results for web application scans in the Veracode Platform.

Before you begin:

  • You must have a Veracode account with the Creator, Reviewer, or Security Lead role unless the results are linked to an application profile that you have permission to view.
  • You have created a web application scan and run it.
  • The analysis run must have finished.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the web application you want to review and select the target hyperlink to open it.
  4. To review the scan history of the web application, select the hyperlink in the URL column of the table.

For more information, see understanding the scan results.

Selenium scripting

Record scripts that the scanners run during scanning. For example, to ensure that DAST Essentials or Dynamic Analysis can scan all areas of the target URLs of your web application, record crawl scripts. Or, record login scripts that the scanners use to authenticate with areas of your application.

You record a script with the Selenium IDE and the supported Selenium commands, save it as an HTML or SIDE (JSON) file, then upload the file to your analysis using the Veracode Platform or the REST API.

We recommend using tools such as Chrome DevTools Recorder, Playwright, or Cypress to capture the desired browser interactions. You can then manually convert these recordings or test files into the required SIDE file format for use as login or crawl scripts.
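The conversion this paragraph describes, as an added example that is not part of the Veracode documentation or of Selenium IDE: a Python script that reads a Chrome DevTools Recorder JSON export and writes the equivalent Selenium IDE .side project, preferring id= locators (per the best practices further down), inserting a waitForPageToLoad after each navigation, and dropping the focusing click the Recorder captures before typing into a field. The step shapes follow the Recorder's public export format; the sample recording, its element ids and URL, the locator preference order, and the use of ${KEY_ENTER} for a recorded Enter keypress are assumptions.

```python
"""Convert a Chrome DevTools Recorder JSON export into a Selenium IDE .side
project for use as a DAST Essentials login or crawl script.

Added example for this page; not Veracode or Selenium IDE code. The step shapes
(navigate, click, change, keyDown, waitForElement) follow the Recorder export
format; SAMPLE_RECORDING, its ids and URL, and the id= > xpath= > css= locator
preference are constructed assumptions."""
import json
import uuid

# Recorder step types that act on an element, mapped to supported Selenium commands.
ELEMENT_STEPS = {
    "click": "click",
    "doubleClick": "doubleClick",
    "hover": "mouseOver",
    "waitForElement": "waitForElementPresent",
}
# Recorder selector prefixes with no Selenium IDE locator equivalent.
UNSUPPORTED_PREFIXES = ("aria/", "pierce/", "text/")


def to_locator(selectors):
    """Render the best Recorder selector group as a Selenium IDE target.
    Prefer id=, then xpath=, then plain CSS; aria/, pierce/ and text/ are skipped."""
    candidates = [group[0] for group in selectors if group]
    for sel in candidates:
        if sel.startswith("#") and all(ch.isalnum() or ch in "-_" for ch in sel[1:]):
            return "id=" + sel[1:]
    for sel in candidates:
        if sel.startswith("xpath/"):
            return "xpath=" + sel[len("xpath/"):]
    for sel in candidates:
        if not sel.startswith(UNSUPPORTED_PREFIXES):
            return "css=" + sel
    raise ValueError(f"no convertible selector in {selectors!r}")


def _cmd(command, target="", value=""):
    """One .side command entry in the shape Selenium IDE writes."""
    return {"id": str(uuid.uuid4()), "comment": "", "command": command,
            "target": target, "targets": [], "value": value}


def convert_steps(steps):
    """Translate Recorder steps into Selenium IDE commands."""
    commands = []
    for step in steps:
        kind = step["type"]
        if kind == "navigate":
            commands.append(_cmd("open", step["url"]))
            # Best practice: wait for the page before interacting (default 30 s timeout).
            commands.append(_cmd("waitForPageToLoad"))
        elif kind == "change":
            target = to_locator(step["selectors"])
            # The Recorder captures the focusing click before typing; type already fills
            # the field and extra focus events can cause problems, so drop that click.
            if commands and commands[-1]["command"] == "click" and commands[-1]["target"] == target:
                commands.pop()
            commands.append(_cmd("type", target, step["value"]))
        elif kind in ELEMENT_STEPS:
            commands.append(_cmd(ELEMENT_STEPS[kind], to_locator(step["selectors"])))
        elif kind == "keyDown" and step.get("key") == "Enter" and commands:
            # Enter submits the field typed last; ${KEY_ENTER} is Selenium IDE's key syntax.
            commands.append(_cmd("sendKeys", commands[-1]["target"], "${KEY_ENTER}"))
        # setViewport, scroll, keyUp and other step types have no scan-relevant equivalent.
    return commands


def to_side_project(recording):
    """Wrap the converted commands in the .side project structure Selenium IDE writes."""
    test_id = str(uuid.uuid4())
    urls = [s["url"] for s in recording["steps"] if s["type"] == "navigate"]
    name = recording.get("title", "recording")
    return {
        "id": str(uuid.uuid4()), "version": "2.0", "name": name,
        "url": urls[0] if urls else "",
        "tests": [{"id": test_id, "name": name, "commands": convert_steps(recording["steps"])}],
        "suites": [{"id": str(uuid.uuid4()), "name": "Default Suite", "persistSession": False,
                    "parallel": False, "timeout": 300, "tests": [test_id]}],
        "urls": urls, "plugins": [],
    }


# Constructed Recorder export of a two-field sign-in; the URL and ids are made up.
SAMPLE_RECORDING = {
    "title": "login",
    "steps": [
        {"type": "setViewport", "width": 1280, "height": 800, "deviceScaleFactor": 1,
         "isMobile": False, "hasTouch": False, "isLandscape": False},
        {"type": "navigate", "url": "https://app.example.test/login",
         "assertedEvents": [{"type": "navigation", "url": "https://app.example.test/login"}]},
        {"type": "click", "target": "main", "offsetX": 12, "offsetY": 8,
         "selectors": [["aria/Username"], ["#username"], ["xpath///*[@id=\"username\"]"], ["pierce/#username"]]},
        {"type": "change", "target": "main", "value": "scan-user",
         "selectors": [["aria/Username"], ["#username"], ["xpath///*[@id=\"username\"]"]]},
        {"type": "change", "target": "main", "value": "s3cret",
         "selectors": [["aria/Password"], ["#password"], ["pierce/#password"]]},
        {"type": "keyDown", "target": "main", "key": "Enter"},
        {"type": "keyUp", "target": "main", "key": "Enter"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(to_side_project(SAMPLE_RECORDING), indent=2))  # save as login.side
```

Review the generated commands in Selenium IDE before uploading: a recording that typed a real password carries it as a literal value, which you would replace with a scanner variable reference before the file leaves your machine.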

Note: Crawl scripts are not supported for analyses of API specifications or Postman Collections.

Supported Selenium commands

The following table lists the Selenium commands that Veracode supports in sequence scripts. You can save these scripts as HTML or SIDE files and upload the files to Dynamic Analysis or DAST Essentials for use in a web application scan. Your version of Selenium IDE might not support all listed commands. Review the best practices before running your scan.

For more information about these commands, see the Selenium documentation.

assertAlert, assertPrompt, or assertConfirmation
  These commands have identical implementations. They switch focus to the current alert box on the page and check whether the user-provided text matches the alert text. If the text does not match, or there is no alert box on the page, the command fails.

assertChecked
  This command succeeds when the targeted checkbox or radio button is selected and fails when it is not.

assertElementPresent
  This command always uses a timeout period of 30 seconds. If the scan engine cannot locate the targeted element within that time, the command times out and fails.

assertText or verifyText
  assertText and verifyText have identical implementations.

assertTextPresent or verifyTextPresent
  Veracode checks the provided text against the HTML source of the currently rendered page, not the original source. HTML elements added to the page through JavaScript can therefore be matched only if the JavaScript code mutating the DOM finishes executing before this command runs. This command requires the scan engine to fully serialize the page currently loaded in the browser, which can be extremely time-consuming for complex pages.

check or uncheck
  check can operate on checkbox and radio button form inputs, but uncheck can operate only on checkboxes.

click or clickAndWait
  These commands have identical implementations and functionality.

clickAt

deleteAllCookies

doubleClick or doubleClickAndWait
  doubleClick and doubleClickAndWait have identical implementations and functionality.

fireEvent or focus
  focus fails if the element to be focused is not focusable, such as an <img> or <br /> element. Elements that are not focusable might still have focus events bound to them; in that case, use fireEvent to fire the event you want on the non-focusable element.

keyUp

keyDown

keyPress

mouseDown or mouseUp
  mouseDown and mouseUp are always fired together when the simulated left mouse button clicks an element.

mouseOver or mouseMove
  mouseOver and mouseMove are always fired together when the simulated mouse moves over an element.

mouseOut

open or close
  If you must manage multiple windows, explicitly select them by name or title before executing any commands. If more than one window is still open after you close the originally selected window, the choice of the new main window is unpredictable.

pause
  Long or duplicated pause commands are unnecessary.

refresh

runScript
  Runs custom JavaScript code in the context of the currently loaded web page, which lets you manipulate the DOM or retrieve dynamic values for use during the scan.

select

selectAndWait
  This command fails if the targeted dropdown menu does not load within the timeout period, which is 60 seconds by default.

selectFrame

selectPopUp
  When only one window is open, this command fails, because the only open window must be the main window.

selectWindow
  When only one window is open, this command always succeeds.

submit

type

typeKeys or sendKeys
  typeKeys and sendKeys have identical implementations.

verifyHtmlSource
  Veracode checks the provided text against the HTML source of the currently rendered page, not the original source, with the same caveats as assertTextPresent: DOM changes made by JavaScript are matched only if that JavaScript has finished executing, and fully serializing a complex page can be extremely time-consuming.

waitForElementToLoad, waitForTitle, waitForTextPresent, or waitForElementPresent
  You can provide an optional timeout in the value element of these Selenium IDE commands. If the value element is empty, the default timeout is 30 seconds. If the scan engine cannot locate the element within that time, the command times out and fails.

waitForFrameToLoad
  Support for this command includes only the name and ID string locators. When this command returns successfully, it automatically switches to the loaded frame, as if selectFrame had been called. A generic pause is often a better solution than this command.

waitForPageToLoad
  You can provide an optional timeout period in the target element of the command. The default is 30 seconds and the maximum is 60 seconds. If the page does not load within the configured timeout, the command fails.

Scripting best practices

This section provides best practices for recording and optimizing your crawl scripts.

General

  • To ensure that a webpage finishes loading before the script interacts with it, such as by signing in, include a wait command, such as waitForPageToLoad, at the beginning of the script.
  • Always include a command that validates a successful sign in to the application, such as waitForElementVisible on an element that appears only after sign in. See Targeting elements and the example login scripts.
  • To verify text that appears on the page after a successful sign in, include a text verification command, such as assertTextPresent or verifyTextPresent, at the end of the script.
  • Where possible, avoid including pauses in the script.
  • Where possible, ensure each target in the script refers to the id attribute of the element in the HTML of each webpage. For example, "target": "id=username". See Targeting elements and the example login scripts.

When to use crawl scripts

You do not need a crawl script to perform a complete Dynamic Analysis or DAST Essentials scan of a web application. Create crawl scripts only if you need to access features or functionality in your web application that require specific inputs in a multistep process.

For example, a website might display different features depending on the region a user selects from a dropdown menu, or it might restrict access to certain features based on the data a user enters into a specific area of the application. You might also want to provide a crawl script to Dynamic Analysis or DAST Essentials if the results show that certain pages or functionality were not crawled.

A Dynamic Analysis or DAST Essentials scan can use heuristics to navigate an application. However, to fully understand the business logic around how data is exchanged between the database and the user interface, you must use crawl scripts or augment the analysis with Manual Penetration Testing.

Remove pre-populated values

  • Cache and cookies: Always clear your browser cache and cookies before recording. When Dynamic Analysis or DAST Essentials scans a web application for the first time, it cannot use any information saved in the cache, cookies, or local storage, so the script must not depend on state that exists only in your browser.
  • Input fields: If the browser autopopulates any input field, such as a username, Selenium does not record that value in the script. Clear autofilled values before recording so that every required input is captured.

Targeting elements

  • Input fields: The scan engine typically runs events on an input field while filling in the field. Adding additional mouse selections to the script, such as onFocus and onBlur events, is unnecessary and might cause problems.
  • Multiple methods: If a step fails when the script executes, use an alternate method to identify targets.
  • Elements with long waits: Any command that targets an element, such as a mouse click or type command, automatically has an implicit waitForElementPresent process that runs with a 30-second timeout. If an element takes longer than 30 seconds to load, you might need to add additional waits. We recommend adding these additional waits sparingly, as they can increase your scan duration or cause other scan issues.

Recording sequence

When recording your script, we recommend you use the following sequence in this order:

  1. Open the webpage.
  2. Wait for the sign in page to load.
  3. Enter the username and password. If the username and password fields are on different pages, after entering the username, include a step, such as selecting Next on the page with the username field, to go to the next page, then enter the password.
  4. Select Submit.
  5. Wait for the next page to load and validate that a specific element is visible.

Reference a variable in a script

Before you begin:

  • Create the scanner variable under Scanner Variables in the Veracode Platform and note its Reference Key. The script references the variable by that key.

To complete this task:

  1. Open your script in the Selenium IDE or a code editor.

  2. Add a command or edit an existing command in which you want to reference the scanner variable.

  3. For the command value, enter the scanner variable reference key as ${<My_variable_key>}, where My_variable_key is your reference key name. This must match the Reference Key field under Scanner Variables in the Veracode Platform.

    For example, a login script for a URL that requires multifactor authentication can reference ${TOTP_SECRET}, a scanner variable whose reference key is TOTP_SECRET and whose value is the TOTP secret. The type command that references it types the secret on the sign in page of the web application.

  4. Save your Selenium project or script.

  5. When the script is complete, you can upload it to your analysis.
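Bringing together the scripting best practices, the recording sequence, and the scanner variable reference above, here is an added example that is not Veracode code: a constructed login script in the .side command structure that follows the recommended sequence and references ${SCAN_PASSWORD} and ${TOTP_SECRET}, together with a linter that checks a parsed .side project against the supported command list and the best practices before you upload it. The URL, element ids and reference keys are made up; treating the waitForPageToLoad target as milliseconds and ${KEY_*} names as Selenium IDE key constants rather than scanner variables are assumptions.

```python
"""Lint a Selenium IDE login script against the supported command list and the
scripting best practices before uploading it to DAST Essentials.

Added example, not Veracode code. LOGIN_COMMANDS is a constructed script whose
URL, element ids and SCAN_PASSWORD / TOTP_SECRET reference keys are made up.
Treating the waitForPageToLoad target as milliseconds and ${KEY_*} as Selenium
IDE key constants (not scanner variables) are assumptions."""
import re
import uuid

# Commands from the support table, plus waitForElementVisible from the best practices.
SUPPORTED = {
    "assertAlert", "assertPrompt", "assertConfirmation", "assertChecked",
    "assertElementPresent", "assertText", "verifyText", "assertTextPresent",
    "verifyTextPresent", "check", "uncheck", "click", "clickAndWait", "clickAt",
    "deleteAllCookies", "doubleClick", "doubleClickAndWait", "fireEvent", "focus",
    "keyUp", "keyDown", "keyPress", "mouseDown", "mouseUp", "mouseOver", "mouseMove",
    "mouseOut", "open", "close", "pause", "refresh", "runScript", "select",
    "selectAndWait", "selectFrame", "selectPopUp", "selectWindow", "submit", "type",
    "typeKeys", "sendKeys", "verifyHtmlSource", "waitForElementToLoad", "waitForTitle",
    "waitForTextPresent", "waitForElementPresent", "waitForFrameToLoad",
    "waitForPageToLoad", "waitForElementVisible",
}
# Commands whose target is an element locator rather than a URL, pattern, window or timeout.
LOCATOR_COMMANDS = {
    "assertChecked", "assertElementPresent", "assertText", "verifyText", "check", "uncheck",
    "click", "clickAndWait", "clickAt", "doubleClick", "doubleClickAndWait", "fireEvent",
    "focus", "keyUp", "keyDown", "keyPress", "mouseDown", "mouseUp", "mouseOver", "mouseMove",
    "mouseOut", "select", "selectAndWait", "submit", "type", "typeKeys", "sendKeys",
    "waitForElementToLoad", "waitForElementPresent", "waitForElementVisible",
}
TEXT_CHECKS = {"assertTextPresent", "verifyTextPresent"}
SIGNIN_CHECKS = {"waitForElementVisible", "waitForElementPresent", "assertElementPresent"}
SUBMITS = {"click", "clickAndWait", "submit", "sendKeys"}
VAR_REF = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def lint_commands(commands, reference_keys):
    """Return findings as strings; an empty list means the script passed every check."""
    findings, names = [], [c["command"] for c in commands]
    for i, c in enumerate(commands):
        cmd, target, value = c["command"], c.get("target", ""), c.get("value", "")
        if cmd not in SUPPORTED:
            findings.append(f"#{i} {cmd}: not in the supported command list")
            continue
        if cmd == "pause":
            findings.append(f"#{i} pause: avoid pauses; each target already gets an implicit 30 s wait")
        if cmd in LOCATOR_COMMANDS and not target.startswith("id="):
            findings.append(f"#{i} {cmd}: target {target!r} should use an id= locator")
        if cmd == "waitForPageToLoad" and target.isdigit() and int(target) > 60000:
            findings.append(f"#{i} waitForPageToLoad: timeout {target} ms exceeds the 60 s maximum")
        for key in VAR_REF.findall(f"{target} {value}"):
            if not key.startswith("KEY_") and key not in reference_keys:
                findings.append(f"#{i} {cmd}: ${{{key}}} matches no scanner variable reference key")
    after_open = [n for n in names if n != "open"]
    if not after_open or not after_open[0].startswith("waitFor"):
        findings.append("script does not wait for the page to load before interacting with it")
    last_submit = max((i for i, n in enumerate(names) if n in SUBMITS), default=-1)
    if not any(n in SIGNIN_CHECKS for n in names[last_submit + 1:]):
        findings.append("no command after the final submit validates successful sign-in")
    if not names or names[-1] not in TEXT_CHECKS:
        findings.append("script should end with assertTextPresent or verifyTextPresent")
    return findings


def lint_side(project, reference_keys):
    """Lint every test in a parsed .side project; returns {test name: findings}."""
    return {t["name"]: lint_commands(t["commands"], set(reference_keys)) for t in project["tests"]}


def cmd(command, target="", value=""):
    """One .side command entry in the shape Selenium IDE writes."""
    return {"id": str(uuid.uuid4()), "comment": "", "command": command,
            "target": target, "targets": [], "value": value}


LOGIN_COMMANDS = [                                      # recommended recording sequence
    cmd("open", "https://app.example.test/login"),
    cmd("waitForPageToLoad"),                           # wait before interacting (default 30 s)
    cmd("type", "id=username", "scan-user"),
    cmd("click", "id=next"),                            # username and password on separate pages
    cmd("waitForElementPresent", "id=password"),
    cmd("type", "id=password", "${SCAN_PASSWORD}"),     # scanner variable, not a literal secret
    cmd("click", "id=sign-in"),
    cmd("waitForElementPresent", "id=totp"),
    cmd("type", "id=totp", "${TOTP_SECRET}"),           # scanner variable holding the TOTP secret
    cmd("click", "id=verify"),
    cmd("waitForElementVisible", "id=logout-link"),     # validates that sign-in succeeded
    cmd("verifyTextPresent", "Welcome, scan-user"),     # text verification ends the script
]
GOOD_PROJECT = {"version": "2.0", "name": "login", "url": "https://app.example.test",
                "tests": [{"id": "t1", "name": "login", "commands": LOGIN_COMMANDS}]}
BAD_COMMANDS = [                                        # the mistakes the best practices warn about
    cmd("open", "https://app.example.test/login"),
    cmd("pause", "5000"),
    cmd("type", "css=#username", "scan-user"),
    cmd("clickAndWait", "id=next"),
    cmd("type", "id=password", "${PASSWORD}"),          # key not declared under Scanner Variables
    cmd("click", "id=sign-in"),
    cmd("type", "id=totp", "${OTP}"),
    cmd("click", "id=verify"),                          # no sign-in validation, no text check
]
BAD_PROJECT = {"version": "2.0", "name": "login-bad", "url": "https://app.example.test",
               "tests": [{"id": "t2", "name": "login-bad", "commands": BAD_COMMANDS}]}

if __name__ == "__main__":
    for project in (GOOD_PROJECT, BAD_PROJECT):
        for name, findings in lint_side(project, ["SCAN_PASSWORD", "TOTP_SECRET"]).items():
            print(name, "->", findings or "OK")
```

Run the linter with the exact reference keys you created under Scanner Variables: a key that passes the regex but is not declared in the Platform would otherwise be typed literally as ${NAME} into the sign in form and the prescan would report the script as failing.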