Scan web applications
Use DAST Enterprise mode to configure authentication for web applications using login scripts, scanner variables, and client certificates. Veracode systematically crawls one or more URLs to perform a comprehensive scan of the application and identify security vulnerabilities. The scan results highlight issues that require prompt resolution.
Create a scan
You can create a web application scan in the Veracode Platform using DAST.
Before you begin:
- You must have a Veracode account with the Administrator, Creator, Submitter, or Security Lead role.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans and Analysis > DAST.
- Select ADD TARGET.
- Select A web application.
- Select NEXT.
- Select Full scan.
- Select NEXT.
- For TARGET NAME, enter a name for the analysis. Ensure the name is unique to your organization and provides a human-readable description of the analysis.
- For URL or IPv4, enter the base URL with protocol (http:// or https://). By default, the DAST scanner follows http:// or https:// URLs regardless of the protocol in the target URL.
  Note:
  - To scan an internal IP address with Internal Scanning Management (ISM), enter the base URL in URL or IPv4. After you create the target, set up ISM on the target configuration page.
  - The following targets are invalid: http://localhost, https://localhost, http://127.0.0.1, https://127.0.0.1
- For TEAM, select a team from the available options.
- To certify that your organization has the right to scan the content, select the checkbox.
- Select CREATE TARGET.
Configure a scan
After you create a web application scan in the Veracode Platform in DAST, you can configure it. Use Internal Scanning Management (ISM) if the server is behind a firewall.
Before you begin:
- You must have a Veracode account with the Administrator, Creator, Submitter, or Security Lead role. Any member of the team associated with the web application scan can view the analysis and its results.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans and Analysis > DAST.
- Locate the web application you want to configure. In the Actions column, select Configure.
- To configure the base URL, select the General tab. Here you can edit the base URL and configure protocol support (http:// or https://). When both protocols are allowed, the DAST scanner follows http:// or https:// URLs regardless of the protocol in your target URL.
- To manage crawler access to specific URLs, select the URL Configuration tab:
- To add or update URLs that you want to allow the crawler and scanners to access, in the Allowed URLs section, select ADD URL. Select the required Protocol and provide the URL. Select OK.
- To add or update URLs that you do not want to allow the crawler and scanners to access, in the Blocked URLs section, select ADD URL. Select the required Protocol and provide the URL. Select OK.
- To ensure a comprehensive scan, in the Enterprise mode section, you can upload a crawl script.
- In the Duration tab, configure the maximum scan duration.
- In the Scanners tab, select the scanners that should be executed for this web application scan and exclude the ones that you do not want to execute.
- In the Authentication tab, configure the authentication methods that the analysis uses to access your URLs.
- In the Automation tab, create a schedule to run the analysis.
- Use ISM to access internal servers that are behind a firewall or not exposed to the public internet.
- Select SAVE. All the configuration changes that you save take effect with the next scan.
Upload a crawl script
Provide Veracode with a crawl script containing the necessary input for the DAST scan engine to access all areas of the application. This ensures a comprehensive scan of your application.
Before you begin:
- Ensure you have recorded the crawl script using the Selenium IDE with supported Selenium commands and saved it as an HTML or SIDE (JSON format) file. The file cannot be larger than 5 MB.
- Review the best practices.
The following tasks continue from step 6 of configure a scan.
To complete this task:
- In the Enterprise mode section, for Crawl Script, select the crawl script file from the File Explorer and upload it.
- For Crawl options, select Use the automated crawl engine in addition to the crawl script. To limit the scan to only the actions defined in the crawl script, select Scan only what is specified in the crawl script.
- Select SAVE.
DAST runs the crawl script during prescan and provides information about commands that might fail during the URL scan.
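Because a crawl script is validated only when the target is saved and then exercised during prescan, it helps to check the file locally before uploading. The following pre-upload check is an added example and not Veracode's own tooling: it parses a Selenium IDE SIDE (JSON) project, enforces the 5 MB limit stated above, flags commands outside an assumed set of supported Selenium IDE commands (the set `KNOWN_COMMANDS` is a placeholder for this example; consult Veracode's published list for the real one), and lists the `type` commands that feed a password field, since the script carries scan credentials and should be handled as a secret. The embedded SIDE project is constructed for the example.

```python
import json
from pathlib import Path

# Limit stated in the Veracode documentation for crawl script uploads: 5 MB.
MAX_SIZE_BYTES = 5 * 1024 * 1024

# ASSUMPTION for this example: a placeholder set of Selenium IDE commands that
# we treat as uploadable. Veracode publishes its own list of supported
# commands; replace this set with that list before relying on the check.
KNOWN_COMMANDS = {
    "open", "click", "type", "sendKeys", "select", "submit",
    "setWindowSize", "waitForElementVisible", "pause",
}

# Constructed minimal Selenium IDE project (.side layout), not a recording
# from a real application. The password value is a placeholder.
SAMPLE_SIDE = {
    "id": "example-project-id",
    "version": "2.0",
    "name": "login-and-browse",
    "url": "https://shop.example.test",
    "tests": [{
        "id": "test-1",
        "name": "login",
        "commands": [
            {"id": "c1", "command": "open", "target": "/login", "value": ""},
            {"id": "c2", "command": "type", "target": "id=username", "value": "scanuser"},
            {"id": "c3", "command": "type", "target": "id=password", "value": "<placeholder>"},
            {"id": "c4", "command": "click", "target": "css=button[type=submit]", "value": ""},
            # executeScript is deliberately outside KNOWN_COMMANDS so the check reports it.
            {"id": "c5", "command": "executeScript", "target": "return 1", "value": ""},
        ],
    }],
    "suites": [],
    "urls": [],
    "plugins": [],
}


def check_side_document(doc, size_bytes):
    """Return a list of findings that would likely cause upload or prescan problems."""
    findings = []
    if size_bytes > MAX_SIZE_BYTES:
        findings.append(f"file size {size_bytes} bytes exceeds the 5 MB limit")
    base = doc.get("url", "")
    if not base.startswith(("http://", "https://")):
        findings.append(f"project url {base!r} is not an http(s) URL")
    tests = doc.get("tests") or []
    if not tests:
        findings.append("no tests recorded in the project")
    for test in tests:
        for idx, cmd in enumerate(test.get("commands", []), start=1):
            name = cmd.get("command", "")
            if name not in KNOWN_COMMANDS:
                findings.append(
                    f"test {test.get('name')!r} command {idx}: {name!r} "
                    "is not in the assumed supported command set"
                )
    return findings


def credential_commands(doc):
    """Return 1-based positions of `type` commands whose target names a password field."""
    hits = []
    for test in doc.get("tests") or []:
        for idx, cmd in enumerate(test.get("commands", []), start=1):
            if cmd.get("command") == "type" and "password" in cmd.get("target", "").lower():
                hits.append(idx)
    return hits


def check_side_file(path):
    """Read a .side file from disk and run both checks on it."""
    raw = Path(path).read_bytes()
    doc = json.loads(raw)
    return check_side_document(doc, len(raw)), credential_commands(doc)


if __name__ == "__main__":
    for line in check_side_document(SAMPLE_SIDE, size_bytes=2048):
        print("finding:", line)
    print("credential commands at positions:", credential_commands(SAMPLE_SIDE))
```

Run the check on the exported `.side` file with `check_side_file("login.side")` before uploading; an empty findings list means the file is within the size limit, starts from an http(s) URL and uses only commands in the assumed set.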
URL configuration
The DAST crawlers have various intelligent algorithms that aim to reduce the number of pages crawled automatically. You can manage crawler access to specific URLs using the URL Configuration tab in the target configuration.
Allowed URLs
DAST only scans pages and requests that are subpaths of your target URL to avoid scanning additional targets that are out of scope for your target. However, modern applications often send requests to various back-end APIs, primarily through JavaScript. If these APIs are not a subpath of the target URL, they will initially not be scanned, but you have the option to allow scanning by adding URLs to the allowed URLs list.
The allowed URLs will also be considered for navigational links in your web application during crawling, for redirects, and to check if a request should be scanned or not. You can specify allowed URLs in the configuration of your target on the URLs tab. By default, you will be allowed to add allowed URLs that are subdomains of your target URL. However, if you require a different URL to be allowed for scanning, contact Veracode Technical Support to verify that you are entitled to perform scans against the domain you want to add.
Blocked URLs
To improve scanning speeds for web applications with a large number of pages, you can add page URLs to the Blocked URLs list to exclude the pages from the scan.
By adding a URL to the blocked URLs in a target, you can ensure that this URL and all subpaths are no longer crawled and scanned. This might, for example, make sense if your application has one or multiple modules which should be excluded.
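The scoping rules in the URL configuration section (target subpaths are in scope, allowed URLs widen the scope, blocked URLs exclude a path and everything beneath it, both http:// and https:// are followed, and localhost or 127.0.0.1 targets are rejected) can be modelled in a few lines, which is useful when deciding what to put in each list before a scan. The function below is an added example, not Veracode's scoping code; the hosts and paths are constructed, and the subdomain test in `allowed_url_needs_support_request` encodes the documentation's statement that non-subdomain allowed URLs require a request to Veracode Technical Support.

```python
from urllib.parse import urlsplit

# Targets the documentation lists as invalid: localhost and the IPv4 loopback address.
INVALID_TARGET_HOSTS = {"localhost", "127.0.0.1"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed configuration for the example.
TARGET = "https://shop.example.test/"
ALLOWED = ("https://api.shop.example.test/v1/",)   # a subdomain of the target
BLOCKED = ("https://shop.example.test/admin/",)    # a module excluded from the scan


def _host_and_path(url):
    """Return (lower-cased host, path with exactly one trailing slash)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    path = parts.path or "/"
    return parts.hostname.lower(), path.rstrip("/") + "/"


def is_subpath(url, base):
    """True when url is on the same host as base and at or below base's path.

    The scheme is ignored, mirroring the scanner following http:// or
    https:// URLs regardless of the protocol in the target URL. The trailing
    slash keeps /app from matching /application.
    """
    host, path = _host_and_path(url)
    base_host, base_path = _host_and_path(base)
    return host == base_host and path.startswith(base_path)


def validate_target(url):
    """Raise ValueError for target URLs the documentation says are invalid."""
    host, _ = _host_and_path(url)
    if host in INVALID_TARGET_HOSTS:
        raise ValueError(f"invalid target host: {host}")
    return True


def allowed_url_needs_support_request(target, allowed):
    """True when the allowed URL is neither the target host nor one of its subdomains."""
    target_host, _ = _host_and_path(target)
    host, _ = _host_and_path(allowed)
    return not (host == target_host or host.endswith("." + target_host))


def in_scope(url, target, allowed=(), blocked=()):
    """Decide whether the crawler and scanners should touch url.

    Blocked URLs win over everything else; otherwise the URL must be a
    subpath of the target or of one of the allowed URLs.
    """
    try:
        _host_and_path(url)
    except ValueError:
        return False  # mailto:, javascript: and similar links are never scanned
    if any(is_subpath(url, b) for b in blocked):
        return False
    return is_subpath(url, target) or any(is_subpath(url, a) for a in allowed)


if __name__ == "__main__":
    validate_target(TARGET)
    for candidate in (
        "https://shop.example.test/account",
        "http://shop.example.test/cart",
        "https://shop.example.test/admin/users",
        "https://api.shop.example.test/v1/orders",
        "https://cdn.thirdparty.test/lib.js",
    ):
        print(f"{candidate}: {'scan' if in_scope(candidate, TARGET, ALLOWED, BLOCKED) else 'skip'}")
```

Reading the output against the lists makes the trade-off concrete: a third-party host such as the CDN above stays out of scope until it is added as an allowed URL, and because it is not a subdomain of the target that addition is the case where the documentation says to contact Veracode Technical Support first.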
Review the scan results
You can review the scan results for web application scans in the Veracode Platform.
Before you begin:
- You must have a Veracode account with the Creator, Reviewer, or Security Lead role unless the results are linked to an application profile that you have permission to view.
- You have created a web application scan and run it.
- The analysis run must have finished.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans and Analysis > DAST.
- Locate the web application you want to review and select the target using the hyperlink.
- To review the web application scan history, in the URL column of the table, select the hyperlink.
For more information, see understanding the scan results.