URL configuration for web application scans
In the Veracode Platform, you can configure Dynamic Analysis scan settings for each web application.
On the Configuration page for a web application URL, provide detailed information about the URL scan.
URL information
Enter a starting URL for your scan, including any custom ports. Select the checkbox if you want to include both the http://
and https://
address in the scan.
The scan starts at this webpage and then searches the entire website. Choose a URL that enables the scan to crawl all the pages on the site and adheres to these rules:
- You must precede URLs with
http://
orhttps://
- You must end directory names with a slash (/)
- Acceptable formats are full hostname, such as
http://www.example.com
, or hostname and directory, such ashttp://example.com/dir/
- Do not use wildcards in the target URL
- You are not allowed to use wildcards in the Allowlist and Exclude URLs fields to include or exclude multiple pages or portions of a site all at one time
- You can specify a page as a target URL, for example,
http://www.example.com/dir/my_page
Directory Restrictions
Select the dropdown menu to choose how to restrict the scan of the directories at the URL:
- Directory and Subdirectories: allow the scan to crawl within the specified directory and any subdirectories, but not to crawl up from the starting point.
- Directory Only: allow the scan to stay within the specified directory and not crawl up or down from it.
- No Restrictions: allow the scan to crawl up and down from the specified directory.
Authentication
If the URL requires authentication, such as sign in credentials, select Required and an authentication method.
Scanner Variables
You configure scanner variables in the Veracode Platform to define information that you can reference in your login scripts for web application scans. The variables consist of a reference key and value. You typically create scanner variables that define sign in credentials you want to keep safe and reuse in multiple scripts.
To indicate that the variable defines a time-based one-time password (TOTP) secret for multifactor authentication, select TOTP seed. For more information, see Configure scanner variables.
Scan Controls
Number of Concurrent Browsers
In the Browsers field, enter the maximum number of browsers that can run Dynamic Analysis scan processes at the same time. The scan processes include crawling and auditing the URLs for your web applications. The value range is 1
to 12
and the default is 4
.
Reducing the number of concurrent browsers can significantly increase the time for scans to complete.
Similarity Threshold
Select a threshold to control which web pages the analysis ignores based on the similarity of the content on each page. Ignoring similar pages excludes them from the analysis results. The scanner compares each web page with the other pages it previously scanned to identify pages with similar content. It uses the selected threshold to determine which similar pages to ignore during the analysis.
For example, if the web application contains several similar pages, and you select Most Strict, the analysis is more likely to include these pages. If you select Least Strict, the analysis is more likely to ignore these similar pages and exclude them from the results. Depending on the number of pages and their size, an analysis with a more strict threshold might take longer to complete.
URL-Specific Blocklist and Allowlist
Exclude URLs that you do not want the Dynamic Analysis to scan. You can also change the scope of the blocklist by excluding the HTTP or HTTPS versions.
By default, the Dynamic Analysis scan engine scans all subdirectories under the top-level domain. Because Veracode does not automatically scan the subdomains, you can include them in the scope of the scan by specifying them in the Allowlist tab. You can also change the scope of the URL scan by excluding the HTTP or HTTPS versions.
Crawl Script
To ensure a comprehensive scan, you can upload a login script as an HTML file or SIDE (JSON format) file (<5 MB) containing a single script or test suite.
Internal Scanning
If you want to scan an internal application hosted behind a firewall, you need to select a gateway and endpoint that can reach it. To use Veracode Internal Scanning Management, you must have already configured an ISM gateway and endpoint.
Gateway
Select the gateway associated with an endpoint that can access the URL. If you select a gateway that is not associated with an accessible endpoint or is not ready for scanning, the Dynamic Analysis fails.
Endpoint
Select an endpoint that can access the URL. If you select an endpoint that is not reachable by the URL or is not ready for scanning, the Dynamic Analysis fails. The scan identifies the endpoints as Ready
, Pending
, or Offline
.
All of your configured gateways and endpoints are available for selection. If you do not know which gateways and endpoints are reachable by the URL, work with your ISM administrators to identify them.
Advanced Options
User Agent
Enter customized details of your browser to ensure the scan crawls for known vulnerabilities for that specific browser and returns information specific to the respective environment.
Custom Host
If you do not want Veracode to perform a DNS lookup to obtain the IP address for the target host of your scan or if your target host does not have a DNS entry, you can enter one or more custom host-to-IP resolutions. Wildcards, slashes, or filepaths are not permitted. Private or internal IP addresses are only allowed if you have selected a gateway and endpoint in the Internal Scanning section.