Advanced Mode

Run a scan with advanced settings

In the NEW SCAN dialog box, select the Advanced tab to create a scan with expanded settings.

📘

Note

The required settings fields are marked with *. The tabs that include required fields show a counter, where the first digit is the number of completed required fields and the second is the total number of required fields in that tab. Once you complete all the required fields in a tab, the counter next to the tab name turns green. Additionally, the number of missing or incorrect settings is shown as REMAINING ERRORS at the bottom of the dialog box.

Specifying Scan Details

In the Scan Details tab, do the following:

  1. In the Scan name field, enter any free-text name for this scan.
  2. From the Project dropdown list, select the Nexploit project you want to use for the scan.

📘

Note

You can start a scan ONLY if a project is selected. If you do not have any projects in the NeuraLegion App, select the Default one.

  3. (Optional) If you have integrated the selected project with a ticketing system, you can connect the associated repository for the scan in the Integrations field. The detected issues will be automatically opened as tickets/issues/messages in the integrated repository.
  4. (Optional) To make the scan definition process faster, in the Templates tab, you can select a predefined set of scan settings. NeuraLegion provides the following types of predefined scan settings:
  • OWASP Top 10 (2017) – The engine only runs the tests for the vulnerabilities included in the "OWASP Top 10" list for 2017.
  • MITRE Top 25 (2019) – The engine only runs the tests for the vulnerabilities included in the "MITRE Top 25" list for 2019.
  • MITRE Top 25 (2020) – The engine only runs the tests for the vulnerabilities included in the "MITRE Top 25" list for 2020.
  • API Scan – Predefined tests that are relevant for API targets.
  • Light Scan – This is a preconfigured, optimized scan during which the engine automatically determines which tests to run, based on the data types that are detected. Some tests are skipped in favor of speed.
  • Deep Scan – All possible tests are performed during the scan. This is the most thorough scan, and it takes the longest time to complete.
  • Passive Scan – The engine selects only host-based passive tests to be run.
  • (Optional) Custom (own) templates – Scans configured manually by a user and saved as templates.

Once you select a template, you can view the predefined scan settings below the Scan Templates field. To apply these settings for a new scan, click Apply next to the selected template.

👍

Tip

In addition, you can define your own scan templates. See Managing Scan Templates for more information.

Defining Scan Targets

In the Scan Targets tab, do the following:

  1. In the Discovery Types field, select one of the following ways your application attack surface should be mapped (depending on your subscription) – Crawler, Recording (HAR) or Open API:
  • Crawler – This is the simplest option. Simply enter a URL (target host) to scan the whole application or a part of it. The crawler will map the entire application attack surface automatically.

    To scan only specific parts of your application or add multiple hosts, click at the right side of the Targets section. In this case, only the specified sections of the application and everything downstream from them will be scanned.

    Note that some hosts may be unreachable or unauthorized for a direct scan from the cloud. If a host cannot be reached by the engine, select a running Repeater for the scan in the Network Settings section. If a host is unauthorized for a direct scan from the cloud, either select a running Repeater for the scan or add a .nex file to the host root directory (read more information here).

    See Scanning a website with a crawler for detailed information.

  • Recording (HAR) – Use a pre-recorded session of your application (HAR file), created either manually or automatically (using QA tools such as Selenium). This discovery type enables you to define the scope of a scan and store login information in order to scan areas in your application that require authentication.

    See Creating a HAR File to learn how to create a HAR file.

    Note that some hosts may be unreachable or unauthorized for a direct scan from the cloud. If a host cannot be reached by the engine, select a running Repeater for the scan in the Network Settings section. If a host is unauthorized for a direct scan from the cloud, either select a running Repeater for the scan or add a .nex file to the host root directory (read more information here).

    See Scanning a website with a HAR file for detailed information.

👍

Tip

To enjoy both full automation and deeper attack surface analysis, you can combine Crawling and Recording (HAR) in a single scan!

  2. (Optional) If you are going to scan a target on a local network, select a Repeater to use for the scan. The list includes the global Repeaters and the Repeaters created for the selected Project. A Repeater is created in the Repeaters section and serves as a request proxy between NeuraLegion and the target hosted on a local network. See On-Premises Repeater (Agent) for more information.
  3. (Optional) In the Coverage Exclusions section, enter the URLs and parameters that NeuraLegion should ignore during scanning.
  4. (Optional) In the Attack Surface Optimization section, you can use the following options to optimize the scanning flow:
  • Stop scan, if target does not respond for – Set a global limit on the response duration for the scan target. If the specified duration is exceeded, the scan is stopped automatically. The default value is 5 min.
  • Smart scan – Specify whether to use automatic smart decisions (such as parameter skipping, detection phases and so on) to minimize scan time. When this option is turned off, all tests are run on all parameters, which increases coverage at the expense of scan time.
  • Skip static parameters – Specify whether to skip static parameters to minimize scan time.
  • Skip entry points, if response is longer than – Set a limit on the response duration for entry points to minimize scan time. If the specified duration is exceeded, the entry point is skipped. The default value is 1000 ms.
  • Target Parameter Locators – Specify the URL scope to be scanned, as follows:
    • URL Path – The main part of the URL, after the hostname and before the query parameters, identifies the specific resource on the host that the client wants to access. In some cases (such as API endpoints), it may contain dynamic parameters (for example, an object id). Enabling parsing and testing of the URL path will significantly increase the attack surface, as well as the overall scan time.
    • Headers – Request headers provide additional information from the client to the server in each HTTP request, such as cookies, information formats, security settings and so on. Enabling parsing and testing of all possible headers will significantly increase the attack surface, as well as the overall scan time. You can optimize this by specifying the custom headers manually. To enable selection of custom headers, select both the Headers and Smart scan checkboxes. This opens an additional field where you can enter a comma-separated list of custom headers that should be parsed and tested for injections within the scan scope.
    • URL Query – The query string (after the question mark (?) and, if relevant, before the hash sign (#)) provides additional information from the client to the request, such as data to search for in the target resource.
    • URL Fragment – The last part of a URL, after the hash sign (#), is used as an internal page reference or by DOM elements such as JavaScript; it is only used on the client side.
    • Body – A request body can contain anything. In many cases, it contains data bytes transmitted from the client to the server, such as files.
    • Artificial URL Query – A URL query added artificially to check whether it can be manipulated for attacks.
    • Artificial URL Fragment – A URL fragment added artificially to check whether it can be manipulated for attacks.
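As an added illustration (not NeuraLegion's own code), the following Python script takes a constructed HAR request entry and lists the parameters each enabled Target Parameter Locator would expose, showing how turning on URL Path and Headers widens the attack surface and how the custom header list narrows it again. The parsing rules (for example, treating numeric path segments as dynamic ids) and the default locator set are assumptions for illustration, not the engine's documented behaviour.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed HAR request entry for illustration; not a real recording.
HAR_ENTRY = json.loads("""{
  "request": {
    "method": "POST",
    "url": "https://app.example.test/api/users/42/orders?sort=date&page=2#tab=open",
    "headers": [{"name": "Cookie", "value": "session=abc"},
                {"name": "X-Request-ID", "value": "7f3a"},
                {"name": "Content-Type", "value": "application/x-www-form-urlencoded"}],
    "postData": {"mimeType": "application/x-www-form-urlencoded",
                 "text": "item=17&note=hello"}
  }
}""")

DEFAULT_LOCATORS = {"query", "body"}  # assumed default selection
ALL_LOCATORS = {"path", "headers", "query", "fragment", "body"}

def _keys(qs):
    return [k for k, _ in parse_qsl(qs, keep_blank_values=True)]

def extract_parameters(entry, locators, custom_headers=None):
    """Return {locator: [parameter names]} for the enabled locators.
    custom_headers mirrors the comma-separated field shown when Headers and
    Smart scan are both selected: only those header names are tested."""
    req = entry["request"]
    parts = urlsplit(req["url"])
    found = {}
    if "path" in locators:
        # Assumption: purely numeric path segments are treated as dynamic ids.
        found["path"] = [s for s in parts.path.split("/") if s.isdigit()]
    if "headers" in locators:
        names = [h["name"] for h in req["headers"]]
        if custom_headers:
            wanted = {h.strip().lower() for h in custom_headers.split(",")}
            names = [n for n in names if n.lower() in wanted]
        found["headers"] = names
    if "query" in locators:
        found["query"] = _keys(parts.query)
    if "fragment" in locators:
        found["fragment"] = _keys(parts.fragment)
    if "body" in locators and "postData" in req:
        found["body"] = _keys(req["postData"].get("text", ""))
    return found

def count_parameters(found):
    """Total number of injection points the selected locators expose."""
    return sum(len(v) for v in found.values())
```

Comparing `count_parameters(extract_parameters(HAR_ENTRY, DEFAULT_LOCATORS))` with the same call for `ALL_LOCATORS` shows the same recorded request growing from 4 to 9 testable parameters.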

In the Network section, you can configure the following options:

  • Custom Host Placeholders – Defines host placeholders with specific addresses. For example, replacing localhost with a specific IP address.
  • Concurrent Requests – Specify the maximum concurrent requests allowed to be sent by the scan in order to control the load on your server.

Configuring Application Settings

In the Application Settings tab, do the following:

  1. Select the authentication option you want to apply for the scanned target:
  • None – Select this if the scan target does not include any authenticated resources.
  • Authentication object – For a full description of how to use an authentication object, see the Managing Your Authentications section.
  2. In the Additional Headers section, define any custom headers to be appended to, or replaced in, each request. If you need to add authentication headers, see Header Authentication.

👍

Tip

If you need to add several Additional headers, you can copy-paste them in a single Name field. The headers will be distributed among the fields automatically.

Selecting Tests for a Scan

In the Scan Tests tab, do the following:

  1. In the Modules section, select one of the following scan types (depending on your subscription):
  • DAST – Scans your application for OWASP Top 10+ issues (vulnerabilities) and many different CVEs. This is the default option.
  • Fuzzer – Scans your application for OWASP Top 10+ issues (vulnerabilities), as well as business logic vulnerabilities, 0-days and many unknown issues.

❗️

Warning

This type of scan may harm your system and so must only be used on a testing environment.

  2. In the Tests section, select the tests to be performed during the scan by checking their checkboxes.

Scheduling a Scan

In the Scheduling tab, you can schedule a scan by selecting the Enable scheduling option and then defining the scan as follows:

  • Single scan – Select date and time to schedule the scan to run once automatically.
  • Recurring scan – Define the frequency and schedule of the scan to run repeatedly automatically.

Starting a Scan

Once you complete the setup, you can run the scan immediately or save it as a template. The template will be saved to the templates list in the Templates tab. You can select any template when creating a new scan.

  • Click Save as Template to save the scan template.
  • Click Start Scan to run the preconfigured scan immediately.

📘

Note

If the maximum number of scans that can run simultaneously is exceeded, the scan is placed in the queue. The concurrent scan limit can be set either for the entire organization or for this particular project in the project settings. The new scan will start as soon as you manually stop another running scan or the current scan completes.

You can also use the Restore Default button to reset the custom settings.
