Adding web applications

Add the web applications you want to scan for security risks - vulnerabilities, malware and sensitive contents.

A few things to consider...

Have you thought about the web application settings you should use? We can help you sort this out quickly - review the basics for some ideas.

Web Applications - The Basics

I'm ready to add a web application. What are the steps?

Go to Web Applications and click the New Web Application button. Select Blank and our wizard will help you build the web asset from scratch.

Are there other ways to add web applications?

Yes, there are 3 other ways to add a web application to your account.

Import a web application in a CSV file - Go to Web Applications and select the Import option above the list. Follow the instructions to create your CSV file, and tell us where the file is located. Be sure to click the Import button.

Select web applications from your catalog - Your catalog shows you web applications found in your vulnerability scans and maps (from the VM application). Go to Web Applications > Catalog to select web applications that you want to add to your subscription.

Save and edit a copy of an existing web application - Go to Web Applications, select a web application and choose Save As from the menu (or edit the web application and click Save As in the wizard). Give the new web application a name and then edit the settings as you wish.

I need help with the web application settings

Tell me more about:

Tags

Tagging is a good way of organizing your web applications (and other objects in your subscription. You can use tags to choose target web applications for scans and reports. By assigning a web application tag to the scope of a user, you give that user access to the web application.

Want to define tags? It's easy - just go to the CyberSecurity Asset Management (CSAM) application.

The crawl scope

The crawl scope settings you select determines where the scan will go. You can limit crawling to:

The URL host name

The scope will be limited to the hostname within the URL (example: http://10.10.26.238), using HTTP or HTTPS and any port. All links discovered on the 10.10.26.238 domain will be in scope. For example, all links discovered in http://10.10.26.238/support/ and https://10.10.26.238:8080/logout/ will be in scope. Links outside the 10.10.26.238 domain are out of scope.

Links located at or below the URL subdirectory

The scope will be limited to the URL subdirectory (example: http://10.10.26.238/), using HTTP or HTTPS and any port. All links starting with http://10.10.26.238/ will be in scope. For example, http://10.10.26.238/headlines/ and https://10.10.26.238:8080/ will be in scope.

URL hostname and a specified sub-domain

The scope will be limited to URL (example: http://10.10.26.238/), using HTTP or HTTPS and any port. All links discovered in 10.10.26.238 will be in scope. For example, links like these will be in scope: http://10.10.26.238/support/, and https://10.10.26.238:8080/logout/. Any link whose domain does not match the web application URL hostname will be out of scope.

URL hostname and specified domains

The scope will be limited to the URL hostname (example: http://10.10.26.238/), using HTTP or HTTPS and any port. All links discovered in 10.10.26.238 will be in scope. This means these links will be included: http://10.10.26.238/support/ and https://10.10.26.238:8080/logout/. Links whose domain does not match web application URL hostname or one of the domains specified will be out of scope. For example, http://cdn. will not be included.

Crawl settings

You have the option to upload Selenium scripts to further configure crawl settings for the web application. Use Selenium scripts to record paths you want crawled in addition the scan's standard crawling. This enables us to crawl complex workflows, such as selecting user input combinations that require certain knowledge and/or user interaction. Use Qualys Browser Recorder to create a Selenium scripts. Learn more

Authentication records

You'll want to choose authentication records to be used during scans. Authentication enables our service to do a more in-depth assessment of your web application. The authentication records available to you are listed in the drop-down. To create an authentication record, go to Web Application > Authentication > New Record. Learn more

Malware Monitoring

We can perform regular checks for malware on your external web applications if you enable Malware Monitoring. Once enabled, we'll run a daily malware scan. You'll see a information about any malware detections on your dashboard. Learn more

Tell me about web assets

What are web assets?

When you add a web application we'll build a web asset in your subscription if it doesn't already exist. This asset has a name, URL and tags (optional) and it can be easily configured for other web applications like WAF.

Where can I see my assets? You'll see an inventory of all the assets you have access to in the CyberSecurity Asset Management (CSAM) application.

Permissions to web assets

Users who are not Managers need to be granted access to web assets. A Manager can do this by going to the Administration utility, editing the users' accounts, and assigning web application tags to the user scopes.

Why tag web assets?

Tagging web assets lets you grant users access to them. It also gives you a convenient way to manage large volumes of web applications. For reports, for example, you can select web application tags as the report target.