Quick Requests
• Phones on mute
• Exam
• LAB Exercises
• Presentation Slides
• Selenium Scripts
• BURP Results
• Certification Exam
• Click the “Forgot your password?” link to reset your password
Qualys Student Trial Account
• The Learning Management System (LMS) will not send trial accounts to public email domains (e.g., gmail.com, yahoo.com, hotmail.com, etc.).
• Check your email inbox (and SPAM folder) for your student trial account credentials.
• The WAS lab exercise document provides instructions for activating and setting up your student trial account.
Web Application Scanning Overview
1. Define the Application
2. Discovery Scan
3. Vulnerability Scan
4. Report
Diagram: Qualys Cloud Platform architecture. The Qualys Platform receives results from an Internal Scanner in the Corporate Environment and scans external web apps hosted at IaaS Providers; the Qualys User works through the platform. Controls shown: strong data encryption, firewalls, IDS, TLS communications.
Qualys Browser Recorder and Chrome
Benefits
• A Dynamic List updates when new QIDs meet the search criteria
• No limit on the number of QIDs in a search list
Example:
Run a scan for only SQLi
Exclude a vulnerability from a scan
Build a report for only XSS
Account Setup
An application is:
• A business function typically requiring login
• Running unique code
• Typically supported by a single or team of developers
Example site:
http://site/admin/
http://site/hr/
http://site/finance/
Scenario 1:
• Each directory is part of a single app if they are part of an Intranet Portal
• (1 app total)
Scenario 2:
• Authentication credentials are different for each, with different business functions
• (3 apps total)
Example site:
http://intranet:80/index.cgi
http://intranet:8080/index.cgi
Scenario 1:
• If the app on port 80 has links to the app on port 8080
• Links are the same business function
• (1 app total)
Scenario 2:
• If the app on port 80 doesn’t have links to port 8080
• Links are different business functions
• (2 apps total)
Example site:
http://production.domain:80/
http://qa.domain:80/
Bulk Edit:
• Owner
• Scope
• Option Profile
• Scanner Appliance
• Header Injection
• Authentication Record
Select this to crawl the hostname within the URL using http or https and any port.
Example: http://www.example.org/new
• All links in the http://www.example.org domain will be crawled:
http://www.example.org/support
http://www.example.org:8080/news
• Links from www.example.org to other hosts will not be followed:
http://video.www.example.org
http://cdn.example.org
Discovery Scan
• Validate Scope settings
• Crawl and ensure right coverage
What is a form?
Forms are used to pass data to a server.
• SmartScan support
Form Records
• Standard Login
• Custom
• Selenium Script / Qualys Browser Recorder
Server Records
• Basic
• Digest
• NTLM
White list
- Crawl specific directories or pages (within application scope).
- Content outside of the ‘white list’ is black-listed by default.
- Target a specific area of modified/updated code.
Black list
- Prevent WAS from crawling sensitive or protected locations.
Post Data Black List
- Prevent WAS from posting HTTP forms on sensitive pages (e.g., a Contact Us page).
Logout Regular Expression
- The WAS scanner will not crawl to the specified ‘logout’ links.
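The scope rule (crawl the hostname in the application URL over http or https on any port, never other hosts) and the white list, black list, post-data black list and logout regex above combine into one crawl decision. This is an added illustration written for this page, not Qualys code; it assumes the lists and the logout setting are plain regular expressions, and the URLs are the ones from the example above.

```python
import re
from urllib.parse import urlparse

# Constructed example application URL from the slide above.
BASE_URL = "http://www.example.org/new"


def same_host_scope(base_url, link):
    """True if link is on the same hostname as base_url (http/https, any port).
    Subdomains such as video.www.example.org are a different host."""
    b, u = urlparse(base_url), urlparse(link)
    return u.scheme in ("http", "https") and u.hostname == b.hostname


class CrawlPolicy:
    """Assumed model of the scope settings: regex lists plus a logout regex."""

    def __init__(self, base_url, white_list=(), black_list=(),
                 post_black_list=(), logout_regex=None):
        self.base_url = base_url
        self.white = [re.compile(p) for p in white_list]
        self.black = [re.compile(p) for p in black_list]
        self.post_black = [re.compile(p) for p in post_black_list]
        self.logout = re.compile(logout_regex) if logout_regex else None

    def should_crawl(self, link):
        if not same_host_scope(self.base_url, link):
            return False  # other host or subdomain: out of scope
        if self.logout and self.logout.search(link):
            return False  # following it would end the authenticated session
        if any(p.search(link) for p in self.black):
            return False  # explicitly protected location
        # With a white list, anything it does not match is black-listed.
        if self.white and not any(p.search(link) for p in self.white):
            return False
        return True

    def may_post_forms(self, link):
        """Crawl the page, but never submit forms on post-black-listed pages."""
        return self.should_crawl(link) and not any(
            p.search(link) for p in self.post_black)
```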
Diagram: www.yourwebapp.com is scanned from the Qualys Cloud Platform (Production 1) External Scanner Pool, shown with the addresses 64.39.106.246 and 64.39.106.249.
57 Qualys, Inc. Corporate Presentation
DNS Override Settings
DNS Override:
• Configure if DNS is not yet configured for your app that’s currently in Dev or QA
• Tag to manage assignment of DNS Override
Web Application - Form Training
Use case: For testing sites that use URL re-writing (asp.net MVC)
The Authentication tab provides a convenient place for managing both Form and Server authentication records.
No Web Service
The scan will give “No Web Service” status if the scanner:
• Cannot get a DNS lookup on the site
• Cannot reach the target because of routing
• Cannot get a web service to respond to a GET request
WASC (www.webappsec.org) divides Web vulnerabilities into six categories:
• Authentication
• Authorization
• Client-side Attacks
• Command Execution
• Information Disclosure
• Logical Attacks
Diagram: stored cross-site scripting on https://forum.corp.com, with a script loaded from https://drop.hacker.com.
1. Hacker injects code into the database
2. User requests the page (GET /page1.html); the stored hacker code is sent
3. Client executes the code
Diagram: reflected cross-site scripting on https://forum.corp.com. The request GET /q?=<script>…</script> is echoed back in the response as “Error: <script>…</script>”.
Diagram: SQL injection, with the login input johndoe ` OR 1 = 1; /* and password qualys */--
• By asking the server true and false questions and getting different results, we are able to determine whether the vulnerability is present.
Diagram: https://account.mybank.com, showing /login and the request /transfer?from=mine&to=yours (steps 3 and 4).
Directory discovery
Discovered directories are analyzed
Pages are read for mime types and content
• Results listed by vulnerability, link, type, app
• Redundant results are condensed to a base cause
• Create Templates to save report formats
• Four report types
• Schedule Reports to run when you need them
Web Application Report
• Statistics on all applications tagged in the UI
• Top 10 most vulnerable applications
• OWASP breakdowns
• Create, download, run reports
• Filter existing reports
• Add tags to reports
The scan diagnostics data provides technical details about the crawler's performance and behavior.
Troubleshoot
Selenium script
WAS Reporting
Qualys Virtual
Machine Farm
Malware Detection
Lab 7: Malware Detection
training@qualys.com