Web Application Vulnerability Scanner

Frequently Asked Questions

The Web Scanner attempts to discover vulnerabilities in your Web site. It begins by indexing your entire site looking for Web pages,then determines which tests it needs to run based on the type of Web site/pages present.

Please see the following frequently asked questions.

How do I request a scan?

Please note: We prefer you scan test or development servers. The scanner will not impact performance on a production site. However it will attempt to submit data using forms on your site. This may insert unwanted data into your database, or flood you with form generated emails. 

Send email to scanner-admin@uiso.iu.edu with the following information

  • The URL you wish to scan.
  • Any additional URLs not linked to the first URL.
  • If the site uses IU login, provide access to username “uisoscan”
  • If the site uses its own login, provide a username and you will be contacted for the password.
  • Indicate if the site is Production or Development. If Production, indicate why you are scanning it rather than a development site. 
  • Indicate if the site has forms which generate email. If it does, ujnderstand that the scanner can produce quite a lot of email by testing those forms.


What application is UISO using for Web Scanning?

UISO uses an application by WatchFire called AppScan.


What does the Web Scanner do?

The Web Scanner attempts to discover vulnerabilities in your Web site in the same way the Network Scanner looks for vulnerabilities on your host. The application starts by indexing your entire site looking for Web pages. It then determines which tests it needs to run based on the type of Web site/pages present.


How long does a scan usually take?

A scan can take anywhere from 10 minutes to 10 hours, depending on the size of the site and how many advanced features the site employs. Generally speaking, the more complicated the site, the longer it will take.


From what IP address does my website need to be accessible?

Web scans currently only originate from one server, iu-uiso-webscan.ads.iu.edu ( Please be sure your website is accessible from that address.

Please note, if your host is regularly scanned by the network scanner then you should already have exempted this IP address.

You do have your host regularly scanned by the network scanner, right? :)


My application requires a login credential. Is that OK?

Yes. If you are authenticating IU users (either via CAS or LDAP/Kerberos), please ensure you grant access to the username uisoscan (ads\uisoscan).

If your access control is local, please create a local username (preferably named uisoscan) and password/passphrase for the scanner. You may reply to the confirmation email you receive upon submission of the scanner request form with the appropriate credential.

Important: please ensure that you assign the uisoscan user permissions at whatever privilege level you would like the scanner to scan. For instance, if you have an admin interface that you want scanned, uisoscan must be able to access it, as any other user would.


Why should I have my Web site scanned?

A better question might be Why wouldn't you want it scanned? What would be the damage if someone broke into your Web site? Is there sensitive data present? Would you be liable under the law? What would happen if your Web site were defaced? What if it were used to distribute illegal content?

System administrators face these sorts of concerns every day. A vulnerability scan doesn't completely eliminate the risks, but better that you're aware of any system flaws first, before an attacker. Additionally, any action you take to increase security on your systems will help secure the entire IU network overall.


Are there any risks associated with running a Web Scan?

As with any sort of vulnerability scan, there are some inherent risks — including performance reductions, denial of service and aggregation of garbage data.

These risks are minimal, however, and the advantages of discovering security in holes in your Web application clearly outweigh temporary variations arising from a scan. Further, remember that anyone with access to your site can perform the same procedures that UISO offers — meaning it's better for everyone to catch vulnerabilities upfront, rather than have them exploted by someone with nefarious intentions.


Can I have my Web site added to the Web Scanner?

Because of the number of variables associated with Web application vulnerability testing, all scans performed are currently done manually. If you would like to schedule one of these scans please email scanner-admin@UISO.iu.edu.


Will the Web Scanner submit data to our site?

Yes. As part of the process the scanner will actively try to fill out Web forms and submit data. This is so that it can try to identify vulnerabilities including SQL injection and cross site scripting. The testing data submitted should be obvious to the site owner.


Should this scan be run on our production server or a development server?

It can be run on both. While UISO has no problem scanning a production server, variables such as slower traffic may exist during regular hours — which may necessitate a less convenient off-peak scan. Conversely, scanning a development server can eliminate possible problems before they reach the production environment, but if