Web Application Vulnerability Scanner
Frequently Asked Questions
The Web Scanner attempts to discover vulnerabilities in your Web site. It begins by indexing your entire site looking for Web pages, then determines which tests it needs to run based on the type of Web site/pages present.
Please see the following frequently asked questions.
- How do I request a scan?
- What application is UISO using for Web Scanning?
- What does the Web Scanner do?
- How long does a scan usually take?
- From what IP address does my website need to be accessible?
- My application requires a login credential. Is that OK?
- Why should I have my Web site scanned?
- Are there any risks associated with running a Web Scan?
- Can I have my Web site added to the Web Scanner?
- Will the Web Scanner submit data to our site?
- Should this scan be run on our production server or a development server?
- What kinds of reports can I get from the Web Scanner?
- How often should I have our Web site scanned?
- Who can help me resolve issues found by the Web Scanner?
- Where can I find more information about 'Web Application Security' and ways to prevent vulnerabilities?
- Any miscellaneous advice you can give?
How do I request a scan?
Please note: We prefer you scan test or development servers. The scanner will not impact performance on a production site. However, it will attempt to submit data using forms on your site. This may insert unwanted data into your database, or flood you with form-generated emails.
Send email to firstname.lastname@example.org with the following information:
- The URL you wish to scan.
- Any additional URLs not linked to the first URL.
- If the site uses IU login, provide access to username “uisoscan”. I will need to know if it uses CAS, CAS-STAGE, or some other login form.
- If the site uses its own login, provide an account (preferably named uisoscan). You may relay the password over Lync (you will be contacted when ready).
- Indicate if the site is Production or Development. If Production, indicate why you are scanning it rather than a development site.
- If the site has forms which generate email, understand that the scanner can produce quite a lot of email by testing those forms.
What application is UISO using for Web Scanning?
UISO uses an application by Qualys called Qualys Web Application Scanning (WAS).
What does the Web Scanner do?
The application starts by indexing your entire site looking for Web pages. It then determines which tests it needs to run based on the type of Web site/pages present.
How long does a scan usually take?
A scan can take anywhere from 10 minutes to 24 hours, depending on the size of the site and how many advanced features the site employs. Generally speaking, the more complicated the site, the longer it will take. The scan will stop when it reaches 24 hours.
From what IP address does my website need to be accessible?
Web scans can originate from any of the following IU IPs:
Additionally, any public website will most likely be scanned from a remote scanner located in the following block:
My application requires a login credential. Is that OK?
Yes. If you are authenticating IU users (either via CAS or LDAP/Kerberos), please ensure you grant access to the username uisoscan (ads\uisoscan).
If your access control is local, please create a local username (preferably named uisoscan) and password/passphrase for the scanner. Passphrases can be sent securely through Lync chat with Jason Abels.
Important: please ensure that you assign the uisoscan user permissions at whatever privilege level you would like the scanner to scan. For instance, if you have an admin interface that you want scanned, uisoscan must be able to access it, as any other user would.
Why should I have my Web site scanned?
A better question might be "Why wouldn't you want it scanned?" What would be the damage if someone broke into your Web site? Is there sensitive data present? Would you be liable under the law? What would happen if your Web site were defaced? What if it were used to distribute illegal content?
System administrators face these sorts of concerns every day. A vulnerability scan doesn't completely eliminate the risks, but better that you're aware of any system flaws first, before an attacker. Additionally, any action you take to increase security on your systems will help secure the entire IU network overall.
Are there any risks associated with running a Web Scan?
As with any sort of vulnerability scan, there are some inherent risks, including performance reductions, denial of service and aggregation of garbage data.
These risks are minimal, however, and the advantages of discovering security holes in your Web application clearly outweigh temporary variations arising from a scan. Further, remember that anyone with access to your site can perform the same procedures that UISO offers, meaning it's better for everyone to catch vulnerabilities upfront, rather than have them exploited by someone with nefarious intentions.
Will the Web Scanner submit data to our site?
Yes. As part of the process the scanner will actively try to fill out Web forms and submit data. This is so that it can try to identify vulnerabilities including SQL injection and cross-site scripting. The test data submitted should be obvious to the site owner.
Should this scan be run on our production server or a development server?
You should run scans against a test or development server whose configuration mirrors your production server. UISO can scan a production server, but misconfigurations can lead to data corruption during a Web Application Scan.
What kinds of reports can I get from the Web Scanner?
The Web Scanner is able to create reports with as little or as much information as you would like. Generally speaking you'll get an overview of the issues found and a list of remediation tasks. However, more information can be included, such as code samples and verbose explanations.
UISO also offers reports that show regulatory compliance, including PCI DSS. Please note that this is different from a full PCI DSS audit, but it should give you a good idea of where you stand.
All reports are currently offered in PDF format, and can be created in Qualys in a variety of formats.
How often should I have our Web site scanned?
There is no standard answer, as it depends on a number of factors. Have there been any significant changes made to the Web site? Have you performed any operating system/server updates? Have you had any recent security incidents? How much traffic does your site get on a daily/weekly/monthly/annual basis? How sensitive is the data stored on your server? As a standard, we recommend sites be scanned at least once a year.
Answering these questions should make some sort of time frame self-apparent. For more information, feel free to e-mail email@example.com for additional assistance.
Also, if you are looking for anything specific, please let us know. Since this is a hands-on process, we are able to give a lot of attention to these scans and customize them for you to some degree.
Who can help me resolve issues found by the Web Scanner?
Your first line of support should come from your department's IT Pro. If you are an IT Pro, you should consult with Support Center Tier 2, who can guide you to various resources, documents and available training sessions.
Where can I find more information about 'Web Application Security' and ways to prevent vulnerabilities?
SANS is always an excellent resource for Internet security, as is the Web Application Security Consortium (WASC).
Any miscellaneous advice you can give?
Yes. Please be sure to notify your supervisor, colleagues, LSPs and anyone else who has a stake in the Web site/service being scanned. The scan will look like an attack in your logs and monitoring, and you might cause some unintentional panic if people are not properly informed.
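Because the scan looks like an attack in server logs, and because the scanner's form submissions leave test data behind that the site owner will want to find and remove, a small log-triage script helps the people you notified tell scanner traffic from anything else. The following is an added example written for this FAQ; it is not code from UISO or from Qualys WAS. It assumes the scanner logs in as the recommended "uisoscan" account, that access logs are in Apache/Nginx combined format, and it uses placeholder address ranges (the RFC 5737 documentation networks) where you would substitute the IU scanner ranges UISO publishes. The sample log lines are constructed for the example.

```python
"""Triage access-log lines recorded during a UISO web application scan.

Added example (not UISO or Qualys code). Requests are attributed to the
scanner when they come from a scanner address range or are authenticated
as the scanner account; everything else is checked for the kind of
injection-looking requests or server errors that the scan would NOT
explain, so the team can avoid a false alarm and can later locate the
form endpoints that received test data and need clean-up.
"""
import ipaddress
import re
from collections import Counter

# PLACEHOLDER ranges (RFC 5737 documentation networks): replace with the
# scanner ranges UISO publishes for your scan.
SCANNER_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
SCANNER_USER = "uisoscan"  # account name the FAQ recommends for the scanner

# Combined log format prefix: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - uisoscan [12/Mar/2024:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla"',
    '192.0.2.10 - uisoscan [12/Mar/2024:10:00:02 -0500] "POST /contact HTTP/1.1" 200 88 "-" "Mozilla"',
    '192.0.2.10 - uisoscan [12/Mar/2024:10:00:03 -0500] "POST /contact HTTP/1.1" 500 0 "-" "Mozilla"',
    '10.0.0.5 - - [12/Mar/2024:10:00:04 -0500] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla"',
    '203.0.113.7 - - [12/Mar/2024:10:00:05 -0500] "GET /search?q=%27%20OR%201=1 HTTP/1.1" 200 300 "-" "curl"',
    '198.51.100.4 - - [12/Mar/2024:10:00:06 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla"',
    'this line is not in combined format',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_scanner(entry):
    """True when the request is attributable to the UISO scanner."""
    if entry["user"] == SCANNER_USER:
        return True
    try:
        addr = ipaddress.ip_address(entry["ip"])
    except ValueError:
        return False
    return any(addr in net for net in SCANNER_NETWORKS)


def looks_suspicious(entry):
    """Crude signal for a request the scan does not account for: a server
    error, or a quote / script tag (raw or URL-encoded) in the request path."""
    path = entry["path"].lower()
    return entry["status"] >= 500 or "'" in path or "%27" in path or "<script" in path


def triage(lines):
    """Summarise scanner vs. other traffic over an iterable of log lines."""
    summary = {
        "scanner_requests": 0,
        "other_requests": 0,
        "unparsed": 0,
        "scanner_form_posts": Counter(),      # endpoints that received test data
        "unexplained_suspicious": [],         # (ip, path) not attributable to the scan
    }
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            summary["unparsed"] += 1
            continue
        if is_scanner(entry):
            summary["scanner_requests"] += 1
            if entry["method"] == "POST":
                summary["scanner_form_posts"][entry["path"]] += 1
        else:
            summary["other_requests"] += 1
            if looks_suspicious(entry):
                summary["unexplained_suspicious"].append((entry["ip"], entry["path"]))
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("scanner requests:", result["scanner_requests"])
    print("form endpoints hit by scanner:", dict(result["scanner_form_posts"]))
    print("suspicious requests NOT from the scanner:", result["unexplained_suspicious"])
```

Run it against your real access log by replacing SAMPLE_LOG with the file's lines; the "scanner_form_posts" counter tells you which form handlers (and therefore which database tables or mailboxes) received the scanner's test data, and anything in "unexplained_suspicious" deserves the attention the scan itself does not.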