McAfee Vulnerability Manager Web Application Scanning

     

     

    Introduction

     

This guide walks you through the McAfee Vulnerability Manager Web Application Scanning feature.

     

    Video

     

This video takes you step by step through MVM Web Application Scan configuration and reporting. For reference, the steps and additional information are provided below.

     

     

     

     

    Prerequisites

     

We advise reviewing the McAfee Vulnerability Manager 7.5 Getting Started Guide or watching the 'How to Install, Update and License McAfee Vulnerability Manager 7.5' video found at https://www.youtube.com/watch?v=WIfYJJYLtxM and the McAfee Vulnerability Manager 7.5 Scan Configuration and Status video found at https://www.youtube.com/watch?v=Qm_Wx71M9io.

     

     

    Web Application Scan Configuration

    McAfee Vulnerability Manager provides a scan configuration, vulnerability checks, and scan reports for web applications. The web application scan searches for vulnerabilities that include buffer overflows, cross site scripting, and unauthorized access. When the web application scan creates an asset, the asset is associated with the URL and not with the IP address of the web server. Because a web server can host multiple web applications, associating the web asset with the URL provides a unique identifier. A web asset is created when you create a web asset manually, add a URL to a web application scan configuration, or run a discovery scan that discovers the web server.

     

Providing credentials to a web application scan allows authorized access to the site. If you do not provide credentials, the scan runs checks for unauthorized access to the site. In both cases, links on the logon page are also tested for vulnerabilities.

     

Note: Web asset information, such as the asset page and reports, includes the IP address of the web server. Deleting the web server asset also removes the IP address from the web asset information. It is also possible to create asset filters that use the web server IP address to search for web assets running on that server, but deleting the web server asset breaks such a filter.

     

     

     

Creating a web application scan is similar to other McAfee Vulnerability Manager scan configurations; the difference is the Web App Config settings on the Settings tab of the scan configuration. Tip: If you want to use the asset settings in a scan configuration (such as the port number), scan the asset instead of a URL that matches the asset.

    Select Scans -> New scan.

[Screenshot: new scan.PNG]

    On the Scan details page, select Use a McAfee Vulnerability Manager template.

[Screenshot: scan config wizard.PNG]

    Select a web scan template, then click Next.

    •   CWE/SANS Top 25 Scan – Searches for the CWE/SANS Top 25 most dangerous programming errors/vulnerabilities in web applications.

    •   Deep Web Scan – Performs the most thorough web application assessment possible without constraints such as time limitations.

•   Informational Web Crawl – Indexes your web application and provides informational-level vulnerabilities.

•   Light Web Scan – Performs a quick web application assessment of the most critical vulnerabilities within a two-hour time period.

    •   OWASP Top 10 Scan – Searches for a broad consensus of what are considered the most critical web application security flaws listed in the OWASP Top 10 list.

    •   PCI DSS Compliance Scan – Searches for vulnerabilities that would impact compliance with the Payment Card Industry (PCI) Data Security Standard.

     

    On the Targets tab, type a unique scan name. Typing a description is optional.

     

[Screenshot: scan name and targets.PNG]

     

    Type the URL of the web application you want to scan, then click Next. You can also browse or search for a web application asset.

     

•   Type the full URL (example: http://www.hostname.com); otherwise the product scans the system as a host asset and not as a web application.

•   Scan one web application per scan configuration, because one web application can lead to multiple web pages, with scan data returned for each page.

    •   A URL is validated when the scan runs, not when the scan is created. During a scan, if a URL resolves to an IP address that is outside your IP range, it is not scanned.

     

Click Next >> to continue to the Settings tab. Click WEB APP CONFIG.

     

     

    Web App Config settings

     

Override asset settings (use scan's settings against all targets) - If any web application in the scan configuration already has its own web application configuration, selecting this option overrides that configuration and uses the web application configuration on this page.

Use asset settings (use scan's settings as defaults for targets without their own settings) - Any web application in the scan configuration without an existing web application configuration uses the settings on this page. Web applications with an existing web application configuration keep using that configuration.

     

    Existing web app config - All existing web application configurations will appear in a drop-down list.

     

    Entry Path - The web path to use as a starting point for the scan configuration. Adding entry paths ensures the web application scan covers all the paths you want, especially if the entry path is not linked to the web application you entered on the Targets tab. Enter one path per line. Press Enter to add a line. Entry paths are case-sensitive.

     

    The entry path is added to the web application target you entered on the Targets tab. The scan will not scan any folders above the path specified on the Targets tab. For example: If you entered http://webappname.com/consumer/product/ on the Targets tab, and then you add /admin/ to the Entry Path field, the scan will not scan the path http://webappname.com/admin/, because this is above the path specified on the Targets page.

     

Exclude Path - Type here any web folder or page within the web application that you do not want to scan. Enter one path per line. Press Enter to add a line. Exclude paths are case-sensitive. An entry in the Exclude Path field excludes anything that contains that text. Entries in the Exclude Path field are appended to the URL of the web application scan, so do not type a full URL as an excluded path.

     

For example: If you want to exclude the Admin folder from your scan (http://webappname.com/admin/), the following entries produce the described results.

    admin - This will exclude anything that has "admin" in it, including any files or pages (http://webappname.com/registration/administrationform.php would be excluded, even if you wanted it as part of your scan results).

    /admin - This will exclude anything that has "/admin" in it, including any files or pages (http://webappname.com/registration/administrationform.php would be excluded, even if you wanted it as part of your scan results).

/admin/ - This will exclude only folders labeled "/admin/".

     

Exclude parameters - Type here any web parameters within the web application that you do not want to scan. Enter one parameter per line. Press Enter to add a line.

For example: If the application uses a session ID parameter, exclude that parameter from the scan configuration. Otherwise, McAfee Vulnerability Manager will attempt to change the session ID to check for vulnerabilities, and the web application could terminate the session before the scan completes.
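The Entry Path, Exclude Path and Exclude parameters rules above are easy to get wrong, so here is an added example (not McAfee code) that models them on sample URLs. It assumes an Exclude Path entry matches as a plain substring of the URL path, an Entry Path is resolved against the target URL, nothing above the target's path is crawled, and the parameter name PHPSESSID is a constructed sample.

```python
from urllib.parse import urljoin, urlparse, parse_qsl

# Model of the scope rules described in the guide; assumptions, not MVM's code.


def in_scope(target, exclude_paths, url):
    """True if `url` would be crawled for `target` under the described rules."""
    t, u = urlparse(target), urlparse(url)
    if u.hostname != t.hostname:
        return False  # another host is a different web asset (port pairs share one)
    base = t.path if t.path.endswith("/") else t.path + "/"
    if not (u.path + "/").startswith(base):
        return False  # above the Targets-tab path, e.g. /admin/ vs /consumer/product/
    # Substring semantics: "admin" also hits /registration/administrationform.php,
    # while "/admin/" only hits that folder.
    return not any(ex in u.path for ex in exclude_paths)


def start_urls(target, entry_paths):
    """Resolve Entry Path lines against the target, dropping those out of scope."""
    return [u for u in (urljoin(target, p) for p in entry_paths)
            if in_scope(target, [], u)]


def fuzzable_params(url, exclude_params):
    """Query parameters the scan may mutate; excluded ones (e.g. a session ID) stay untouched."""
    return [k for k, _ in parse_qsl(urlparse(url).query, keep_blank_values=True)
            if k not in exclude_params]


if __name__ == "__main__":
    target = "http://webappname.com/consumer/product/"
    # Entry path /admin/ resolves above the target path, so it is dropped.
    print(start_urls(target, ["/admin/", "cart/"]))
    for ex in ("admin", "/admin", "/admin/"):
        page = "http://webappname.com/registration/administrationform.php"
        print(ex, "->", in_scope("http://webappname.com/", [ex], page))
    print(fuzzable_params("http://webappname.com/shop.php?item=42&PHPSESSID=abc",
                          {"PHPSESSID"}))
```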

     

Port pairs - If the web application uses specific HTTP and HTTPS ports, type those ports here. The results from these ports are reconciled into one web application asset. Only one HTTP port and one HTTPS port are allowed per scan configuration.

     

[Screenshot: web app config.PNG]

     

Click the OPTIMIZE option to configure Web Application Assessment parameters. Some fields accept numbers from 1 through 999,999. For fields with a No Limit checkbox, clear the checkbox before typing in a number.

     

**It is recommended that you use the McAfee Vulnerability Manager defaults.

[Screenshot: optimize web app.PNG]

     

Max scan time (minutes): The maximum amount of time allowed for a scan to run, in minutes, per web application asset.

    **This time does not include running FSL scripts or processing results at the end of a scan.

     

Max number of requests: The maximum number of requests a scan can issue to a web server.

**A web application scan sends requests for directory and file enumerations (listings). Setting this limit too low results in limited web crawling and injection data.

     

Max site failures: The maximum number of network failures allowed when connecting to a web server before the scan is terminated.

Max response size (KB): The maximum size, in kilobytes, of a web page scanned by McAfee Vulnerability Manager. Some web pages do not split their content into separate pages (for example, a blog page can be one long thread of responses). Limiting the data size scanned can improve overall scan performance.

     

Request timeout (seconds): The maximum number of seconds allowed for a web server to either respond or close a connection before McAfee Vulnerability Manager closes the connection.

     

Inter-request delay (ms): The number of milliseconds a scan must wait between requests sent to a target. This delay does not affect the response time (the time it takes for a target to respond to a request).

     

Max directory depth: The maximum number of directory levels a scan may descend before the scan is terminated.

     

Thoroughness: Some web vulnerability checks have two settings, Exhaustive and Time Optimized. Exhaustive searches for all items identified in the vulnerability check, including items that occur rarely. Time Optimized searches only for frequently occurring items identified in the vulnerability check.

     

Determine URL uniqueness: Avoids repeated checks of identical web pages, based on the page's URL, to make scanning more efficient.

     

Determine form uniqueness: Avoids repeated checks of identical forms, based on the form's action URL, to make scanning more efficient.

     

    Reports

     

The web report looks like a traditional scan report with additional web sections.

     

    Web Application Summary

     

The web vulnerability details page provides a complete report of the various web pages with vulnerabilities discovered during a web application scan.

     

[Screenshot: web app report.PNG]

     

    Web Site Map

     

The web site map contains an overview of the website structure discovered during a scan.

     

[Screenshot: web site map.PNG]

     

    Web Vulnerability Details

     

    The web vulnerability details page provides a complete report of the various web pages with vulnerabilities discovered during a web application scan.

     

[Screenshot: web app vuln summary.PNG]

     

Drilling deeper provides the evidence for the vulnerability.

     

[Screenshot: web app evidence.PNG]

     

    Contact Us

     

     

For additional information, including a demo of McAfee Vulnerability Manager, go to:

     

    http://www.mcafee.com/us/products/vulnerability-manager.aspx

     

    or contact us at:

     

    http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales