3 Replies Latest reply: May 29, 2013 5:00 PM by jvalverd

    Help with Web Application Scanning

    tony.lin

      Hi

       

      The new version of Foundstone has a Web Application Scanning option. I can't find any information about it! Are there any documents that explain how to do it?

        • 1. Re: Help with Web Application Scanning

          Hi Tony,

           

          There's an entire section in the MVM 7.0 Product Guide:

          How web application scans work

           

          If you have any specific questions let us know.

           

          I hope that helps!
          Cathy

          • 2. Re: Help with Web Application Scanning
            sharat

            Hi

             

            Even I am trying to use McAfee FS for detecting web application vulnerabilities.

             

            I scanned a web server by providing the "application URL" and the credentials which are used to manage that site. But the scan did not detect any vulnerabilities regarding the web application.

            I want to know what kind of credentials can be used to get vulnerabilities regarding the web application.

            Please help.

            • 3. Re: Help with Web Application Scanning

              This is configured under credentials in the scan configuration. 

               

              From the online help:

              Web application credentials

              McAfee Vulnerability Manager 7.5 can use credentials to authenticate itself to a Windows, UNIX, or infrastructure host. This allows the FSL scripts to access web applications.

              Web application credential details

              Setting: Description

              Web Domain: Select this account type to use domain credentials for accessing web applications within the specified domain. Type a domain name (e.g. yourdomain.com).

              Web Server: Select this account type to use credentials for a specific server running a web application.

              Web Default: Select this account type to use credentials when either the Web Domain or Web Server credentials do not work.

              Web Application URL: Select this account type to use credentials for a specific web application URL. The Web Application URL field requires a URL (example: http://www.hostname.com). To ensure the credentials are applied to the correct asset, the URL in the Web Application field should match the URL entered on the Targets page of the scan configuration.

              HTTP Basic: Access authentication by using a username and password, where the password is sent unencrypted.

              HTTP Digest: Access authentication by using a username and password, where the password is encrypted.

              NTLM: A Microsoft authentication protocol.

              Form: Form based authentication that could include a number of fields and values for authentication.

              Certificate: Certificate authentication, which includes attaching the certificate to the scan configuration.

               

              Form, however, has some limitations if JavaScript is used.
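
When a credentialed scan finds nothing, one thing to check is whether the credential type matches what the application actually asks for. The following is an added example, not part of the thread or of McAfee's product: it classifies an unauthenticated HTTP response into one of the credential types listed above and flags login forms that depend on JavaScript. The sample responses, the function name `classify_auth`, and the preference order are assumptions made for illustration.

```python
import re

# Constructed sample responses (not captured from a real scan).
SAMPLES = {
    "basic": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="admin"\r\n\r\n',
    "digest_and_basic": 'HTTP/1.1 401 Unauthorized\r\n'
                        'WWW-Authenticate: Digest realm="app", nonce="abc123"\r\n'
                        'WWW-Authenticate: Basic realm="app"\r\n\r\n',
    "ntlm": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
            "WWW-Authenticate: NTLM\r\n\r\n",
    "form": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            "<form action='/login' method='post'><input name='u'>"
            "<input type='password' name='p'></form>",
    "form_js": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<form onsubmit='return hashAndSend(this)'>"
               "<input type='password' name='p'></form><script src='/login.js'></script>",
    "open": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>Welcome</h1>",
}

PASSWORD_FIELD = re.compile(r"<input\b[^>]*type\s*=\s*[\"']?password", re.I)
SCRIPTED = re.compile(r"<script\b|\bonsubmit\s*=|javascript:", re.I)
# Assumed preference when a server offers several schemes: avoid Basic if possible.
PREFERENCE = [("ntlm", "NTLM"), ("digest", "HTTP Digest"), ("basic", "HTTP Basic")]

def classify_auth(raw):
    """Return (credential_type, warning) for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    schemes = set()
    for line in header_block.split("\r\n"):  # one scheme per WWW-Authenticate header
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.add(value.split()[0].lower())
    if status == 401:
        for scheme, cred_type in PREFERENCE:
            if scheme in schemes:
                return cred_type, None
        return None, "401 with no recognised scheme: " + ", ".join(sorted(schemes))
    if PASSWORD_FIELD.search(body):  # no challenge, but the page has a login form
        scripted = SCRIPTED.search(body)
        return "Form", "login page uses JavaScript; Form credentials may not work" if scripted else None
    return None, "no authentication challenge or login form seen"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_auth(raw))
```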