
QualysGuard WAS Getting Started Guide Version 3.3 March 21, 2014

Copyright 2011-2014 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. Qualys, Inc. 1600 Bridge Parkway Redwood Shores, CA 94065 1 (650) 801 6100

Contents
- Welcome to WAS
  - QualysGuard WAS Features
  - About the Platform: Benefits for Users
- Let's Begin
  - Let's go to WAS
  - Add a new web application
  - Launch a discovery scan
  - View your discovery scan results
  - Launch a vulnerability scan
  - View your vulnerability scan results
  - Configure scan schedules
  - Check out your dashboard
  - View a sitemap of your web application
  - Using the Catalog
  - Do you want to import Burp findings?
- Reporting
- Account Management
- Contact Support

Welcome to WAS

QualysGuard Web Application Scanning (WAS) enables organizations to assess, track and remediate web application vulnerabilities. Delivered on demand, the service allows users to:
- Crawl web applications and scan them for vulnerabilities
- Identify web applications' handling of sensitive or secret data
- Customize: authentication, black/white lists, robots.txt, sitemap.xml and more
- View reports with recommended secure coding practice and configuration

QualysGuard WAS provides several major enhancements to help customers catalog their web applications on a global scale and scan them for vulnerabilities that can lead to exploitation. Delivered via the QualysGuard Cloud Platform and its Java-based backend, the WAS user interface (UI) raises the bar in terms of ease of use, flexible reporting and automation of scanning tasks.

Web Application Scanning Lifecycle

The web application scanning lifecycle assists users with managing security and compliance through web application creation, scanning, reporting and remediation.

QualysGuard WAS Features

Major features in QualysGuard WAS include:
- Scanning of web applications (Intranet, Internet)
- Fully interactive UI with flexible workflows and reporting
- Supports scanning HTML web applications with JavaScript and embedded Flash
- Comprehensive detection of custom web application vulnerabilities, including:
  - OWASP Top 10 Vulnerabilities: SQL injection, cross-site scripting (XSS), source disclosure, directory traversal
  - Checks web applications' handling of sensitive or secret data
  - Reports on recommended secure coding practice and configuration
  - Differentiates exploitable fault-injection problems from simple information disclosure
- Customizable scanning options
  - Customized crawling using Black/White lists, Robots.txt and Sitemap.xml files
  - Supports common authentication schemes
  - Performs brute force attacks using pre-defined and custom password lists
  - Profiles custom web application behaviors
  - Configures scanning performance with a customizable performance level

About the Platform: Benefits for Users

New technologies implemented in the Java-based backend offer many benefits for users:
- UI with dynamic and interactive interfaces, wizards and new report templates to present scan data with a wide range of presentation options.
- Customizable template-driven reporting engine outputs reports in a variety of formats (html, pdf, encrypted pdf, ppt, xml, csv).
- Fast searching of several extensive Qualys data sets, including scan results, asset data, scan profiles, users and vulnerabilities.
- Create and manage tags (static and dynamic) to group and organize web applications.
- Dynamic distribution of scans on multiple scanners based on availability and load to optimize scanning of large networks, drastically reducing the overall scan time required to complete large scan jobs.

Let's Begin

Welcome to WAS. As you are getting started we recommend you first review the WAS features and become familiar with the user interface.

Let's go to WAS

It's easy. Just log in to QualysGuard and select WAS from the application picker. Your WAS dashboard will be blank until you (or another user) add a web application and scans are completed in your account. It will be updated automatically as new scan results are ready.

Add a new web application

Use the wizard to add your first web application. Enter the web application details and configure scan settings. Turn on Malware Monitoring for an external site if you want us to perform automatic daily malware scans.

Tip: Turn help tips on in the title bar to get help for each setting as you mouse over a field name.

Your web application appears in the Web Applications tab, where you can edit the application or launch a scan on it.

Why use authentication?

Using authentication allows our service to access all parts of your web application during the crawling process, so we can perform a more in-depth assessment of your web application. Some web applications require authenticated access for the majority of their functionality. Authenticated scanning can be configured for HTML forms like login pages and for server-based authentication (HTTP Basic, Digest, NTLM, or SSL client certificates). Just go to the Authentication tab, select New Record and configure an authentication record with access credentials. Form and server authentication may be combined as needed; we'll monitor the session state to ensure an authenticated scan remains authenticated throughout the crawl.

Warning about scans and their potential impact

Web application scans submit forms with test data. If this is not desired, add configurations for black lists and POST data black lists, and/or select the GET only method within the option profile. Keep in mind that when these configurations are used, certain areas of the web application are not tested, and any vulnerabilities that exist in these areas may not be detected.

Launch a discovery scan

We recommend that you start by running a discovery scan. A discovery scan finds information about your web application without performing vulnerability testing. This is a good way to understand where the scan will go and whether there are URIs you should blacklist for vulnerability scans.

Select Web Applications (on the top menu). Click the Web Applications tab and then select New Scan > Discovery Scan.

Enter your scan settings using the launch scan wizard. A scan name is provided and you can enter a custom one. Select a web application. If the application has defaults, these appear for Option Profile (scan settings) and Scanner Appliance. If there are no defaults, you must make selections.

Want to use authentication? Be sure to select an authentication record that you've configured for your application.

Tell me about the option profile

An option profile is a set of scan configuration options. We recommend Initial WAS Options to get started. Editing options in the profile allows you to customize crawling and to use password brute forcing.

Do I need a scanner appliance?

Our security service provides cloud scanners for external scanning on the network perimeter. For internal scanning you need to set up a scanner appliance (physical or virtual). Go to VM > Scans > Appliances, select an option from the New menu, and we'll walk you through the steps. (Do you have Express Lite? Your account may be enabled with External scanning, Internal scanning or both.)
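The scoping controls named in the two sections above (URI black lists and white lists, POST data black lists, the GET only method, and robots.txt) decide which requests a crawl is allowed to send. The following is an added, hypothetical crawl-scope filter written to illustrate how those controls combine; it is example code for this guide, not the WAS product's own logic or its option profile format. The host name, the patterns, the sample robots.txt and the precedence rule (black list beats white list) are all constructed for the example.

```python
# Hypothetical crawl-scope filter (example code, not the WAS product's own
# logic). It applies the scoping controls the guide names: URI black and white
# lists, a POST data black list, the GET-only method, and robots.txt rules.
import re
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser


class CrawlScope:
    def __init__(self, base_url, white_list=(), black_list=(),
                 post_data_black_list=(), robots_txt=None, get_only=False):
        self.base_host = urlsplit(base_url).netloc.lower()
        self.white = [re.compile(p) for p in white_list]
        self.black = [re.compile(p) for p in black_list]
        self.post_black = [re.compile(p) for p in post_data_black_list]
        self.get_only = get_only
        self.robots = None
        if robots_txt is not None:
            self.robots = RobotFileParser()
            self.robots.parse(robots_txt.splitlines())

    def decide(self, method, url, body=""):
        """Return (allowed, reason) for one candidate request.

        Precedence is this example's own choice: host, then method, then the
        black list (an excluded URI is never requested, whatever the white
        list says), then the white list, then POST data, then robots.txt.
        """
        method = method.upper()
        if urlsplit(url).netloc.lower() != self.base_host:
            return False, "off-host"
        if self.get_only and method != "GET":
            return False, "get-only mode"
        for rx in self.black:
            if rx.search(url):
                return False, "black list: " + rx.pattern
        if self.white and not any(rx.search(url) for rx in self.white):
            return False, "not in white list"
        if method == "POST":
            for rx in self.post_black:
                if rx.search(body):
                    return False, "POST data black list: " + rx.pattern
        if self.robots is not None and not self.robots.can_fetch("*", url):
            return False, "robots.txt disallow"
        return True, "in scope"

    def filter_requests(self, requests):
        """Split (method, url, body) tuples into those to send and those skipped."""
        send, skipped = [], []
        for method, url, body in requests:
            allowed, reason = self.decide(method, url, body)
            (send if allowed else skipped).append((method, url, reason))
        return send, skipped


# Constructed sample configuration and crawl queue for a fictitious target.
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /private/\n"
SAMPLE_SCOPE = CrawlScope(
    "https://app.example.com",
    white_list=[r"^https://app\.example\.com/"],
    black_list=[r"/logout", r"/admin/"],
    post_data_black_list=[r"(?i)delete", r"(?i)unsubscribe"],
    robots_txt=SAMPLE_ROBOTS,
)
SAMPLE_QUEUE = [
    ("GET", "https://app.example.com/products", ""),
    ("GET", "https://app.example.com/logout", ""),
    ("GET", "https://app.example.com/private/report", ""),
    ("POST", "https://app.example.com/account", "action=delete&id=7"),
    ("POST", "https://app.example.com/contact", "name=test&msg=hello"),
    ("GET", "https://other.example.com/", ""),
]

if __name__ == "__main__":
    send, skipped = SAMPLE_SCOPE.filter_requests(SAMPLE_QUEUE)
    for entry in send:
        print("SEND", entry)
    for entry in skipped:
        print("SKIP", entry)
```

Each skipped request carries the reason it was excluded, which is the information you need when a discovery scan shows the crawl going somewhere it should not: the URI can then be black-listed for the vulnerability scan, or the destructive form submission caught by the POST data black list instead of by disabling POST entirely.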

View your discovery scan results

There are multiple ways to view discovery scan results.

Check out the scan view

Double click the finished discovery scan in the scan list to display the scan view. Overview shows the scan findings. Click Scan Details to see details like the date and time of the scan and the target web application. Click Scan Settings to see the crawling settings, detection scope and other settings you may have configured.

Check out the full scan report

Click View Report in the View Scan window to view the interactive scan report. You can view the report online, change its settings to update it and then save it to multiple formats. The Results section shows the scan findings. Each QID represents a security check from the KnowledgeBase. The Severity icon indicates the level of severity: minimal, medium or serious. While viewing the report, be sure to check QID 150009 Links Crawled and QID 150021 Scan Diagnostics.

Click a row to view details.

Launch a vulnerability scan

A vulnerability scan performs vulnerability checks, information gathered checks and sensitive content checks (if configured in the option profile). Vulnerability checks may include cross-site scripting (XSS) checks (persistent, reflected, header, browser-specific) and SQL injection checks (regular and blind). Sensitive content checks may include social security numbers (US format), credit card numbers and custom strings.

Let's get started. Select Scans on the top menu. Click the Scan List tab and then select New Scan > Vulnerability Scan.
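As an added illustration of the sensitive content checks listed above (example code, not the product's own detection logic), here is a hypothetical check run over a constructed response body. It matches US-format social security numbers, validates credit-card-number candidates with the Luhn checksum so that ordinary digit runs such as order references are not reported, and looks for custom strings; every finding is masked to its last four digits so the report itself does not re-expose the data. The sample body, the custom string and the helper names are all constructed for the example.

```python
# Hypothetical sensitive-content checks run over an HTTP response body
# (example code, not the WAS product's own detection logic). It looks for the
# three content types the guide lists: US-format social security numbers,
# credit card numbers (validated with the Luhn checksum so that ordinary
# digit runs are not reported), and custom strings.
import re

# US SSN: 3-2-4 digits; the SSA never issues area 000, 666 or 900-999,
# group 00 or serial 0000, so those are excluded to cut false positives.
SSN_RX = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RX = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so reports do not re-expose the data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive_content(body, custom_strings=()):
    """Return (check, masked_value) findings for one response body."""
    findings = []
    for m in SSN_RX.finditer(body):
        findings.append(("ssn-us", mask(m.group().replace("-", ""))))
    for m in CARD_RX.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("credit-card", mask(digits)))
    for s in custom_strings:
        if s in body:
            findings.append(("custom-string", s))
    return findings


# Constructed sample response body (not real data); the card number is the
# widely used 4111... test number and the order reference fails Luhn.
SAMPLE_BODY = """<html><body>
<p>Customer SSN: 123-45-6789</p>
<p>Card on file: 4111 1111 1111 1111</p>
<p>Order ref: 1234 5678 9012 3456</p>
<p>Phone: 650-801-6100</p>
<p>INTERNAL USE ONLY</p>
</body></html>"""

if __name__ == "__main__":
    for check, value in find_sensitive_content(SAMPLE_BODY, ("INTERNAL USE ONLY",)):
        print(check, value)
```

The Luhn step is what separates a sensitive content detection from noise: the 16-digit order reference in the sample matches the card pattern but fails the checksum and is dropped, while the phone number and SSN never reach the card check because they are too short.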

The target for a vulnerability scan is the same as for a discovery scan. Review your settings. When you're ready to launch the scan, click Finish.

View your vulnerability scan results

There are multiple ways to view vulnerability scan results.

Check out the scan preview

Select the finished vulnerability scan in the scan list to display a preview of the scan results below the list area.

Check out the scan view

To view the results of a completed vulnerability scan, double click the scan. For this demo application WAS was able to take a screenshot of the application, and you'll see a thumbnail image. Click the image to go to the web application. A bar graph shows you a breakdown of the scan findings: vulnerabilities, sensitive content detections and information gathered.

Tip: Want to see the scan report? Click the View Report button.

The vulnerability checks (QIDs) performed by a web application scan are listed in the KnowledgeBase. We constantly update the KnowledgeBase as new security information becomes available. Click KnowledgeBase on the top menu.

Vulnerability checks (in red) include OWASP Top 10 Vulnerabilities: SQL injection, cross-site scripting (XSS), source disclosure and directory traversal.

Information gathered checks (in blue) identify information gathered during the scan process. This includes information about the web application and about the scan process itself.

- Red vulnerability severity levels 1-5: minimal, medium, serious, critical, urgent
- Blue information gathered severity levels 1-3: minimal, medium, serious

Check out the full scan report

Here's the Results section of the scan report, including the details of a selected vulnerability. Vulnerabilities are sorted by group. Click a vulnerability row to view all detected instances of that vulnerability. Click a vulnerability instance to display details.

Configure scan schedules

By scheduling scans you'll get results on a regular basis (daily, weekly or monthly) and during a time window convenient for your organization. You can also run one-time only scans. It's easy to schedule a scan. Select Scans on the top menu, click the Schedules tab and then select New Schedule.

Check out your dashboard

Your dashboard helps you understand the overall security status of your web applications and provides an interactive way to take actions within your account. The dashboard shows current security risks based on the most recent scan results for all your web applications.

1. View current vulnerability counts for your web applications. High Severity shows levels 4 and 5, Med Severity shows level 3, and Low Severity shows levels 1 and 2. Click an option to see details and further explore the findings.
2. You'll see the number of malware detections if you've enabled malware monitoring for your web applications (and we've detected malware). You'll also see the highest severity level (High, Med or Low) of your detections. Click to see details in the MDS application.
3. Check out your most vulnerable web applications.
4. View discovered web applications in your Catalog. (This option is not available to Express Lite users.)
5. Check out your latest scans. Mouse over the Scan Date to view complete date and time information.
6. Check out your upcoming scans (your scan schedules).
7. Check out the latest reports.

View a sitemap of your web application

The sitemap gives you an up-to-date view of the security of your entire web application based on the latest scan results. You can drill down to see nested links and explore the security of different parts of your application. Go to Web Applications > Web Applications, hover over a web application and choose View Sitemap from the Quick Actions menu.

Here's a sample sitemap for a web application that has 271 total pages crawled, 306 total vulnerabilities and 8 sensitive content detections.

Filter the Sitemap

Click one of the page view filters, such as Crawled for crawled pages or Vulnerabilities for current vulnerabilities.

Drill down to see nested links

Double click a parent folder to display child links.

Take actions on links

You can create a new web application from a link, or add a link to a black list or white list. Just hover over a row and choose an action from the menu. You can view a link in your browser: select that row, then click the link in the right pane.

Move the sitemap to a new browser window

If you want to keep the sitemap open while you continue working in the WAS UI, click the icon in the upper right corner to move the sitemap to a new browser window. All the sitemap functionality remains available in the new window.

Using the Catalog

The Catalog is the staging area for web applications you can choose to add to your subscription. Catalog entries are processed from completed maps and vulnerability scans in your account. (The Catalog feature is not available to Express Lite users.)

How do I get started?

Your catalog will be empty until you (or another user) launch maps and/or vulnerability scans using the VM application. Once they are complete you are ready to process the results.
- For vulnerability scans, go to Web Applications > Catalog and select Update above the list. You can safely close the window and track the progress in the Catalog section.
- For maps, go to Web Applications > Maps, select one or more maps and then select Process Results. You can safely close the window and track the progress in the Catalog section.

You'll see new catalog entries for the newly discovered web applications. You can easily choose to add these web applications to your account and scan them for security risks.

Do you want to import Burp findings?

We recognize that there's a place for both automated scanning and attack proxies. To combine the best of both approaches, we've integrated the Burp Suite toolkit into WAS. Click the Burp option on the top menu to access the Burp Management feature. (This feature is not available to Express Lite users.)

The Burp section gives you a way to store the findings discovered by the Burp Suite scanner with those discovered by WAS and share this information with multiple users. To learn more about this and future integrations, refer to the blog article at the Qualys Community.

Go to Burp > Reports and click Import to get started. You can manage your imported Burp reports in the Burp reports list. You'll see the issues from your imported reports in the Burp issues list.

Reporting

Create and manage reports on your web applications within the Reports section. You can create various reports (Web Application Report, Scan Report, Scorecard Report and Catalog Report) and download them in various formats. All reports are interactive. You can create them online, change the parameters and settings and see results instantly.

Create your first report

Select Reports and then select New Report, or click the + button (on the right, below your user name).

How do I get started?

Select a report type. In this example we've selected Scan Report. Choose a target for your report. For a scan report, you can choose any number of scans that have the same target web application. Click Finish to create the report. Your report will appear on its own tab.

Here's a sample scan report. Click Edit Report if you want to change the report settings and apply filters to the report content. You might want to save the report so that it's available to other users and available to you the next time you log in to WAS. To save the report, click Download and select the format. The summary displays graphs showing the findings of the scans you reported on.

Scroll down to view the results. You'll see the detected vulnerabilities (QIDs) with their severity levels. Click a vulnerability row to view the instances of that vulnerability. Click an instance to view the Vulnerability Details window.

Move your report to a new browser window

If you want to do side-by-side comparisons or work with multiple reports at one time, click the icon in the report header to move your report to a new browser window. You can edit and download your report in the new window just as you would within the UI.

Manage your reports

The Report List is where you view your reports, create new reports, and download them.

1. Launch new reports, save and download reports to the local file system in one of many formats, or delete selected reports.
2. View your report history. Click column headings to sort reports by name, format, type, status and generation date. Mouse over a report to take quick actions.
3. Select one report and view it in the preview pane below the list. Use the actions menu in the preview pane to download or delete the selected report.
4. Search and filter your results. Search and apply filters to quickly find reports you're looking for.

Account Management

How do I manage the web applications and users in my account?

Tell me about tags

The tag management feature allows you to create tags (static and dynamic) to group and organize your web applications. When your account has the Asset Tagging feature turned on, you can manage tags within the Asset Management application: select AM from the application picker. Contact Support or your Account Manager if you are interested in using the Asset Tagging feature. You can manage tags for web applications and other configurations, for example option profiles and search lists. Express Lite users can manage tags for web applications only.

What tags do I start with?

You'll see certain asset tags in your account when you first log in. These are provided as a convenience, and you can add child tags to them to create tag trees. You can also create other top-level tags, edit tags and assign them to tag trees and hierarchies.
- An Asset Group tag appears for each asset group in your account.
- An Unassigned Business Unit tag appears. All users are assigned to the Unassigned Business Unit tag unless your organization has configured custom business units.
- A Business Unit tag appears for each custom business unit in your account. Business units can be defined using the VM application. (Custom business units are not available for Express Lite users.)

Where do I manage tags?

You can manage tags by going to Configuration > Tag Management. If your account has the Asset Tagging feature turned on, you can manage tags within the Asset Management application: select AM from the application picker.

Tell me about users

Users are created in the VM application. Once a new user logs in to our security service and goes to the WAS application, the user is automatically assigned WAS roles (what the user can do) and scope (what the user can access). We'll assign one or more WAS roles to each user, depending on the user's roles and permissions within the VM application.

Are you an Express Lite user? If yes, then all users will be Manager users. When these users go to the WAS application they will be assigned the Manager role with full scope (access to all configurations, scans and reports).

Do you have another service type? We'll assign an initial WAS role automatically, based on the user's role within the VM application. You can edit user settings, including roles, scopes and permissions, using the Administration utility. You'll see this option in the application picker.

What about the user scope?

We'll assign each user an initial scope automatically, and this can be changed using the Administration utility. Users with the Manager role are granted full permissions and full scope. Other users (Scanners, Readers) are assigned the tag "Unassigned Business Unit" or a custom business unit tag. Here's a summary of the initial user settings:

Contact Support

Qualys is committed to providing you with the most thorough support. Through online documentation, telephone help, and direct email support, Qualys ensures that your questions will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. Access online support information at www.qualys.com/support/.