
WhiteHat Security Sentinel Service User Guide Version 3.0 September 2010

Contents

Preface 4
  Intended audience 4
  How to use this guide 4
    Administrators 4
    Security Operators 4
    Developers 4
    Viewers 5
  Need help? 5
    Resources 5
    WhiteHat Security Customer Support 5
Getting Started 6
  Task overview 6
  Logging in to Sentinel 7
  Navigating in Sentinel 8
  Creating and managing site groups 10
  Setting up and managing user accounts 11
    User roles 11
    Managing users 12
    Creating a new user 13
    Modifying a user's settings 14
    Deleting a user 14
  Editing your Sentinel account settings 15
    Email preferences 15
    Public Key 15
    API Web Key 15
Managing Your Sites 17
  Interpreting site findings 19
    Site Summary info boxes 19
    Hostnames and links 19
  Setting up your site credentials 20
    F5 Web Application Firewall (WAF) Credentials 22
  Adjusting a site's priority level, scan speed, and industry 22
Managing Sentinel Scans 24
  WhiteHat Security IP Addresses 24
  How long do scans take to complete? 24
  Scheduling scans 25
    Editing a scan 27
    Stopping a Scan 27
  Exporting scan schedules 27
  Viewing recent scan activity 28
    Scan status indicators 29
    If a site has not been scanned 34
Managing Your Site Vulnerabilities 35
  What vulnerabilities does Sentinel scan for? 35
  Viewing site vulnerabilities 37
  Retesting site vulnerabilities 39
Generating Reports 40
  Creating a new vulnerability report 41
Using the Sentinel Open XML API 44
Glossary 45
  Sentinel interface terms 45
  Business logic vulnerabilities 48
  Technical vulnerabilities 52
  F5 Web Application Firewall (WAF) terms 57
  General web application security terms 57

Preface

Intended audience
This guide shows assigned Administrators, Security Operators, Developers, and Viewers how to use WhiteHat Sentinel to find and fix vulnerabilities on their websites.

How to use this guide
Depending on your assigned role, this guide helps you:
- Get in and around WhiteHat Sentinel
- Set up Sentinel user accounts
- Manage your sites and user site access
- Schedule scans and manage scan credentials
- Interpret scan reports
- Perform optional operations, such as managing your F5 WAF credentials and using the WhiteHat Sentinel open XML API

Administrators
If you are an assigned Administrator, you have full control of all of your Sentinel operations, and this entire guide applies to your activities.

Security Operators
If you are a Security Operator, you may want to read:
- Getting Started: Logging in to Sentinel, Navigating in Sentinel, Editing your Sentinel account settings
- Managing Your Sites
- Managing Sentinel Scans
- Managing Your Site Vulnerabilities
- Generating Reports
- Using the Sentinel Open XML API

Developers
If you're a Developer, you may want to read:
- Getting Started: Logging in to Sentinel, Navigating in Sentinel, Editing your Sentinel account settings
- Managing Your Site Vulnerabilities: Retesting site vulnerabilities
- Generating Reports

page 4 of 58

Viewers
If you're a Viewer, you may want to read:
- Getting Started: Logging in to Sentinel, Navigating in Sentinel, Editing your Sentinel account settings
- Generating Reports

Need help?

Resources
For more help, you can:
- Look up terms in the Glossary at the end of this user guide.
- Log in to your Sentinel account and click the Resources tab for a complete glossary, FAQs, white papers, API integration instructions, and other information about web security.
- Click the info buttons on each web page for help on certain topics.

WhiteHat Security Customer Support
To contact WhiteHat Security Customer Support:
- Go to the WhiteHat Support Portal: https://whitehatsec.supportportal.com
- Send us email at: support@whitehatsec.com
- Call 408-343-8340 from 6:00 AM to 7:00 PM Pacific Time, Monday through Friday (excluding holidays).

WhiteHat Support Plus is available in three service levels: the Standard Support level is free, and you can upgrade to Silver Support or Gold Support according to your needs. To see which level is best for you, go to: http://www.whitehatsec.com/home/supportplus/supportlevels.html

Getting Started

Ensure scanning success in 3 steps!
Who can do this? Administrator and Security Operator

You have received your confirmation email and created a password, so you're in. Right? Well, yes. But scanning doesn't start until you tell it to and let us in. There are three important steps you absolutely must take to get scans running on your sites. Be sure to:
1. Log in to the Sentinel interface.
2. Configure your sites, including setting up credentials to allow us to scan. (Administrator only)
3. Set up a scan schedule for each site to start and continue scanning.

Task overview
The basic steps for setting up and using WhiteHat Sentinel are:
1. Log in as a new user. This is initially done by the first assigned Administrator, and then by additional users as defined by their roles.
2. Manage your sites, including setting up credentials and site groups. (Administrator)
3. Set up user accounts. (Administrator)
4. Schedule and start scans. (Administrator and Security Operator)
5. Review vulnerabilities. (All users)
6. Generate reports. (All users)
7. Integrate our open XML API into your ticketing system. (Optional; Administrators and Security Operators)
8. Manage F5 WAF credentials. (Optional; Administrators and Security Operators)

Getting Started takes you through steps one through four.

Logging in to Sentinel
Who can do this? All users, after the initial Administrator logs in and sets up user accounts. (For browser requirements, from Resources, click the FAQ link.)

Here is how to log in to Sentinel when your organization subscribes and assigns you as the initial Administrator, or when the Administrator has assigned you a user role:
1. You receive an email from WhiteHat Security Support to establish access to your account.
2. Follow the link and instructions in the email. Your username is the email address the Administrator used in setting up your access. Note: This link is valid for 48 hours from the time the email was sent.
3. To ensure username security, you receive a second email with a URL to establish your password.
4. Follow the link and enter your password information. Note: Your username and password are case sensitive.

After set-up, here is how to log in:
1. Go to: https://sentinel.whitehatsec.com
2. Enter your username and password.

If you have problems logging in, check:
- Username and password. Both are case-sensitive in the Sentinel login screen.
- Spam filter settings. If you changed your password recently, make sure the spam filter settings in your email account do not filter out the do-not-reply@whitehatsec.com address that sends the password confirmation email.

Navigating in Sentinel
Who can do this? All users

When you log in to Sentinel, you land on your Summary page. The options and menus on your page depend on your role. (For example, only Administrators see an Admin tab, and only Administrators and Security Operators see the scan schedule as a menu.)

(Figure: Summary Page)

Click a tab to go to:
- Summary: An overview of your sites' security.
- Findings: A list of all security problems Sentinel found in your sites.
- Schedule: A list of all scheduled events (such as scans).
- Reports: Where you enter criteria for vulnerability reports.
- Account: Your Sentinel account information, including email options.
- Admin: Editable user details such as roles and site accessibility. (Only Administrators can see this tab.)
- Resources: An API reference, white papers, a glossary, and other help and industry references.

The Pending Messages link, located next to the subject tabs and also under the Admin tab, takes you to the Account Messages page. Here you'll find the latest release information and other general messages from WhiteHat Security, along with any alerts about the status of your scans.

Creating and managing site groups
Who can do this? Administrators

You can create site groups and manage user roles according to your organization's needs. Note: The Rename Group and Delete Group buttons appear when you select a group name.
1. Click the Admin tab.
2. Click Site Management.
(Figure: Grouping Sites)
3. Below Site Groups, click Add New Group. A new entry is added to the Site Group list.
4. Name the site group.
5. Drag and drop sites from the All Sites list to the new group. The added sites appear below the group name.

After you create a group name, you can:
- Add or remove sites to or from a site group: Drag the site name to or from the site group.
- Rename a site group: Select the group name and click Rename Group.
- Delete a site group: Select the group name and click Delete Group.
Note: If an administrator deletes a site group, users no longer have access to that site group.

Setting up and managing user accounts

User roles
Who can do this? Administrators

The Administrator defines user roles with corresponding site access and privileges. The roles are Administrator (Admin), Security Operator, Developer, and Viewer.

User Privileges

Task                        Admin   Security Operator   Developer   Viewer
Manage users                  X
Manage roles                  X
Create site groups            X
Schedule/start scan           X           X
Configure scan                X           X
Retest vulnerabilities        X           X                 X
Generate reports              X           X                 X           X
Schedule reports              X           X                 X           X
View vulnerabilities          X           X                 X           X
Set up F5 WAF credentials     X           X
Set up open XML API           X           X

Each service subscription can include multiple administrators. The highest privilege level within Sentinel is an administrator with All Sites access. Administrators who do not have access to all sites are limited to creating site groups and granting access to the sites that they administer. When your organization subscribes to Sentinel, WhiteHat Security creates an administrator with access to all sites, and that administrator can give all-site permissions to other administrators. Depending on your Sentinel set-up and organizational needs, access to all sites may not be required; grant it only to the administrators who actually need it.

Each user can have only one role, with the corresponding privileges on one or more sites. For example, if you are an Administrator, you have admin privileges for every site you can access; if you are a Viewer, you have Viewer privileges for every site you can access, and so on.

Managing users
You can add, edit, and remove the following user information from Admin > User Management:
- User email (used as the username; case sensitive)
- Title
- Phone number
- Cell phone number
- Time zone
- Country
- Vulnerability summary email options
- Role (defines privilege level)
- Sites (that this user can access)

Creating a new user
To create a new user:
1. Click the Admin tab.
(Figure: Creating a New User)
2. In the User List, click New.
3. In Add New User, enter the new user's information, including the role and the site(s) the user can access under that role.

The user's email address must be unique. Once set up, an account's email address cannot be edited or reused. However, if the account is deleted, it can be reactivated by having the account's main point of contact call WhiteHat Security Support.
Select All, None, or one or more site names. To select more than one site:
- On a PC, hold the Control key and select the site names.
- On a Mac, hold the Command key and select the site names.
4. Click Create User.

Modifying a user's settings
You can modify any settings other than the user's email address:
1. Click the Admin tab.
2. In the User List, click the username.
3. In User Details, enter the new information.
4. Click Save.

Since the user's email address is used as their username, to change the email address you need to delete the account and create a new one with the correct email address:
1. Click the Admin tab.
2. In the User List, click the username.
3. Click Delete.
4. Follow the instructions for creating a new user, including re-establishing their role and sites.

Deleting a user
Once deleted, a user cannot access Sentinel. If the user tries to log in and clicks the Forgot Username or Password? link on the login screen, they are granted access to a WhiteHat Security demo account with no displayed websites. The administrator must create an account with a new email address, or contact WhiteHat Security Support to re-establish the previous account.

To delete a user:
1. Log in to your Sentinel account.
2. Click the Admin tab.
3. In the User List, click the username.
4. Click Delete.

Editing your Sentinel account settings
Who can do this? All users

From the Account tab, you can modify your account information, including:
- Contact information
- Time zone
- Email preferences
- Password
- Public key (Administrators and Security Operators only)
- Open XML API web key (Administrators and Security Operators only)

To edit your account settings:
1. Log in to your Sentinel account.
2. Click the Account tab.
3. Modify your account information and click Save. If you're generating a Web API key, click Save and Generate Web API Key.

You can use session cookies as an alternative to a Web API key. For details, go to Resources > API Reference > API Cookie Authentication, or go here: https://sentinel.whitehatsec.com/help/api.html#whid_cookie

Email preferences
In the Email Preferences field, choose how often you want to receive status email summaries:
- Select Daily to receive email summaries every day, including weekends.
- Select Weekly to receive email summaries once a week.
- Select Monthly to receive email summaries once a month.
Select whether to include your host names in your email summaries. (Deselect this option for added security, so that a summary email read by the wrong person does not reveal which of your sites have open findings.)

Public Key
In the Public Key field, you can create or edit a key that allows you to receive a scheduled report via encrypted email. If your mail setup uses PGP (Pretty Good Privacy) keys to send secure data across untrusted networks, click Edit Key to paste or edit your PGP public key.

API Web Key
Who can do this? Administrators and Security Operators

If you are integrating the open XML API into your system, you need a Web API key to authenticate your API requests. Your key is generated when you go to Account and click Save and Generate Web API Key. Never share your Web API key with anyone: this key could allow others to access your vulnerability information. Treat it like a password and keep it out of source control and shared scripts. Our support team will never ask for your Web API key.

You can also authenticate API requests by presenting a valid session cookie. After a successful login, the Sentinel server sets a cookie named APID in your browser, and the browser presents it on each subsequent request. The APID cookie expires at the end of the session (on logout), so a script that relies on it must log in again once the session ends. For more about using our open XML API, go to Resources > API Reference.

Managing Your Sites
Who can do this? Administrators

Before scheduling your first vulnerability scan, review your account's site information. Additional information may be required before Sentinel can scan your sites, such as a set of credentials to reach authenticated areas of a site. You can set the scan schedule and time zone for all sites from Summary > Executive Summary > Site Overview. For an individual site's information and activity, click the site name on the Summary page. This brings you to the Site Summary page, where you can view and adjust the site's summary, including site credentials, vulnerability findings, and site-specific activities.

(Figure: Site Summary Page)

Interpreting site findings

Site Summary info boxes
The boxes at the top of each site's summary page give you a quick overview of the site's completed scan count, priority, global rank, and industry rank.
- Scans completed in last 30 days: The number of scans that have finished in the preceding 30 days.
- Priority: The site's importance to your business, on a scale of 1 to 10. A change in priority affects the score of all vulnerabilities found on this site.
- Global rank: Your site's approximate percentile rank against all sites that have been scanned at least twice. The percentage is the share of scanned sites that contain more vulnerabilities than yours, so a global rank of 20% means that 80% of all WhiteHat-scanned sites have fewer vulnerabilities than your site. Sites that have not yet been globally ranked are labeled Unranked.
- Industry rank: Your site's approximate rank against all sites within your vertical market that have been scanned at least twice. Note: This box appears only if WhiteHat Security has scanned at least 10 sites in your industry more than once.

To change the priority, scan speed, or industry:
1. From the Site Summary page, click the Settings link.
2. Adjust the settings.
3. Click Update.

Hostnames and links
The hostname is the base URL that we have under contract for a site. The scanner finds and tests only links that have the same base URL, which keeps scanning for your account within approved sites. For example, if a site has a hostname of www.site.com, only links under www.site.com are tested (www.site.com/login, www.site.com/contact, and so on).

A site may also have one or more associated hostnames. An associated hostname is a URL that differs from the base URL but is part of, or the same as, the application found on the main hostname. For example, a site may have sign-on and user account management pages on a URL such as secure.site.com, while the main hostname we have for the account is simply www.site.com. In this case, secure.site.com must be added as an associated hostname, since it is considered part of the same account. To create an associated hostname, contact WhiteHat Security Support.

As your website continues to add features and functions, when you create links from the original site, the scanner finds them and marks them for testing during the next scheduled scan. All findings from this testing are reported in the next scan. For this and other reasons, we strongly recommend that you set scan schedules to run frequently and until completion. This ensures ongoing site coverage as you add new web code.
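The scope rule described above, written out as an added Python example (this is not WhiteHat's crawler code, and the guide does not say how Sentinel implements the check): a discovered link is in scope only when its hostname exactly matches the contracted hostname or one of the associated hostnames. Matching on the whole hostname rather than on a prefix or substring is what keeps look-alike hosts (www.site.com.attacker.example) and userinfo tricks (https://www.site.com@attacker.example/) out of scope. www.site.com and secure.site.com are the guide's placeholders; the sample links are constructed.

```python
from urllib.parse import urlsplit

# Constructed example: the contract hostname plus one associated hostname,
# following the guide's www.site.com / secure.site.com scenario.
CONTRACT_HOSTNAME = "www.site.com"
ASSOCIATED_HOSTNAMES = frozenset({"secure.site.com"})


def in_scope(link, base=CONTRACT_HOSTNAME, associated=ASSOCIATED_HOSTNAMES):
    """Return True if a discovered link belongs to the contracted site.

    The comparison is on the complete hostname, case-insensitively, so
    suffix look-alikes and credentials-in-URL tricks are rejected instead of
    being swept into the scan.
    """
    parts = urlsplit(link)
    if parts.scheme not in ("http", "https"):
        return False                      # mailto:, javascript:, ftp: are never crawled
    host = (parts.hostname or "").lower()  # urlsplit strips userinfo and port for us
    if not host:
        return False
    allowed = {base.lower()} | {h.lower() for h in associated}
    return host in allowed


def partition_links(links):
    """Split crawled links into those the scanner tests and those it skips."""
    tested = [link for link in links if in_scope(link)]
    skipped = [link for link in links if not in_scope(link)]
    return tested, skipped


# Constructed sample of links a crawler might extract from one page.
SAMPLE_LINKS = [
    "https://www.site.com/login",
    "https://WWW.SITE.COM/contact",                 # case differs, same host
    "https://secure.site.com/account/settings",     # associated hostname
    "http://blog.site.com/post/1",                  # not associated: out of scope
    "https://www.site.com.attacker.example/login",  # suffix look-alike
    "https://www.site.com@attacker.example/",       # real host is attacker.example
    "mailto:admin@www.site.com",                    # not an HTTP link at all
]

if __name__ == "__main__":
    tested, skipped = partition_links(SAMPLE_LINKS)
    print("tested:", *tested, sep="\n  ")
    print("skipped:", *skipped, sep="\n  ")
```

Run it and the three links on www.site.com and secure.site.com come back as tested, while the blog host, the two look-alikes, and the mailto link are skipped.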

Setting up your site credentials
WhiteHat Security uses credential sets to log in to your sites and reach pages and forms that are not accessible to unauthenticated end users. A credential set includes:
- Username
- Password
- Login Entrance URL
- Destination URL (after a successful login)
- Other Login Notes (information about this site or its users that WhiteHat Threat Research Center (TRC) engineers will need when setting up scanning or doing business logic testing)

There are two uses for credential sets:
- Scanning Credentials (all users). WhiteHat's automated scanning technology covers pages and forms throughout the site. An automated scan uses a single credential set, so we encourage you to provide a super-user login that allows us to visit the entire site.
- Business Logic Credentials (Sentinel PE users only). WhiteHat's Threat Research Center (TRC) engineers use these credentials to manually verify vulnerabilities, examine interactions among user roles, and check whether website information leaks from one user to another. For instance, your site may behave differently for admin users, returning customers, prospects, or high-value shoppers. Labeling each credential pair ("admin", "gold-card-customer", and so on) helps our TRC engineers match credentials to business situations.

The number of credentials you enter, and how they are used, depends on whether you have a Sentinel BE, SE, or PE account. Credentials should allow maximum access (such as admin or super user) to the site's functions. Credentials are optional, but they give far better scan coverage than an unauthenticated scan, so we strongly recommend assigning them. Use a dedicated account for the scanner rather than a person's login, so that its activity is recognizable in your logs and the credential can be changed without affecting anyone.
- Sentinel Basic Edition (BE) account users enter one credential set, used for automated scanning.
- Sentinel Standard Edition (SE) account users can enter one or two credential sets, both used for automated scanning. The second is recommended as a backup in case the first isn't accepted during scanning.
- Sentinel Premium Edition (PE) account users can enter one or more credential sets. The first is used for automated scanning; the second is recommended as a backup in case the first isn't accepted. Subsequent credential sets are used by WhiteHat's TRC engineers to perform business logic analysis.

To create site credentials, follow these steps after logging in:
1. Click the Summary tab.
2. From Site Overview, select the site.
3. In the Site Summary page, click the Credentials link.

(Figure: Entering Credentials)
4. Enter a Username and Password.
5. In the Login Entrance URL field, enter the URL where the scanner will enter these credentials.
6. In the Destination URL field, enter the URL that displays after a successful login, if applicable. (Not all websites change the URL as part of their authentication flow.)
7. (Optional) In the Other Login Notes field, enter information to distinguish this account from others that have varying levels of access to the web application. (Examples: "You need to have cookies turned on" or "Site asks for your pet's name. Answer: Lassie.")
8. Click Done, or click Add a Credential if you have more than one credential for the scanner to use. You can now enter the second half of the pair, with a different username and password but similar permissions.
PE users can also assign roles and credential pairs for business logic testing.

(Figure: Site Credentials (Example))
After you have set up credentials, the Credentials page shows the following state information:
- Valid means we have confirmed that these credentials work.
- Under Review means we have not yet tested these credentials or put them to work in automated scans.
- Invalid means we have had trouble logging in to your site, or otherwise cannot get the login to work.
- The last user to change or edit the information, and when the changes were made.

F5 Web Application Firewall (WAF) Credentials
Who can do this? Administrator, Security Operator

WhiteHat Sentinel integrates with the F5 Application Security Manager (ASM), a web application firewall that applies a security policy to protect against website attacks. Sentinel users can update their F5 ASM security policy on a per-vulnerability basis from within the Sentinel interface. This mitigates the risk of exploitation while the vulnerability is addressed with an application code or system update; the WAF policy is a stopgap, and the vulnerability still needs to be fixed in the application.

To add or modify F5 WAF credentials, go to Account > Manage F5 Credentials. To add a new F5 ASM device and its credentials, click the New credential link. To modify credentials, in the Actions column, click Edit.

Adjusting a site's priority level, scan speed, and industry
You can specify your site's priority level, scan speed, and the industry to which your site belongs. To edit your site settings:
1. Log in to your Sentinel account.
2. From Summary > Executive Summary > Site Overview, click the site name.
3. Click the Settings link.
4. In the Priority field, select a level from 1 (Low) to 10 (Urgent). Level 5 is the default for all sites added to Sentinel. Note: Changing this number also affects the Score of every individual vulnerability discovered on this site.
5. In the Scan Speed field, select how fast the scanner may send requests:
   - Slow: Up to two HTTP requests per second
   - Medium: Up to four requests per second (default)
   - Fast: Unlimited requests per second
6. In the Industry field, select the closest match to your site's vertical market.
7. Click Update.

Managing Sentinel Scans
Who can do this? Administrators and Security Operators

WhiteHat Security IP Addresses
To let us scan your website, your security team may need to allow our source IP addresses through firewalls, WAFs, and rate limiters. Allowlist each block by its CIDR prefix:
- 209.10.217.224/27: A block of 32 addresses (30 usable hosts) used for the Sentinel service, PE testing, disaster recovery, and so on.
- 63.251.227.208/30: A block of 4 addresses (2 usable hosts).
The following ranges are used for backup and disaster recovery:
- 64.94.92.240/28: A block of 16 addresses (14 usable hosts).
- 67.207.113.224/28: A block of 16 addresses (14 usable hosts).

How long do scans take to complete?
WhiteHat Sentinel scans run "low and slow," meaning they should have no discernible effect on your website's performance. WhiteHat Security scans some of the most complex and mission-critical websites in the world without causing performance issues. Scan time depends on various factors, such as:
- Size and complexity of the website
- Number of inputs
- Number of pages to assess
- Web server speed (page load time)
- Amount of business logic within the website
- Length of the scan windows provided by the customer
Initial scans for the average WhiteHat-monitored site may take a day or less, but very large sites may take as long as a few weeks to complete. Note: Sentinel SE and PE users, keep in mind that findings appear in your interface only after they have been verified by a TRC engineer.
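Two checks a security team usually wants around the address list above, written as an added Python example (not WhiteHat tooling): the address count of each CIDR block, which shows why "/27" is 32 addresses with 30 usable hosts, and a lookup that tells whether a source IP seen in your web logs falls inside the published scanner ranges. The four CIDR blocks are the ones this 2010 edition of the guide lists; the range labels and the log lines are constructed for the example, and 198.51.100.0/24 is an RFC 5737 documentation range. Vendor scanner ranges change over time, so confirm against current documentation before using them in an allowlist.

```python
import ipaddress

# The four ranges listed in this section of the guide. Labels are the
# example's own shorthand for the guide's descriptions.
SCANNER_RANGES = {
    "209.10.217.224/27": "Sentinel service, PE testing, DR",
    "63.251.227.208/30": "Sentinel secondary block",
    "64.94.92.240/28": "backup / disaster recovery",
    "67.207.113.224/28": "backup / disaster recovery",
}
NETWORKS = {ipaddress.ip_network(cidr): label for cidr, label in SCANNER_RANGES.items()}


def address_counts(cidr):
    """Return (total addresses, usable host addresses) for a CIDR block.

    A /27 holds 32 addresses; 30 remain once the network and broadcast
    addresses are set aside. Prefixes of /31 and /32 have no such overhead.
    """
    net = ipaddress.ip_network(cidr)
    total = net.num_addresses
    usable = total - 2 if net.prefixlen <= 30 else total
    return total, usable


def scanner_label(ip):
    """Label of the WhiteHat range containing `ip`, or None if it is not scanner traffic."""
    addr = ipaddress.ip_address(ip)
    for net, label in NETWORKS.items():
        if addr in net:
            return label
    return None


def classify_log_sources(log_lines):
    """Map each source IP in combined-format access log lines to its scanner label or None.

    Use this when scan-like traffic shows up in your logs: a source that maps
    to None is not WhiteHat and gets your normal incident handling.
    """
    result = {}
    for line in log_lines:
        ip = line.split(" ", 1)[0]   # combined log format starts with the client address
        result[ip] = scanner_label(ip)
    return result


# Constructed sample access log lines (Apache/nginx combined format).
SAMPLE_LOG = [
    '209.10.217.230 - - [12/Sep/2010:02:14:07 -0700] "GET /login HTTP/1.1" 200 512 "-" "-"',
    '64.94.92.241 - - [12/Sep/2010:02:14:09 -0700] "GET /contact HTTP/1.1" 200 311 "-" "-"',
    '198.51.100.17 - - [12/Sep/2010:02:14:11 -0700] "GET /login HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for cidr in SCANNER_RANGES:
        total, usable = address_counts(cidr)
        print(f"{cidr}: {total} addresses, {usable} usable hosts")
    for ip, label in classify_log_sources(SAMPLE_LOG).items():
        print(f"{ip}: {label or 'NOT a WhiteHat scanner range'}")
```

The first two sample requests resolve to WhiteHat ranges; the third, from the documentation range, does not, which is the case that should be treated as ordinary unsolicited scanning.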

Scheduling scans For your first few scans, we recommend scheduling your scans to run during non-peak hours and continuously during the weekend. Once you have confirmed that there is no impact by scans during those time periods, we recommend running scans continuously, which means 24 hours a day, with a fresh scan starting as soon as the current one completes. Schedules take effect right away. If your schedule allows scanning in the current hour, it will start (or continue). It can take up to 10 minutes for scans to stop or start. You will see the current scan status (after you refresh your browser window) as it changes. If you turn off scanning in the current hour, it will start again the next time an allowable hour arrives. There are no options for fractional hour scheduling or setting scans to start on a future calendar date. For simplicity, we have included primary global time zones, but not every unique combination of time zone/savings time. Contact support@whitehatsec.com to log an enhancement request for additional time zones. To schedule a scan: 1. Go to one of the following areas: Summary > Executive Summary Summary > Executive Summary > Site Overview <site name> Schedule 2. For the selected site, in the Scan Schedule column, select a schedule. Continuous: Enables scanning at all times. This is the recommended option. Nights and Weekends, 8P-6A: Enables scanning between 8:00 PM and 6:00 AM during weekdays and continuously during weekends. Be sure you select a corresponding time zone to determine exactly when 8:00 PM is in that geography. The time zone option defaults to the time zone you picked for yourself on the Account tab, but can also be set for each site from the Time Zone column to the right of the Scan Schedule column. Not Scheduled/Stopped: When you first set up your sites, they are set to Not scheduled/stopped. Be sure to schedule regular scans for each site, so WhiteHat Sentinel can continue to monitor for any threats. 
   Customize: You can create your own custom scan schedule, as follows. When you select Customize, you can either create a schedule (recommended) or run the scan once.

Schedule scanning time

A grid shows all of the hours in a week. The rows represent days (starting with Sunday) and the columns represent hours (starting with 0:00-0:59, or Midnight to 1:00 AM).

Customizing Scan Times

By default, all hours show a green check mark, specifying that scanning is permitted during that hour. If you leave all cells with green check marks, this is the same as a continuous scan. You can click individual cells, changing them to red X's. Red X's signify that scanning is not permitted during that hour.

To change multiple cells, you can:
  Click and drag your mouse around the interface.
  Click a row or column header to change an entire row/column. Click a second time to toggle between green check marks and red X's.

The time zone selected should match where your system is or the clock to which your hours refer. The default is the time zone you chose in your user profile on the Account page.

For example: You work in New York and the time zone under the Account tab is set for Americas/New York. Your web server is in Americas/Los Angeles. If you leave the setting defaulted to New York, the scan will run/not run in Eastern Standard Time. If you change it to Los Angeles, the scan will run/not run in Pacific Standard Time, regardless of your default setting.

Name the scan schedule something meaningful, such as NYSE non-trading hours.

Once you create a schedule, it appears on the list as long as one or more sites are using it. Custom schedules created for one site can be re-used for additional sites.

Editing a scan

To edit an established scan:
1. From the Scan Schedule list, select Customize.
2. Edit the schedule as necessary.
3. Save the schedule under the previous name or give it a new name.

Scanning only once

Note: We recommend against scanning once without an ongoing schedule, since this leaves your site unprotected after that single scan completes.

When you select this option, all hourly/daily scheduling windows are disabled. The scan starts immediately and runs continuously until it completes, for one time only. To run one scan, from Scan Schedule > Customize, click Run scan once continuously until completion.

Stopping a Scan

To disable all scanning for a site, or stop a running scan, select Not scheduled/Stopped. You cannot pause and restart a scan while it is running. A status of Not scheduled/stopped leaves your site unprotected, so we do not recommend leaving sites in this state. You may get frequent reminders that this site needs a new scan schedule.

Exporting scan schedules

For a comma-separated values (CSV) file with schedule information for all of your sites:
1. Click the Schedule or Summary tab.
2. Below the Site Overview, click the Download CSV link.

By default, the file is named scheduled_scans.csv. This file may show more than one row for each site, since it lists each contiguous block of hours that the scan will run. For instance, each nightly scan window may have its own entry.
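The weekly 7 x 24 grid, the time-zone rule from the New York/Los Angeles example and the one-row-per-contiguous-block CSV export are easy to misread; the Python below models all three as an added example (not WhiteHat code and not the Sentinel file format). The preset hours for Nights and Weekends 8P-6A follow the guide; the CSV column names, helper names and the Python zone identifiers America/New_York and America/Los_Angeles are assumptions.

```python
"""Model of the Sentinel weekly scan-schedule grid (added example, not WhiteHat code)."""
import csv
import io
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]  # grid rows start with Sunday


def continuous():
    """Preset 'Continuous': every cell is a green check mark."""
    return [[True] * 24 for _ in DAYS]


def nights_and_weekends():
    """Preset '8P-6A': weekdays permit 20:00-05:59 only, weekends permit all hours."""
    grid = continuous()
    for day in range(1, 6):  # Mon..Fri
        grid[day] = [h >= 20 or h < 6 for h in range(24)]
    return grid


def utc(iso_text):
    """Constructed UTC instant from an ISO string such as '2015-03-03T03:30'."""
    return datetime.fromisoformat(iso_text).replace(tzinfo=timezone.utc)


def scanning_allowed(grid, instant, tz_name):
    """True if the instant falls in a permitted hour, evaluated in the schedule's zone."""
    local = instant.astimezone(ZoneInfo(tz_name))
    sunday_first = (local.weekday() + 1) % 7  # Python: Mon=0 ... grid: Sun=0
    return grid[sunday_first][local.hour]


def contiguous_blocks(grid):
    """Yield (day, first_hour, last_hour) for each run of permitted hours in a day."""
    for d, row in enumerate(grid):
        start = None
        for h, ok in enumerate(row + [False]):  # trailing False closes an open run
            if ok and start is None:
                start = h
            elif not ok and start is not None:
                yield DAYS[d], start, h - 1
                start = None


def export_csv(site, grid, tz_name):
    """Render one row per contiguous block, the shape scheduled_scans.csv is described as having."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["site", "time_zone", "day", "start", "end"])
    for day, first, last in contiguous_blocks(grid):
        writer.writerow([site, tz_name, day, f"{first:02d}:00", f"{last:02d}:59"])
    return out.getvalue()
```

With the 8P-6A preset, a Monday 22:30 Eastern instant is a permitted hour when the schedule zone is New York but not when it is Los Angeles (where it is 19:30), which is exactly the difference the time-zone setting controls.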

Viewing recent scan activity

As described below, you can view the following scan activity details for all of your sites or for each site individually:

  Vulnerability scan started indicates a newly scheduled scan cycle has begun.
  Vulnerability scan completed indicates the total scan cycle has finished.
  Vulnerability scan paused, end of scan period reached appears only for scans that run during limited hours, and indicates the scheduled time duration has reached its limit for the day. For instance, a scan scheduled to run from midnight to 6 a.m. pauses at 6 a.m. It automatically resumes during the next window of time in your scan schedule (such as midnight in the above example).
  Vulnerability scan paused by WhiteHat Security means that the WhiteHat Security TRC team paused the scheduled scan.
  Vulnerability scan resuming is also used for limited-hour scans, and indicates the scheduled time at which the paused scan picked up where it left off.

All sites

WhiteHat Sentinel tracks all activities and events related to your account. To view a list of activities for all sites on your account in the last 90 days:
1. Click the Summary tab.
2. Click the Recent Activities link.
3. View your list of activities, listed by date. For a full archive, click the see complete history link.

Individual sites

To view activities for individual sites:
1. From the Summary page, click the name of the site.
2. From the Site Summary page, either:
   Click the Activities link. You see the site's scan activity over the past 90 days. To view all activity, click see complete history.
   Scroll to the bottom of the page to view the site's 10 most recent activities. To view the 90-day history, click the show all... see complete history link. From there, to view the complete archive, click see complete history.

Tested URLs and additional hostnames Sentinel discovered

1. Go to Summary > [site name].
2. On the site summary page, in the box next to the last chart (the site name is at the top of the list), scroll down to the Link Info section.
3. To see if a particular part of your site has been tested, click View all links found in your current scan or View all pages tested in your current scan. If the section of the site you are concerned with appears in any of these URL lists, it has been tested.