Web Application Scan Settings

Provide web application scan settings when starting a new web application scan. Underlying scan settings are optimized to test the security of web applications per PCI Requirement 6.6.

Best Practice - The Crawl Only option allows you to define a scan that will crawl the web application without performing security vulnerability checks. We strongly recommend that you use the Crawl Only option for your first scan.

I do not have any web applications. What should I do?

See Managing Web Applications

Do I need to use authentication?

Select an authentication record if the web application you're going to scan has login forms. If not, select the option "No Authentication". See Managing Authentication Records.

Tell me about the form submission option

The web crawler follows links to form actions that it encounters when the form method attribute matches the selection. This configuration does not apply to authentication. If an authentication record is selected for the scan, the scanning engine will attempt to authenticate no matter which form submission option you select.

What is the maximum number of links that can be crawled during a scan?

The default is 300, and the maximum is 5,000.

What is "Limit crawling to starting URI"?

When selected, the web crawler follows links down the web site branch in the same directory as the starting URI. It will not follow links across the web site branch to pages parallel to the starting URI.
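As an added illustration (not Qualys's own code or its crawler logic), the following Python models how the three crawl-scope settings above interact on one page: which form actions are followed under the form submission option, the "Limit crawling to starting URI" branch rule, and the maximum-links cap. The option values none/get/post/both, the starting URI and the sample page are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LinkCollector(HTMLParser):
    """Collects <a href> targets and <form> (method, action) pairs from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":  # a form with no method attribute submits with GET
            self.forms.append(((a.get("method") or "get").lower(), a.get("action") or ""))

def in_branch(start_uri, url):
    """True when url sits in the directory branch that contains the starting URI."""
    s, t = urlsplit(start_uri), urlsplit(url)
    if (t.scheme, t.netloc) != (s.scheme, s.netloc):
        return False
    base_dir = s.path.rsplit("/", 1)[0] + "/"  # /app/ for /app/index.html
    return t.path.startswith(base_dir)

def crawl_targets(start_uri, html, form_submission="get", limit_to_branch=True, max_links=300):
    """Ordered, de-duplicated URLs the crawler would queue from this page under the settings."""
    # Assumed option values for "form submission": none, get, post or both.
    allowed = {"none": set(), "get": {"get"}, "post": {"post"}, "both": {"get", "post"}}[form_submission]
    parser = LinkCollector()
    parser.feed(html)
    candidates = parser.links + [action for method, action in parser.forms if method in allowed]
    queue = []
    for c in candidates:
        url = urljoin(start_uri, c).split("#")[0]  # a fragment never selects a different page
        if url in queue or (limit_to_branch and not in_branch(start_uri, url)):
            continue
        queue.append(url)
        if len(queue) >= max_links:  # the "maximum links" setting caps the crawl
            break
    return queue

# Constructed sample page: an in-branch link, its fragment duplicate, a parallel
# branch, another host, and two forms (explicit POST, implicit GET).
SAMPLE_PAGE = """<a href="/app/reports/list.html">Reports</a>
<a href="/app/reports/list.html#top">Same page</a>
<a href="/admin/users.html">Parallel branch</a>
<a href="https://other.example/app/x">Other host</a>
<form method="post" action="/app/search"></form>
<form action="/app/filter"></form>"""
START = "https://app.example/app/index.html"
```

With the defaults (GET forms only, branch limit on) only the in-branch link and the implicit-GET form action are queued; switching the form option or the branch limit changes the queue as the settings descriptions above state.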

What is the Bandwidth option?

Several bandwidth levels are provided, and each level represents multiple settings. It's recommended that you use the default bandwidth level (Medium) to get started.

Tell me about the header injection option

See Advanced Options