
Web Application Scanning

Training Labs

Contents
LAB 1: Account Setup and WAS Overview (20 min.) ........................................................................................ 4
Login to Qualys ....................................................................................................................................................... 4
Service User Agreement ..................................................................................................................................... 6
Update User Profile .............................................................................................................................................. 8
General Information .......................................................................................................................................... 8
User Role .............................................................................................................................................................. 9
Notification Options ........................................................................................................................................ 9
Security .............................................................................................................................................................. 10
Account Settings ................................................................................................................................................. 11
Browser Setup ..................................................................................................................................................... 12
Qualys Browser Recorder .......................................................................................................................... 12
WAS KnowledgeBase ........................................................................................................................................ 13
Search Lists ...................................................................................................................................................... 15
WAS Workflow ...................................................................................................................................................... 17
LAB 2: Basic Web App Setup and Discovery (30 min.) ........................................................................... 18
First Web App - Bodgeit Store ...................................................................................................................... 18
Asset Details .................................................................................................................................................... 19
Application Details ........................................................................................................................................ 20
Explicit URLs to Crawl ................................................................................................................................. 20
Scan Settings .................................................................................................................................................... 21
Crawl Settings ................................................................................................................................................. 21
Redundant Links ............................................................................................................................................ 22
Authentication ................................................................................................................................................ 22
Exclusions ......................................................................................................................................................... 22
Advanced Options ......................................................................................................................................... 22
Malware Monitoring .................................................................................................................................... 23
Comments ......................................................................................................................................................... 23
Review and Confirm ..................................................................................................................................... 23
Second Web App - Bank of Qualys .............................................................................................................. 25
Scheduling Scans ................................................................................................................................................ 27
LAB 3: Advanced Web App Setup and Scanning (60 min.) ................................................................... 28
First Web App - Bodgeit Store Sitemap .................................................................................................... 28
Second Web App – BoQ Sitemap .................................................................................................................. 30
Option Profile ....................................................................................................................................................... 32



Qualys Browser Recorder Crawl Script .................................................................................................... 35
Qualys Browser Recorder Authentication ............................................................................................... 38
Modifying the Web App for Qualys Browser Recorder ..................................................................... 40
Crawl Settings ................................................................................................................................................. 40
Authentication ................................................................................................................................................ 41
Crawl Exclusion Lists ........................................................................................................................................ 42
Vulnerability Testing ........................................................................................................................................ 45
Vulnerability Scan of First Web App – Bodgeit Store .................................................................... 45
Vulnerability Scan of Second Web App - BoQ ................................................................................... 47
LAB 4: Web Application Reporting (30 min.) ............................................................................................. 48
Create a Template .............................................................................................................................................. 53
LAB 5: Tagging (20 min.) ..................................................................................................................................... 61
LAB 6: User Creation and Scope (15 min.) ................................................................................................... 66
Activate the New User ...................................................................................................................................... 71
LAB 7: Burp Integration (10 min.) ................................................................................................................... 73
Web Applications and BURP Issues ........................................................................................................... 74



LAB 1: Account Setup and WAS Overview (20 min.)
This lab covers the steps needed to set up your Qualys student account, followed by the steps
to set up and configure your Web browser. Complete all of the Lab 1 exercise steps before
advancing to subsequent labs.

Login to Qualys
Student account credentials for Self-Paced training classes are automatically generated and sent
to your email inbox within 2 business days (enroll with your business or company email
address; public email accounts are not supported).
Student account credentials for Instructor-Led training classes are provided by the Qualys class
instructor.
Your student account is active for 14 days (from the date it was created). Please contact
[email protected] with account credential issues or questions.



1. Open your Qualys student trial account message/document.
2. Record the USERNAME from this document and save it in a secure place.
**The period at the end of the sentence is NOT a part of the USERNAME.
3. To obtain the password, click the link found in the registration document.

4. On the activation page, enter the OTP code found in the registration document and
click Submit. (If more than 30 minutes have passed since you received the registration
document, the OTP code will no longer work; use the Resend button to generate a new
one.)

For security, the Login username on this page appears partially obfuscated with ******.



5. Record the PASSWORD from this document and save it in a secure place.

6. Use the link provided to login and activate your Qualys student trial account.

Service User Agreement



7. For now, leave the default values unchanged, and select the check box to accept the
“Service Agreement” and click the “I Agree” button.

8. Enter your current password, and then choose a new password (record your new
password in a secure place).
9. Click the “Save” button, followed by the “Close” button.
10. Log back in to your student trial account using your new credentials.



Update User Profile
The steps that follow will help to personalize your student user account, and make other
adjustments that will provide a more effective training environment.


1. Click on your User ID (located between “Help” and “Logout”) and select the “User
Profile” option.

General Information
Please make any necessary adjustments to the “General Information” section of your user
profile.


2. Update the “E-mail Address” field with your current e-mail address (notifications and
password reset information will be sent to the address you provide).



User Role
Different Qualys user accounts take on different user roles.


3. Click “User Role” in the navigation pane (left), and note that your student
account “User Role” is Manager, and that you can access your account through the Graphical
User Interface (GUI) or the Application Programming Interface (API).

Notification Options
All notifications will be sent to the e-mail address specified in the “General Information” section.


4. Click “Options” in the navigation pane (left), and make the appropriate selections for the
type of notifications you would like to receive.



Security
Individual security settings, including two-factor authentication, can be configured here. The
Security Questions are used to verify your identity if you later need to reset your password.


5. Click “Security” in the navigation pane (left), and take a moment to complete the
Security Questions.
6. Click the “Save” button.


Completing these Security Questions is a requirement for using the “Forgot Password” link
found on the Qualys Login page.



Account Settings
Changes made to account settings will affect all user accounts in your Qualys subscription.

1. Click on your User ID (located between “Help” and “Logout”) and select the “Account
Settings” option.

2. Click the “Security” setup option.

3. Increase your Session Timeout value to the maximum (240 min.)


This adjustment will help you maintain an ACTIVE session throughout the entire
training class. The setting applies to every user in the subscription and lengthens the
window in which an unattended browser session could be abused, so treat it as a training
convenience and restore a shorter timeout in a production subscription.
4. Click the “Save” button, followed by the “Close” button.




Browser Setup
The recommended browser for Qualys WAS training is Google Chrome. Google Chrome is
required to support the Qualys Browser Recorder (QBR) extension which will be used
throughout this lab. If you already have QBR installed in Chrome, you can skip these steps.

Qualys Browser Recorder

1. Open the Chrome web browser and go to the Chrome web store
https://chrome.google.com/webstore/

2. Enter Qualys Browser Recorder into the search box.

3. Select the Qualys Browser Recorder.


4. Click “ADD TO CHROME”.

5. When the installation is complete, the Qualys Browser Recorder button will be
displayed in Chrome.




WAS KnowledgeBase
Qualys Web Application Scanning (WAS) enables organizations to assess, track, and remediate
Web application vulnerabilities. With Burp Suite integration, manual Web application testing
results can be combined with the automated findings produced by WAS. Qualys Malware
Detection (MD) is a standard component of WAS, providing malware monitoring on top of
vulnerability detection.

The Open Web Application Security Project (OWASP) Top 10 list has become the industry
standard for categorizing the most critical risks faced by Web apps. Qualys WAS allows you to
accurately find these vulnerabilities – including SQL injection, cross-site scripting (XSS), cross-site
request forgery (CSRF) and URL redirection – and learn how to mitigate them.

All detectable vulnerabilities can be viewed from the Qualys KnowledgeBase. The Search and
Filtering pane (left) will allow you to locate Web application vulnerabilities.

1. Use the Application Picker to open Qualys Web Application Scanning (WAS).

2. Click A) the “KnowledgeBase” section.


3. Under B) the “KnowledgeBase” tab, click to C) expand the “Identification” filter.


4. Click the “Category” dropdown menu, and select “Web Application”.


Only Web Application vulnerabilities are now displayed; their QIDs fall in the 150000
range.

5. Type “150012” (omit quotes) into the “Search” field, and click the search icon.
6. Use the “Quick Actions” menu to view the vulnerability details.
7. Click Threat, Impact, and Solution in the “View Mode” pane (left).
Take advantage of the Qualys KnowledgeBase to view details and research all types of
Web Application vulnerabilities.
8. Close the KnowledgeBase Entry View.




Search Lists
A “Search List” is an extension of the Qualys KnowledgeBase, and is a powerful customization
tool within Qualys Web Application Scanning. The name “Search List” is derived from the
KnowledgeBase “Search” tool that is used to create a list of vulnerabilities. A Search List is a
grouping of QIDs that can be used in various capacities in Qualys Web Application Scanning.
You can add a Search List to an Option Profile to customize your scan. For instance, you can run
a scan for just a specific vulnerability. Or, you can use a search list to omit vulnerabilities from a
scan.
You can also add a Search List to a Report Template to help prioritize which vulnerabilities will
be addressed first. For example, you can build a report containing only XSS vulnerabilities or
only your most severe vulnerabilities.
In this section, you are going to build a Search List, which will be used later in the lab.

1. Navigate to A) the “Configuration” section, and click B) the “Search Lists” tab.

2. Click the “New List” button, and select C) the “Dynamic List” option.

3. Type “Worst Vulnerabilities” in the “Name” field, and click “Continue”.


4. For the Search List criteria, use the “Category” of “Web Application”, together with
severity levels 4 and 5 for both Confirmed and Potential vulnerabilities.

HINT: click the “Category” and “Severity” check boxes, to view additional options.

5. Click “Continue”, “Continue” and “Finish”.

This search list will be used later during reporting to show only the most severe
vulnerabilities that need to be addressed.




WAS Workflow
The workflow for analyzing a Web application involves five simple steps: 1) Define Web
Application, 2) Perform Discovery Scan (Crawl), 3) Perform Vulnerability Scan, 4) Create Reports,
and 5) Fix Vulnerabilities.

Here is a detailed view of this workflow:


1. Define Web Application
• Identify the location (URL) of the Web App
• Define the “scope” of the Web App Crawl
• Choose from various scanning options—Option Profile:
• Select a scanner appliance
• Include “crawling hints” and/or header injection
• Use optional DNS Override
• Provide authentication credentials
- Form records
- Server records
• Identify areas to “white list” or “black list”
• Enable malware monitoring
2. Perform Discovery Scan (Crawl)
3. Perform Vulnerability Scan
4. Create reports to identify links crawled and vulnerabilities detected
5. Fix vulnerabilities




LAB 2: Basic Web App Setup and Discovery (30 min.)
Before a Web Application can be scanned, it must first be added to your WAS subscription. This
exercise will use the “Web Application Creation” wizard to define your first Web application.
This lab will focus on adding an application using mostly default settings within the wizard. This
will show you how easy it is to set up and scan a Web application.

First Web App - Bodgeit Store

1. Navigate to the “Web Applications” section and click the “Web Applications” tab.

2. Click the “New Web Application” button.

3. Select the “Blank” option, to “build the new web asset from scratch”.




Asset Details
4. Give the new Web Application a name: “First Web App - Bodgeit Store”.
Many of the exercises in this lab will target this “vulnerable” web application called “The
BodgeIt Store.”


5. In the upper right-hand corner of the window, turn on “help tips”. This will provide
useful “pop-ups” and information, when moving from field to field.
6. In the Web Application URL field, type: 54.173.177.208:8080/bodgeit/
Notice this Web application is running on port 8080. You can toggle (click) between http
and https easily. Keep this one http for now.
7. Under Custom Attributes, in the “Name” field enter “Business Function”. In the value,
enter “Online Store”, and click “Add”.
8. Leave the tagging section blank for now.
You will tag this application later.
9. Click “Continue” to move to the “Application Details” section.




Application Details
A single web application can span multiple domains, IP addresses, and port numbers (including
sub-domains and subdirectories). The scope of an application defines its boundaries.

The “Crawl Scope” field provides a few options:


• Limit at or below URL hostname - Crawling is limited to the hostname in the URL, using
HTTP or HTTPS and any port.
• Limit to content located at or below URL subdirectory - Crawls all links starting with
the URL subdirectory, using HTTP or HTTPS and any port.
• Limit to URL hostname and specified sub-domain - Crawls only the URL hostname and
one specified sub-domain, using HTTP or HTTPS and any port.
• Limit to URL hostname and specified domains - Crawls only the URL hostname and the
specified domains, using HTTP or HTTPS and any port.

10. Choose the “Limit to content located at or below URL subdirectory” scope.
The BodgeIt Store Web application begins in the “bodgeit” subdirectory, so links outside it
(for example, another application on the same host and port) stay out of scope.

Explicit URLs to Crawl


Explicit URLs are entries the crawler will request even though no other page in the
application links to them; for example, a registration link sent to the user via email. You
can also include WSDL URLs for web services you want the service to crawl. Enter each URL
on a separate line. Each entry must be a valid http or https URL of at most 2048 characters,
and the URLs you enter must be consistent with the selected scope.
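The four scope options above, and the requirement that Explicit URLs stay inside the chosen scope, are simple rules over the host and path of each link. The Python below is an added example, not Qualys code, that implements those rules the way the option descriptions state them (scheme and port are ignored, only http and https count) and applies the same check to a list of Explicit URLs. The function names, the treatment of a scheme-less starting URL as http, and the suffix matching of "specified domains" are assumptions of this example; the URLs used are the two lab applications.

```python
import re
from urllib.parse import urlsplit

# Scope modes, named after the four "Crawl Scope" options.
HOSTNAME = "hostname"          # Limit at or below URL hostname
SUBDIRECTORY = "subdirectory"  # Limit to content located at or below URL subdirectory
SUBDOMAIN = "subdomain"        # Limit to URL hostname and specified sub-domain
DOMAINS = "domains"            # Limit to URL hostname and specified domains


def split_url(url):
    """Return (scheme, host, path) for a URL.

    Assumption: the wizard accepts a starting URL without a scheme (the lab
    uses "54.173.177.208:8080/bodgeit/"), so a missing scheme is treated as http.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return parts.scheme.lower(), host, path


def base_directory(path):
    """'/bodgeit/' stays as is; '/bodgeit/about.jsp' becomes '/bodgeit/'."""
    if path.endswith("/"):
        return path
    return path.rsplit("/", 1)[0] + "/"


def host_matches(host, domain):
    """Assumption: a 'specified domain' covers that host and every host below it."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def in_scope(url, app_url, scope=HOSTNAME, extra_domains=()):
    """Decide whether a discovered link falls inside the application's crawl scope.

    Every mode ignores the scheme (http or https) and the port; only the host,
    and for the subdirectory mode the path, are compared.
    """
    scheme, host, path = split_url(url)
    _, app_host, app_path = split_url(app_url)
    if scheme not in ("http", "https") or not host:
        return False
    if scope == HOSTNAME:
        return host == app_host
    if scope == SUBDIRECTORY:
        app_dir = base_directory(app_path)
        return host == app_host and (path == app_dir.rstrip("/") or path.startswith(app_dir))
    if scope == SUBDOMAIN:
        # Exactly one additional sub-domain is allowed in this mode.
        allowed = [d.lower() for d in list(extra_domains)[:1]]
        return host == app_host or host in allowed
    if scope == DOMAINS:
        return host == app_host or any(host_matches(host, d) for d in extra_domains)
    raise ValueError("unknown scope: %r" % scope)


def out_of_scope_explicit_urls(explicit_urls, app_url, scope=HOSTNAME, extra_domains=()):
    """Return the 'Explicit URLs to Crawl' entries the wizard should reject:
    anything that is not an http(s) URL, or that lies outside the chosen scope."""
    rejected = []
    for entry in explicit_urls:
        entry = entry.strip()
        if not entry:
            continue
        if (not re.match(r"^https?://", entry, re.IGNORECASE)
                or not in_scope(entry, app_url, scope, extra_domains)):
            rejected.append(entry)
    return rejected


if __name__ == "__main__":
    bodgeit = "54.173.177.208:8080/bodgeit/"
    print(in_scope("http://54.173.177.208:8080/bodgeit/about.jsp", bodgeit, SUBDIRECTORY))  # True
    print(in_scope("https://54.173.177.208/bodgeit/login.jsp", bodgeit, SUBDIRECTORY))     # True, any scheme and port
    print(in_scope("http://54.173.177.208:8080/other/", bodgeit, SUBDIRECTORY))            # False
    boq = "http://demo06.s02.sjc01.qualys.com/"
    print(in_scope("http://www.fdic.gov/", boq, HOSTNAME))                                  # False: external link
```

The second and fourth calls show the two behaviours worth remembering when you pick a scope: a subdirectory scope still follows the application across http/https and ports on the same host, and a hostname scope silently drops every link to another host, which is why external links such as www.fdic.gov show up later in the Sitemap as discovered but not crawled.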

11. Click “Continue” to move to the “Scan Settings” section.




Scan Settings
The Option Profile drop-down menu can be found at the top of the “Scan Settings” page. An
Option Profile contains the type of web app scan settings that are commonly changed or
adjusted.

12. Use the drop-down menu to select the “Initial WAS Options” Option Profile.
13. Leave the Scanner Appliance set to “External”.
A scanner appliance can be locked to prevent other users from changing your scanner
appliance selection, when launching a scan.
14. Leave the “Duration” set to “Do not Cancel Scan”.
The alternative, “Cancel Scan After”, caps how long a scan may run. Use it when you have a
window in which you do not want to scan, or when you only want an application scanned for a
specific amount of time.
15. Do not provide “Crawling Hints” (i.e., robots.txt or sitemap.xml).
16. Leave the Header Injection field blank.
Header Injection adds a header to every request the scanner sends. The following example
injects an HTTP Cookie header carrying a valid session identifier, which lets the scanner test
as an already-authenticated user without repeating a multi-step login or solving a CAPTCHA:

Cookie: mwf_login=2-e3b930b2cf6549d0351346d3cf56e9ae

**Note: mwf_login is the session identifier for the application. A session identifier injected
this way is a live credential: it grants the scanner every privilege of that session, it stops
working when the session expires, and it should be handled as a secret rather than pasted into
shared documentation.

17. Click the “Continue” button.

Crawl Settings
Import Qualys Browser Recorder scripts to be used for scanning this Web application.
Each script runs one time, when its trigger is encountered by the crawler.

18. Click the “Continue” button. Qualys Browser Recorder crawl scripts are addressed in a
later lab.




Redundant Links
Save scan time (i.e., crawling and assessing URLs) by identifying “redundant links” that
WAS only needs to scan once; a typical case is a set of product pages that differ only in an
ID parameter. Links are specified as regular expressions, so one expression can match the
whole set.

19. Click the “Continue” button. Our present lab targets do not illustrate Redundant links.

Authentication
Select one or more authentication records to be used for scanning this web application.
Each record defines a single authentication method (for example, a form login or a
server-level credential).

20. Click the “Continue” button. Authentication will be addressed later.

Exclusions
White List - Set up a White List to allow links to be scanned even if a Black List would
normally block them. If you define a White List and no Black List, all URLs outside of the
White List are blacklisted by default.
Black List - Set up a Black List to prevent those URLs or their sub-directories from being
scanned. Any link that matches a Black List entry will not be scanned unless it also matches
a White List entry.
POST Data Black List - Set up a list of regular expressions to block POST form submissions
to undesired URLs.
Logout Regular Expression - Set up a regular expression to identify logout links so the
crawler avoids following them (following one would end the authenticated session).

21. Click the “Continue” button. Crawl Exclusion Lists will be addressed later.
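Redundant Links and the four Exclusions settings are all regular expressions applied to each discovered link, and their precedence is what matters in practice: a logout link is never followed, a Black List entry loses to a White List entry, and a White List on its own blacklists everything else. The Python below is an added example, not Qualys code, that encodes those rules exactly as the two sections above describe them and runs them over a constructed list of BodgeIt Store style links; the function names, the sample links and the sample patterns are assumptions of the example.

```python
import re


def matches_any(url, patterns):
    """True when the link matches at least one of the regular expressions."""
    return any(re.search(pattern, url) for pattern in patterns)


def crawl_decision(url, white_list=(), black_list=(), logout_regex=None):
    """Apply the Exclusions settings to one link; return 'crawl' or 'skip'."""
    # Logout links are never followed: requesting one would end the session.
    if logout_regex and re.search(logout_regex, url):
        return "skip"
    # A White List with no Black List blacklists everything outside it.
    if white_list and not black_list:
        return "crawl" if matches_any(url, white_list) else "skip"
    # A Black List entry blocks the link unless a White List entry also matches.
    if matches_any(url, black_list) and not matches_any(url, white_list):
        return "skip"
    return "crawl"


def post_allowed(url, post_black_list=()):
    """POST Data Black List: a form whose action URL matches is not submitted.
    The page itself may still be requested with GET."""
    return not matches_any(url, post_black_list)


def collapse_redundant(urls, redundant_patterns):
    """Redundant Links: keep only the first link matching each pattern;
    links that match no pattern are kept unchanged."""
    kept, seen = [], set()
    for url in urls:
        matched = [p for p in redundant_patterns if re.search(p, url)]
        if not matched or any(p not in seen for p in matched):
            kept.append(url)
            seen.update(matched)
    return kept


def plan_crawl(urls, redundant_patterns=(), **exclusions):
    """Collapse redundant links first, then apply the exclusion rules."""
    return [u for u in collapse_redundant(urls, redundant_patterns)
            if crawl_decision(u, **exclusions) == "crawl"]


# Constructed sample of links a Discovery Scan might find (BodgeIt Store style).
SAMPLE_LINKS = [
    "http://54.173.177.208:8080/bodgeit/about.jsp",
    "http://54.173.177.208:8080/bodgeit/product.jsp?prodid=1",
    "http://54.173.177.208:8080/bodgeit/product.jsp?prodid=2",
    "http://54.173.177.208:8080/bodgeit/product.jsp?prodid=3",
    "http://54.173.177.208:8080/bodgeit/admin/users.jsp",
    "http://54.173.177.208:8080/bodgeit/admin/reports/summary.jsp",
    "http://54.173.177.208:8080/bodgeit/logout.jsp",
]

# Constructed rules, anchored on the host so that "admin" appearing in a
# query string somewhere else in the application does not match by accident.
SAMPLE_RULES = dict(
    redundant_patterns=[r"^http://54\.173\.177\.208:8080/bodgeit/product\.jsp\?prodid=\d+$"],
    black_list=[r"^http://54\.173\.177\.208:8080/bodgeit/admin/"],
    white_list=[r"^http://54\.173\.177\.208:8080/bodgeit/admin/reports/"],
    logout_regex=r"/bodgeit/logout\.jsp",
)

if __name__ == "__main__":
    for link in plan_crawl(SAMPLE_LINKS, **SAMPLE_RULES):
        print(link)
```

Run as written, the plan keeps about.jsp, one product.jsp link and the whitelisted report under /admin/, and drops the other product IDs, /admin/users.jsp and the logout link. Two habits carry over to the real settings: anchor each expression (scheme and host, or at least a leading slash) so an unanchored word such as `admin` cannot match a query parameter elsewhere, and always set the logout expression before an authenticated scan, since one crawled logout link silently turns the rest of the scan into an unauthenticated one.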

Advanced Options

DNS Override is especially useful when scanning more than one instance of an application (e.g.,
one instance resides in a test environment, while another lives in production). Simply override
the production DNS settings, when you want to scan the instance in TEST.

Form Training allows you to supply values for form fields so that the crawler can submit the
form and reach, then fuzz, the page behind it.

22. Click the “Continue” button. DNS Override and Form Training will not be used in this
lab.




Malware Monitoring

23. Click the check box to enable monitoring. Schedule as a single occurrence. Launch the
first malware scan in 10-15 minutes (be sure to select the correct time zone).

24. Click “Continue” to advance to the “Comments” section.

Comments

25. In the “Comments” section enter, “First Web App - Bodgeit Store with Default WAS
Option Profile”. Then click “Continue”.

Review and Confirm

26. Click the “Finish and Scan” button and select the option to launch a “Discovery” Scan.


27. Under “Scan Target” verify your app (“First Web App - Bodgeit Store”) appears as the
target.

28. Click “Continue”.

29. Verify your settings and click “Continue” followed by the “Finish” button.

A Discovery Scan will locate links in the web application but will not test for vulnerabilities.

You can monitor the progress of both discovery and vulnerability scans from the “Scan
Lists” tab, under the “Scans” section.




Second Web App - Bank of Qualys
1. Navigate to the “Web Applications” section and the “Web Applications” tab.
2. Click the “New Web Application” button, followed by the “Blank” option.
3. Give this one a title of “Second Web App - BoQ”.
4. For the “Web Application URL” enter http://demo06.s02.sjc01.qualys.com/ and click
“Continue”.
5. Leave the Crawl Scope set to “Limit at or below URL hostname” and click “Continue”.
6. For your Option Profile, select the “Initial WAS Options” Option Profile.
7. Use the “Cancel Scan After” Cancel Option and set it to 1 hour. Click “Continue”.
8. Leave “Crawl Settings” blank and click “Continue”.
9. Leave “Redundant Links” blank and click “Continue”.
10. On the Authentication Records step, click the “Create” link.
A wizard will walk you through the creation of the authentication record.
11. Give it a name of “BoQ Authentication” and click “Continue”.

12. From the “Type” drop-down, select the “Standard Login” option, and use the following
credentials:
User Name: admin
Password: abc123
13. Click “Continue”, “Continue”, “Continue”, and “Finish”.




Now that your authentication record is complete, you are returned to the Web
Application wizard.
14. Set the BoQ Authentication record as the ‘Default’ auth record.
15. Keep clicking the “Continue” button until you reach the “Comments” page.
16. In the “Comments” field, enter “BoQ Web application” and click “Continue.”

17. Click the “Finish and Scan” button and select the option to launch a “Discovery” Scan.

18. Under “Scan Target” verify your app (“Second Web App - BoQ”) appears as the target.

19. Click “Continue”.

20. Verify your settings and click “Continue” followed by the “Finish” button.




Scheduling Scans
Any scan that can be performed manually can also be scheduled to run daily, weekly, or
monthly. WAS Progressive Scanning was designed with scheduled scanning in mind.

1. To schedule either a Discovery or Vulnerability scan navigate to the “Scans” section and
click the “Schedules” tab.
2. Click the “New Schedule” button and select either the “Discovery Scan” or
“Vulnerability Scan” option.
3. Choose an appropriate name for your scheduled scan and click “Continue.”
4. Select your scanning targets, using Web application names or Asset Tags and click
“Continue.”
5. Verify the Option Profile and Authentication Record settings and click “Continue.”
6. Configure your preferred scan dates and times, along with the scanning frequency
(daily, weekly, monthly, single occurrence), and click “Continue.”
7. Configure “Notification” options and click “Continue.”
8. Click “Finish” to schedule the scan.




LAB 3: Advanced Web App Setup and Scanning (60 min.)
After running a Discovery Scan, the Web Application Sitemap will allow you to easily review the
structure of your Web app and easily apply exclusion rules (i.e., whitelist and/or blacklist).

First Web App - Bodgeit Store Sitemap

1. Navigate to A) the Web Application section and click B) the Web Application tab. Use
the Quick Actions menu to C) View the Sitemap of “First Web App - Bodgeit Store”
application.
If the “View Sitemap” option is not available, your scan may still be running. Please wait
for the scan to complete before viewing the Sitemap.
Presently, the Web Application Sitemap displays the “crawl” data collected from the
BodgeIt Store application. After completing a Vulnerability Scan, the Sitemap will be
updated with the relevant vulnerability data for each URL.
The Sitemap can be navigated in the same fashion as a file system’s directory structure.
Simply “double-click” the URLs (folders) you wish to expand.

2. Double-click (expand) the BodgeIt Store URL found on port 8080
(54.173.177.208:8080/).
3. Then, double-click the “bodgeit” subdirectory folder.




Selecting pages that appear in the Sitemap Link pane (left) will display their corresponding
URLs within the File Information pane (right).

The Quick Actions menu for Sitemap objects can be used to easily create entirely new
Web applications, as well as adding URLs to an application’s Black List or White List.

4. Click the “about.jsp” page to display its corresponding URL in the File Information pane.
5. Click the “about.jsp” URL in the File Information pane (right) to view this page in a Web
browser.
6. Close the bodgeit store page when you are done viewing it.
7. Close the Sitemap for “First Web App - Bodgeit Store”.




Second Web App – BoQ Sitemap
1. Use the “Quick Actions” menu to view the Sitemap of your second application.

Notice that there are “External” links that were discovered but not crawled, because
they fall outside of the application’s scope:
• www.fdic.gov
• www.qualys.com
These external links are also identified in QID 150010 of your scan results.

2. Expand (double-click) the “demo06.s02.sjc01.qualys.com” folder of your Sitemap.


3. Expand the “boq” folder, followed by the “protected” folder.

The link was rejected because this app’s Option Profile is set to exclude .doc, .pdf, or .zip file
extensions.

4. Click the “demo06.s02.sjc01.qualys.com” link in the “Link in view” portion of your
Sitemap.

5. Use the gear icon (displayed in the above screenshot) and click the “Download web app
links…” option.
6. Select the PDF file format and click the “Download” button.
7. Click “Continue” and allow your Sitemap to download.
The downloaded links came from the page you were on. You can view statistics from any
Sitemap page.
8. Close the Sitemap.




Option Profile
Create a custom Option Profile and configure advanced scanning options, before launching a
vulnerability scan against the “Bodgeit Store” and “Bank of Qualys” applications.

1. Navigate to A) the “Web Applications” section, and B) the “Web Applications” tab. Using
the “Quick Actions” menu, C) “Edit” the “First Web App - Bodgeit Store” application.

When modifying an existing application in “Edit” mode, all individual application
components are listed in the left navigation pane. The Scan Settings section identifies the
Option Profile selected for the application, along with the options to select a new profile,
view the existing profile, or create an entirely new Option Profile.

2. Go to the Scan Settings and click the link to “Create” a new Option Profile.

3. Type “WAS Custom Option Profile” in the “Name” field.

4. Make this profile your default Option Profile for the subscription, then click “Continue”.

Once a default is set, the service selects it automatically each time you launch a scan, unless a different Option Profile is assigned to the target web application. (You can still override the default in the scan settings.)
5. Leave “Form Submission” set at “Post & Get”.




Forms are submitted with either the HTTP GET or POST method. The crawl can be limited to either type of form submission, both, or none. It is considered best practice to select “Post & Get” for the most thorough vulnerability analysis. If “None” is chosen, the only forms WAS will submit are the ones needed for authentication.
6. Leave the “Maximum crawl requests” at 300.
WAS can crawl up to 8000 links. The overall scan time will increase as more links and forms
are tested.
7. Do not modify the “User Agent” field.
This field overrides the User-Agent header that the scanning engine sends with its requests.

8. Do not modify the “Request Parameter Set” field.

The Request Parameter Set allows you to set default values for common input form fields.

9. For “Document Type”, keep the check box checked to ignore common binary files.

This option can reduce the time it takes to scan an application that contains many of these
types of files. When enabled, scans will ignore files with these extensions: .pdf, .zip, and
.doc.

10. Leave “SmartScan” and “Behavior Settings” at their default settings.

11. Keep the “Scan Intensity” set at “Low”.


Best practice is to start with low intensity when scanning a web application for the first
time. Moving forward, the intensity can be raised based on network bandwidth
availability, and the current load on the target host.
Note Qualys also hints at what the “Scan Intensity” means as follows:

12. Password Bruteforcing is enabled by default. Keep the “Minimal” System list and click
the “Continue” button to move to the “Search criteria” page.

13. Use the “Core” setting for Detection Scope.


When a new WAS QID is published in the KnowledgeBase, it may or may not be included in
the “Core” detection scope. It will depend on the nature of the vulnerability and the
detection logic. If it is an uncommon or obscure issue or a time-consuming vulnerability to




test for, it may not be put into the “Core” detection scope. You can still perform a complete
detection using a dynamic search list in the “custom” detection scope.
The “Categories” option can be selected to scan for specific vulnerabilities defined in the
categories. To view the detections/QIDs included in a particular category, click on the
number highlighted for it.
The “Custom” option can be selected with a search List if you want to limit the scan to QIDs
contained within the custom list. Also, specific QIDs can be omitted from the scan by
adding a search list under the “Exclude vulnerabilities associated in search lists” section.
Under “Sensitive Content” the service can check for Social Security Numbers or Credit Card
Numbers. Further, the service can look for other sensitive content using a customized
regular expression.

14. Click “Continue”.


15. Enter comments for this Option Profile: “POST&GET submissions, Low Bandwidth
settings, and full WAS KnowledgeBase.” Click “Continue”.
16. Click “Finish” to save the Option Profile.
The newly created Option Profile now becomes the default for the Web Application. An
Option Profile can also be created and edited from the Option Profile tab (within the Scans
section) and then associated with a Web application at a later time.

17. Click the “Save” button to update the Web app with the new Option Profile.




Qualys Browser Recorder Crawl Script
Web applications often contain pages that require input from a knowledgeable application user,
like the “Shopping Basket” page found in the BodgeIT Store.
The Qualys Browser Recorder (QBR) lets you record your input decisions (e.g., keystrokes and mouse clicks) while you navigate the pages of any Web application. The script that QBR generates can then be replayed during your WAS scans, so the scanner repeats your navigation steps and input decisions.


1. Using your Chrome browser, open the Bodgeit Store, and navigate to the “Shopping
Basket” page: http://54.173.177.208:8080/bodgeit/basket.jsp
2. Click the Qualys Browser Recorder icon in the Chrome toolbar.

3. Click the record button (in the upper right-hand corner), to begin the recording session.


4. Return to the Bodgeit Store basket page, and click A) Widgets, followed by B) Weird
Widget.

5. Click the “Add to Basket” button.

6. Click the “Update Basket” button.

**NOTE: The application displays the message, “Your basket has been updated”. This is an
important page change, that will be used as a condition to validate a successfully
completed script.


7. Go back to the QBR window and stop the recording (upper-right corner).
8. Click the “Save” icon.

9. Leave the “Selenium IDE HTML” format selected and click the “Save As” button.

10. Enter “crawlscript” in the text field and click OK.


11. Save the script file to your desktop as crawlscript.txt.
12. Close the “Save Test Case” window.
13. Close Qualys Browser Recorder.




Qualys Browser Recorder Authentication
1. Open the BodgeIt Store application
(http://54.173.177.208:8080/bodgeit/) in a separate browser tab.

2. Click on the “Login” link at the top of the screen and click the “Register” link.
3. Enter a ‘fictitious’ email address in the “Username” field and choose a password.
Remember: This is a vulnerable Web application. Do NOT use credentials you do not wish
to expose. Both username and password must contain at least 5 characters.
4. Click the Logout link to log out of the account you just created.
5. Now, click the “Login” link to begin the login process.

6. Before entering your new credentials, start QBR once more to create a new test case.

7. Ensure QBR is in ‘Record’ mode, and then navigate back to the BodgeIt Store “Login”
page, and take the following steps:

a. Fill in the Username (the one you just created)

b. Fill in the Password

c. Click the “Login” button




The BodgeIT Store will display a message: “You have logged in successfully.” This
information will be used later, when adding the Selenium script to your WAS application.

8. Navigate back to the QBR window and click the red button to stop recording.

9. Right click on the line above the first “sendKeys” command (id=username) and select
the “Insert New Command” option.

10. Click the new “blank” line and type “waitForElementPresent” in the “Command” field.
The “waitForElementPresent” command pauses the script until the element named in its “Target” field (here the login form's submit button, id=submit) exists in the page. This prevents the script from typing credentials into fields that the browser has not rendered yet.

11. Enter “id=submit” in the “Target” field.

12. Click the “Save” button and save your “Selenium IDE HTML” script as “authscript”
(filename = authscript.txt)
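Both scripts are saved in the Selenium IDE HTML format. The following Python is an added example, not part of the Qualys material or of QBR: it writes a test case in that format from a list of (command, target, value) steps, reads a saved file back, and checks the one property the lab just enforced by hand, namely that a waitFor* command precedes the first sendKeys. The element ids (username, password, submit) are the ones the lab uses; the login path, host and credentials are placeholders.

```python
"""Build and sanity-check a Selenium IDE (HTML table) test case of the kind the
Qualys Browser Recorder saves. Added example, not Qualys or QBR code. The element
ids come from the lab; host, login path and credentials are placeholders."""
import html
import re

# Constructed: the steps the lab records, with waitForElementPresent inserted
# before the first sendKeys exactly as steps 9-11 of the lab describe.
AUTH_STEPS = [
    ("open", "/bodgeit/login.jsp", ""),
    ("waitForElementPresent", "id=submit", ""),
    ("sendKeys", "id=username", "student@example.invalid"),
    ("sendKeys", "id=password", "S3cret-pass"),
    ("clickAndWait", "id=submit", ""),
]

def to_selenium_html(title, base_url, steps):
    """Serialise steps to the Selenium IDE HTML format: one <tr> of three <td>s
    per command (command, target, value). Cells are HTML-escaped so a value
    containing '<' cannot corrupt the table."""
    rows = "\n".join(
        "<tr>\n\t<td>{}</td>\n\t<td>{}</td>\n\t<td>{}</td>\n</tr>".format(
            html.escape(c), html.escape(t), html.escape(v))
        for c, t, v in steps)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
        '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\n'
        '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\n'
        '<head profile="http://selenium-ide.openqa.org/profiles/test-case">\n'
        '<link rel="selenium.base" href="' + html.escape(base_url) + '" />\n'
        '<title>' + html.escape(title) + '</title>\n</head>\n<body>\n'
        '<table cellpadding="1" cellspacing="1" border="1">\n'
        '<thead>\n<tr><td rowspan="1" colspan="3">' + html.escape(title)
        + '</td></tr>\n</thead><tbody>\n' + rows + '\n</tbody></table>\n'
        '</body>\n</html>\n')

# Only three-cell rows are commands; the single-cell title row in <thead> is skipped.
ROW_RE = re.compile(
    r"<tr>\s*<td>(.*?)</td>\s*<td>(.*?)</td>\s*<td>(.*?)</td>\s*</tr>", re.S)

def parse_selenium_html(doc):
    """Recover (command, target, value) triples from a saved script."""
    return [tuple(html.unescape(x) for x in m) for m in ROW_RE.findall(doc)]

def check_wait_before_input(steps):
    """Return the input commands (sendKeys/type) that run before any waitFor*
    command; an empty list means the script is safe to upload."""
    problems = []
    seen_wait = False
    for i, (cmd, target, _value) in enumerate(steps):
        if cmd.startswith("waitFor"):
            seen_wait = True
        elif cmd in ("sendKeys", "type") and not seen_wait:
            problems.append("step %d: %s %s runs before any waitFor*" % (i, cmd, target))
    return problems

if __name__ == "__main__":
    doc = to_selenium_html("authscript", "http://54.173.177.208:8080", AUTH_STEPS)
    print(doc)
    print("problems:", check_wait_before_input(parse_selenium_html(doc)))
```

Run the checker over authscript.txt before uploading it; a script that types before the login form exists fails intermittently on a slow target, which then surfaces as a scan whose authentication was not successful.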




Modifying the Web App for Qualys Browser Recorder
Update the “First Web App – Bodgeit Store” settings to use the crawl script and authentication
script, constructed with Qualys Browser Recorder (QBR).

Crawl Settings
The next few steps require the crawl script file that was created with the Qualys Browser
Recorder, in the previous lab exercise.

1. Navigate to the “Web Applications” section and “Edit” the “First Web App - Bodgeit
Store” again.

2. Click on “Crawl Settings” and click “Add Script”.

3. Click the “Choose File” button and add the “crawlscript” you saved to the desktop earlier.

Next, the service needs to know when it’s supposed to run this crawl script. It needs a URL
trigger.

4. Use the “Basket” page as the trigger – http://54.173.177.208:8080/bodgeit/basket.jsp

Remember, the final note received from the Bodgeit Store app indicated, “Your basket has
been updated” when the crawl completed. Use one of the words in that sentence as the
regular expression for confirming the crawl script worked.

5. Enter the word “updated” in the second field.





Authentication
The next few steps create an authentication record using the script file constructed with Qualys
Browser Recorder (QBR). If you do not have access to Chrome and QBR, you may opt to create a
“Standard Login” record (as seen in the “Second Web App – BoQ” at the end of Lab 2).

6. Click “Authentication” in the navigation pane (left) and click “Create”.

A new wizard appears for creating an authentication record.

7. Give it a title of “QBR Authentication Record” and click “Continue.”

8. From the drop-down menu, select “Selenium script”.

9. Click the “Choose File” button and add the “authscript” created earlier.

Qualys also requires a regular expression to confirm authentication happened successfully.


When the script was recorded earlier, the word “successfully” appeared in the response.




10. Add the word “successfully” to the “Validation Regular Expression” field.

11. Click “Continue”.


Notice there is an option to tell the service to authenticate only over a secure (SSL/TLS) connection, so the credentials are never sent in clear text.
There is also a place to supply a client certificate if the application requires one.
A server authentication record can be created if necessary, using Basic, Digest, or NTLM credentials.
Leave them as they are for now without making any modifications.

12. Click “Continue”, “Continue”, and then “Finish”.

This will save the authentication record and bring you back to the “Web Application Edit”
window.

13. Click the “Save” button to save your app.

Crawl Exclusion Lists


Crawl exclusion lists control which links are crawled and tested for vulnerabilities and which are left alone. In addition, form submission (POST data) can be black listed for particular pages.

Here are the options:

White List: Set up a white list to allow links to be scanned even if a black list would normally
block it. If a white list is created, but no black list has been created, then a default black list
equivalent to "block all URLs" is assumed.

Black List: Set up a black list to prevent those URLs or their sub-directories from being scanned.
Any link that matches a black list entry will not be scanned unless it also matches a white list
entry.

POST Data Black List: Set up a list of regular expressions to block any form submission for URLs
matching any of these entries.

Logout Regular Expression: Set up a regular expression to identify and avoid crawling to logout
links.


1. Return to “The BodgeIt Store” (in your Web browser) and click on the “Contact Us” link at
the top of the page.

2. On the Contact Us page there is a form a user can fill out to submit feedback. Right click
within that form and click “Inspect Element”.

The view should look something like the below screen shot when finding the location of the
contact us form:

Scroll up from the blue highlighted area, and see this form will use a POST to submit this
data back to the server. Because Qualys submits forms multiple times to test for XSS and
SQLi, perhaps POST data should be black listed for this URL so that the marketing team
doesn’t get an email every time the service submits a Cross-Site Scripting check.

Up in the address bar, part of the URL contains the word “contact”. That word can be used
as the regular expression for black listing post data from that page.

3. Navigate back to your “Web Applications” tab (within Qualys WAS) and Edit the “First
Web App - Bodgeit Store” application once more.


4. Click “Crawl Exclusion Lists” in the navigation pane (left).

5. Remove the “Use Global Settings assigned” option and click the “Add Exclusions” link.

6. Under the “Post Data Black List” section, click the check box next to “Regular
Expressions”.

7. Enter the word “contact”.

8. Scroll up to the “Black List” section, click the check box next to “Regular Expressions”.

9. Enter the word “about”.

10. Save the application.
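To see how the four list types interact before a scan runs, the following Python models the decision rules as the text above describes them and dry-runs the two entries you just configured (“about” in the Black List, “contact” in the POST Data Black List) against candidate URLs. It is an added example, not Qualys code; the logout pattern (the lab leaves that field empty) and the test URLs are assumptions.

```python
"""Added example, not Qualys code: a model of the crawl exclusion rules described
in the lab, used to dry-run entries against candidate URLs before launching a scan.
The precedence rules follow the text; the logout pattern and URLs are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class CrawlExclusions:
    white_list: List[str] = field(default_factory=list)            # regexes
    black_list: List[str] = field(default_factory=list)            # regexes
    post_data_black_list: List[str] = field(default_factory=list)  # regexes
    logout_regex: Optional[str] = None

    @staticmethod
    def _matches(patterns, url):
        # Entries are unanchored regular expressions: "about" also hits "whatsabout".
        return any(re.search(p, url) for p in patterns)

    def crawl_decision(self, url):
        """Return 'crawl', 'skip-logout', 'skip-blacklisted' or 'skip-default-block'."""
        if self.logout_regex and re.search(self.logout_regex, url):
            return "skip-logout"               # following it would end the session
        if self._matches(self.white_list, url):
            return "crawl"                     # white list wins over any black list
        if self._matches(self.black_list, url):
            return "skip-blacklisted"
        if self.white_list and not self.black_list:
            return "skip-default-block"        # white list alone implies "block all"
        return "crawl"

    def may_submit_form(self, url, method):
        """The POST Data Black List suppresses form submission only; the page is
        still crawled and its GET links are still followed."""
        if method.upper() == "POST" and self._matches(self.post_data_black_list, url):
            return False
        return self.crawl_decision(url) == "crawl"

# Constructed: the entries configured for the Bodgeit Store in this lab, plus an
# assumed logout pattern (the lab does not set one).
LAB_EXCLUSIONS = CrawlExclusions(
    black_list=[r"about"],
    post_data_black_list=[r"contact"],
    logout_regex=r"/logout\.jsp",
)

def dry_run(exclusions, urls):
    """Map each URL to its crawl decision, for review before the scan."""
    return {u: exclusions.crawl_decision(u) for u in urls}

if __name__ == "__main__":
    base = "http://54.173.177.208:8080/bodgeit/"
    for url, decision in dry_run(LAB_EXCLUSIONS,
                                 [base + p for p in ("about.jsp", "contact.jsp",
                                                     "search.jsp", "logout.jsp")]).items():
        print(decision.ljust(18), url)
```

Because the entries are substring regular expressions, “about” would also exclude a page such as /whatsabout.jsp; anchor the pattern (for example `/about\.jsp$`) when the application has similarly named paths, and note that a white list with no black list blocks everything it does not name.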





Vulnerability Testing
Up to this point, you’ve run a Discovery Scan. Then you modified the Web Application record
and created a new Option Profile, Authentication Record, Crawl Script, and added black lists. All
of that set up can be done initially when setting up an application. The exercises broke up the
tasks just to explain the individual parts to the puzzle.

Now, it’s time to run a vulnerability scan, that checks for vulnerabilities. Based on the Option
Profile, the WAS engine will either do a complete vulnerability scan, or one customized to the
requirements we specify in a Search List.
Better defined: Vulnerability Scan = Crawl + Vulnerability Assessment

Vulnerability Scan of First Web App – Bodgeit Store

1. Under A) the “Scans” section, click B) the “Scan List” tab and choose C) “New Scan” >
“Vulnerability Scan”.

2. Title the scan, “First Web App - Bodgeit Store - Vulnerability Scan”.

3. Select the “First Web App - Bodgeit Store” from the drop-down menu and click the
“Continue” button.

4. Use the WAS Custom Option Profile (you created earlier).

5. Select your QBR Record from the drop-down menu.

Leave all other settings as they appear.

6. Click “Continue” and then “Finish”.

After successfully submitting the scan, the scan must finish before the results can be
viewed. Monitor the scan status from the “Scan List” tab.




Here are the different scan statuses:

Submitted - A scan request was submitted, and the scan is not started yet. (Appears
only in the Scans section.)

Running - The scan is running. (Appears only in the Scans section.)

Finished (green) - The scan completed successfully. For a vulnerability scan, the full
scan results include vulnerability detection data, if any. For a discovery scan, the full
scan results include discovery detection data, if any.

Finished (orange) - The scan is finished, but authentication was requested and was
not successful.

No Host Alive - The scanning engine did not find the host to be up and running. Scan
results are empty.

No Web Service - The scanning engine did not detect the target web service. Scan
results include any Information Gathered data that was collected.

Time Limit Reached - The scan duration reached the time limit. Partial scan results
are available.

Service Errors Detected - The scan stopped before completion due to service errors
related to timeouts during the scan, for example exceeding connection timeouts or
error threshold.

Canceling - The scanning engine is in the process of canceling the scan. (Appears only
in the Scans section.)

Canceled - The scan was canceled successfully. Partial scan results may be available.

Error - The scanning engine failed to process the scan results. Scan results are empty.
Please contact Support for assistance.




Vulnerability Scan of Second Web App - BoQ

1. Go to the “Web Applications” Section, and the “Web Applications” tab.

2. Find the Second Web App, and using the “Quick Actions” menu, select “Scans” >
“Vulnerability”.

3. Ensure the “Second Web App – BoQ” is the Scan Target and click “Continue.”

4. Use the “Initial WAS Options” Option Profile, and ensure you’ve selected your “BoQ
Authentication” record.

5. Click “Continue” and “Finish” to launch a vulnerability scan on your Second Web App.




LAB 4: Web Application Reporting (30 min.)
Currently, the Qualys Web Application Scanning service offers 4 types of reports: Web
Application Report, Scorecard Report, Scan Report, and a Catalog Report.

Before proceeding with this lab, make sure the vulnerability scan on “First Web App - Bodgeit
Store” has completed.

1. From the “Scan List” tab, use the “Quick Actions” menu to “View” the vulnerability
statistics for your completed Vulnerability Scan (First Web App - Bodgeit Store).

How many vulnerabilities did the scan find? ____________

What was the total number of links crawled? ___________

2. Close the Scan View window, and use the “Quick Actions” menu again to “View
Report” for the Bodgeit Store scan.


The service moves over to the “Reports” section and automatically opens a tab with the
“Scan Report” details. At the top of the report are three graphs, “Findings by Severity”,
“Vulnerabilities by Group”, and “OWASP Top 10”.

Findings by Severity: This graph indicates the number of vulnerabilities in each severity
category.

Vulnerability by Group: This graph shows vulnerability breakdown by major category.

3. Scroll to the bottom and find the “Results” section.

4. Open the Information Gathered > Information Gathered section and find QID 150009.

Was the “about.jsp” link crawled? Did you add this link to the Crawl Exclusion Lists? You
may have to click the “download” link to view all the links crawled.
5. Close the results for that QID.

6. Expand the “Vulnerabilities” section of your results, and then expand “Cross-Site
Scripting”.




7. Click “Reflected Cross-Site Scripting” and open up the vulnerability found (see screen
shot below).

Notice the parameter “q” of the form located at /bodgeit/search.jsp is what is vulnerable.

8. Copy the full “Request”, after the word “GET”.

9. Return to the “BodgeIt Store” Web page, and click on the “search” link at the top of the
screen.

10. Right click on the search form on the page, and “Inspect Element”.


Notice the search input is named “q”, matching the vulnerable parameter in the scan
results, and the form uses the GET method. With a GET request, the parameters appear in the URL bar.

11. Take the URL you copied, and paste the full URL in the address bar. Carefully inspect
what’s being submitted and press enter.

The page will display something like the following: “You searched for: No Results
Found”.

12. Right click on the page and click “View Page Source”.

13. Scroll to the bottom of the page source: the payload is present in the HTML exactly as it was submitted.

The server URL-decoded the query string and copied it into the page without HTML output
encoding, so the browser parses the reflected text as markup. Any JavaScript placed in the
search field will therefore execute in the context of the BodgeIt Store origin.
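The following Python is an added example, not code from the lab or from the BodgeIt Store: a minimal stand-in for the search.jsp reflection next to its output-encoded counterpart, plus the canary check a scanner performs to decide that a reflection is exploitable rather than merely present. The template strings are an assumption; the parameter name “q”, the URL and the payloads come from the lab text.

```python
"""Added example, not BodgeIt Store or Qualys code: a stand-in for the search.jsp
reflection, its output-encoded version, and a canary-based reflected-XSS probe.
Template text is assumed; parameter name 'q' and the payloads come from the lab."""
import html
from urllib.parse import parse_qs, quote, urlsplit

def render_search_vulnerable(q):
    """Copies the query into an HTML text context verbatim (what the lab observed)."""
    return "<h3>You searched for: " + q + "</h3><p>No Results Found</p>"

def render_search_fixed(q):
    """Same page with output encoding: <, >, &, \" and ' can no longer form markup."""
    return ("<h3>You searched for: " + html.escape(q, quote=True)
            + "</h3><p>No Results Found</p>")

def query_param(url, name):
    """The URL-decoded value the server sees for a GET parameter."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

# One canary token carrying every character that must be encoded in HTML text.
CANARY = "qx<'\"&>qx"

def reflection_state(body, canary=CANARY):
    """'raw' if the canary came back with its metacharacters intact (exploitable),
    'encoded' if it came back escaped, 'absent' if it was not reflected at all."""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "absent"

def probe(render, canary=CANARY):
    """Drive a render function the way the scanner drives search.jsp: place the
    canary in the q parameter of a GET URL and classify the response."""
    url = "http://54.173.177.208:8080/bodgeit/search.jsp?q=" + quote(canary, safe="")
    return reflection_state(render(query_param(url, "q")), canary)

if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print("vulnerable:", render_search_vulnerable(payload))
    print("fixed:     ", render_search_fixed(payload))
    print("probe vulnerable ->", probe(render_search_vulnerable))
    print("probe fixed      ->", probe(render_search_fixed))
```

The encoded version is correct for an HTML text context only; a value written into an attribute or a script block needs the encoding appropriate to that context as well, which is why scanners vary the canary per injection point.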




14. From the “BodgeIt Store,” click on the “Search” link at the top of the page. In the
search box, try the following payload:

<script>alert(document.cookie)</script>

Now the session id is presented in an alert box (the script can read it only because the
session cookie is not flagged HttpOnly). Obviously, the user has to be convinced to click on
the search button to give up their session id. Maybe not: because the form uses GET, the
payload travels in the URL, so a crafted link is enough.

Please note that this payload may not work in all web browsers. Browsers that are known to
work are Firefox ESR and Microsoft Internet Explorer.

15. Click the “Search” link at the top of the BodgeIt Store instance again. Try the next
payload (in the Search box):

<b onmouseover=alert(document.cookie)>Important Information, click here</b>

This payload, too, may not work in all web browsers; Firefox ESR and Microsoft Internet
Explorer are known to work.

16. Mouse over the line that appears on the page “Important Information, click here”.

This is another way to run the script: an intrinsic event handler (onmouseover) instead of a script tag, and it fires as soon as the victim's pointer crosses the element.

17. Navigate back to the scan results in Qualys WAS, and close the window for the XSS
vulnerability.

18. Under Vulnerabilities, click on “Information Disclosure”.

What is the Slow HTTP POST vulnerability? How is it fixed? HINT: expand this vulnerability
and click its link to “Show” details.




Create a Template
Report templates can be used to save the format of how you’d like a report to look.

1. Navigate to A) the “Reports” section and B) the “Templates” tab.

2. Click C) the “New Template” button.

3. Give it a title of “Only the Worst” and use the Report type of “Web Application
Report”.

4. Click “Continue” to go to the “Filter” section.


5. Scroll-down to the “Search List” filter options, click the “Add Search List” link, and
select “Worst Vulnerabilities” from the drop-down list.

6. Click “Continue” to get to the “Display” section.

7. Click to display “All results” and “Most vulnerable URLs.”

8. Click “Finish”.

9. Use the “Quick Actions” menu, click “Run Report” to run a report using the “Only the
worst” Template.



10. Click “Continue” and add both of your apps to the report.

11. Click the “Finish” button to create the report.

The top of the report indicates the criteria used for the report. You can see the total
number of apps included in the report. The graphs at the top break down vulnerabilities
by status and severity. You can see a list of your most vulnerable URLs.

The bottom of the report indicates “Results” and “Appendix” section.

The “Results” section is where the bulk of the report information resides. It’s sorted by
Vulnerability then app.

The “Appendix” section provides information on each application scanned, like the OS,
owner, and scope.

How many vulnerabilities did the scan service find combined for both applications?
______________________________________________________________________

How about Information Gathered? _________________________________________

12. Click on Cross-Site Scripting > 150001 QID > Second Web App - BoQ.

13. Click on one instance of this vulnerability to see its details.

The Qualys service tracks the status of a vulnerability. Here are the different
possibilities for status:

New – Vulnerabilities discovered for the first time in the very last scan.

Active – Open vulnerabilities discovered more than one time.

Fixed – Vulnerabilities not found in the latest scan.




Re-opened – Vulnerabilities marked as fixed but discovered again in the very last scan.

Ignored – Vulnerabilities marked as ignored.

What is the status of the 150001 vulnerabilities on the Second Web App - BoQ?
_________________

What is the specific parameter being exploited in this particular case? _____________

What is the payload being used? ____________________________________________

Vulnerabilities can be ignored. There should be a conversation with developers in the
organization to understand what risk is being accepted when a finding is ignored.

14. Click the “View History” link.




Within the “History” section, you’ll see the date the finding was detected, and the
specific scan instance that discovered it.

15. Click the “Back” link to take you back to the results.

16. Click on the “Ignore” link right next to the status.

Once “Ignore” link is clicked, a window provides the opportunity to ignore the
vulnerability with a reason and comment.

17. For now, keep the status of the vulnerability as “Active” by clicking “Cancel.”

18. Scroll to the bottom of the vulnerability and click the “Export” icon.


19. Save the results to your Desktop. This allows you to share just the response with
someone (like a Developer) instead of having to email a whole report.

20. Close the window for this vulnerability.

21. Scroll to the top of the report and click on the “Edit Report” button.


Four sections of the report can be altered:

Details – Change the name of the report and its description.

Target – Fully change the targets (applications) within the report.

Filter – Build a Search List or sort the report by a URL. Status displayed in the report can
also be altered, in case we need to view just the new or active vulnerabilities. We can
also generate a report on what vulnerabilities have been fixed.

Display – Modify the report to include or exclude information graphs and sorting
options.

22. Click on “Display” and add the “Most vulnerable web applications” graph to the
report.

23. Click “Save”. The report will regenerate with your new preferences.
What are the top two most vulnerable URLs? _________________________________

How many “High” vulnerabilities are posted for the apps in this report? ____________

24. Click the “Download” button and select “Encrypted Portable Document Format (PDF)”
as the format.


25. The service will ask for a password, which will need to be entered when a user wants
to see the report. Enter a password. An email address can also be entered if the
report should be sent to users outside of Qualys who need to see the report.

26. Click “Save”.

27. Navigate back to the “Report” tab. It shows the recently created report and gives the
ability to View, Download, Tag, or Delete the report. Download the report and open it
up, to see how the password feature works.

Notice you can also run the report again using the same settings, using the “Run Again”
option.




LAB 5: Tagging (20 min.)
Another configuration feature in Qualys is called “Tagging”. Manual or Dynamic tags can be
associated with assets. Child tags can be nested under parent tags. The next step is building
some useful tags in the subscription.

1. Navigate to the AssetView application in Qualys.

2. Click A) the “Assets” section, followed by B) the “Tags” tab.


3. Click the “New Tag” button, and name it “Web Application Assets”.
4. Pick a color and associate it with the tag. Click “Continue”.
5. Select “No Dynamic Rule,” click “Continue” and then “Finish”.
6. Build two more tags, just like the first one. Name them “Prod” and “Non-Prod” and
nest them under “Web Applications Assets” Parent tag.
There should now be two tags under the “Web Applications Assets” tag. (See the
screenshot below.)


7. Navigate back to Qualys Web Application Scanning, and the Web Applications tab.
8. Using the Quick Actions menu for “First Web App - Bodgeit Store”, click “Add Tags”.


9. Click the triangle next to “Web Application Assets”, to see the newly created child tags
underneath it. Tag this app with the “Non-Prod”.
10. Click Save.
11. Tag the “Second Web App - BoQ” in the same way but use the “Prod” tag.
Now each app should be tagged. One is a production app, the other is not. On the left-
hand side of the screen is a filtering section.
12. Under “Filter Results”, click the “Web Application Assets” tag to pull up all
applications with this tag.

Notice the two applications tagged with individual child tags inherited the parent tag.
While the lab only has two web applications built, imagine if there were a few hundred.
The interface can sort through the applications based on tag.
13. Navigate back to the AssetView application in Qualys. Click on the “Assets” section
and the “Tags” tab.
Basic tags have been created. Next, you’ll create more functionally dynamic tags.
What if there was a need to tag all applications with Reflected Cross-Site Scripting
vulnerability?
14. Create a new tag and name it “Reflected XSS”. Make it a child of “Web Application
Assets”. Click “Continue”.


15. From the Rule Engine drop down menu, click “Vuln (QID) Exist”, and enter the QID for
Reflected XSS, which is 150001.
16. Click the checkbox next to the selection to “Re-evaluate rule on save”.
This tells the service to go back through the existing assets in the subscription and check
each one against the rule. Normally the rule is evaluated only when a new scan completes;
with this option, no additional scan has to be run.
17. The tag can be tested under the “Test Rule Applicability on Selected Assets” section.
Select an app from the drop down to test whether it would be tagged.
18. Click “Continue” and “Finish” to save the tag.
19. Navigate back to the “Web Application Scanning” service in Qualys.

20. Move your mouse pointer to the area to the right of the word “Dashboard”. Click on
the word “Change…”.
21. Click “New Dashboard”.


22. Give it a name of “Production Applications” and select your “Prod” tag.
23. Save the Dashboard, and click the “Display Now” link next to it.
This is one example where you can create a separate dashboard to show only your
production vulnerabilities and applications.




LAB 6: User Creation and Scope (15 min.)

Currently, the creation of a user is set up from within the VM (Vulnerability Management)
application. Additional user access is then granted so they can access WAS.

Once the user is created and activated, they will need to be given a scope and set of permissions
from the interface.

In the following section, a user will be created, activated, and given a scope to scan and modify
an individual web application.

1. Navigate to A) the Vulnerability Management Application in the user interface. Click
on B) the “Users” section and C) the “Users” tab and D) click “New” > “User…”
2. Fill in information for an imaginary user, but make sure to use a valid email address.
(The activation email for the new user is sent to that address.)
3. Next, move to the “User Role” tab, and make the user a “Scanner.”
4. Do not grant the user any access to any Asset Groups. This role is exclusively for Web
Application Scanning.
5. Click “Save”.
A new user account will be sent to the email address you specified. Do not activate the new
user yet. Now you will modify the newest user you created to alter what they can see and
have access to from the UI.


6. Navigate to the “Administration” utility using the application picker.


NOTE: It may take a few minutes for your users to appear in the “Administration”
utility. You can use the refresh option to update the view.


7. Find the new user you created in the user list (above), and “Edit” that user using the
“Quick Actions” menu.

8. From within the “Profile Settings” tab, change the time zone to reflect where you are
currently located. Change your default download format to PDF.
9. From the “Roles and Scopes” tab, click the “Remove” link next to the “Scanner” role.


10. Find the “WAS Scanner” role in the list of “Unassigned roles” and use the “Quick
Actions” menu to “Edit” the role.

11. Click “Edit” to change the granted modules.


12. Use the “Modules” dropdown menu, to add the “Reporting” module.
13. Click “Change” for “Web Application Scanning”.
14. View, but don’t change any of the permissions for WAS. Do the same thing for the
“Reporting” module.
The user (who might be a developer) should be able to build reports off of the scan
results for the application they are building.
15. Click the “Update” button, followed by the “Save” button.
16. Click “Add” next to the “WAS Scanner” role, so the new user will have those abilities
within the User interface.
You granted specific permissions for this user. On what objects can the user act? This is
where “Scope” becomes relevant.
Remember, not just applications can be tagged in WAS. You can tag option profiles,
users, scanner appliances, etc. This all can go into what is defined and permitted within
a user’s scope.


17. Edit the Scope for this user by providing access, to the “Prod” tag you tagged on the
Second Web App - BoQ.
18. Click “Save” to save the user.

Activate the New User


1. Log into the email account you provided when you created the new user, and activate
the user using the email you received.
2. Using a separate browser, log in to the new user account in Qualys, and navigate to
the Web Application Scanning application.
Notice how the Dashboard has changed. It only contains information on the specific
application that’s within the scope for this user.
3. Go to the “Scans” section and click the button to launch a new Vulnerability Scan.
4. Give it a title of “Developer Scan” and select the “Tags” radio button.
5. Add your “Prod” tag, and click “Continue”.
6. Click “Create” next to the “Option Profile” drop down menu.
7. Call this Option Profile, “Developer Option Profile” and click “Continue”.
8. Turn off the Bruteforcing option, and click “Continue”.
In this section, you’ll build a customized search list to scan just for SQLi.


9. Click the “Custom” from the dropdown, and “Create static list”.
10. Call it “SQLi Search List” and “Continue” to the selecting your QID List.
11. Click the “Add” button and enter the QID for SQLi, which is 150003. Press “OK” and
“Continue”.
12. Enter the following comments, “This search list just contains the SQL Injection
vulnerability”.
13. Click “Continue” and “Finish”.
From here, the service will bring you back to the Option Profile wizard, with the new
search list populated.
14. Click “Continue” through to the end and save the Option Profile by clicking “Finish”.
15. Click “Continue” to launch the scan on the application and let it finish.
How long did this scan take? _______________________________
How long did the “assessment” portion of the scan take? ______________________

LAB 7: Burp Integration (10 min.)
Qualys now offers integration with Burp. Burp is an attack proxy used for automated and
manual penetration testing. This can be used in tandem with Qualys for sensitive applications
that need thorough testing.

With this integration, Burp Suite Professional (BSP) results can be uploaded to Qualys. This
allows Qualys to act as a centralized storage location for scan results from Burp, to go along with
the results already obtained by the Qualys WAS service.

Below you will look at how this integration happens.

1. Navigate to the “Detections” section of the interface (log back in with the Manager
account if you haven’t already done so). Then select the Burp tab.
2. Retrieve the Burp scan results shared with you by your instructor, and save them to
your Desktop.
3. Click on the “Import” button, and import the file you just saved to your Desktop and
associate it with “First Web App - Bodgeit Store”.
Note: the results need to be in XML format.

Once your results are uploaded, you can see an entry for them. You can use the Quick
Actions menu to download the results, or tag them.
4. Click on the “Detection List” tab.
5. Find the vulnerability for Cross-site scripting (reflected).

What was the payload submitted during the test? _____________________________
6. Copy the payload from the results and find the form on the Bodgeit Store application
where you can submit it.
What happens when you submit the payload into the form? _____________________
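As an added example (not part of this lab and not Qualys or Burp code), the Python below reads a constructed file laid out like a Burp XML export, lists the issues by severity and pulls the submitted probe value out of the recorded request, so the payload question above can be answered from the report itself rather than by resubmitting anything; the element names, host, paths and probe value are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit
# Constructed sample in the layout of a Burp Suite XML export (assumed element
# names; host, paths and the probe value are made up for this demo).
_REQUEST = (b"GET /bodgeit/search.jsp?q=test%3Cprobe%3E1%3C%2Fprobe%3E HTTP/1.1\r\n"
            b"Host: bodgeit.example\r\n\r\n")
SAMPLE_XML = f"""<issues burpVersion="constructed">
  <issue>
    <name><![CDATA[Cross-site scripting (reflected)]]></name>
    <host ip="10.0.0.5">http://bodgeit.example</host>
    <path><![CDATA[/bodgeit/search.jsp]]></path>
    <severity>High</severity><confidence>Certain</confidence>
    <requestresponse>
      <request method="GET" base64="true">{base64.b64encode(_REQUEST).decode()}</request>
    </requestresponse>
  </issue>
  <issue>
    <name><![CDATA[Cookie without HttpOnly flag set]]></name>
    <host ip="10.0.0.5">http://bodgeit.example</host>
    <path><![CDATA[/bodgeit/login.jsp]]></path>
    <severity>Low</severity><confidence>Firm</confidence>
  </issue>
</issues>"""

def parse_issues(xml_text):
    """One dict per <issue>: name, severity, path, decoded raw request (or None)."""
    issues = []
    for node in ET.fromstring(xml_text).iter("issue"):
        req = node.find("requestresponse/request")
        raw = None
        if req is not None and req.text:
            raw = base64.b64decode(req.text) if req.get("base64") == "true" else req.text.encode()
        issues.append({"name": node.findtext("name", "").strip(),
                       "severity": node.findtext("severity", ""),
                       "path": node.findtext("path", ""), "request": raw})
    return issues

def request_params(raw):
    """Decoded query parameters from the request line, so the value Burp
    submitted can be read straight from the report without re-sending it."""
    target = raw.split(b"\r\n", 1)[0].decode("latin-1").split(" ")[1]
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))

def triage(xml_text, min_severity="High"):
    """Issues at or above min_severity, using Burp's severity ladder."""
    ladder = ["Information", "Low", "Medium", "High"]
    keep = ladder[ladder.index(min_severity):]
    return [i for i in parse_issues(xml_text) if i["severity"] in keep]
```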

Web Applications and BURP Issues


When importing BURP results into WAS, the BURP results must be associated with a specific
Web Application. This association provides one more option for viewing BURP issues.
1. Navigate to the “Web Applications” section and click the “Web Applications” tab.
2. Use the Quick Action menu to find the BURP issues associated with “First Web App -
Bodgeit Store”.

You will be redirected to the Detection List tab, and all issues associated with “First Web
App - Bodgeit Store” will be listed. You can filter which issues to display by selecting the
relevant “Findings Type”.
