Once the domain has been successfully verified, you can trigger ArmourZero's Web Scan to scan for weaknesses and vulnerabilities in the web application. Depending on your subscription plan, you can trigger multiple scans at the same time. However, the time to complete a scan depends on the size of the web application.
ArmourZero's Web Scan supports both normal and authenticated websites. You must first add and verify your domain before scanning is activated. Please refer to How to trigger Web Scan (normal website) for a normal website scan. An authenticated scan uses valid login credentials (normally a test user's credentials) to scan a running web application from the perspective of a logged-in user. ArmourZero uses a proprietary "recording" technology to capture login credentials, which lets it support websites with complex authentication.
Step 1: Capture Authentication
1. Go to the left menu and select Domains under the Manage section. All verified domains will be listed here. On the verified domain, click the Capture Authentication icon.
Notes: If your popup blocker blocks the capture window, allow the popup, refresh the page, and start the capture again. The recorder does not track mouse movements or hover actions. It only records clicks and text input.
2. Click on the Capture New Authentication button.
3. Click the Start Recording button to begin.
4. Your website will now open in a new window tab.
Initially, you may see a black screen for a short period—please wait until the browser fully loads your website.
5. You can now begin the capture process. A capture control panel with a red circle button will appear. The red circle button indicates that capturing has started and is in progress. Do not click any of the panel's buttons during the session, to prevent interruptions. Navigate to the pages you want to include in the scan.
Notes: Avoid switching URLs manually or using the browser’s address bar, as this will disrupt the recording. Interact only with the currently opened website.
Example of how it works:
E1. Sample website. Fill in the Email and Password and click Log In.
E2. Once logged in, navigate to the pages you want to include in the scan. In this example, we will visit the Profile page and the Order History page. Hover over Orders and Payment to display a submenu, and click on it. This ensures the submenu opens properly, allowing the recorder to capture the action.
E3. Once you have finished crawling your site, it is important to click the red circle button to stop the recording. The circle will then turn black, which indicates that capturing has stopped.
E4. Close the noVNC capture browser tab to trigger the save.
6. All saved captures will be listed. You can click on the Play icon to replay a recording, or edit the name of a recording by clicking on the edit button.
7. Rename the recording to represent a test user's credential if needed.
8. The capture process is now complete. You may now trigger an authenticated website scan with the captured test user's credential.
Step 2: Authenticated website scan
1. Go to the left menu and select Web under the VULNERABILITY SCANNER section. All verified domains will be listed here.
2. Click on the three-dots action icon on the domain you intend to scan and select Scan with Authentication.
3. Select the capture (user's credential) you wish to scan the website with and press Scan.
Notes:
Depending on your subscription plan, you can add more than 1 domain to scan at the same time.
ArmourZero's Web Scan will immediately start scanning for weaknesses and vulnerabilities in the web application once you have triggered the scan. However, the time to complete the scan depends on the size of the web application. You can view the results once the scan is completed.
As this scan is a penetration assessment tool that simulates real-time attacks to find weaknesses and vulnerabilities, each scan has to be triggered on demand.