Introducing ArmourZero Web Scan

ArmourZero's Web Scan is an AI-powered penetration assessment tool that helps developers and security professionals detect weaknesses and vulnerabilities in web applications.

 

This Web Scan is categorised as Dynamic Application Security Testing (DAST): it assesses and tests the web application from an external perspective, which helps you identify the vulnerabilities an attacker would find.

 

ArmourZero's Web Scan supports both normal and authenticated websites. An authenticated DAST scan is a security test that uses valid login credentials (normally a test user's credentials) to scan a running web application from the perspective of a logged-in user. This approach reveals vulnerabilities in protected areas of an application that unauthenticated scans would miss, such as those related to user-specific data, custom features, or privilege escalation issues.

 

The scan results for all possible vulnerabilities detected are then compared with the industry Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) databases to determine each vulnerability's severity level. Each detected vulnerability is then mapped to the OWASP Top 10 (2021), the latest standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

 

Vulnerability severity (based on CWE and CVE) is reported in 5 levels:

  1. Critical
  2. High
  3. Medium
  4. Low
  5. Information

Add a domain to start with ArmourZero's Web Scan immediately and find possible vulnerabilities before attackers do.

How to add and verify domain

To start with ArmourZero's Web Scan, simply add the domain of the web application in which you intend to find weaknesses and vulnerabilities.

 

Step 1: Add a domain

1. Go to the left menu, select "Web" under the VULNERABILITY SCANNER section and click "Add Domain", or go directly to Domain under the MANAGE section.

Notes: Depending on your subscription plan, you can add more than 1 domain.

2. Click "Add Domain" and enter the domain (with https:// or http://) or IP address that you intend to scan for vulnerabilities. Read the procedure carefully, as this scan simulates attacks against your domain in order to identify possible vulnerabilities.

3. Tick the acknowledgement box and click "Add Domain" once you have confirmed.

 

Step 2: Verify domain

After you add a domain, you need to verify that you are the owner or authorised domain admin before the scan is allowed to execute.

1. Click the verify icon on the domain that you intend to scan and select "Verify Domain".

2. There are 2 methods to verify the domain.

Verify Over HTTP/HTTPS

a. A unique verification token will be created for you automatically.

b. Use a text editor such as Notepad to create a file named after the unique verification token provided.

c. Upload the file to your web server.

Verify Over DNS Record

a. A unique verification token will be created for you automatically.

b. Create a new DNS Record with the unique verification token provided.

3. Accept the terms and conditions and click "Verify Domain" once you have confirmed.

 

Step 3: Check domain verification status

1. If Step 2 was completed successfully, the status will automatically change to Verified.

Notes: ArmourZero automatically reaches out to the domain to verify permission and authorisation before performing the web penetration assessment scan on the web application.

 

You can trigger the web penetration assessment scan once the domain is verified. However, the time to complete the scan depends on the size of the web application.

 

Notes: If the status remains Pending Verification, please check Step 2 again, especially the unique verification token.
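If the status stays at Pending Verification, a quick self-check of the two Step 2 methods before retrying saves a round trip. The script below is an added example, not ArmourZero's own code, and it makes two labelled assumptions: that the HTTP/HTTPS method serves the token file at the web root (https://<domain>/<token>) and that the DNS method expects a TXT record whose value is the token; adjust those two spots if the portal shows a different path or record type.

```python
# Added example, not ArmourZero's code: pre-flight checks for the two
# domain-verification methods. Assumed (adjust if the portal differs): the
# token file lives at https://<domain>/<token>; the DNS record is TXT = token.
import subprocess
import urllib.error
import urllib.request


def token_file_url(domain: str, token: str, scheme: str = "https") -> str:
    """URL the HTTP/HTTPS verifier is assumed to fetch (web-root layout)."""
    return f"{scheme}://{domain}/{token}"


def http_check_passes(status: int, final_url: str, token: str) -> bool:
    """A catch-all rewrite or a redirect to the home/login page also answers
    200, so require that the 200 came from the token URL itself."""
    return status == 200 and final_url.rstrip("/").endswith("/" + token)


def dns_check_passes(txt_records: list, token: str) -> bool:
    """dig prints TXT values quoted; strip the quotes before comparing
    (assumed rule: some TXT value equals the token exactly)."""
    return any(r.strip().strip('"') == token for r in txt_records)


def fetch_token_file(domain: str, token: str, timeout: int = 10):
    """Return (status, final_url) for the token URL; errors map to a status."""
    url = token_file_url(domain, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.geturl()
    except urllib.error.URLError:  # DNS failure, refused connection, TLS error
        return 0, url


def lookup_txt(domain: str) -> list:
    """TXT values via `dig +short` (assumes dig is installed); [] otherwise."""
    try:
        out = subprocess.run(["dig", "+short", "TXT", domain],
                             capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return []
    return [line for line in out.stdout.splitlines() if line]


if __name__ == "__main__":
    domain, token = "example.com", "TOKEN-FROM-PORTAL"  # placeholders only
    status, final_url = fetch_token_file(domain, token)
    print("HTTP method ready:", http_check_passes(status, final_url, token))
    print("DNS method ready:", dns_check_passes(lookup_txt(domain), token))
```

Run it with your real domain and the token shown in the portal; a 200 that lands on a different URL is the usual sign of a catch-all rewrite swallowing the token file.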

How to trigger Web Scan (normal website)

Once the domain has been successfully verified, you can trigger ArmourZero's Web Scan to find weaknesses and vulnerabilities in the web application. Depending on your subscribed plan, you can trigger multiple scans at the same time. However, the time to complete the scan depends on the size of the web application.

 

ArmourZero's Web Scan supports both normal and authenticated websites. You must first add and verify your domain before the scan is activated. Please refer to How to trigger Web Scan (authenticated website) for an authenticated scan.

 

Normal website scan

1. Go to the left menu and select "Web" under the VULNERABILITY SCANNER section. All verified domains will be listed here.

2. Click the three-dots action icon on the domain you intend to scan.

3. Select Scan Now; the scan will start immediately.

or

1. Click "Scan Domain".

2. Select the verified domain that you intend to scan and read the recommendation provided in detail. If your domain has not yet been verified, please see How to add and verify domain.

3. Once you have confirmed the domain to scan, accept the terms and conditions and click "Scan Domain".

 

Notes:

Depending on your plan, you can add more than 1 domain to scan at the same time.

ArmourZero's Web Scan will immediately start scanning for weaknesses and vulnerabilities in the web application once you have triggered the scan. However, the time to complete the scan depends on the size of the web application. You can view the scan results once the scan is completed.

As this scan is a penetration assessment tool that simulates real attacks to find weaknesses and vulnerabilities, each scan has to be triggered on demand.

How to trigger Web Scan (authenticated website)

Once the domain has been successfully verified, you can trigger ArmourZero's Web Scan to find weaknesses and vulnerabilities in the web application. Depending on your subscription plan, you can trigger multiple scans at the same time. However, the time to complete the scan depends on the size of the web application.

 

ArmourZero's Web Scan supports both normal and authenticated websites. You must first add and verify your domain before the scan is activated. Please refer to How to trigger Web Scan (normal website) for a normal website scan. An authenticated scan uses valid login credentials (normally a test user's credentials) to scan a running web application from the perspective of a logged-in user. ArmourZero uses proprietary "recording" technology to capture the login credentials, which allows websites with complex authentication to be supported.

 

Step 1: Capture Authentication

1. Go to the left menu and select Domains under the Manage section. All verified domains will be listed here. On the verified domain, click the Capture Authentication icon.

Notes: If your browser's popup blocker blocks the capture window, allow popups, refresh the page and start capturing again. The recorder does not track mouse movements or hover actions; it only records clicks and text input.

2. Click the Capture New Authentication button.

3. Click the Start Recording button to begin.

4. Your website will now open in a new browser tab.

Initially, you may see a black screen for a short period—please wait until the browser fully loads your website.

5. You can now begin the capture process. A capture control panel with a red circle button will appear; the red circle indicates that capturing has started and is in progress. Do not click any of its buttons during the session, to prevent interruptions. Navigate to the pages you want to include in the scan.

Notes: Avoid switching URLs manually or using the browser’s address bar, as this will disrupt the recording. Interact only with the currently opened website.

Example of how it works:

E1. On the sample website, fill in the Email and Password and click Log In.

E2. Once logged in, navigate to the pages you want to include in the scan. In this example, we will visit the Profile page and the Order History page. Hover over Orders and Payment to display a submenu, and click on it. This ensures the submenu opens properly, allowing the recorder to capture the action.

E3. Once you have finished crawling your site, click the red circle button to stop the recording. The circle then turns black, indicating that capturing has stopped.

E4. Close the noVNC capture browser tab to trigger the save.

6. All saved captures will be listed. You can click the Play icon to replay a recording, or edit its name by clicking the edit button.

7. Rename the recording to identify the test user's credential if needed.

8. The capturing process is now complete. You may now trigger an authenticated website scan with the captured test user's credential.

 

Step 2: Authenticated website scan

1. Go to the left menu and select Web under the VULNERABILITY SCANNER section. All verified domains will be listed here.

2. Click the three-dots action icon on the domain you intend to scan and select Scan with Authentication.

3. Select the capture (user's credential) you wish to scan the website with and press Scan.

 

Notes:

Depending on your subscription plan, you can add more than 1 domain to scan at the same time.

ArmourZero's Web Scan will immediately start scanning for weaknesses and vulnerabilities in the web application once you have triggered the scan. However, the time to complete the scan depends on the size of the web application. You can view the scan results once the scan is completed.

As this scan is a penetration assessment tool that simulates real attacks to find weaknesses and vulnerabilities, each scan has to be triggered on demand.

How to view and mitigate vulnerabilities

You can easily view ArmourZero's Web Scan results after you have triggered the scan. As a reminder, because this scan is a penetration assessment tool that simulates real attacks to find weaknesses and vulnerabilities, each scan has to be triggered manually. All scan results are listed under Latest Overall Scan Reports.

 

Step 1: Select the domain

1. Go to the left menu and select "Web" under the VULNERABILITY SCANNERS section. Click the Domain ID or the three-dots action icon on the domain and select "View Scan Details".

 

Step 2: View details of vulnerabilities detected

All scan results for possible vulnerabilities detected are automatically compared with the industry Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) databases to determine each vulnerability's severity level.

Each detected vulnerability is automatically mapped to the OWASP Top 10 (2021), the latest standard awareness document for developers and web application security.

 

1. A Latest Overall Scan Report is generated automatically for you after each scan.

2. You can also view past scan reports under the "Scan History" button to compare previous and current results. This is very useful if you have made corrections or remediations to your web application, or simply to compare against the latest vulnerabilities found.

The scan report is summarised into the 5 severity levels: Critical, High, Medium, Low and Information.


You can easily view your web application's latest OWASP Top 10 compliance status from each scan result.

 

Step 3: Mitigate vulnerabilities

1. Click "Mitigation & Task Assignment". Here you can sort the list by the severity you intend to focus on.

2. Select and open a detected vulnerability to view its details and how you and your team can mitigate it with AI remediation suggestions. You can also assign the mitigation task across team members and follow the mitigation status.

 

There are 2 main parts to mitigation:

Part 1: Information

  • Vulnerability type and information - detailed information about the vulnerability found.

  • Related instances - which instances (sub-domains or web pages) of your web application cause the vulnerability.

Part 2: AI Assistance

  • AI Assistance False Positive Detector - real-time AI analysis to check that the detected vulnerability is not mistakenly identified as a threat or risk.

  • Task management - assign tasks across team members and track the mitigation progress and status.

  • AI Assistance Remediation Suggestion - real-time AI analysis that recommends remediation for the vulnerability.

Notes:

Each detected vulnerability has its own characteristics, type, severity and risk to you and your company. That is why each vulnerability has its own remediation to work on.
