WAS scan with SSO across web applications

Question asked by jincao on Jul 14, 2016
Latest reply on Jul 26, 2016 by jincao

Dear Community,

I am new to Qualys and would appreciate any help to get the WAS scan running:

  1. Web portal (portal.domain) on port 443 needs Windows authentication
    1. I am able to pass the authentication using "login as another user" with a Selenium script
  2. Authenticated user is able to see a link to web application "WCP"
  3. Clicking the WCP link takes the user to the WCP application (wcp.domain)
  4. If the user types the (wcp.domain) URL directly into the browser without being authenticated via the portal, the user will see an error page with one line of text, "please go to portal to authenticate"; there are no links, no auto redirect, etc.

I need to run vulnerability scan on WCP.domain.

What I have done:

  1. created portal.domain web application
  2. ran discovery and vulnerability scans with authentication
  3. WCP.domain is identified as external link from the sitemap
  4. created WCP.domain web application from sitemap
  5. ran multiple discovery scans that included both portal and WCP, without the "Random order" option

What I got: WCP scan crawled the error page only.

Has anyone in this community experienced similar cases?
