
Indusface Web Application Scanning Product Update

Posted April 11, 2019 | 3 min read

On the WAS side, our effort was to build upon the new scanner that we recently released and add features that would provide

Some of the major advances on the WAS side are as follows:

Signatures were added to find the following vulnerabilities:

  1. Session ID scoped to parent domain: The session cookie is scoped to the parent domain instead of the sub-domain that set it. If a cookie is scoped to a parent domain, it is sent to the parent domain and to every other sub-domain of that parent, so a session cookie set by one application can be read by any sibling sub-domain. This could lead to security problems.
  2. XML-RPC Vulnerability: XML-RPC is a remote procedure call protocol that uses HTTP as the transport and XML as the encoding. An attacker can abuse an exposed XML-RPC interface to brute-force authentication credentials through its API calls.
  3. HSTS Missing From HTTPS Server: HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it only over secure HTTP (HTTPS) connections. The HSTS policy is communicated by the server to the user agent via an HTTP response header field named “Strict-Transport-Security”. The policy specifies a period of time during which the user agent must access the server only over secure connections. If the header is missing, user agents can still connect to the server over insecure HTTP.
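As an added example (not part of the original post and not the Indusface scanner's code), a small passive check that reproduces findings 1 and 3 above over a constructed set of HTTPS response headers; the host name, the sample headers and the list of session-cookie names are assumptions.

```python
from http.cookies import SimpleCookie

def parent_domain(host):
    """'app.example.com' -> 'example.com'. Simplification (assumption): no
    public-suffix list, so hosts like 'shop.example.co.uk' are mishandled."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) > 2 else host.lower()

def check_hsts(headers):
    """Finding 3: an HTTPS response with no Strict-Transport-Security header,
    or one whose max-age is missing or zero, leaves user agents free to use
    plain HTTP on later visits."""
    for name, value in headers:
        if name.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip().isdigit() and int(val) > 0:
                return []
        return ["HSTS header present but max-age missing or zero"]
    return ["HSTS missing from HTTPS server"]

# Assumed list of common session cookie names; extend for the framework in use.
SESSION_COOKIE_NAMES = ("JSESSIONID", "PHPSESSID", "ASP.NET_SessionId", "sessionid")

def check_session_cookie_scope(host, headers):
    """Finding 1: a session cookie whose Domain attribute is the parent domain
    is sent to every sibling sub-domain, not only to the host that set it."""
    findings, parent = [], parent_domain(host)
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cname, morsel in jar.items():
            domain = morsel["domain"].lstrip(".").lower()
            if cname in SESSION_COOKIE_NAMES and domain == parent and domain != host.lower():
                findings.append(f"Session cookie {cname} scoped to parent domain {domain}")
    return findings

def scan_response(host, headers):
    """Run both checks and return the combined list of findings."""
    return check_hsts(headers) + check_session_cookie_scope(host, headers)

# Constructed sample: an HTTPS response from app.example.com with no HSTS header
SAMPLE_HOST = "app.example.com"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Domain=example.com; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Domain=example.com; Path=/"),
]
```

Running `scan_response(SAMPLE_HOST, SAMPLE_HEADERS)` on the constructed sample reports both the missing HSTS header and the parent-scoped JSESSIONID cookie, while the non-session `theme` cookie is left alone.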


Config-driven guided scan support was introduced. Guides are lists of actions that are taken automatically when all the elements defined in that set of actions are encountered during the crawl. Multiple guides can be defined per site. This helps the crawler reach pages it could not reach before because special actions were needed. For example, in a multi-step wizard where certain fields and inputs must be provided to reach the next step, the crawler has no way to go further unless it knows what those actions are.

In such cases, a guided scan config can now be added that tells the crawler exactly which actions to take. Customers needing this ability should contact our support team, who will write the necessary config for the site and add it.


We have also enabled the ability to add certain site-specific configs that help customers create exceptions such as:

  • Exclude URI from Attack: We have seen cases where there are certain URIs that customers want crawled, because other pages are reached through them, but do not want attacked. In such cases, customers can have those URIs whitelisted from attacks. This can be done by reaching out to
  • Crawl to foreign domain: By default, the crawler does not crawl foreign domains, but in cases such as SSO logins it becomes important to crawl certain foreign-domain URIs. This can now be done through a special config for a website. Please reach out to support to enable this.


We have added the Aging Summary widget for AA, MM and VA scans. With this, customers can easily identify vulnerabilities that are older than a given time period, which helps them prioritize fixes.

[Image: Aging Summary widget]


Customers can now clearly distinguish vulnerabilities found through manual PT from those found by automated scans in the application audit widgets in the portal, using the Manual PT and Automated Scan filters available in the widgets. The changes are made on both the Dashboard page and the Application Audit page.

[Image: Bifurcation dashboard]
