Press Release

Cyber Hygiene Web Application Scanning

CISA's Cyber Hygiene Web Application Scanning is "internet scanning-as-a-service." This service assesses the "health" of your publicly accessible web applications by checking for known vulnerabilities and weak configurations. Additionally, CISA can recommend ways to enhance security in accordance with industry and government best practices and standards.

SCANNING OBJECTIVES

  • Maintain enterprise awareness of your publicly accessible web-based assets
  • Provide insight into how systems and infrastructure appear to potential attackers
  • Drive proactive mitigation of vulnerabilities to help reduce overall risk

SCANNING PHASES AND OVERALL PROCESS

Scanning Phases

  • Discovery Scanning: Identify active, internet-facing web applications
  • Vulnerability Scanning: Initiate non-intrusive checks to identify potential vulnerabilities and configuration weaknesses

Overall Process

GET STARTED

Email us at vulnerability@cisa.dhs.gov with the subject line "Requesting Cyber Hygiene Services" to get started.

Frequently Asked Questions

Understanding Web Application Scanning (WAS)

  1. What is spidering/crawling?

    Spidering/crawling is the act of scanning a domain by traversing the site, starting at the top and working downwards. The tool will begin with the domain's starting page, which is typically the main page (e.g., www.cisa.gov). After scanning the starting page, the tool will scan each page it finds linked from the starting page and will go on to scan each page it finds linked from those pages, etc. The spidering/crawling process is analogous to starting at the bottom of a tree and tracing each limb out to branches that have sprouted off of that limb and, further, to additional branches that have sprouted off the secondary branches, and so on.
  2. What is the difference between a web application and a website?

    A web application is a software or program; a website is a group of interlinked web pages that are all under one domain.
  3. How is WAS different from CISA's Remote Penetration Testing (RPT) web scan service?

    The WAS service does not attempt to identify domains/web services; it only scans domains/web services provided by the customer. Additionally, primarily using a commercial tool, it will identify and crawl all links on the website and identify any potential vulnerabilities or misconfigurations without attempting to exploit the service. Whereas RPT web scanning typically stops once it discovers a vulnerability that can result in a breach, WAS continues to crawl all of the pages/links on a website.
  4. What is OWASP?

    The Open Web Application Security Project® (OWASP) is a nonprofit foundation and online community that helps improve web application security. According to https://owasp.org/, "The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications."

Scanning Logistics

  1. What are the source IPs for the WAS scans?

    Source IPs for scans can be found at: https://rules.ncats.cyber.dhs.gov/was.txt.
  2. My web application is connected to a backend database. How will scanning impact my database?

    The scanner will attempt to autocomplete forms. In these instances, you will see entries logged into your backend database and "noise" from Qualys. If you suspect this will be an issue, we can provide two options:

    a) We can set up your WAS service in a manner where no POST traffic is sent to your web applications.

    b) We can block entire pages of your web application URL from being scanned.

    Please note, if you choose either of these options, the scanner will not be able to capture and report all vulnerabilities, which may lead to false negatives.
  3. How can I add or remove web applications from my list of targets?

    Send an email to vulnerability@cisa.dhs.gov requesting the changes.
  4. Can you manually scan my assets? If so, what are some additional items you might find?

    CISA analysts will manually schedule a scan at a date and time of the customer's choosing. The WAS service is automated and, like most scanning tools, is regularly updated with the most current vulnerabilities, primarily through the Common Weakness Enumeration (CWE) list. Once the manual scan is scheduled and runs, WAS will provide the results to CISA analysts, who will review and consolidate them into a report for the customer.
  5. Can I add my third-party hosted/managed web apps?

    Yes. To do so, you must inform CISA of the third party and have received explicit permission from the third party to scan the third-party hosted site. Typically, scanning a site hosted by a third party requires slight changes in the configuration of the WAS tool, hence the need for notification and coordination between you, CISA, and the third party.
  6. Why are your scans not picking up my web application?

    If the website cannot be reached via a web browser, then it most likely cannot be reached with the scanner. Additionally, you may have to allowlist our scanner's IP address.
  7. How can I change who receives my Cyber Hygiene report?

    Email vulnerability@cisa.dhs.gov to make changes to the recipients of the reports.
  8. Can I change the password for my report?

    Yes. You can change the password in the Document Properties. To do so:

    a. Open the document in Adobe Acrobat
    b. Select File > Properties > Security
    c. Next to Security Method: Password Security, select Change Settings...
    d. Change the Document Open Password to a password of your choice and click OK.
    e. You will receive a popup asking you to confirm the password. Enter the new password in the Document Open Password field and click OK.
    f. Save the PDF. Note: open the PDF with the new password to confirm the changes have been made.
  9. Are there risks associated with this type of scanning?

    Your systems are not at risk from the scans themselves. However, depending on the number of web applications being scanned, you may experience temporary latency issues.
  10. Can the testing be scheduled to run at a particular time period? (e.g., only after hours?)

    Yes. You can provide a preferred time period for the scan(s) to run by emailing vulnerability@cisa.dhs.gov.
  11. How should I handle your scanning traffic? Should I allowlist your source IP addresses?

    You will be notified of the date the scans will begin. We recommend allowlisting our scanner's source IP addresses.
  12. How was this information collected?

    See Appendix A: Methodology in your latest scan report.
  13. Do you perform authenticated scans?

    No. However, we are working on adding this option in the future.
  14. Can I request a specific password for each of my reports?

    Yes. Send an email to vulnerability@cisa.dhs.gov indicating you would like each of your WAS reports to be encrypted with the specified password.

Scan Report and Findings

  1. I think a finding in my report is a false positive. Can you remove it from my report?

    If the finding is in a scheduled, recurring scan, we can mark it in the tool so that the next scan will ignore it. If you make changes to the website, which is often different than patching, it may be good to leave the finding there even if you believe it is false.
  2. Can I get the report data in a comma-separated values (CSV) file?

    We do not provide the report data as a CSV file because the reports are very detailed and include links to CWE and OWASP, which provide even greater details regarding the finding as well as mitigation best practices. Additionally, the reports include the actual request/response from the website and link to the actual page that generated the finding.
  3. I fixed a vulnerability listed in my report. Can you rescan to verify?

    Yes. We recommend not scanning immediately, in order to maximize the effectiveness of the next scan based on various changes you may be making to the site. However, we will gladly schedule a follow-up scan at your request.
  4. CISA's CyHy vulnerability scanning shows potentially mitigated vulnerabilities. Can WAS do so too?

    Currently, WAS does not report on potentially mitigated vulnerabilities. However, a future version of the WAS report is being developed that will include an attachment for potentially mitigated vulnerabilities.
  5. Can you walk me through mitigating vulnerabilities found in the scan results?

    Each web application and infrastructure is unique. As such, we cannot provide specific mitigation steps at this time. However, Attachment 1 Findings Report (embedded in the PDF report) provides a high-level solution for each vulnerability discovered.
  6. Why would a vulnerability appear in one report but not another?

    If a vulnerability does not appear in your latest report, you should determine if any actions were taken to mitigate that vulnerability. If a new vulnerability appears on your latest report, this implies that the vulnerability was recently discovered as a whole, or a configuration change was made to your system leading to the vulnerability.
  7. Why does my WAS Scan Results report not include an attachment with the vulnerability findings?

    If there are over 35 web applications scanned, the report will not contain a PDF detail report. Beyond that point the detail report becomes very large, so it is excluded.
  8. Our last report listed a vulnerability that is either not applicable or is a false positive. Can I allowlist the vulnerability?

    Yes. If your web developers have performed analysis and determined the vulnerability does not pose a risk, it can be ignored and will not appear on your future reports. Note: in Qualys, this would be listed as "Not Applicable."
  9. There was a vulnerability listed on our last report that we would like removed from future reports. Can I allowlist the vulnerability?

    Yes. If you accept the risk of the vulnerability, we can ignore it and it will not appear on your future reports.
  10. The scan report has a list of "rejected links." What does this mean?

    You will likely notice all the links are of media (e.g., .PNG, .MOV, etc.) or documents (e.g., .PDF). Certain elements of a web application cannot be scanned. For example, an image on your web application cannot be scanned for vulnerabilities.
  11. The scan report has a list of "emails found." What does this mean?

    As the scanner goes through the crawling process, it will capture any email addresses that are publicly displayed. You should determine if these emails were intentionally published.
  12. The report shows several attachments in the file. Why can't I access them?

    The attachments in the file can only be viewed using a full PDF reader. Programs like Preview are inadequate, whereas Adobe Acrobat will allow you to either double click the paperclip icon next to the attachment name or open it from the attachment sidebar.
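
The crawl described in the spidering/crawling answer, together with the "rejected links" and "emails found" lists from the report questions, shown as a small added example (not CISA's or the commercial scanner's code). The site content, host names, and extension list are constructed for illustration, and the crawl runs over an in-memory copy of the pages rather than the network.

```python
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site (URL -> HTML); stands in for real HTTP responses.
SITE = {
    "https://app.example.com/": '<a href="/about">About</a> '
        '<a href="/files/logo.png">logo</a> <a href="https://other.example.org/">ext</a>',
    "https://app.example.com/about": '<a href="/">home</a> '
        '<a href="/contact">contact</a> <a href="/files/report.pdf">report</a>',
    "https://app.example.com/contact": 'Write to '
        '<a href="mailto:help@app.example.com">help@app.example.com</a> <a href="/about">a</a>',
}
MEDIA_EXT = (".png", ".mov", ".pdf", ".jpg", ".gif")  # assumed extension list
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class LinkParser(HTMLParser):
    """Collects the href of every <a> tag on a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def crawl(start, fetch):
    """Breadth-first crawl from the starting page, staying on its host."""
    host = urlparse(start).netloc
    queue, seen = deque([start]), {start}
    crawled, rejected, emails = [], set(), set()
    while queue:
        url = queue.popleft()
        body = fetch(url)
        if body is None:              # unreachable page: nothing to scan
            continue
        crawled.append(url)
        emails.update(EMAIL_RE.findall(body))   # publicly displayed addresses
        parser = LinkParser()
        parser.feed(body)
        for href in parser.hrefs:
            link = urljoin(url, href).split("#")[0]
            parts = urlparse(link)
            if parts.scheme not in ("http", "https") or parts.netloc != host:
                continue              # mailto: links and other hosts are out of scope
            if parts.path.lower().endswith(MEDIA_EXT):
                rejected.add(link)    # media/documents are listed, not scanned
            elif link not in seen:
                seen.add(link)
                queue.append(link)
    return crawled, sorted(rejected), sorted(emails)

if __name__ == "__main__":
    print(crawl("https://app.example.com/", SITE.get))
```
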