wvs profile
Use this command to configure web vulnerability scan profiles.
A web vulnerability scan (WVS) profile defines the web server to scan, as well as the specific vulnerabilities to scan for. The WVS profiles are associated with WVS policies, which determine when to perform the scan and how to publish the results of the scan defined by the profile.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the wvsgrp
area. For details, see Permissions.
Syntax
config wvs profile
edit "<wvs_profile_name>"
set scan-target <scan-target_str>
set scan-template <scan-template_id>
set request-timeout <request-timeout_int>
set ignore-session-cookies {enable | disable}
set user-agent-type {custom | random}
set custom-user-agent <custom-user-agent_str>
set custom-header0 <custom-header0_str>
set custom-header1 <custom-header1_str>
set custom-header2 <custom-header2_str>
set custom-header3 <custom-header3_str>
set custom-header4 <custom-header4_str>
set custom-header5 <custom-header5_str>
set custom-header6 <custom-header6_str>
set custom-header7 <custom-header7_str>
set custom-header8 <custom-header8_str>
set custom-header9 <custom-header9_str>
set sub-path-limit <sub-path-limit_int>
set max-scan-time <max-scan-time_int>
set max-crawl-time <max-crawl-time_int>
set max-params-limit <max-params-limit_int>
set max-file-size <max-file-size_int>
set max-http-retries <max-http-retries_int>
set specify-urls-for-scanning {enable | disable}
set follow-regex <follow-regex_int>
set ignore-regex <ignore-regex_int>
set http-basic-authentication {enable | disable}
set basic-username <basic-username_str>
set basic-password <basic-password_str>
set form-based-authentication {enable | disable}
set form-based-username <form-based-username_str>
set form-based-password <form-based-password_str>
set form-based-auth-url <form-based-auth-url_str>
set username-field <username-field_str>
set password-field <password-field_str>
set cookie-jar-file <cookie-jar-file_str>
set session-check-url <session-check-url_str>
set session-check-str <session-check-url_str>
set data-format <data-format_str>
end
Variable | Description | Default |
Type a unique name for the profile name. The maximum length is 63 characters. |
No default. | |
Enter the URL that you want to scan, such as |
No default. | |
Select an existing scan template that you want to use in the profile. |
No default. | |
Type the number of seconds for the vulnerability scanner to wait for a response from the website before it assumes that the request will not successfully complete, and continues with the next request in the scan. It will not retry timeout requests. |
0 | |
If enabled, the scanner will ignore all session cookies sent by the target web application. |
disable
|
|
|
custom
|
|
Enter the custom user-agent value. |
No default. | |
You can define the host, user agent, and other common headers in the request. |
No default. | |
You can define the host, user agent, and other common headers in the request. |
No default. | |
You can define the host, user agent, and other common headers in the request. |
No default. | |
You can define the host, user agent, and other common headers in the request. |
No default. | |
You can define the host, user agent, and other common headers in the request. |
No default. | |
You can define the host, user agent, and other common headers in the request. |
No default. | |
You can define the host, user agent, and other common headers in the request. |
No default. | |
You can define the host, user agent, and other common headers in the request. |
No default. | |
You can define the host, user agent, and other common headers in the request. |
No default. | |
You can define the host, user agent, and other common headers in the request. |
No default. | |
Enter the maximum number of requests for sub path of each URL. |
75 | |
Enter the maximum scanning time. |
120 | |
Enter the maximum crawling time (minutes). |
60 | |
Enter the maximum number of requests for each URL, and parameter set. |
25 | |
Indicate the maximum file size (in bytes) that the scanner will retrieve from the remote server. |
400,000 | |
Indicate the maximum number of retries when requesting an URL. The valid value range is 1–10. |
2 | |
Enable to specify the URL to be scanned. |
disable
|
|
|
No default. | |
An empty string (nothing to be ignored), when crawling, only follow that matches this regular expression. |
No default. | |
Enable the HTTP basic authentication. |
disable
|
|
Enter the username of the web application. |
No default. | |
Enter the password for the username. |
No default. | |
Enable the form based authentication. |
disable
|
|
The username parameter name, for example, "uname" if the HTML looks like |
No default. | |
The password parameter name, for example, "pwd" if the HTML looks like |
No default. | |
Enter the target URL for security auditing, and the URL shall include |
No default. | |
Enter the username for using in the authentication process. |
No default. | |
Enter the password for the username. |
No default. | |
Designate a cookie jar file. The cookie jar file must be in mozilla format. |
No default. | |
Enter the URL where the packets are sent to. |
No default. | |
Enter the string in the response message. If the string can be checked, the authentication succeeds; otherwise, the authentication will be re-launched. |
No default. | |
Add extra parameters here for authentication as required by some websites, for example, |
No default. |