Vulnerability Scan Service. User Guide. Issue 20 Date HUAWEI TECHNOLOGIES CO., LTD.

Transcription

1 Issue 20 Date HUAWEI TECHNOLOGIES CO., LTD.

2 Copyright Huawei Technologies Co., Ltd All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademarks and Permissions and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied. Huawei Technologies Co., Ltd. Address: Website: Huawei Industrial Base Bantian, Longgang Shenzhen People's Republic of China Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. i

3 Contents Contents 1 Overview Vulnerability Scan Service Functions Application Scenarios Charging Standards Accessing and Using VSS How to Access VSS How to Use VSS Related Services User Permissions Audit Auditable Operations Viewing an Audit Trace One-Click Scan Website Vulnerability Scan Adding a Domain Name Deleting a Domain Name Authenticating a Domain Name Creating a Scan Job Viewing Website Scan Details Viewing the List of Website Assets Host Vulnerability Scan Adding a Host Performing Host Authorization Canceling Host Authorization Viewing Host Scan Details Viewing the List of Host Assets Downloading a Report Security Monitoring Adding a Monitoring Job Configuring the Notification Function Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. ii

4 Contents 6.3 Viewing Job Details Viewing the Security Monitoring List Dashboard Frequently Asked Questions About the Service Can I Delete an Added Domain Name? Can I Use VSS After It Expires? What Are the Changes in the Billing Mode? What Should I Do If a Pay-Per-Use Scan Job Fails? Is There Anything I Need to Know Before Purchasing Professional Edition? About Functions What Are the Differences Between VSS and Conventional Vulnerability Scanners? Which Vulnerabilities Can Be Scanned by VSS? Does VSS Provide a Scan Report? How Do I View Vulnerability Fixing Suggestions? What Does the Score Mean? What Are the Scan Job Statuses? Why Does the Automatic Login During a Scan Job Fails? How Can I Quickly Detect Website Vulnerabilities? Can I Use the Automatic Login Function of VSS If a Dynamic Verification Code Is Required for Website Login? When Are Advanced Scan Settings Required? What Should I Do If a Website Scan Job Fails to Be Created or Restarted? About Website Scan How Long Does a Scan Take? Why Is a Job Automatically Canceled in the Job Scan Process? How Do I Set a Scheduled Scan? Can the Authenticated Document in the Root Directory of the Website Be Deleted After Domain Name Authentication Is Complete? Why Is the Authenticated Document Not Displayed After I Click Download Authenticated Document? Why Am I Frequently Prompted that the Domain Name Format Is Incorrect During Job Creation? What Is the Authenticated Document Used For? Why Does Domain Name Authentication Fail? How Do I Upload an Authenticated Document to the Root Directory of a Website? How Do I Authenticate the Domain Name of a Website? Why Does My Website Scanning Fail? Which Websites Are not Supported by VSS? How Do I Enable Website Vulnerability Scan? What Should I Do When a Website Scan Fails with a Message Displayed Indicating Connection Timeout? About Host Scan How Do I Perform Host Authorization? Why Is Authorization Failed Displayed When Scanning?...74 Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. iii

5 Contents How Do I Solve the Problem of Host Unreachable (Security Group Restricted)? Why Does My Host Scanning Fail? Does Host Scan Support Non-Huawei ECSs? What Operating Systems Does Host Scan Support? A Change History Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. iv

6 1 Overview 1 Overview 1.1 Vulnerability Scan Service 1.2 Functions Vulnerability Scan Service (VSS) is designed to protect your servers and websites by scanning vulnerabilities. It provides services such as web vulnerability detection, vulnerability lifecycle management, and scan customization. After you create a scan job, you can manually start it to detect vulnerabilities in the website and obtain recommended actions. By scanning websites/hosts, VSS can detect any potential vulnerabilities and provide vulnerability details as well as fixing suggestions. VSS provides the following functions: Preliminary scan New users can experience a preliminary scan without authenticating your domain name to estimate website risks. Host vulnerability scan In-depth scanning Connects to servers for operating system (OS) detection, multi-dimensional detection, and configuration checking after verification. Intranet scanning Allows access to servers where services are running using the password, perfect for needs in enterprise networks. Weak password scan Multi-scenario applicability Offers weak password detection for standard web services, all OSs, and 90% of all middleware, including databases. Built-in weak password library Simulates hacker detection of weak passwords in various scenarios. You can also use your own weak password library to detect passwords. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 1

7 1 Overview Middleware scan Diverse scenarios Supports vulnerability scanning of mainstream web containers, foreground development frameworks, and background microservices, as well as configuration compliance scanning. Multiple scan methods Chooses standard scan or custom scan to identify the middleware and its version in the server and discover vulnerabilities and risks. Website vulnerability scan VSS can detect over 22 types of vulnerabilities, including OWASP Top 10 vulnerabilities and WASC vulnerabilities. Scan rules can be automatically updated on the cloud and take effect across the entire network against the latest vulnerabilities. VSS supports HTTPS scanning. One-stop vulnerability management VSS supports short message notification (SMN) upon job completion (professional edition only). VSS provides vulnerability fixing suggestions (professional edition only). VSS allows you to download.html scan reports and view vulnerability details in offline mode (professional edition only). VSS supports re-scanning. Customized scanning VSS supports the scheduled job scan function. VSS supports port scan. 1.3 Application Scenarios VSS supports weak password detection (professional edition only). VSS allows customization of login methods. VSS supports scanning of Web 2.0 crawlers. Perfectly designed used to detect potential vulnerabilities in your websites, VSS is a groundbreaking new technology from Huawei that thoroughly scans your websites for even the smallest of data vulnerabilities. For detected vulnerabilities, it provides suggestions to remove these issues, helping ensure website security. The application scenarios of VSS are as follows: Formal environment scanning By optimizing the scanning mechanism, VSS avoids risky operations (such as misdeletion of data or writing of dirty data) while discovering security vulnerabilities. This optimization helps enhance the security of users' formal environments during a vulnerability scan. Test environment scanning VSS accesses test environments by domain names (bound to IP addresses) or IP addresses. This allows you to provide IP addresses for scanning if you have no domain names. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 2

8 1 Overview 1.4 Charging Standards VSS consists of the basic edition and professional edition. The basic edition can be used free of charge, but some of its functions and specifications are limited. The professional edition is available on a pay-per-use basis. 1.5 Accessing and Using VSS How to Access VSS How to Use VSS You can access VSS using the management console. If you have registered with the public cloud, log in to the management console directly. On the homepage, choose Security > Vulnerability Scan Service to access VSS. Table 1-1 describes the process for using VSS. Table 1-1 Process for using VSS Step Purchase VSS. Authenticat e domain names. Create a scan job. View the scan result. Description VSS consists of the basic edition and professional edition. The basic edition can be used free of charge, but the functions and specifications are limited. The professional edition is available on a pay-per-use basis. For details, see the Vulnerability Scan Service Purchase Guide. For details, see Authenticating a Domain Name. You can create a scan job to scan your website. For details, see Creating a Scan Job. You can view the scan result on the Job Details page after the scan is complete. For the website scan result, see Viewing Website Scan Details. For the host scan result, see Viewing Host Scan Details Related Services IAM Identity and Access Management (IAM) provides the permission management function for VSS. Only users granted VSS Administrator permissions can use VSS. To apply for VSS Administrator permissions, contact a user with Security Administrator permissions. For details, see the Identity and Access Management. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 3

9 1 Overview User Permissions The system provides two types of default permissions: user management and resource management. User management refers to the management of users, user groups, and user group rights. Users with resource management permissions can control the operations performed on cloud service resources. For permissions of VSS users, see Permission Description. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 4

10 2 Audit 2 Audit Cloud Trace Service (CTS) records all operations on VSS, including requests initiated from the management console or open APIs and responses to the requests, for tenants to query, audit, and trace. 2.1 Auditable Operations Table 2-1 lists VSS operations recorded by CTS. Table 2-1 VSS operations that can be recorded by CTS Operation Resource Type Trace Name Creating a pre-scan job SCAN createprescantask Creating a scan Job SCAN createscantask Creating a domain name Deleting a domain name DOMAIN DOMAIN createdomain deletedomain 2.2 Viewing an Audit Trace After you enable CTS, the system starts recording operations on VSS. Operation records for the last seven days can be viewed on the CTS console. Viewing a VSS Trace on the CTS Console Step 1 Step 2 Log in to the management console. Click Service List in the upper part of the page and select Cloud Trace Service under Management & Deployment. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 5

11 2 Audit Step 3 Step 4 Choose Trace List in the navigation pane. Click Filter in the upper right corner to set the corresponding conditions. The following four filters are available: Trace Source, Resource Type, and Search By Select the filter from the drop-down list. Set Trace Source to VSS. When you select Trace name for Search By, you also need to select a specific trace name. When you select Resource ID for Search By, you also need to select or enter a specific resource ID. When you select Resource name for Search By, you need to select or enter a specific resource name. Operator: Select a specific operator (a user rather than tenant). Trace Rating: Available options include all trace status, normal, warning, and incident. You can only select one of them. Start time and End time: You can specify the specific period to query traces. Step 5 Click Query. Step 6 Click on the left of a trace to expand its details, as shown in Figure 2-1. Figure 2-1 Expanding trace details Step 7 Click View Trace in the Operation column. On the displayed View Trace dialog box shown in Figure 2-2, the trace structure details are displayed. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 6

12 2 Audit Figure 2-2 Viewing a trace ----End Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 7

13 3 One-Click Scan 3 One-Click Scan Scenario This section guides new users to experience VSS for free. Prerequisites Viewing the Service Process An account and its password have been obtained for logging in to the management console. Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service. The new user experience page is displayed. Step 3 View the service process (see Figure 3-1). Figure 3-1 Service process 1. Add an asset. Adds information about the asset (website or host) that you want to scan, such as the website domain name, website IP address, and host IP address. For details about how to add an asset, see Adding a Domain Name and Adding a Host. 2. Authenticate the asset. Authenticates your asset by referring to Authenticating a Domain Name. Only assets that are successfully authenticated can be scanned. Besides, you can detect the urgent vulnerability at the earliest moment after an urgent vulnerability was discovered. 3. Scan. Starts a scan or periodic scanning based on the default setting or custom setting. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 8

14 3 One-Click Scan 4. View the result. ----End First-Run Experience Views the scan progress online in real time. Notifies you by SMS or and produces a professional scanning report as soon as the scan is complete. Step 1 Step 2 Step 3 Log in to the management console. Choose Security > Vulnerability Scan Service. The new user experience page is displayed. Enter the domain name/ip address to be scanned, as shown in Figure 3-2. Click Try Now. Figure 3-3 displays the Authenticate Asset page. Figure 3-2 New user experience page Figure 3-3 Authenticating the asset If you do not want to authenticate your domain name, perform the following operations: a. Click Skip displayed on Figure 3-3 to experience a free scan. You can view the scan progress (see Figure 3-4). Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 9

15 3 One-Click Scan Figure 3-4 Scanning b. View the scan results in Figure 3-5. Table 3-1 lists each part of the scan results. Figure 3-5 Scan details Table 3-1 Scan results Area Description Operation Type Item The scan results are displayed by type. Items to be scanned, which are scan subtypes. - - Result Scan results. If your website is safe, the result is displayed as. If there is a risk, the corresponding risk level is displayed. Click View details to view details. displays the sample risk level. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 10

16 3 One-Click Scan If you want to authenticate your domain name, perform the following operations: a. There are two authentication methods: Document Authentication and One-Click Authentication. b. Method 1: Select Document Authentication (see Figure 3-6). Figure 3-6 Document authentication NOTE Perform document authentication following the procedure. After the authentication is complete, the domain name status becomes Authenticated. c. Method 2: Select One-Click Authentication (see Figure 3-7). If the server of your site to be detected is deployed on HUAWEI CLOUD and the server is the asset of your current login account, you can select one-click authentication. Figure 3-7 One-click authentication ----End d. Select I have read and agree to the HUAWEI CLOUD Vulnerability Scan Service Disclaimer and click Authenticate. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 11

17 4 Website Vulnerability Scan 4 Website Vulnerability Scan 4.1 Adding a Domain Name Scenario Prerequisites Procedure This section describes how to add a domain name. An account and its password have been obtained for logging in to the management console. Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed (see Figure 4-1). Figure 4-1 Asset list NOTE In the upper right corner of the list, you can view the number of domain names that can be added. Step 3 In the upper left corner of the asset list, click Add Domain Name. The Add Domain Name dialog box is displayed, as shown in Figure 4-2. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 12

18 4 Website Vulnerability Scan Figure 4-2 Adding a domain name Step 4 Click OK. Then, authenticate your domain name. For details, see Authenticating a Domain Name. NOTE You can also add domain names on the purchase page. ----End 4.2 Deleting a Domain Name Scenario This section describes how to delete a domain name. NOTICE After a domain name is deleted, the historical scan data of the asset will be deleted and cannot be restored. Therefore, exercise caution when performing this operation. Prerequisites An account and its password have been obtained for logging in to the management console. A domain name of Basic Edition is available. An unauthenticated domain name of Professional Edition is available. Procedure Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service. In the navigation pane, choose Asset List. The Asset List page is displayed, as shown in Figure 4-3. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 13

19 4 Website Vulnerability Scan Figure 4-3 Asset list Step 3 In the Operation column of the target domain name, click More and choose Delete from the short-cut menu. In the dialog box that is displayed, read the message carefully. An unauthenticated domain name of Professional Edition is used as an example. Figure 4-4 displays the Delete Asset dialog box. Figure 4-4 Deleting an asset Step 4 Click OK. If Domain name deleted successfully is displayed, the domain name is deleted successfully. NOTE ----End Only domain names of Basic Edition and unauthenticated domain names of Professional Edition can be deleted. After domain names of Basic Edition and unauthenticated domain names of Professional Edition are deleted, the domain name quota is not affected. If you want to delete authenticated domain names of Professional Edition, please send an application to cloudvss@huawei.com. The staff will reply and process your application as soon as possible. 4.3 Authenticating a Domain Name Scenario This section describes how to authenticate a domain name. Prerequisites An account and its password have been obtained for logging in to the management console. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 14

20 4 Website Vulnerability Scan The domain name status is Not authenticated. Procedure Step 1 Step 2 Step 3 Step 4 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. In the Operation column of the desired domain name to be authenticated, click Authenticate. In the Authenticated domain name dialog box, there are two authentication methods: document authentication and one-click authentication. Method 1: Select Document Authentication (see Figure 4-5). Figure 4-5 Document authentication 1. Click Download Authentication Document. 2. Upload the document to the root directory of the website and ensure that the following network address can be accessed: target network address/hwwebscan_verify.html. 3. Select I have read and agree to the HUAWEI CLOUD Vulnerability Scan Service Disclaimer. 4. Click Authenticate. After the operations are complete, the domain name status becomes Authenticated. Method 2: Select One-Click Authentication (see Figure 4-6). Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 15

21 4 Website Vulnerability Scan Figure 4-6 One-click authentication Select I have read and agree to the HUAWEI CLOUD Vulnerability Scan Service Disclaimer and click Authenticate. After the operations are complete, the domain name status becomes Authenticated. ----End 4.4 Creating a Scan Job Scenario This section describes how to create a scan job. Prerequisites An account and its password have been obtained for logging in to the management console. The domain name status is Authenticated. Procedure Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed, as shown in Figure 4-7. Figure 4-7 Asset list Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 16

22 4 Website Vulnerability Scan Step 3 Click Scan Now. The Create Job page is displayed. Set the scan parameters by referring to Table 4-1. Figure 4-8 displays the settings. Figure 4-8 Scan settings Table 4-1 Parameter description Parameter Job Name Target Network Address Whether to Upgrade This Scan to Professional Edition Description The value is specified by the user. Enter the website address or IP address to be scanned. Select an authenticated domain name from the drop-down list. After the function is enabled, fees are deducted as required during the scan. Move the cursor to know the upgrade impact. You can also see Differences Between VSS Basic and Professional in the upper right corner of the page (see Figure 4-8). If you keep Edition. unchanged, you will continue using Basic If you set to, you will automatically upgrade from Basic Edition to Professional Edition. NOTE If you have subscribed to Professional Edition, the system does not prompt the upgrade. Basic Edition supports common vulnerability scan and port scan. You can create a maximum of five scan jobs each day. One job lasts at most two hours. Professional Edition supports common vulnerability scan, port scan, weak password scan, and SMS notifications. You can create up to 60 scan jobs each day. Step 4 (Optional) Expand Advanced Settings. Figure 4-9 displays the Advanced Settings area. Set the parameters by referring to Table 4-2. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 17

23 4 Website Vulnerability Scan Figure 4-9 Advanced settings Table 4-2 Advanced settings parameters Parameter Description Instruction More Scan Settings Scan Mode The options are Quick Scan, Standard Scan, and Deep Scan. You are advised to select Deep Scan to detect root website vulnerabilities. Select a scan mode from the dropdown list. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 18

24 4 Website Vulnerability Scan Parameter Description Instruction Scan Complete Notification Port Scan Weak Password Scan Web Page Content Monitoring You can enable or disable the SMS notification function. To accept SMS notifications, set Whether to Upgrade This Scan to Professional Edition to on. You can enable or disable port scan. You can enable or disable weak password scan. To accept SMS notifications, set Whether to Upgrade This Scan to Professional Edition to on. You can enable or disable the monitoring of regulation compliance by web page content. : enabled : disabled : enabled. : disabled. : enabled : disabled Website Login Settings If your web page can be accessed only after login, configure login parameters so that VSS can discover more vulnerabilities for you. There are two login methods. To improve the login success rate, you are advised to set both of them. Method 1: Login Page Username Password Confirm Password Method 2: Cookie value Crawler Simulate Browser Address of the website login page Username for logging in to the website Password for logging in to the website Cookie value of the logged website Web browser used by crawlers Select a browser from the drop-down list. Currently, only Firefox and Chrome are supported. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 19

25 4 Website Vulnerability Scan Parameter Description Instruction Exclude Link Links to pages that you do not want to include in the scan You can add a maximum of five links. Click to add links and to remove them. Self-Define HTTP Request Header NOTE Some pages have further authentication requirements (such as requiring the user to enter a verification code). If you want to scan these pages, enter HTTP request headers. You can add a maximum of five request headers. Click to add headers and to remove them. Name Value Name of an HTTP request header Value of an HTTP request header Example: Cookie Example: phpsessionid=asdfsadfsadfsadfsadf; sdfs=asdfasdfasdf; uid=1 Step 5 After the settings are complete, select Timing for a scheduled scan or click Start Scan to immediately start a scan. Scheduled scan Select Timing to set a time. Then, click Start Scan. The system starts the job at the scheduled time. Immediate scan Click Start Scan. If the switch of Whether to Upgrade This Scan to Professional Edition is turned on, the Payment Notification window is displayed. If you agree the upgrade, click Agree and Scan. Figure 4-10 Payment notification NOTE ----End If the server is not fully occupied, the newly created job can be performed immediately and the job status is In progress. If the server is fully occupied, the job waits in the queue and its status is Waiting. If a scan job takes more than two hours and its progress is greater than 20%, the system displays a message indicating that the extra part beyond the free quota has been billed on a pay-per-use basis. You decide to cancel this job or not as required. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 20

26 4 Website Vulnerability Scan 4.5 Viewing Website Scan Details Scenario This section describes how to view the scan details of a website, such as scan summary, risk list, vulnerability list, port list, and site structure. Prerequisites An account and its password have been obtained for logging in to the management console. Procedure Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click the Website tab. Figure 4-11 displays the Website tab page. Figure 4-11 Website tab page Step 3 Click the score in the Latest Scan Details column. Figure 4-12 displays the job details page. On this page, you can see Scan Details. Table 4-3 lists each area on the job details page. NOTE In the upper right corner, click Download Report to download the job report in HTML format. The job details page displays the latest scan job by default. Choose a job that you want to see from the Historical Scan Report drop-down list. Figure 4-12 Scan details Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 21

27 4 Website Vulnerability Scan Table 4-3 Parameter description Area Description Operation Scan Address Job Information Scan Details This column shows the page from which the scan starts. The default value is the Target Network Address value that you set when creating the job. Displays basic information about a job, including: Score: score of the website. The initial score is 100, which will be deducted according to the numbers and levels of vulnerabilities discovered. If no vulnerability is detected, the score remains 100. Website Security Level: Determine the website security level based on the scan results. If no vulnerability is found, Website Security Level is displayed as Safety. If vulnerabilities are found, it is displayed as medium risk, high risk, or low risk. Total: total number of vulnerabilities and numbers of vulnerabilities of different levels. Started: time to start the scan job. Scan Duration: time consumed to complete the scan. Scan Strength: scan strength of the website selected when you create a scan job. The deeper the scan strength is, the slower the scan speed is. Scan results: result of a scan job, scanned successfully or failed. Displays the scan types, specific scan items, and the scan result of each scan item. Click to view basic information about the website, including: IP Address Server Language You can click Scan Again or Cancel Scan to re-scan or cancel the scan job. Click More to perform the following operations: Query details of advanced settings. Edit a scan job. Scan result: Safety. Danger. In this case, click View details. Unknown. Scan fails as the domain name is not authenticated. Click Authenticate Now. Step 4 Click View details to learn more (see Figure 4-13). Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 22

28 4 Website Vulnerability Scan Figure 4-13 Scan overview Step 5 Click the Content Risks tab. Figure 4-14 displays the Content Risks tab page. Figure 4-14 Content Risks tab page NOTE After you confirm that a type of risks does not pose danger, click Ignore in the Operation column to ignore it. When you find that an ignored risk type is dangerous, click Unignore in the Operation column to unignore it. Step 6 Click the Vulnerability List tab. Figure 4-15 displays the Vulnerability List tab page. Figure 4-15 Vulnerability list NOTE The vulnerability list shows the vulnerabilities detected in a job. One page displays five entries. You can go to the next page for more entries. Click View on the right to go to the Vulnerability List page. Click a vulnerability ID to view vulnerability details. Step 7 Click the Port List tab. Port information of the target website is displayed (see Figure 4-16). Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 23

29 4 Website Vulnerability Scan Figure 4-16 Port list Step 8 Click the Site Structure tab. Figure 4-17 shows the Site Structure tab page. NOTE The Site Structure tab page shows locations of vulnerabilities in the target website. If no vulnerabilities have been detected, this page is empty. Displays basic information about a target website, including: IP Address: IP address of the target website Server: Name of the server used for deploying the target website (for example: Tomcat, Apache httpd, and IIS.) Language: Development language used by the target website (for example: PHP, Java, and C#.) Figure 4-17 Site Structure tab page ----End 4.6 Viewing the List of Website Assets Scenario This section describes how to view the list of website assets. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 24

30 4 Website Vulnerability Scan Prerequisites An account and its password have been obtained for logging in to the management console. Procedure Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click the Website tab. Figure 4-18 displays the Website tab page. Table 4-4 lists related parameters. NOTICE In the row containing the desired domain name, click More in the Operation column to edit, scan, or delete a domain name. Figure 4-18 Website tab page Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 25

31 4 Website Vulnerability Scan Table 4-4 Parameter description Parameter Domain Information Latest Scan Details Operation Description Displays the domain name/ip address and authentication status. Authenticated The target domain name has been authenticated. Click Scan Now in the Operation column to create a scan job. For details, see Creating a Scan Job. Not authenticated The target domain name has not been authenticated. Click Authenticate in the Operation column to authenticate the domain name. For details, see Authenticating a Domain Name. Expired and cannot be renewed If the purchase duration of the professional edition has expired, Expired and cannot be renewed is displayed. Click Re-purchase to renew the domain name. For details, see the Vulnerability Scan Service Purchase Guide. Job Name Package Version: Indicates the current VSS edition, which can be either Basic or Professional. Expiration Time If you are using the basic edition, the expiration time is displayed. If you are using the professional edition, the expiration time is also displayed. If the purchased package has expired, click Repurchase. Displays information about the latest website scan job, including the score, time, and number of vulnerabilities at each level. Click the score to view scan details. Click Authenticate to authenticate the domain name, and then click Scan Now to create a scan job. Click More and choose Edit, Scan, or Delete from the shortcut menu. Click Edit to modify the domain name that has not been authenticated. Click Scan to scan the domain name again that has been authenticated. Click Delete to delete the domain name that is not being scanned. ----End Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 26

32 5 Host Vulnerability Scan 5 Host Vulnerability Scan 5.1 Adding a Host Scenario This section describes how to add a host. Prerequisites An account and its password have been obtained for logging in to the management console. A Huawei ECS is available. Procedure Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click the Host tab. Figure 5-1 displays the Host tab page. Figure 5-1 Host tab page Step 3 Click Add Host. Figure 5-2 displays the Add Host window. Set Host Type to Huawei ECS, and select the host that you want to add. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 27

33 5 Host Vulnerability Scan Figure 5-2 Adding a host Step 4 Click OK. ----End 5.2 Performing Host Authorization Scenario This section describes how to perform host authorization. After the authorization is complete, VSS can detect more threats to your hosts. Prerequisites An account and its password have been obtained for logging in to the management console. A host has been added. Procedure Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click the Host tab. Figure 5-3 displays the Host tab page. Figure 5-3 Host tab page Step 3 Click perform authorization. The Host Authorization page is displayed (see Figure 5-4). Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 28

34 5 Host Vulnerability Scan Figure 5-4 Host Authorization page Step 4 Step 5 Click Copy. Use a remote management tool, such as Xshell, SecureCRT, or PuTTY, to log in to the desired ECS (by its EIP). NOTE You can also remotely log in to the ECS. Step 6 Run the copied command on the ECS to which you log in using SecureCRT. If the command output shown in Figure 5-5 is displayed, the command is successfully executed. Figure 5-5 Command output ----End 5.3 Canceling Host Authorization Scenario This section describes how to cancel host authorization. After host authorization is canceled, VSS cannot completely detect vulnerabilities in your hosts. Therefore, exercise caution when performing this operation. Prerequisites An account and its password have been obtained for logging in to the management console. A host has been added. A preset account has been created. HUAWEI CLOUD is authorized to connect to the corresponding host over the network while creating a host scan job. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 29

35 5 Host Vulnerability Scan Procedure Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click the Host tab. Figure 5-6 displays the Host tab page. Figure 5-6 Host tab page Step 3 Click perform authorization. Figure 5-7 displays the Cancel Host Authorization area. Select the host type. Figure 5-7 Canceling authorization Step 4 Step 5 Click Copy. Use a remote management tool, such as Xshell, SecureCRT, or PuTTY, to log in to the desired ECS (by its EIP). NOTE You can also remotely log in to the ECS. Step 6 Step 7 Run the copied command to cancel authorization. Click Cancel Entrustment on Figure 5-7 to cancel the entrustment. ----End 5.4 Viewing Host Scan Details Scenario This section describes how to view host scan details. Prerequisites An account and its password have been obtained for logging in to the management console. A scan job has been completed. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 30

36 5 Host Vulnerability Scan Procedure Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click the Host tab. Figure 5-8 displays the Host tab page. Figure 5-8 Host tab page Step 3 Click the score in the Latest Scan Details column. Figure 5-9 displays the job details page. On this page, you can see Scan Details. Table 5-1 lists each area on the job details page. NOTE The job details page displays the latest scan job by default. Choose a job that you want to see from the Historical Scan Report drop-down list. Figure 5-9 Scan details Table 5-1 Parameter description Area Description Operation Destination IP Address Host IP address - Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 31

37 5 Host Vulnerability Scan Area Description Operation Job Information Scan Item Displays basic information about a job, including: Score: score of the website. The initial score is 100, which will be deducted according to the numbers and levels of vulnerabilities discovered. If no vulnerability is detected, the score remains 100. Vulnerabilities: total number of vulnerabilities and numbers of vulnerabilities of different levels. Baseline Risks: total number of risks and numbers of risks of different levels. Started at: time to start the scan job. Duration: time consumed to complete the scan. Scan Result: result of a scan job, scanned successfully or failed. Displays the category of the scan job, scan item name, scan statistics, severity, and scan status. - - Step 4 Click the Scan Item tab. Figure 5-10 displays the Scan Item tab page. Figure 5-10 Scan items Step 5 Click the Vulnerability List tab. Figure 5-11 displays the Vulnerability List tab page. Figure 5-11 Vulnerability list Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 32

38 5 Host Vulnerability Scan NOTE Step 6 The vulnerability list shows the vulnerabilities detected in a job. One page displays five entries. You can go to the next page for more entries. Click Ignore to ignore the vulnerability. Click a vulnerability ID to view vulnerability details. Click the Baseline Check tab. Figure 5-12 displays the Baseline Check tab page, showing baseline check information of the target website. Figure 5-12 Baseline check results NOTE ----End Click Ignore to ignore a check item. 5.5 Viewing the List of Host Assets Scenario This section describes how to view the list of host assets. Prerequisites An account and its password have been obtained for logging in to the management console. A Huawei ECS is available. Procedure Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click the Host tab. Figure 5-13 displays the Host tab page. Table 5-2 lists related parameters. Figure 5-13 List of host assets Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 33

39 5 Host Vulnerability Scan Table 5-2 Parameter description Parameter Host Information Latest Scan Details Operation Description IP Address Host Name VPC Group: Choose a group from the drop-down list in the upper right corner of the page. Click to add a group or to edit group information. Displays information about the latest host scan job, including the score, time, and number of vulnerabilities at each level. Click the score to view scan details. Click Start Scan to create a scan job. NOTE To perform batch scanning, select multiple hosts and click One-Click Scan in the upper left corner of the list. Click More and choose Edit, Change Group, or Delete from the shortcut menu. Click Edit to modify the host name. Click Change. On the displayed Change Group window, select an existing group from the drop-down list, or click Create Group to create a new group. NOTE To perform batch change, select multiple hosts and select Change Group from the Batch Operation drop-down list. Click Delete to delete the host that is not being scanned. NOTE To perform batch deleting, select multiple hosts and select Delete from the Batch Operation drop-down list. ----End 5.6 Downloading a Report Scenario This section describes how to download a scan report. Prerequisites An account and its password have been obtained for logging in to the management console. A scan job has been completed. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 34

40 5 Host Vulnerability Scan Procedure Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click the Host tab. Figure 5-14 displays the Host tab page. Figure 5-14 Host tab page Step 3 Click Download Report above the host list to download scan reports to the local PC. ----End Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 35

41 6 Security Monitoring 6 Security Monitoring 6.1 Adding a Monitoring Job Scenario This section describes how to add a monitoring job. Prerequisites An account and its password have been obtained for logging in to the management console. The domain name status is Authenticated. Procedure Step 1 Step 2 Step 3 Log in to the management console. Choose Security > Vulnerability Scan Service > Security Monitoring. Click Add Monitoring Job. Figure 6-1 highlights the area. Figure 6-1 Adding a monitoring job Step 4 Specify parameters in Table 6-1. Figure 6-2 shows the settings. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 36

42 6 Security Monitoring Figure 6-2 Scan settings NOTE If you have already subscribed to the professional edition, you will not be prompted to upgrade. Table 6-1 Parameter description Parameter Job Name Target Network Address Scan Interval Description The value is specified by the user. Enter the website address or IP address to be scanned. Select an authenticated domain name from the drop-down list. Select a value from the drop-down list. Start Time Click to set the time when this job starts. Whether to Upgrade Each Scan to Professional Edition After the function is enabled, fees are deducted as required during the scan. Move the cursor to know the upgrade impact. You can also see Differences Between VSS Basic and Professional in the upper right corner of the page (see Figure 6-2). If you keep Edition. unchanged, you will continue using Basic If you set to, you will automatically upgrade from Basic Edition to Professional Edition. Step 5 (Optional) Expand Advanced Settings. Figure 6-3 displays the Advanced Settings area. Set the parameters by referring to Table 6-2. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 37

43 6 Security Monitoring Figure 6-3 Advanced settings Table 6-2 Advanced settings parameters Parameter Description Instruction More Scan Settings Scan Mode Port Scan The options are Quick Scan, Standard Scan, and Deep Scan. You are advised to select Deep Scan to detect root website vulnerabilities. You can enable or disable port scan. Select a scan mode from the dropdown list. : enabled : disabled. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 38

44 6 Security Monitoring Parameter Description Instruction Weak Password Scan You can enable or disable weak password scan. If you want to enable weak password scan, set Whether to Upgrade Each Scan to Professional Edition to on. Website Login Settings If your web page can be accessed only after login, configure login parameters so that VSS can discover more vulnerabilities for you. There are two login methods. To improve the login success rate, you are advised to set both of them. Method 1: Login Page Username Password Confirm Password Method 2: Cookie value Crawler Setting Simulate Browser Excluded Link Address of the website login page Username for logging in to the website Password for logging in to the website Cookie value of the logged website Web browser used by crawlers Links to pages that you do not want to include in the scan Select a browser from the drop-down list. Currently, only Firefox and Chrome are supported. You can add a maximum of five links. Click to add links and to remove them. Self-Defined HTTP Request Header NOTE Some pages have further authentication requirements (such as requiring the user to enter a verification code). If you want to scan these pages, enter HTTP request headers. You can add a maximum of five request headers. Click to add headers and to remove them. Name Name of an HTTP request header Example: Cookie Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 39

45 6 Security Monitoring Parameter Description Instruction Value Value of an HTTP request header Example: phpsessionid=asdfsadfsadfsadfsadf; sdfs=asdfasdfasdf; uid=1 Step 6 Click OK. NOTE ----End If the server is not fully occupied, the newly created job can be performed immediately and the job status is In progress. If the server is fully occupied, the job waits in the queue and its status is Waiting. If a scan job takes more than two hours and its progress is greater than 20%, the system displays a message indicating that the extra part beyond the free quota has been billed on a pay-per-use basis. You decide to cancel this job or not as required. 6.2 Configuring the Notification Function Scenario This section describes how to configure the SMS notification function. Prerequisites An account and its password have been obtained for logging in to the management console. You have subscribed to Professional Edition. Procedure Step 1 Step 2 Step 3 Step 4 Log in to the management console. Choose Security > Vulnerability Scan Service > Security Monitoring. Click Notification Setting above the security monitoring list. (Optional) Click Setting in the displayed Notification Setting dialog box if you want to send notifications to another phone number. The default phone number is the one that you entered when you performed real name authentication. Figure 6-4 displays the Notification Setting dialog box. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 40

46 6 Security Monitoring Figure 6-4 Notification setting Step 5 (Optional) Specify the parameters by referring to Table 6-3 (see Figure 6-5). Figure 6-5 Notification setting Table 6-3 Notification setting parameters Parameter Description Operation Phone Number Enter the phone number that you want to receive notifications from. Click Verification Code. Verificatio n Code Enter the obtained verification code. - Using SMS Options are as follows: Notification sent only when vulnerabilities are detected. Do not accept any notification. Notification sent as soon as the scan is complete. - Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 41

47 6 Security Monitoring Step 6 Step 7 Select a notification method from the Using SMS drop-down list. Click OK. ----End 6.3 Viewing Job Details Scenario Prerequisites Procedure This section describes how to view job details. An account and its password have been obtained for logging in to the management console. Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Security Monitoring. Figure 6-6 shows the monitoring list. Figure 6-6 Monitoring list Step 3 Click the score in the Latest Scan Information column. Figure 6-7 displays the job details page. On this page, you can see Scan Details. Table 6-4 lists each area on the job details page. NOTE In the upper right corner, click to download the job report in HTML format. The job details page displays the latest scan job by default. Choose a job that you want to see from the Historical Scan Report drop-down list. Figure 6-7 Scan details Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 42

48 6 Security Monitoring Table 6-4 Parameter description Area Description Operation Scan Address Job Information Scan Details This column shows the page from which the scan starts. The default value is the Target Network Address value that you set when creating the job. Displays basic information about a job, including: Score: score of the website. The initial score is 100, which will be deducted according to the numbers and levels of vulnerabilities discovered. If no vulnerability is detected, the score remains 100. Website Security Level: Determine the website security level based on the scan results. If no vulnerability is found, Website Security Level is displayed as Safety. If vulnerabilities are found, it is displayed as medium risk, high risk, or low risk. Total: total number of vulnerabilities and numbers of vulnerabilities of different levels. Started: time to start the scan job. Scan Duration: time consumed to complete the scan. Scan Strength: scan strength of the website selected when you create a scan job. The deeper the scan strength is, the slower the scan speed is. Scan results: result of a scan job, scanned successfully or failed. Displays the scan types, specific scan items, and the scan result of each scan item. Click to view basic information about the website, including: IP Address Server Language You can click Scan Again or Cancel Scan to re-scan or cancel the scan job. Click More to perform the following operations: Query details of advanced settings. Edit a scan job. Scan result: Safety. Danger. In this case, click View details. Unknown. Scan fails as the domain name is not authenticated. Click Authenticate Now. Step 4 Click View details to learn more (see Figure 6-8). Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 43

49 6 Security Monitoring Figure 6-8 Scan overview Step 5 Click the Vulnerability List tab. Figure 6-9 displays the Vulnerability List tab page. Figure 6-9 Vulnerability list NOTE The vulnerability list shows the vulnerabilities detected in a job. One page displays five entries. You can go to the next page for more entries. Click View on the right to go to the Vulnerability List page. Click a vulnerability ID to view vulnerability details. Step 6 Click the Port List tab. Port information of the target website is displayed (see Figure 6-10). Figure 6-10 Port list Step 7 Click the Site Structure tab. Figure 6-11 shows the Site Structure tab page. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 44

50 6 Security Monitoring NOTE The Site Structure tab page shows locations of vulnerabilities in the target website. If no vulnerabilities have been detected, this page is empty. Displays basic information about a target website, including: IP Address: IP address of the target website Server: Name of the server used for deploying the target website (for example: Tomcat, Apache httpd, and IIS.) Language: Development language used by the target website (for example: PHP, Java, and C#.) Figure 6-11 Site Structure tab page ----End 6.4 Viewing the Security Monitoring List Scenario Prerequisites Procedure This section describes how to view the security monitoring list. An account and its password have been obtained for logging in to the management console. Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Security Monitoring. Figure 6-12 shows the monitoring list. Table 6-5 lists related parameters. Figure 6-12 Security monitoring list Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 45

51 6 Security Monitoring Table 6-5 Parameters in the security monitoring list Parameter Job Name Monitoring Interval Monitored Asset Scan Mode Latest Scan Information Operation Description Name of the monitoring job How frequently you want the scan job to run Target website address The options are Quick Scan, Standard Scan, and Deep Scan. You are advised to select Deep Scan. Displays information about the latest scan job, including the score, start time, and number of vulnerabilities at each level. Click the score to view scan details. Suspend Monitoring Start Job Edit Job Delete Job ----End Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 46

52 7 Dashboard 7 Dashboard Scenario This section describes how to view the scanning overview, including the asset information, latest scan result, latest scan job list, and one-click detection notice on the Dashboard page. Prerequisites An account and its password have been obtained for logging in to the management console. A website or host has been added. Taking an Overview Step 1 Step 2 Step 3 Log in to the management console. Choose Security > Vulnerability Scan Service > Dashboard. The Dashboard page is displayed. View the scanning overview. Click One-Click Detection to enter the One-Click Detection of the Latest Critical Vulnerability page to view details. View the assets (see Figure 7-1). Table 7-1 lists asset parameters. Figure 7-1 Asset information Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 47

53 7 Dashboard Table 7-1 Asset parameters Parameter Description Operation Website/Host Quantity Most Vulnerable Website/Host Website/Host Risk Statistics Displays the total number of websites and hosts, and the number of authenticated/unauthenticated websites and hosts. NOTE If the total number of websites or hosts is 0, click Add Asset to go to the asset list page to add a website or host. The website with the lowest score is the most vulnerable website. If two websites have the same score, the website with the maximum number of high-risk vulnerabilities is the most vulnerable website. If the score of all scanned websites is 100, there is no most vulnerable website. This field is displayed as --. Displays the number of website/host risks in different levels. Displays risk details of all websites or hosts. Click the number to go to the corresponding asset list. Displays the number of authenticated/ unauthenticated sites and hosts. Click Most Vulnerable Website or Most Vulnerable Host. The latest scan job details of the website or host are displayed. Risk levels are: High, Medium, Low, and Informational -- View the latest scan information (see Figure 7-2). Table 7-2 lists related parameters. Figure 7-2 Latest scan information NOTE Click to switch between the latest scanned website and host. If a scan job is not finished, only its status is displayed, such as Waiting and In Progress. If a scan job fails, details about the last successful scan job are displayed. Table 7-2 Parameter description Parameter Description Operation Target Website or host to be scanned Click the website or host to view job details. Started Time when a scan job begins -- Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 48

54 7 Dashboard Parameter Description Operation Duration How long a scan job lasts -- Vulnerabilities Top Risks Displays the number of website/ host risks in different levels. Sorts from high vulnerabilities to low in a descending order. Risk levels are: High, Medium, Low, and Informational -- View the list of the latest scan jobs (see Figure 7-3). Table 7-3 lists the parameters. Figure 7-3 List of the latest scan jobs Table 7-3 Job list parameters Paramete r Description Operation Target Website or host to be scanned Click the website or host to view job details. Number of Vulnerabil ities Status Displays the total number of vulnerabilities detected in a website or host. The options are Waiting, In Progress, and Completed Started Time when a scan job begins -- Duration How long a scan job lasts End Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 49

55 8 Frequently Asked Questions 8 Frequently Asked Questions 8.1 About the Service Can I Delete an Added Domain Name? After a domain name is deleted, the historical scan data of the asset will be deleted and cannot be restored. Therefore, exercise caution when performing this operation. The domain names that can be deleted by yourself are as follows: Domain names of Basic Editions. If you delete one, you still have 5 free quotas. Unauthenticated domain names of Professional Edition NOTE Only domain names of Basic Edition and unauthenticated domain names of Professional Edition can be deleted. After domain names of Basic Edition and unauthenticated domain names of Professional Edition are deleted, the domain name quota is not affected. If you want to delete authenticated domain names of Professional Edition, please send an application to cloudvss@huawei.com. The staff will reply and process your application as soon as possible Can I Use VSS After It Expires? After VSS expires, you can use all functions provided by Basic Edition What Are the Changes in the Billing Mode? The Edition is bound with the tenant rather than domain names. You cannot use Basic Edition and Professional Edition at the same time. Changes for existing users are as follows: Existing users can continue using functions of Basic Edition. Each user can add a maximum of five domain names. If you have purchased Professional Edition and Basic Edition, all domain names of Basic Edition will be upgraded to Professional Edition. The expiration time of the domain name with the maximum usage duration prevails. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 50

56 8 Frequently Asked Questions What Should I Do If a Pay-Per-Use Scan Job Fails? Click Scan Again Is There Anything I Need to Know Before Purchasing Professional Edition? If you have used Basic Edition before purchasing Professional Edition, set Domain Names to a number greater than or equal to the existing number of websites in the asset list. If you do not want to upgrade an existing domain name to Professional Edition, delete it before purchasing Professional Edition. If you only want to upgrade all domain names of Basic Edition to Professional Edition, set Domain Names to a number equal to the existing number of websites in the asset list. If you want to scan more websites, set Domain Names to your desired number, which must be greater than the existing number of websites in the asset list. Once purchase succeeded, all existing domain names of Basic Edition are upgraded to Professional Edition by default. 8.2 About Functions What Are the Differences Between VSS and Conventional Vulnerability Scanners? Item Conventional Scanner VSS Usage Install clients in advance. Users do not need to install clients. Instead, users can start a scan simply by creating a job on the console (enter a domain name or IP address), saving O&M costs. Vulnerability database update The vulnerability database is updated manually, which means that the latest information cannot be synchronized in a timely manner. The vulnerability database is updated on the cloud, with the latest vulnerabilities covered. VSS can check for the latest vulnerability in users' websites Which Vulnerabilities Can Be Scanned by VSS? Currently, the following vulnerabilities can be scanned: Weak passwords SSH, RDP, SMB, MySQL, Microsoft SQL Server, MongoDB, Redis, Oracle, DB2, GaussDB, Postgres, and Telnet Front-end vulnerabilities Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 51

57 8 Frequently Asked Questions SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and URL redirection Information leakage Port exposure, directory traversal, backup files, insecure files, insecure HTTP methods, and insecure ports Web Injection Command injection, code injection, XPath injection, Server-Side Request Forgery (SSRF), and deserialization File inclusion Arbitrary file read, inclusion, and upload, and XML External Entity (XXE) attack Does VSS Provide a Scan Report? Currently, the website scan report is available and can be downloaded. The download function of the host scan report is available soon. Perform the following operations to download a website scan report: Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click the Website tab. Figure 8-1 displays the Website tab page. Figure 8-1 Website tab page Step 3 Click the score in the Latest Scan Details column. Step 4 On the page displaying details of a job (see Figure 8-2), click in the upper right corner to download the job scan report. Currently, only the.html format is supported. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 52

58 8 Frequently Asked Questions Figure 8-2 Scan details ----End How Do I View Vulnerability Fixing Suggestions? To view suggestions on how to fix website vulnerabilities, perform the following steps: Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click the Website tab. Figure 8-3 displays the Website tab page. Figure 8-3 Website tab page Step 3 Step 4 Click the score in the Latest Scan Details column. Click the Vulnerability List tab. Figure 8-4 displays the Vulnerability List tab page. Figure 8-4 Vulnerability list Step 5 Click the ID of the desired vulnerability (see Figure 8-5). Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 53

59 8 Frequently Asked Questions Figure 8-5 Vulnerability ID Step 6 View vulnerability fixing suggestions on the Vulnerability Details page, as shown in Figure 8-6. You can rectify the vulnerabilities based on the recommendations. Figure 8-6 Vulnerability Details page ----End To view suggestions on how to fix host vulnerabilities, perform the following steps: Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click the Host tab. Figure 8-7 displays the Host tab page. Figure 8-7 Host tab page Step 3 Step 4 Click the score in the Latest Scan Details column. Click the Vulnerability List tab. Figure 8-8 displays the Vulnerability List tab page. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 54

60 8 Frequently Asked Questions Figure 8-8 Vulnerability list Step 5 Click the ID of the desired vulnerability (see Figure 8-9). Figure 8-9 Vulnerability ID Step 6 View vulnerability fixing suggestions on the Vulnerability Details page, as shown in Figure You can rectify the vulnerabilities based on the recommendations. Figure 8-10 Vulnerability Details page ----End What Does the Score Mean? After a scan job is created, the initial score is 100 points. After the scan job is complete, the corresponding score is deducted based on the vulnerability level. Website scan: 10 points deducted for high risk, 5 points for medium risk, 3 points for low risk, and no point for no vulnerability. Host scan: 3 points deducted for high risk, 2 points for medium risk, 1 point for low risk, and 0.5 point for information (the final score will be rounded up). If there is no vulnerability, no score will be deducted. NOTE A higher score means a more secure website. For a low score, you are advised to ignore nonthreatening vulnerabilities, fix vulnerabilities, or enable Web Application Firewall (WAF) to protect your website. After you fix vulnerabilities, you are advised to scan your website again to confirm that your website is now protected. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 55

61 8 Frequently Asked Questions What Are the Scan Job Statuses? Status Completed In progress Waiting Canceled Description The scan job is completed. The scan job is in progress. The scan job is waiting to be executed. NOTE If the server is not fully occupied, the newly created job can be performed immediately and the job status is In progress. If the server is fully occupied, the job waits in the queue and its status is Waiting. If a scan job takes more than two hours and its progress is greater than 20%, the system displays a message indicating that the extra part beyond the free quota has been billed on a pay-peruse basis. You decide to cancel this job or not as required. The scan job is canceled. NOTE Only jobs in the In progress or Waiting status can be canceled. The change of a job's status may be: Waiting > In progress > Complete Waiting > Canceled Waiting > In progress > Canceled Why Does the Automatic Login During a Scan Job Fails? VSS automatically finds the username and password text boxes and the login button on the login page submitted by the user for login. After the login is successful, VSS also finds the logout link to prevent it from logging out from the website. The success rate of finding these elements depends on the page complexity. If your web page can be accessed only after login, configure login parameters so that VSS can discover more vulnerabilities for you. You can select either of the following login methods (see Figure 8-11). To improve the login success rate, you are advised to set both of them. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 56

62 8 Frequently Asked Questions Figure 8-11 Setting the login method How Can I Quickly Detect Website Vulnerabilities? VSS obtains the URL list of the user website through the crawler and then scans all the URLs in the list. If you want quick scan, select Quick Scan from the Scan Mode drop-down list in the Advanced Scan Settings area. Figure 8-12 highlights the area. NOTE Scan modes are: quick scan, standard scan, and deep scan. Deep scan can discover root vulnerabilities. Figure 8-12 Setting the scan mode Can I Use the Automatic Login Function of VSS If a Dynamic Verification Code Is Required for Website Login? The automatic login function of VSS cannot be used in this case because the verification code is used to prevent automatic tool operations. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 57

63 8 Frequently Asked Questions In this case, you are advised to manually log in to the website using a browser, and then fill the cookie after login in the Self-Define HTTP Request Header of Advanced Scan Settings When Are Advanced Scan Settings Required? Advanced scan settings can be performed for special website pages that: Require port scan or weak password detection. Can only be accessed after authentication (username and password). Do not need to scan. Can only be accessed after a verification code is entered. Figure 8-13 shows the advanced settings page and Table 8-1 describes the parameters. Figure 8-13 Advanced settings Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 58

64 8 Frequently Asked Questions Table 8-1 Advanced settings parameters Parameter Description Instruction More Scan Settings Scan Mode Scan Complete Notification Port Scan Weak Password Scan Web Page Content Monitoring The options are Quick Scan, Standard Scan, and Deep Scan. You are advised to select Deep Scan to detect root website vulnerabilities. You can enable or disable the SMS notification function. To accept SMS notifications, set Whether to Upgrade This Scan to Professional Edition to on. You can enable or disable port scan. You can enable or disable weak password scan. To accept SMS notifications, set Whether to Upgrade This Scan to Professional Edition to on. You can enable or disable the monitoring of regulation compliance by web page content. Select a scan mode from the dropdown list. : enabled : disabled : enabled. : disabled. : enabled : disabled Website Login Settings If your web page can be accessed only after login, configure login parameters so that VSS can discover more vulnerabilities for you. There are two login methods. To improve the login success rate, you are advised to set both of them. Method 1: Login Page Username Password Confirm Password Method 2: Address of the website login page Username for logging in to the website Password for logging in to the website Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 59

65 8 Frequently Asked Questions Parameter Description Instruction Cookie value Crawler Simulate Browser Exclude Link Cookie value of the logged website Web browser used by crawlers Links to pages that you do not want to include in the scan - Select a browser from the drop-down list. Currently, only Firefox and Chrome are supported. You can add a maximum of five links. Click to add links and to remove them. Self-Define HTTP Request Header NOTE Some pages have further authentication requirements (such as requiring the user to enter a verification code). If you want to scan these pages, enter HTTP request headers. You can add a maximum of five request headers. Click to add headers and to remove them. Name Value Name of an HTTP request header Value of an HTTP request header Example: Cookie Example: phpsessionid=asdfsadfsadfsadfsadf; sdfs=asdfasdfasdf; uid= What Should I Do If a Website Scan Job Fails to Be Created or Restarted? Perform the following operations: Step 1 Step 2 Step 3 Step 4 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Check whether the domain name has been authenticated for the target website. If yes, contact Huawei technical support. If no, perform Step 3 to Step 4 to authenticate the domain name. Click Authenticate. In the Authenticated domain name dialog box, there are two authentication methods: document authentication and one-click authentication. Method 1: Select Document Authentication (see Figure 8-14). Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 60

66 8 Frequently Asked Questions Figure 8-14 Document authentication 1. Click Download Authentication Document. 2. Upload the document to the root directory of the website and ensure that the following network address can be accessed: target network address/hwwebscan_verify.html. 3. Select I have read and agree to the HUAWEI CLOUD Vulnerability Scan Service Disclaimer. 4. Click Authenticate. After the operations are complete, the domain name status becomes Authenticated. Method 2: Select One-Click Authentication (see Figure 8-15). Figure 8-15 One-click authentication Select I have read and agree to the HUAWEI CLOUD Vulnerability Scan Service Disclaimer and click Authenticate. After the operations are complete, the domain name status becomes Authenticated. ----End Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 61

67 8 Frequently Asked Questions 8.3 About Website Scan How Long Does a Scan Take? Duration of a website scan depends on the website size. Typically, scanning a 200-page website takes approximately 30 minutes. A certain number of detection requests are sent to the website being scanned, slightly increasing the load of the website. NOTE The duration of re-scanning the same job is shorter than the initial scan Why Is a Job Automatically Canceled in the Job Scan Process? If a job is automatically canceled in the job scan process, there are two possible reasons: The website login settings are not configured. You did not configure website login settings and VSS cannot perform in-depth access, leading to automatic job scan cancelation. You are advised to configure website login settings and perform the scan job again. Network exceptions occur during the job scan. If network exceptions occur, VSS cannot access the website and the job will be automatically canceled. You are advised to perform the scan job again when the network becomes normal How Do I Set a Scheduled Scan? When creating a job, select the Timing check box and set the scan time. Then, click the Timing button. The system will start the job at the set time. See Figure NOTE The start time must be within the coming one week. Figure 8-16 Setting a scheduled scan job Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 62

68 8 Frequently Asked Questions Can the Authenticated Document in the Root Directory of the Website Be Deleted After Domain Name Authentication Is Complete? No. VSS will read this document during subsequent scanning and check whether the ownership of the website is still valid. If the authenticated document is deleted, a failure message is displayed when the domain name is scanned again Why Is the Authenticated Document Not Displayed After I Click Download Authenticated Document? The downloaded authenticated document may be intercepted by the browser. Check the blocking settings of the browser to see whether it is so Why Am I Frequently Prompted that the Domain Name Format Is Incorrect During Job Creation? When creating a job, you need to enter the domain name format so that VSS can identify the protocol (HTTP or HTTPS) used by the website. The correct domain name format is either of the following: + domain name or IP address + domain name or IP address For example, if the HTTPS protocol is used and the IP address is , the target website needs to be set to during job creation What Is the Authenticated Document Used For? The authenticated document is used to verify the ownership of a user and a scanned website. To verify the ownership of the user and the scanned website, VSS generates a unique document. If the document is saved in the root directory of the website and the document can be accessed by external users, VSS considers that the current user is the owner of the website Why Does Domain Name Authentication Fail? Possible causes for domain name authentication failures are: The authenticated document is not saved in the root directory of the website. Save the authenticated document to the root directory of the website and perform authentication again. The domain name cannot be accessed. Ensure that the domain name can be accessed and perform authentication again. The domain name information does not comply with rules and regulations. Websites containing content that does not comply with laws and regulations do not support VSS. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 63

69 8 Frequently Asked Questions How Do I Upload an Authenticated Document to the Root Directory of a Website? Tomcat, Apache, and IIS Servers Step 1 Find the root directory of the server used by the website, that is, the directory at the same level as the index file. The root directories of common servers are as follows: Server Used by a Website Tomcat Apache IIS Root Directory Tomcat deployment address/webapps/root/ The default value is /var/www/html. Set the directory based on the site requirements. The default value is C:\inetpub\wwwroot. Set the directory based on the site requirements. Nginx Servers Step 2 Save the authenticated document to the directory found in Step 1. NOTE ----End Steps for other servers are similar. Specifically, you only need to save the authenticated document to the directory at the same level as the index file. For Nginx servers, perform the following steps: Step 1 Step 2 Step 3 Log in to the Nginx server as user root. Upload the authenticated document to any directory (the nginx process has the read permission on this directory). The following uses the /opt/mock directory as an example. Configure the location information of the Nginx http module, as shown in Figure The location information shows that the authenticated document can be obtained in /opt/mock. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 64

70 8 Frequently Asked Questions Figure 8-17 Configuration of location information Step 4 Run the nginx -s reload command to update the configuration. ----End How Do I Authenticate the Domain Name of a Website? Perform the following operations: Step 1 Step 2 Step 3 Step 4 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. In the Operation column of the desired domain name to be authenticated, click Authenticate. In the Authenticated domain name dialog box, there are two authentication methods: document authentication and one-click authentication. Method 1: Select Document Authentication (see Figure 8-18). Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 65

71 8 Frequently Asked Questions Figure 8-18 Document authentication 1. Click Download Authentication Document. 2. Upload the document to the root directory of the website and ensure that the following network address can be accessed: target network address/hwwebscan_verify.html. 3. Select I have read and agree to the HUAWEI CLOUD Vulnerability Scan Service Disclaimer. 4. Click Authenticate. After the operations are complete, the domain name status becomes Authenticated. Method 2: Select One-Click Authentication (see Figure 8-19). Figure 8-19 One-click authentication Select I have read and agree to the HUAWEI CLOUD Vulnerability Scan Service Disclaimer and click Authenticate. After the operations are complete, the domain name status becomes Authenticated. ----End Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 66

72 8 Frequently Asked Questions Why Does My Website Scanning Fail? You may not have the required permission. Check your permissions. To purchase VSS, you must have the te_admin, bss_adm, bss_pay, or bss_ops permissions. To apply for such permissions, contact a user with Security Administrator permissions. For details, see the Identity and Access Management Which Websites Are not Supported by VSS? VSS does not support websites that are not accessible or do not comply with laws and regulations How Do I Enable Website Vulnerability Scan? Perform the following steps: Step 1 Step 2 Step 3 Step 4 Step 5 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. In the upper right corner, click Purchase VSS Professional. For details about how to set purchase parameters, see the Vulnerability Scan Service Purchase Guide. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click Add Domain Name or +Add Domain Name. Figure 8-20 displays the Add Domain Name dialog box. Figure 8-20 Adding a domain name Step 6 Step 7 Click OK. In the Authenticated domain name dialog box, there are two authentication methods: document authentication and one-click authentication. Method 1: Select Document Authentication (see Figure 8-21). Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 67

73 8 Frequently Asked Questions Figure 8-21 Document authentication 1. Click Download Authentication Document. 2. Upload the document to the root directory of the website and ensure that the following network address can be accessed: target network address/hwwebscan_verify.html. 3. Select I have read and agree to the HUAWEI CLOUD Vulnerability Scan Service Disclaimer. 4. Click Authenticate. After the operations are complete, the domain name status becomes Authenticated. Method 2: Select One-Click Authentication (see Figure 8-22). Figure 8-22 One-click authentication Select I have read and agree to the HUAWEI CLOUD Vulnerability Scan Service Disclaimer and click Authenticate. After the operations are complete, the domain name status becomes Authenticated. Step 8 Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed, as shown in Figure Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 68

74 8 Frequently Asked Questions Figure 8-23 Asset list Step 9 Click Scan Now. The Create Job page is displayed. Set the scan parameters by referring to Table 8-2. Figure 8-24 displays the settings. Figure 8-24 Scan settings Table 8-2 Parameter description Parameter Job Name Target Network Address Whether to Upgrade This Scan to Professional Edition Description The value is specified by the user. Enter the website address or IP address to be scanned. Select an authenticated domain name from the drop-down list. After the function is enabled, fees are deducted as required during the scan. Move the cursor to know the upgrade impact. You can also see Differences Between VSS Basic and Professional in the upper right corner of the page (see Figure 8-24). If you keep Edition. unchanged, you will continue using Basic If you set to, you will automatically upgrade from Basic Edition to Professional Edition. NOTE If you have subscribed to Professional Edition, the system does not prompt the upgrade. Basic Edition supports common vulnerability scan and port scan. You can create a maximum of five scan jobs each day. One job lasts at most two hours. Professional Edition supports common vulnerability scan, port scan, weak password scan, and SMS notifications. You can create up to 60 scan jobs each day. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 69

75 8 Frequently Asked Questions Step 10 (Optional) Expand Advanced Settings. Figure 8-25 displays the Advanced Settings area. Set the parameters by referring to Table 8-3. Figure 8-25 Advanced settings Table 8-3 Advanced settings parameters Parameter Description Instruction More Scan Settings Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 70

76 8 Frequently Asked Questions Parameter Description Instruction Scan Mode Scan Complete Notification Port Scan Weak Password Scan Web Page Content Monitoring The options are Quick Scan, Standard Scan, and Deep Scan. You are advised to select Deep Scan to detect root website vulnerabilities. You can enable or disable the SMS notification function. To accept SMS notifications, set Whether to Upgrade This Scan to Professional Edition to on. You can enable or disable port scan. You can enable or disable weak password scan. To accept SMS notifications, set Whether to Upgrade This Scan to Professional Edition to on. You can enable or disable the monitoring of regulation compliance by web page content. Select a scan mode from the dropdown list. : enabled : disabled : enabled. : disabled. : enabled : disabled Website Login Settings If your web page can be accessed only after login, configure login parameters so that VSS can discover more vulnerabilities for you. There are two login methods. To improve the login success rate, you are advised to set both of them. Method 1: Login Page Username Password Confirm Password Method 2: Cookie value Crawler Address of the website login page Username for logging in to the website Password for logging in to the website Cookie value of the logged website Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 71

77 8 Frequently Asked Questions Parameter Description Instruction Simulate Browser Exclude Link Web browser used by crawlers Links to pages that you do not want to include in the scan Select a browser from the drop-down list. Currently, only Firefox and Chrome are supported. You can add a maximum of five links. Click to add links and to remove them. Self-Define HTTP Request Header NOTE Some pages have further authentication requirements (such as requiring the user to enter a verification code). If you want to scan these pages, enter HTTP request headers. You can add a maximum of five request headers. Click to add headers and to remove them. Name Value Name of an HTTP request header Value of an HTTP request header Example: Cookie Example: phpsessionid=asdfsadfsadfsadfsadf; sdfs=asdfasdfasdf; uid=1 Step 11 After the settings are complete, select Timing for a scheduled scan or click Start Scan to immediately start a scan. Scheduled scan Select Timing to set a time. Then, click Start Scan. The system starts the job at the scheduled time. Immediate scan Click Start Scan. If the switch of Whether to Upgrade This Scan to Professional Edition is turned on, the Payment Notification window is displayed. If you agree the upgrade, click Agree and Scan. Figure 8-26 Payment notification Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 72

78 8 Frequently Asked Questions NOTE ----End If the server is not fully occupied, the newly created job can be performed immediately and the job status is In progress. If the server is fully occupied, the job waits in the queue and its status is Waiting. If a scan job takes more than two hours and its progress is greater than 20%, the system displays a message indicating that the extra part beyond the free quota has been billed on a pay-per-use basis. You decide to cancel this job or not as required What Should I Do When a Website Scan Fails with a Message Displayed Indicating Connection Timeout? The possible causes and solutions are as follows: 1. Your website is unstable. Open the website and check whether the connection is normal. Try scanning again. 2. Your website cannot be accessed from the Internet. As a result, VSS cannot access and scan your website. 3. A firewall or another security policy has been configured on your website. As a result, the IP addresses of VSS ( , , , , , , and ) are mistakenly intercepted as attackers. Add the IP addresses of VSS to the whitelist. NOTE If your website cannot be accessed, check whether it is working properly. If you have any questions, feel free to send your problem on the VSS console. 8.4 About Host Scan How Do I Perform Host Authorization? Procedure Step 1 Step 2 Log in to the management console. Choose Security > Vulnerability Scan Service > Asset List. The Asset List page is displayed. Click the Host tab. Figure 8-27 displays the Host tab page. Figure 8-27 Host tab page Step 3 Click perform authorization. The Host Authorization page is displayed (see Figure 8-28). Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 73

79 8 Frequently Asked Questions Figure 8-28 Host Authorization page Step 4 Step 5 Click Copy. Use a remote management tool, such as Xshell, SecureCRT, or PuTTY, to log in to the desired ECS (by its EIP). NOTE You can also remotely log in to the ECS. Step 6 Run the copied command on the ECS to which you log in using SecureCRT. If the command output shown in Figure 8-29 is displayed, the command is successfully executed. Figure 8-29 Command output ----End Why Is Authorization Failed Displayed When Scanning? Perform the following operations to locate and rectify the fault: You use an IAM user account. The scan fails due to limited permission of your account. The solution is to switch to the enterprise account. (Recommended) Use an enterprise account. If you use the enterprise account, but the system still displays a message indicating that the authorization fails, the possible cause is that the number of agencies reaches the upper limit. Check whether the number of agencies reaches the upper limit. a. Move the pointer to the username and click Identity and Access Management. Figure 8-30 highlights the area. The user page is displayed. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 74

80 8 Frequently Asked Questions Figure 8-30 Identify and access management b. Click Agency. On the displayed Agency page shown in Figure 8-31, view the agency number. A maximum of 10 agencies can be created. Figure 8-31 Viewing the number of agencies How Do I Solve the Problem of Host Unreachable (Security Group Restricted)? During scanning, the system displays a message indicating that the scan fails and your host is unreachable (cannot be accessed). Possible causes are as follows: Access control is enabled for the security group. The network malfunctions. In this case, Check whether access control is enabled for the security group to which your host belongs. If yes, create a policy to allow the following IP addresses to access your host: Why Does My Host Scanning Fail? The possible causes are as follows: The host is not authorized or unreachable. For the solution, see How Do I Perform Host Authorization? and How Do I Solve the Problem of Host Unreachable (Security Group Restricted)?. Issue 20 ( ) Copyright Huawei Technologies Co., Ltd. 75