Fine-tune a DAST profile

The default DAST profile is suitable for most use cases. If necessary, you can fine-tune your DAST profile in a scan-settings.json file and upload it to the Polaris web UI. Configuration options are available for the scan engine (for example, excluded URLs, attack depth, and crawl settings) and the supported authentication methods (Forms, SAML, and Selenium).

After you Create a DAST project, follow these steps to customize the project's DAST profile:

After you open the DAST project, go to DAST Profiles and select the project's profile.
Select Import scan-settings.json file.
Select DOWNLOAD TEMPLATE to download a template scan-settings.json file.
Open the scan-settings.json file in a text editor and modify it, as required.
The template file contains all the available configuration options and their default values.
Note: See Advanced DAST settings for descriptions of the most common settings. We recommend that you remove the configuration options that you don't want to modify.
Save the modified scan-settings.json file, then upload it to the Polaris web UI. You can drag and drop the file to the Upload .json file box or browse for it on your computer.
Click Save.

Advanced DAST settings

Table 1. Advanced DAST configuration reference
Setting	Description
`useSmartSetting`	When Smart Settings is enabled, fAST Dynamic crawls a limited section of the target web application to automatically detect several characteristics important to dynamic application security testing. These include (but are not limited to): The framework used in the web application, such as Angular, React, or Ember.js Whether the site is a Single Page Application (SPA) or a traditional, non-JavaScript website Whether pages must be fully loaded in the browser in order to navigate the site Whether the page structure is duplicated across the site, to determine the extent of page de-duplication the scan engine can perform Based on this data, the scan engine defines a set of optimal scan settings and applies them to the `scan-settings.json` file. Default: `true` Note: Be aware that enabling Smart Settings will override some pre-existing scan settings, if you have modified these in the `scan-settings.json` file.
`pageReadyConfig`	Configuration for "page readiness" heuristics; that is, how the scan engine determines if a page has finished loading in a browser and is ready for interaction. `pageReadyConfig` supports a single `mode` of `SPA` (Single Page Application). This mode is designed to help the scanner recognize when pages have loaded in JavaScript intensive web apps. Default: `"mode": "SPA"` The `pages` and `regexes` options are not supported in the initial release of fAST Dynamic.
`authSettings`	Configuration for authentication. Default: `"loginType": "none"` Note: See Authentication settings (authSettings) for more information.
`scanTimeout`	Maximum length of time before an incomplete scan times out. At the end of this period, the scanner will publish the partial results of the scan. Default: `72h`
`includedPaths`	Configuration for URL paths to include in scans of the target web application. If set, only URL paths matching the specified values are included in scans. Enter an array of regular expressions, for example: `"includedUrls": ["app", "about", "contact", "reports"],` Default: N/A
`excludedUrls`	Configuration for URL paths to exclude from scans of the target web application. If found on a URL path, the given URLs will be excluded from scans, including active attacks. Enter an array of regular expressions, for example: `"excludedUrls": ["logout", "signout"],` Default: `"logout", "signout", "log-out", "sign-out"`
`excludedAttackUrls`	Configuration for URL paths to exclude from active attacks of the target web application. Only applies if Perform Active Attacks is selected on the DAST project page. Default: `null`
`excludedParameters`	An array of values where any matching parameter names (for example, query parameters, form fields, or headers) will not be attacked. Only applies if Perform Active Attacks is selected on the DAST project page. Default: `"jsessionid", "__EVENTARGUMENT", "__EVENTTARGET", "__EVENTVALIDATION", "__VIEWSTATE", "X-WHS"`
`excludedStatusCodes`	A response with a matching status code will not be attacked. Only applies if Perform Active Attacks is selected on the DAST project page. Default: `401, 404`
`excludedHosts`	List of hosts to exclude from crawling and attacking. The scan engine will never send a request to any URL on these hosts, even through the browser. A list of regular expressions. Note: You might want to add internal services to the default list of excluded hosts, for example, application performance monitoring (APM) tools, ad servers, etc. Default: See `scan-settings.json`
`customHeaders`	Extra headers to add to all requests from the scan engine. Default: `Cache-Control, Accept-Language`
`customCookies`	Extra cookies to add to all requests from the scan engine. Default: `null`
`activeCheckers`	List of active checkers to enable in scans of the target web application. Active checkers change the values of parameters in requests to detect vulnerabilities. Reducing the amount of active checkers will speed up scans but reduce the depth and breadth of intrusive testing. Only applies if Perform Active Attacks is selected on the DAST project page. Default: See `scan-settings.json`
`passiveCheckers`	List of passive checkers to enable in scans of the target web application. Passive checkers are non-intrusive. They detect vulnerabilities by passively observing web traffic. Default: See `scan-settings.json`
`crawler.formValues`	Default values used by the scan engine when crawling pages that contain forms. You can customize these form values with specific names and types of form fields used in the target web application. Default: See `scan-settings.json`

Authentication settings (authSettings)

When you create a DAST project, you select an authentication method — either None, Forms, SAML, or Selenium — and configure basic settings through the Polaris web UI. Alternatively, you can configure authentication in the authSettings section of the scan-settings.json file. Here, you can configure the same options as in the UI and some additional advanced settings for each authentication method.

By default, no authentication method is set:

"authSettings": {
    "loginType": "none",
    "settings": {}
  },

The loginType field supports the following values: none, simple, SAML, and selenium. The structure of the settings object depends on this value, as described below.

Simple

Simple authentication is most appropriate for simple username/password login forms where both username and password fields are on a single page.

Note: If your application uses multiple pages for authentication (like Polaris), use Selenium.

Table 2. `scan-settings.json`, simple authentication reference
Setting	Optional/Required	Description
`loginURL`	Required	URL of the target login page.
`formCSSSelector`	Optional	A CSS selector for the login form if there is more than one form on the login page. A CSS selector can be generated using your browser's developer tools by highlighting the `<form>` HTML element and choosing Copy Selector from the context menu. For example: `#my-page-form, body > div:nth-child(5) > form`
`formValues`	Optional	Specifies the input field names and values for interacting with the target login form. You can specify one or more of the following: `nameValues`: select for exact matches on the `name` attribute of an `<input>` HTML element. Note: The rendered label used to identify an `<input>` element may not match its `name` attribute. For example: `<form> <input name="username"> <input name="password" type="password"> </form>` `"formValues": { "nameValues": { "username": "myuser", "password": "mypassword" } }` `typeValues`: select for an exact match on the `type` attribute of an `<input>` HTML element. For example: `<form> <input name="email-1234" type="email"> <input name="username-5678" type="text"> <input name="password-9999" type="password"> </form>` `"formValues": { "typeValues": { "text": "myuser", "password": "mypassword", "email": "myuser@example.com" } }` `nameRegexValues`: select for a regular expression match using the `name` attribute of an `<input>` HTML element. For example: `<form> <input name="username"> <input name="password" type="password"> </form>` `"formValues": { "nameRegexValues": { "username-\d+": "myuser", "password-\d+": "mypassword" } }` In this example, all three `formValues` settings are used: `"formValues": { "nameValues": { "username": "myuser", "password": "mypassword" }, "typeValues": { "text": "myuser", "password": "mypassword", "email": "myuser@example.com" }, "nameRegexValues": { "username-\d+": "myuser", "password-\d+": "mypassword" } }`
`headers`	Optional	An array of `Name,Value` pairs (note the capitalization). For example: `"headers": [ {"Name": "foo", "Value": "bar"} ]`
`cookies`	Optional	An array of Cookie objects as `Name,Value` pairs. Other cookie properties, such as `Path` or `Expires`, are supported too. For example: `"cookies": [ {"Name": "session", "Value": "123"} ]`

For example:

"authSettings": {
  "loginType": "simple",
  "settings": {
    "loginURL": "https://example.com/login",
    "formValues": {
      "nameValues": {
          "username": "myuser",
          "password": "mypassword"
      }
    }
  }
}

SAML

Authenticate via a SAML Identity Provider (IdP) to perform SSO to a target.

Table 3. `scan-settings.json`, SAML authentication reference
Setting	Optional/Required	Description
`ssoLoginURL`	Required	The URL of SAML SSO login page.
`formValues`	Optional	Specifies the input field names and values for interacting with the target login form. You can specify one or more of the following: `nameValues`: select for exact matches on the `name` attribute of an `<input>` HTML element. Note: The rendered label used to identify an `<input>` element may not match its `name` attribute. For example: `<form> <input name="username"> <input name="password" type="password"> </form>` `"formValues": { "nameValues": { "username": "myuser", "password": "mypassword" } }` `typeValues`: select for an exact match on the `type` attribute of an `<input>` HTML element. For example: `<form> <input name="email-1234" type="email"> <input name="username-5678" type="text"> <input name="password-9999" type="password"> </form>` `"formValues": { "typeValues": { "text": "myuser", "password": "mypassword", "email": "myuser@example.com" } }` `nameRegexValues`: select for a regular expression match using the `name` attribute of an `<input>` HTML element. For example: `<form> <input name="username"> <input name="password" type="password"> </form>` `"formValues": { "nameRegexValues": { "username-\d+": "myuser", "password-\d+": "mypassword" } }`
`headers`	Optional	An array of `Name,Value` pairs (note the capitalization). For example: `"headers": [ {"Name": "foo", "Value": "bar"} ]`
`cookies`	Optional	An array of Cookie objects as `Name,Value` pairs. Other cookie properties, such as `Path` or `Expires`, are supported too. For example: `"cookies": [ {"Name": "session", "Value": "123"} ]`

For example:

"authSettings": {
  "loginType": "SAML",
  "settings": {
    "ssoLoginURL": "https://mycompany.okta.com/app/12345",
    "formValues": {
      "nameValues": {
        "username": "admin",
        "password": "password123"
      }
    }
  }
}

Selenium

Authenticate using a Selenium .side file, generated from the Selenium IDE browser extension.

Table 4. `scan-settings.json`, Selenium authentication reference
Setting	Optional/Required	Description
`sideFileContents`	Optional	The contents of the .side file, in JSON format.

For example:

"authSettings": {
    "loginType": "selenium",
    "settings": {
      "sideFileContents": {
        "id": "629c40d4-ea61-42c3-9ce5-80e59da8a988",
        "version": "2.0",
        "name": "selenium-example",
        "url": "https://example.com",
        "tests": [...],
        "suites": [...],
        "urls": [
          "https://example.com/"
        ],
        "plugins": []
      }
    }
  },