
Running a Web Scan

info

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

info

This feature is only available to organizations that have signed up for the Web Application Scanning feature.

Setup

Here are the steps required before running a Web scan:

  1. Register a web application (see Registering a Web Application).
  2. Register endpoints to scan (see Identifying Endpoints to Scan).
  3. Verify ownership of the web application to be scanned.

Verifying Ownership of Your Web Application

Shisho Cloud requires proof of ownership of the application being scanned to prevent malicious use of this scanning feature. Shisho Cloud will verify ownership before running the scan, and if the verification fails, the scan will not start and the scan job will end. Verification is done for the host of the registered endpoint, and if the endpoint consists of multiple hosts, each host is verified.

There are two ways to verify ownership, and ownership is proven when either of these is satisfied for all hosts of the application:

  • The host of the web application to be scanned is on a cloud resource linked to Shisho Cloud.
  • The host of the web application to be scanned sends a request to a verification URL and receives the expected response.

The results of the ownership verification are displayed in the "Scan Jobs" tab (https://cloud.shisho.dev/[orgid]/applications/[appid]/jobs/scan). Verification is also performed when this page is opened, allowing you to check the latest verification results.

[Screenshot: Verification Results of Scan Prerequisites]

Verifying Through Cloud Resources Linked to Shisho Cloud

If the host of the application being scanned is on a cloud resource linked to Shisho Cloud, that host is considered to be owned. If the integration already exists, no further action is normally needed. To link cloud resources, see Configure external integrations.

Hosts detected by Shisho Cloud can be found in the "Applications > Attack Surfaces" tab.

[Screenshot: Attack Surface List]

warning

Depending on the configuration of your cloud resources, Shisho Cloud may not be able to correctly detect hosts even if they are linked to Shisho Cloud. In that case, please feel free to contact the operator (Flatt Security).

If you are not using a cloud service, or if you are using one but have difficulty linking resources, consider verifying through the verification URL.

Verifying Through a Verification URL

To prove ownership of the host of the application to be scanned through a verification URL, the specified URL must return the application verification token.

Requests sent by Shisho Cloud:

GET http[s]://<host>/.well-known/shisho-cloud/<application verification token>

Responses returned by the host of the application being scanned:

Status: 200 OK
Body: <application verification token>

The application verification token can be found on the "General" tab (https://cloud.shisho.dev/[orgid]/applications/[appid]).

[Screenshot: Application Verification Token]

For example, to verify the host of sample-app.com with the token 01J5TAXF0RV6G9DVH4BPM1SX1G, the following request will be sent by Shisho Cloud:

GET http://sample-app.com/.well-known/shisho-cloud/01J5TAXF0RV6G9DVH4BPM1SX1G

If sample-app.com returns a status code of 200 OK and the following body in the response, the ownership of this host is proven:

01J5TAXF0RV6G9DVH4BPM1SX1G
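The following is an added example, not code from Flatt Security or the Shisho Cloud documentation, showing one way to satisfy the verification contract above and to check it locally before the scan job runs. It serves the token only at the exact well-known path (any other path, including a different token, gets a 404), and includes a client-side check that mirrors the documented request: GET the verification URL and compare the body to the token. The token value is the sample from the text, the environment variable name SHISHO_VERIFICATION_TOKEN is hypothetical, and the server binds to localhost for the demonstration.

```python
"""Serve the application verification token at the documented well-known path.

Added example; not the project's own code. Assumptions: the token is read
from a hypothetical SHISHO_VERIFICATION_TOKEN environment variable, falling
back to the sample token from the documentation for demonstration.
"""
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

WELL_KNOWN_PREFIX = "/.well-known/shisho-cloud/"
# Sample token from the documentation; use the value from the "General" tab in practice.
SAMPLE_TOKEN = "01J5TAXF0RV6G9DVH4BPM1SX1G"


def verification_response(path: str, token: str) -> tuple[int, str]:
    """Return (status, body) for a request path, following the documented contract.

    Only the exact well-known path for the configured token answers 200 with the
    bare token as the body. Everything else is a 404, so the endpoint never
    echoes a token it was not configured with.
    """
    if path == WELL_KNOWN_PREFIX + token:
        return 200, token
    return 404, "not found"


def make_handler(token: str):
    """Build a request handler class bound to one token."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Ignore any query string; only the path matters for verification.
            status, body = verification_response(self.path.split("?", 1)[0], token)
            payload = body.encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/plain; charset=utf-8")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *_):
            pass  # keep the example quiet

    return Handler


def serve(token: str, port: int = 0) -> HTTPServer:
    """Start the verification server in a background thread (port 0 = any free port)."""
    server = HTTPServer(("127.0.0.1", port), make_handler(token))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_host(base_url: str, token: str) -> bool:
    """Reproduce the documented check: GET the verification URL, expect 200 and the token body."""
    req = urllib.request.Request(base_url + WELL_KNOWN_PREFIX + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status == 200 and resp.read().decode() == token
    except (urllib.error.HTTPError, urllib.error.URLError):
        return False


if __name__ == "__main__":
    token = os.environ.get("SHISHO_VERIFICATION_TOKEN", SAMPLE_TOKEN)
    srv = serve(token, 8080)
    print("verified:", check_host("http://127.0.0.1:8080", token))
    srv.shutdown()
```

Run it once to confirm the path and body are exactly right; a reverse proxy or static file server in front of the real host must preserve the path and must not add a redirect, an HTML wrapper, or a trailing newline to the body, since the documented response is the bare token with status 200.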

Customizing the Scan Schedule (Optional)

By default, web scans are run daily at 00:00 UTC (09:00 JST), but you can customize the scan schedule in cron format or disable scheduled execution and only allow manual execution.

Web application scans are run periodically by "Workflows." You can access the details screen of the workflow that runs the web scan here.

[Screenshot: Web Application Scanning Workflow]

If you want to change or disable the scan schedule, first click on the "Update" button on the right side of the screen.

The schedule is specified in .triggers.schedule[].cron as follows:

version: 0.1.0
id: "free-trial-web-scanning"
name: "Review Web application posture (Free Trial)"
triggers:
  schedule:
    - cron: "0 0 * * *"
# (abbreviated)

To change the schedule, simply type the desired schedule in cron format and click the "Save" button. For example, if you want to run the scan every day at 12:00 UTC (21:00 JST), set it as follows:

version: 0.1.0
id: "free-trial-web-scanning"
name: "Review Web application posture (Free Trial)"
triggers:
  schedule:
    - cron: "0 12 * * *"
# (abbreviated)

caution

The cron schedule is interpreted in UTC time. Please set the schedule in consideration of the time difference between your time zone and UTC.

To disable the schedule, make the following changes and click the "Save" button:

version: 0.1.0
id: "free-trial-web-scanning"
name: "Review Web application posture (Free Trial)"
triggers:
  schedule: []
# (abbreviated)

For more information about the trigger settings for workflows, see here.

Running a Scan

Running a Scan from Workflow (Optional)

By default, web application scans are run daily at 00:00 UTC (09:00 JST). If you want to run the scan immediately without waiting for scheduled execution, you can do so by following the steps below.

Web application scans are run periodically by "Workflows." You can access the details screen of the workflow that runs the web scan here.

[Screenshot: Web Application Scanning Workflow]

This workflow runs the web scan. Clicking on the "Run" button on this screen will run the web scan against all registered web applications.

To check the status and progress of the scan, open "Applications" in the top bar, click the application you want to check in the list of applications to open its details page, then open the "Scan Jobs" tab (https://cloud.shisho.dev/[orgid]/applications/[appid]/jobs/scan) to view the execution history of scans.

[Screenshot: List of Scan Jobs]

You can check the progress of the scan job by clicking on the running scan job and opening the job details screen (https://cloud.shisho.dev/[orgid]/applications/[appid]/jobs/scan/[jobid]).

[Screenshot: Scan Job Details]

Viewing Scan Results

Once the scan job is successfully completed, the assessment results will be reflected in the Dashboard and Resources. For details, see Reviewing Findings.