Using the Crawl Instructions

DynamicDS and DynamicMP

An important part of obtaining high quality results from a DynamicDS scan is ensuring that as many links as possible on the site are discovered through the scan engine's crawl. While Veracode's automated crawler is one of the best in the industry, in some cases you may need to provide a crawl sequence to manage the complex business logic in your application. For example, parts of your web application may only be accessible if a particular form is completed a certain way. Providing a pre-recorded crawl sequence to supplement the Veracode scan engine's automated crawl can increase the success of the DynamicDS scan.

Veracode supports using Selenium IDE, Kantu for Chrome, or Burp Proxy to record a crawl sequence. Refer to the documentation for the tool you are using for additional information about how to record a crawl sequence.

Selenium

Selenium is an open source web testing framework that provides the ability to directly drive the actions of a web browser. You can use Selenium IDE, a Firefox plugin, to record your crawl sequence, including clicks that trigger JavaScript actions. If your site does not function in Firefox, you will need to use Burp Proxy to record your crawl sequence.

Troubleshooting Selenium Scripts

It is recommended that you run your Selenium script again prior to upload to ensure that it works correctly. If you are having trouble getting your Selenium script to run again, check the following:

  • Verify that the script uses supported Selenium commands.
  • Verify that the crawl sequence does not depend on elements of your page that may change frequently.
  • Ensure that you open Selenium IDE after the first page has finished loading.
  • Do not change tabs or do anything outside of the web application while recording a crawl script.
  • Be sure to stop the recording when done, and delete any steps at the end that might have been recorded by accident.

Burp Proxy

Burp Proxy, a component of the free edition of the Burp Suite, is an intercepting proxy that captures all traffic between your browser and a web application. Unlike Selenium, Burp Proxy records traffic at the HTTP protocol level, and cannot play back clicks on page elements.

Note: Burp Suite is a Java application.

To record a crawl sequence using Burp Proxy, do the following:

  1. Open Burp Suite and click the Proxy tab.
  2. If the Intercept is On button is visible, click on it to disable the Intercept option.
  3. Configure the proxy settings in your browser to point to the Burp proxy, which by default is available on port 8080 of the loopback interface (127.0.0.1:8080). Instructions for doing this are available in the online Burp Suite help.
  4. Use your browser to step through the part of the application you want the Veracode scan engine to visit.
  5. Switch to the Burp Suite UI and verify that the crawl recorded successfully. You should see a list of requests in the Crawl tab.
  6. Right-click on the list of requests and choose Save selected items.

You can upload the crawl instructions using the Crawl Sequence file upload control.
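As an added example (not Veracode's or PortSwigger's code), the script below reads a Burp "Save selected items" export and reports, before you upload it, which recorded requests are in scope for the target host, which went to other hosts, and whether each in-scope request carried a session cookie or Authorization header. It assumes the element layout of that XML export (one `item` with `host`, `method`, `path` and a base64 `request`); the sample export and its hosts, paths and cookie value are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET


def _b64(raw: str) -> str:
    """Base64-encode a raw HTTP request the way Burp stores it in the export."""
    return base64.b64encode(raw.encode()).decode()


# Constructed raw requests (not a real capture): a login POST, an authenticated
# page fetch, and a third-party script load that should not be in the crawl.
REQ_LOGIN = ("POST /login HTTP/1.1\r\nHost: 127.0.0.1:8000\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=demo&pass=demo")
REQ_ORDERS = ("GET /account/orders HTTP/1.1\r\nHost: 127.0.0.1:8000\r\n"
              "Cookie: session=constructed-value\r\n\r\n")
REQ_CDN = "GET /analytics.js HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n"

# Constructed sample in the layout of Burp's "Save selected items" XML export.
SAMPLE_EXPORT = f"""<?xml version="1.0"?>
<items>
  <item><host ip="127.0.0.1">127.0.0.1</host><port>8000</port><protocol>http</protocol>
    <method>POST</method><path>/login</path>
    <request base64="true"><![CDATA[{_b64(REQ_LOGIN)}]]></request></item>
  <item><host ip="127.0.0.1">127.0.0.1</host><port>8000</port><protocol>http</protocol>
    <method>GET</method><path>/account/orders</path>
    <request base64="true"><![CDATA[{_b64(REQ_ORDERS)}]]></request></item>
  <item><host ip="203.0.113.10">cdn.example.net</host><port>80</port><protocol>http</protocol>
    <method>GET</method><path>/analytics.js</path>
    <request base64="true"><![CDATA[{_b64(REQ_CDN)}]]></request></item>
</items>
"""


def summarize_crawl(xml_text: str, target_host: str) -> dict:
    """Split recorded requests into in-scope steps and out-of-scope hosts."""
    in_scope, out_of_scope = [], []
    for item in ET.fromstring(xml_text).findall("item"):
        host = item.findtext("host", "").strip()
        method = item.findtext("method", "").strip()
        path = item.findtext("path", "").strip()
        req_el = item.find("request")
        raw = req_el.text or ""
        if req_el.get("base64") == "true":
            raw = base64.b64decode(raw).decode("latin-1")
        # Header block only; skip the request line, lower-case header names.
        head = raw.split("\r\n\r\n", 1)[0]
        names = {l.split(":", 1)[0].strip().lower() for l in head.split("\r\n")[1:] if ":" in l}
        if host != target_host:
            out_of_scope.append((host, method, path))
            continue
        in_scope.append({"method": method, "path": path,
                         "authenticated": bool(names & {"cookie", "authorization"})})
    return {"in_scope": in_scope, "out_of_scope": out_of_scope}
```

Requests listed under `out_of_scope` (CDNs, analytics, other hosts) are candidates to deselect in Burp before saving, and a crawl of an authenticated area in which no in-scope step is marked `authenticated` usually means the session was not captured.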


Upload crawl instructions