
Definition of a Web Application

Edgescan licences per web application. We use logic and authentication workflows to define the scope of an application. Your account team will help you find the best fit for your business requirements.

Version Number: v1.0.0

Published Date: 14 Aug 2025

____________________________________________________________________________

A single web application includes one (or more) hostnames and may also include login credentials for systems with an authentication feature. If multiple hostnames exist, they must be functionally or logically related to be considered part of the same application. Sub-domains are considered part of the same application and managed under the same license if:

  • The sub-domains are functionally and/or logically related to the web application.
  • The established HTTP session (via authentication credentials) is valid for the sub-domains in the case of authenticated applications.

 

SSO Applications
Single Sign-On (SSO) applications introduce complexity. Even though users experience seamless access between systems, the SSO service may reauthenticate users in the background when switching URLs within the same session. This can make defining a "logical" application difficult, as separate URLs may still require independent reauthentication.

 

License Assignment and Coverage

  • Login Credentials: Authentication credentials can be provided to ensure comprehensive coverage of the application code base during the scanning process. An appropriate license type must be assigned to this asset.
  • Unauthenticated Licenses: Only the unauthenticated parts of the application are assessed.
  • Authenticated Licenses: Both unauthenticated and authenticated parts of the application (as granted by the user roles/permissions provided) are assessed.

 

Complex Applications: For applications requiring multiple user privilege levels or involving numerous hostnames or sub-domains, additional licenses may be necessary. The allocation of licenses for such applications is subject to fair usage policies.

 

Full-Stack Coverage: Vulnerability Management of Associated Hosting Infrastructure

  • Associated Hosting Infrastructure: Refers to systems directly connected to the primary web application.
    • External Web Applications (Public): Vulnerability management of the associated hosting infrastructure is provided where it is accessible from the public Internet. This includes the web server hostname/IP address and associated hostnames/IPs for sub-domains.
    • Internal Web Applications (Intranet): Vulnerability management of the associated non-public infrastructure is included in non-public assessments. This includes the web server hostname/IP address and associated hostnames/IPs for sub-domains.
  • Authenticated Vulnerability Scanning: Available only if the web application license includes authenticated testing.

 

Limitations and Considerations for Web Application Testing

  • Active Scans: Each asset can only run one active scan at a time.
  • Scan Profile: Each asset can have only one scan profile at any given time.

 

License Packages

Essentials

  • 1 Root URL: Example: https://acme.com
  • Max 1 Subdomain URL/Seed URL: Example: https://acme.com/hidden_pages/
  • Max 3 Hostnames/IPs: Example: acme.com, 123.456.0.1

Professional

  • 1 Root URL: Example: https://acme.com
  • Max 1 Subdomain URL/Seed URL: Example: https://www.acme.com/hidden_pages/
  • Max 3 Hostnames/IPs: Example: acme.com, 123.456.0.1

Advanced

  • 1 Root URL: Example: https://acme.com
  • Max 2 Subdomain URL/Seed URL: Example: https://content.acme.com, https://www.acme.com/hidden_pages/
  • Max 5 Hostnames/IPs: Example: acme.com, content.acme.com, 123.456.0.1

 

Key Terms:

Root URL: The starting point from which scanners begin crawling.

  • Can be the application root (e.g., https://acme.com), scanning every branch below it.
  • Can be a location below the root (e.g., https://acme.com/web_app1), scanning every branch below the starting branch.
  • Separate assets are created if distinct applications are found below the root URL (e.g., https://acme.com/web_app1 and https://acme.com/web_app2).

Subdomain URL: A separate starting point for scanning subdomains within scope. Should only be added if the main application references these subdomains.

Seed URL: A separate starting point below the root URL for scanners to initiate crawling. Useful for parts of the application not easily discoverable through standard crawling.

 

Clarification on Single Logical Application
A license covers a single logical application or API. For authenticated applications, reauthentication should not occur when switching between URLs within the same session. Despite SSO providing seamless access across sites, reauthentication still occurs behind the scenes, necessitating separate license management for each site.