Can someone brief me about Web Application Scanning for SSO enabled applications?
The scenario is -
1. The application possesses PingFed and HSTS and is accessible only to internal organization via SSO.
2. The functionality for the application is tested via Security Review and it depicts some of the best security practices.
The configurations set for scanning are -
1. Individual appliance (since application is accessible is restricted for internal use only).
2. Web Application crawling has been enabled and Selenium Script has been deployed for it.
3. Smart Scan is being advantaged for the purpose.
4. No authentication page is deployed within the application.
The challenges are -
1. Scan is taking long to be submitted sometimes. (I believe the scanner is trying to penetrate the 'Pingfed' pages to crawl the links/urls.)
2. The scan seems finished with some vulnerabilities detected (confirmed and potential ones), however, the scan report says no links/urls respective to web application have crawled in the process. The links crawled in the meantime are of 'Pingfed'. However, the backend code looks completely fine.
Now, the question is - If Qualys is unable to reach the application, how is it identifying the vulnerabilities, and those of level 2 and level 3?
Personally I think, the vulnerabilities (clickjacking, sql injection) arose during the scan depicts that Qualys tries to penetrate the links/urls, and the last link/url it crawls, it says to evaluate whether there are any identified vulnerabilities further.
I believe some limelight might help me in resolving this. Any amount of help would be highly appreciated.