Tag Archives: Qualys scanning

Web Application Qualys Security Scanning: How to Find an XPath Query in the HTML DOM?

When you run a web application security scan, the scanner needs to authenticate to the application to extend its coverage. Most scanning tools (such as Qualys) have a Chrome extension for writing a Selenium script that performs the authentication in the application.

A login Selenium script finds the appropriate HTML DOM elements (login or password) and acts on them as the script commands direct. For an authenticated security scan, you have to know how to find the login form's DOM fields with a Selenium XPath query. Let's go through the basics of XPath in a Selenium script.

The basic format of XPath in Selenium is explained below with a screenshot.

Basic Format of XPath

Syntax for XPath in Selenium:

XPath contains the path of the element located on the web page. The standard XPath syntax for creating an XPath is:


Some more basic XPath expressions:

Xpath=//label[@id='message23']
Xpath=//input[@value='RESET']
Xpath=//img[@src='//cdn.guru99.com/images/home/java.png']
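
Before a login script goes into an authenticated scan, it helps to confirm that each locator matches exactly one element; a locator that matches nothing or several fields makes the login fail and the scan loses its authenticated coverage. The following is an added example, not part of the original post and not Qualys or Selenium code: it checks locators offline with the XPath subset in Python's standard library, and the sample page, locator names and helper functions are constructed for illustration.

```python
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

VOID = {"input", "img", "br", "meta", "link", "hr"}  # HTML tags with no end tag

class DomBuilder(HTMLParser):
    """Build an ElementTree from simple, well-nested HTML (assumption)."""
    def __init__(self):
        super().__init__()
        self.tb = ET.TreeBuilder()
    def handle_starttag(self, tag, attrs):
        self.tb.start(tag, {k: v or "" for k, v in attrs})
        if tag in VOID:
            self.tb.end(tag)
    def handle_endtag(self, tag):
        if tag not in VOID:
            self.tb.end(tag)
    def handle_data(self, data):
        self.tb.data(data)

def audit_locators(html, locators):
    """Map each locator name to 'ok', 'missing' or 'ambiguous (n)'."""
    parser = DomBuilder()
    parser.feed(html.strip())
    parser.close()
    root = parser.tb.close()
    report = {}
    for name, xpath in locators.items():
        # ElementTree needs a relative path, so a leading "//" becomes ".//".
        n = len(root.findall("." + xpath if xpath.startswith("/") else xpath))
        report[name] = "ok" if n == 1 else "missing" if n == 0 else f"ambiguous ({n})"
    return report

# Constructed sample page: a search box next to the login form.
SAMPLE_PAGE = """
<html><body>
  <form id="search"><input type="text" name="q"></form>
  <form id="login" action="/session" method="post">
    <label id="message23">Sign in</label>
    <input type="text" id="username" name="user">
    <input type="password" id="password" name="pass">
    <input type="submit" value="Log in">
    <input type="reset" value="RESET">
  </form>
</body></html>
"""

# Constructed locators in the //tag[@attribute='value'] form shown above.
LOCATORS = {
    "username": "//input[@id='username']",
    "password": "//input[@type='password']",
    "submit": "//input[@value='Log in']",
    "too_broad": "//input[@type='text']",  # also matches the search box
    "stale": "//input[@name='passwd']",    # field name no longer on the page
}

if __name__ == "__main__":
    for name, status in audit_locators(SAMPLE_PAGE, LOCATORS).items():
        print(f"{name:10} {LOCATORS[name]:32} {status}")
```
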

How does Qualys vulnerability scanning work?


QualysGuard scanning methodology mainly focuses on the different steps that an attacker might follow in order to perform an attack. It tries to use exactly the same discovery and information gathering techniques that will be used by an attacker.

The whole scanning exercise is done in the following steps:

1. Checking if the remote host is alive – This detection is done by probing some well-known TCP and UDP ports.  By default, we probe TCP Ports 21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445 and UDP Ports 53, 111, 135, 137, 161, 500.  This can be changed by editing the option profile.  If the scanner receives at least one reply from the remote host, it continues the scan.

2. Firewall detection – The second test is to check if the host is behind any firewalling/filtering device. This test enables the scanner to gather more information about the network infrastructure and will help during the scan of TCP and UDP ports.

3. TCP / UDP Port scanning – The third step is to detect all open TCP and UDP ports to determine which services are running on this host. The number of ports is configurable, but the default scan is approximately 1900 TCP ports and 180 UDP ports.

4. OS Detection – Once the TCP port scanning has been performed, the scanner tries to identify the operating system running on the host. This detection is based on sending specific TCP packets to open and closed ports.

5. TCP / UDP Service Discovery – Once TCP/UDP ports have been found open, the scanner tries to identify which service runs on each open port by using active discovery tests.

6. Vulnerability assessment based on the services detected – Once the scanner has identified the specific services running on each open TCP and UDP port, it performs the actual vulnerability assessment. The scanner first tries to check the version of the service in order to detect only vulnerabilities applicable to this specific service version. Every vulnerability detection is non-intrusive, meaning that the scanner never exploits a vulnerability if it could negatively affect the host in any way.