TTechclick ⚡ XP 0% All lessons
Tenable · Vulnerability Management · Web App ScanningInteractive · L1 / L2 / L3

Tenable Web App Scanning — DAST, Crawling & OWASP Coverage

Tenable Web App Scanning (WAS) is a cloud-based DAST tool that crawls your running application, builds a complete site map, and probes every page, form and API endpoint for OWASP Top 10 vulnerabilities — including those locked behind a login. This lesson explains the crawl-to-finding pipeline, authenticated scan setup, REST/GraphQL/SOAP API coverage, and how WAS results plug into Tenable's unified vulnerability management platform.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Learn Tenable Web App Scanning (WAS) in 2026: how the DAST crawler builds a site map, detects OWASP Top 10 flaws, runs authenticated scans, and tests REST, GraphQL & SOAP APIs end-to-end.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

How WAS crawls

DAST engine, site map, page-by-page probing.

 2

OWASP coverage

XSS, SQLi, misconfiguration and Top 10 detection.

 3

Auth & API scans

Login sessions, OAuth, REST, GraphQL, SOAP.

 4

Findings & platform

Results in Tenable VM, severity, remediation.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does Tenable WAS test a running application or inspect static source code?

Answered in How WAS crawls.

2. What does the WAS crawler produce before it starts testing?

Answered in How WAS crawls.

3. How does WAS reach pages that need a login?

Answered in Auth & API scans.

Most engineers think…

Most engineers hear 'web app scanner' and picture a tool that just fires SQLi payloads at a login form. That mental model is far too narrow — and it will hurt you in a Tenable interview.

Tenable WAS is a full DAST pipeline: it first crawls the running application to build a site map of every page, link, form, and API endpoint; then it tests each one systematically. It authenticates into protected areas (OAuth, form login, Selenium recording), tests REST/GraphQL/SOAP APIs, maps findings to OWASP Top 10, and surfaces results directly in Tenable Vulnerability Management so you remediate web-app and infra risk in one place. Understanding that end-to-end pipeline is what separates operators who tune scans well from those who flood the queue with false positives.

① How Tenable WAS crawls a running application

Tenable Web App Scanning is a dynamic application security testing (DAST) tool — it interacts with your live, running application through the front end, exactly the way a real browser or attacker would. It never reads source code. Because it drives the actual application, it catches runtime vulnerabilities that static analysis misses.

The first thing WAS does on every scan is crawl: it follows links, fills forms, and explores navigation to build a site map. Every page, link, form, and API endpoint in that map becomes a test target in the next phase. Scope is tunable: maximum crawl depth, domain restrictions, URL include/exclude patterns, and rate limiting are all configurable, so you avoid hammering staging environments or drifting out of scope.

For applications built on modern single-page app (SPA) frameworks — Angular, React, Vue — WAS includes SPA-aware crawling. For highly complex flows, you can train the crawler by recording a Selenium session that walks the scanner through the tricky path, then replaying that recording as part of the scan configuration.

Figure 1 — The WAS DAST pipeline end-to-end
Every Tenable WAS scan runs the same four-phase pipeline: crawl, map, probe, report.The WAS DAST pipeline end-to-endCrawldrive app via browserSite mappages, forms, APIsProbeinject & test eachtargetReportfindings + remediation
Every Tenable WAS scan runs the same four-phase pipeline: crawl, map, probe, report.
Tune scope before you scan

Before running a full WAS scan, set crawl depth limits, domain restrictions, and URL exclusion patterns. Scanning without scope control can drift into third-party domains, overload a staging server, or generate hundreds of irrelevant findings from unrelated subdomains.

Quick check · Q1 of 10 · Understand

Why is Tenable WAS described as a DAST tool rather than a SAST tool?

Correct: b. DAST (Dynamic Application Security Testing) tests a live, running application through the front end — no source code access needed. SAST analyses source code statically. WAS crawls and probes the running app, which is the DAST model.
👉 So far: Tenable WAS = DAST: crawl the running app first (site map), then probe every page, form, and API endpoint — no source code required.

② OWASP Top 10 coverage — what WAS actually tests for

Once the site map is complete, WAS interrogates each target for vulnerabilities in two categories: flaws in the application's custom code (XSS, SQL injection, command injection, insecure direct object references, and so on) and known-vulnerable third-party components embedded in the application (outdated libraries and frameworks with published CVEs).

OWASP Top 10 classes WAS covers

A rapid scan template is also available for common hygiene checks — SSL/TLS certificate issues, HTTP security headers — that can complete in under two minutes, useful for CI/CD pipeline gates.

Figure 2 — OWASP Top 10 classes WAS tests
The WAS probe engine covers all major OWASP Top 10 vulnerability classes from a single scan configuration.OWASP Top 10 classes WAS testsWAS ProbeOWASP Top 10A01 Access CtrlA02 Crypto FailA03 InjectionA05 MisconfigurationA06 Vuln ComponentsA07 XSS
The WAS probe engine covers all major OWASP Top 10 vulnerability classes from a single scan configuration.
🕷️
DAST Crawler
tap to flip

Drives the live application like a browser, following links and filling forms to build a complete site map before any testing begins.

🔐
Authenticated Scan
tap to flip

WAS logs in using form credentials, OAuth tokens, or a Selenium recording so it can test protected pages and APIs behind the login wall.

🔌
API Scanner
tap to flip

Automatically discovers REST endpoints and accepts OpenAPI/Swagger, GraphQL, and SOAP specs to test the full API attack surface for injection and auth flaws.

📊
Tenable VM Integration
tap to flip

WAS findings flow into Tenable Vulnerability Management with VPR scores alongside infra/cloud findings, so the whole team remediates from one queue.

Quick check · Q2 of 10 · Remember

Which OWASP Top 10 category covers cross-site scripting (XSS)?

Correct: c. XSS is its own OWASP Top 10 category — A07. Injection (A03) covers SQL/command/LDAP injection. Broken Access Control (A01) covers privilege and access flaws. Misconfiguration (A05) covers default credentials and exposed endpoints.
👉 So far: WAS tests all major OWASP Top 10 classes — XSS, injection, access control, crypto failures, misconfigurations, and vulnerable third-party components — in one scan.

③ Authenticated scans and API security testing

Unauthenticated scans miss everything behind a login — which is most of the interesting attack surface in a real SaaS application. Tenable WAS solves this with authenticated scan configuration. You can supply a form-based username and password, configure an OAuth 2.0 token flow, provide API keys directly, or record a Selenium session that performs the login sequence — WAS replays the session to enter the authenticated area before crawling begins.

For API security, WAS automatically discovers REST endpoints, infers parameter types, constructs payloads, and tests for injection, authentication bypass, and data exposure. You can also import an OpenAPI / Swagger specification to guide the API scan, giving the tool explicit endpoint definitions rather than relying entirely on crawl discovery. GraphQL schemas and SOAP WSDLs are also supported, so WAS can probe modern and legacy API surfaces with equal depth.

The interview point: combining authenticated scanning with API specification import means WAS tests the full attack surface — not just the public-facing pages, but the authenticated SaaS screens and every API route the specification documents.

Figure 3 — Authentication methods WAS supports
Tenable WAS can authenticate into any app using the right method for the auth model in use.Authentication methods WAS supportsForm-based loginUsername + password on a login pageOAuth 2.0 / tokenToken flow for modern SaaS & API authSelenium recordingReplay complex login & MFA flows
Tenable WAS can authenticate into any app using the right method for the auth model in use.
'No auth needed — it is a public app' is wrong

Even apps with public landing pages have authenticated attack surfaces — account settings, API keys, transaction history, admin panels. Skipping authentication means your WAS scan is only testing the tip of the iceberg. Always configure auth for the realistic test.

▶ Watch WAS find an XSS flaw behind a login

An end-to-end authenticated DAST scan — from login to finding. Press Play for the healthy detection path, then Break it to see the classic miss.

① AuthenticateWAS replays the form-login sequence with test credentials to obtain a valid session cookie before crawling begins.
② CrawlWAS follows links and fills forms inside the authenticated app, building a site map that includes the user dashboard and comment input fields.
③ ProbeWAS injects an XSS payload into the comment field. The response reflects the payload unescaped — a stored XSS vulnerability confirmed.
④ ReportA High-severity finding is raised in Tenable VM: URL, parameter name, payload, HTTP request/response, and OWASP A07 mapping included.
Press Play to step through an authenticated XSS detection. Then press Break it.
Quick check · Q3 of 10 · Apply

A developer wants WAS to test all documented API routes, not just what the crawler discovers. What should they provide?

Correct: b. Importing an OpenAPI/Swagger spec gives WAS explicit endpoint definitions, parameters, and types — far more complete than crawl-only discovery. The crawler alone may miss endpoints not reachable from the UI.
👉 So far: Authenticated scans (form login, OAuth, Selenium) + API spec import = full attack surface coverage. Unauthenticated scans miss everything behind the login wall.

④ Findings, severity and the Tenable platform

WAS does not live in isolation. Results flow directly into Tenable Vulnerability Management (formerly Tenable.io), where web-app findings appear alongside network and cloud findings in a single remediation queue. Each finding carries a VPR (Vulnerability Priority Rating) and maps to a CVE or CWE so security and dev teams share the same language.

A finding record shows the URL, parameter, proof-of-concept payload, HTTP request/response, OWASP category, and remediation guidance — enough for a developer to reproduce and fix the issue without back-and-forth with the security team. Findings can be routed to ticketing systems (Jira, ServiceNow) via integrations, closing the loop from discovery to fix.

Scan configuration best practices

Start new scans in audit mode or with a low-rate configuration to measure false-positive volume, especially on staging. Tune scope and exclude patterns, then promote to full-rate. Use the rapid template for CI/CD gates and the full DAST template for scheduled deep scans. Keep API specification files updated — a stale Swagger import means new endpoints are missed.

Figure 4 — Standard DAST scan vs. Rapid scan template
Choose the right WAS template: deep DAST for full coverage, rapid for quick CI/CD hygiene checks.Standard DAST scan vs. Rapid scan templateFull DAST ScanCrawls entire applicationTests all OWASP Top 10 classesAuthenticated + API scanningBest for scheduled weekly scansRapid Scan TemplateSSL/TLS & security headersCompletes in under 2 minutesIdeal for CI/CD pipeline gatesFinds hygiene issues fast
Choose the right WAS template: deep DAST for full coverage, rapid for quick CI/CD hygiene checks.

Priya at a Pune fintech company faces this

The WAS scan of the company's customer portal returns only a handful of low-severity findings, but the dev team suspects there are injection flaws in the transaction history pages that require login.

Likely cause

The scan is running unauthenticated — WAS never gets past the login page, so it only tests the public-facing pages and misses all authenticated routes.

Diagnosis

Check the scan configuration: Authentication is set to None. The site map in the scan results only shows the login page and public marketing pages — zero authenticated paths.

Tenable VM ▸ Web App Scanning ▸ Scan Configuration ▸ Authentication
Fix

Add a form-based login configuration with test credentials (or a Selenium recording if MFA is involved). Re-run the scan and import the OpenAPI spec to also cover API endpoints explicitly.

Verify

The new scan site map now includes the dashboard, transaction history, and API routes. Findings include two SQL injection vulnerabilities in the transaction filter parameters — exactly what the dev team suspected.

Check the site map, not just the finding count

Before trusting a 'clean' WAS result, open the scan's site map and confirm it includes the authenticated paths and API routes you expected. A zero-finding scan from a scan that never crawled past the login page is not a clean app — it is a misconfigured scan.

Quick check · Q4 of 10 · Analyze

What is the main advantage of running WAS with authentication configured versus an unauthenticated scan?

Correct: c. Authenticated scans reach protected pages and APIs that require a valid session — the full application attack surface. Unauthenticated scans miss everything behind the login wall. Authentication configuration does not speed up scans or auto-fix issues.
👉 So far: WAS findings flow into Tenable VM with VPR scoring alongside infra findings — one queue, unified remediation. Always verify the site map before trusting a clean result.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

What does DAST stand for, and what distinguishes it from SAST?

Correct: a. DAST = Dynamic Application Security Testing. It tests a live running application through the front end (no source code). SAST (Static AST) analyses source code or binaries without running the app. Tenable WAS is a DAST tool.
Q6 · Understand

Why does the WAS crawler phase come before the probe phase?

Correct: b. Crawling first builds the complete site map — the inventory of every target URL, form, and API endpoint. Only then does WAS probe each target for vulnerabilities. Without the site map, the scanner would have no structured list of what to test.
Q7 · Apply

A WAS scan of a banking portal returns zero findings, but security engineers suspect injection flaws in the fund-transfer form that needs login. What is the most likely cause?

Correct: c. Unauthenticated scans cannot reach pages behind a login wall. The fund-transfer form is only visible after authentication, so WAS never finds or tests it. Configuring form-based login or a Selenium recording would let the crawler reach and probe that form.
Q8 · Analyze

A developer imports a Swagger specification into a WAS scan config. What specific benefit does this provide over crawl-only API discovery?

Correct: b. Crawl-only API discovery misses endpoints not reachable from the UI (background services, hidden routes). An imported OpenAPI/Swagger spec gives WAS the full authoritative list of endpoints, parameter names, and types — enabling comprehensive, targeted API testing.
Q9 · Evaluate

A security team wants a WAS check on every code commit but cannot afford a 30-minute full DAST scan per build. What is the best Tenable WAS approach?

Correct: d. Rapid scan templates complete in under 2 minutes and catch hygiene issues (SSL/TLS, headers), making them practical for per-commit CI/CD gates. Full DAST scans run weekly or pre-release for comprehensive OWASP Top 10 coverage — a tiered approach that balances speed and depth.
Q10 · Evaluate

An interviewer asks how WAS findings help a developer fix an XSS bug. What is the strongest answer?

Correct: c. Tenable WAS findings are self-contained: URL, parameter, proof-of-concept payload, HTTP request/response, OWASP mapping, and remediation guidance. This lets the developer reproduce the issue immediately and fix it without needing a security team walkthrough.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: what is the first thing Tenable WAS does when a scan starts, and why does it matter? Then compare with the expert version.

Expert version: The first thing WAS does is crawl the running application to build a site map — a complete inventory of every page, form, link, and API endpoint. This matters because the probe phase tests only what is in the site map: miss something in the crawl and you will never test it for vulnerabilities. That is why authenticated scans and API spec imports are so important — they expand the site map to include protected and documented surfaces that a naive crawl would miss.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

DAST
Dynamic Application Security Testing — tests a running application through the front end, the way a real attacker would, without access to source code.
Site map
The inventory of every URL, form, link, and API endpoint discovered by the WAS crawler — the input list for the probe phase.
OWASP Top 10
The Open Web Application Security Project's ranked list of the ten most critical web application security risk categories, including injection, XSS, and broken access control.
Authenticated scan
A WAS scan configured with login credentials (form, OAuth, or Selenium recording) so the crawler can reach and test pages behind the authentication wall.
OpenAPI / Swagger spec
A machine-readable API specification that WAS can import to get explicit endpoint definitions, parameter types, and operation details for comprehensive API testing.
VPR
Vulnerability Priority Rating — Tenable's unified severity score combining CVSS with threat intelligence (exploit availability, active exploitation) to prioritise what to fix first.
Rapid scan template
A WAS scan preset that checks SSL/TLS certificates and common HTTP security headers in under two minutes — suitable for CI/CD pipeline gates.
XSS (Cross-Site Scripting)
An injection vulnerability (OWASP A07) where an attacker injects malicious scripts into web pages viewed by other users — reflected, stored, or DOM-based.

📚 Sources

  1. Tenable — Tenable Web App Scanning product page. tenable.com/products/web-app-scanning
  2. Tenable Docs — Tenable Web App Scanning User Guide (May 2026). docs.tenable.com/web-app-scanning
  3. Tenable Docs — Getting Started with Tenable Web App Scanning. docs.tenable.com/web-app-scanning/Content/WAS/GettingStarted/GetStarted.htm
  4. Tenable — Comprehensive DAST Guide: Web App Vulnerability Scanning. tenable.com/whitepapers/getting-started-with-web-application-scanning
  5. Splunk Lantern — Identifying web application vulnerabilities with Tenable WAS. lantern.splunk.com/Security_Use_Cases/Threat_Investigation/Identifying_web_application_vulnerabilities_with_Tenable_WAS
  6. Cyber Risk Leaders — Tenable's Web Application and API Scanning. cyberriskleaders.com/tenables-web-application-and-api-scanning

What's next?

Got WAS? Next, explore Tenable Nessus and network-based vulnerability scanning to see how infra findings and web-app findings unite in Tenable One.

Next · All interview lessons → Practice on exam.techclick.in →