Parameter definition

Procedure

To add a new definition, click the plus button (or, to edit an existing parameter, select it and click the edit button).
The Add Parameter Definition dialog box appears.

Setting

Description

Type

Select a parameter type from the drop-down list:

Parameter: All parameters matching this name are included in the definition.

Cookie: All cookies matching this name are included in the definition.

Custom Parameter: This is a custom parameter (select one of the custom parameters from the Name drop-down list)

Name

The name of the parameter or cookie.

Select the adjacent check box if the name you enter is a regular expression. If you do this you can also open the Expression Test PowerTool by clicking the Regular Expression button, to help you verify the syntax of your regular expression.

See Parameter names for details.

Comments

You may optionally add a comment about the parameter in this field for your own reference.

Hosts

If a Host is specified: Use this parameter for the specified host only.

If left blank: Use this session ID for all hosts.

Path

If the application supplies cookies of the same name from different parts of the application, you can differentiate between them by defining the path for each one.

Blank or / will include all occurrences of the cookie.

Test Exclude

Select this check box only if you are sure you don't want AppScan® to test this parameter at all.

Tracking

This setting tells AppScan that this parameter or session ID should be updated during the scan whenever a new value is set by the application, so that a valid cookie/parameter is always sent in requests to the application.

Tracking Options...

(Click the link to open this optional section of the dialog box.)

These options let you fine-tune how the tracked parameter or cookie is treated.

Track Type
  • Login Value: (Default, and Recommended) Requests sent to the application that include this parameter use the value of the parameter received at the end of the login process.
  • Dynamic Value: Requests sent to the application that include this parameter use the most recent value received from the application.
  • Fixed Value: Requests sent to the application that include this parameter always use the value that you enter in the Value field.
See Session IDs for more details.

Send cookie on all requests: When selected, the cookie will be included in all requests, even if not explicitly set by the application.

Treat as Group: If the cookie name is a regular expression, define whether to treat different cookie names that match the regexp. as a group (and therefore update the name as well as the value, when there are changes) or as separate cookies.

Response Pattern: Generally, AppScan updates parameter or cookie values based on the content of links extracted from the response (parameters) or from the cookie header (cookies). If AppScan will not be able to extract the value unaided, you can supply the regexp. that AppScan can use to extract the value from the raw response. The regexp. must contain at least one group, and AppScan will extract the first match.
  • URL Filter: If you know that the parameter/cookie only appears in a specific URL, you can improve scan efficiency by defining it here.
  • Encoding: If the extracted value must be encoded when pasted into the request, define the method here. If you are unsure of the coding, select According to context; if you are sure, selecting the correct encoding is preferable. Options are: None, According to context, URL, XML, Json.
  • Match: Select Header and Body or Body only.

Redundancy Tuning...

(Click the link to open this optional section of the dialog box.)

These four check boxes let you fine-tune how AppScan relates to changes in the parameter (or even its existence) during the Explore and Test stages of the scan. See Redundancy tuning

Identifiers that define a parameter or cookie

A parameter or cookie is recognized as unique on the basis of certain identifiers. It follows that you cannot define two or more parameters or cookies with the same identifiers. The table below shows the identifiers for each kind of entry.

Parameter Parameter name, whether a regular expression, host
Cookie Parameter name, whether a regular expression, host, path
Custom parameter Extracted name (if one exists), reference name, host, occurrence index