Test Options

Test Options view of the Configuration dialog box.

This view lets you configure various settings that affect the length and thoroughness of the scan. The default settings are sufficient in most cases.

Setting / Details

Test Options:

Use Adaptive Testing

AppScan® can send many thousands of tests to a site. To reduce scan time, it can instead send preliminary tests that intelligently determine which tests are appropriate to send and which can be dispensed with. This is "Adaptive Testing", and it can greatly reduce scan time without sacrificing thoroughness.

Clear this check box if you want AppScan® to send all its tests to the site.

Allow Multiphase Scanning

AppScan® analyzes responses to the tests that it sends your application. From this analysis, AppScan® frequently discovers additional content, such as links that were invisible on the first "phase" of the scan. Multiphase scanning enables AppScan® to repeat the Explore and Test stages on this newly detected content. (The additional phase is usually shorter, as it involves the new links only.)

Multiphase Scanning is configured by default to allow a maximum of 4 scan phases.

Note that multiphase scanning applies only when you run a Full Scan. If you use the Explore Only and Test Only functions, the result will be a single-phase scan.

Send tests on login pages

It is recommended to allow AppScan® to test login pages, unless your application locks out users who provide illegal input, or the application flow would be altered by AppScan® testing these pages.

Do not send session identifiers when testing login pages

Active only if the "Send tests on login pages" check box is selected. It is recommended to leave this check box selected, as session identifiers could limit test success when testing login pages. Clear it only if you are sure that valid session tokens are necessary to test your login pages.

Note that even when this check box is selected, some tests are still sent with session identifiers to prevent false-positive results.

Send tests on logout pages

It is recommended to allow AppScan® to test logout pages, unless your application locks out users who provide illegal input, or the application flow would be altered by AppScan® testing these pages.

Save only one variant per issue

By default, AppScan tests multiple variants per issue to ensure comprehensive vulnerability detection. To optimize scan time, you can enable this option, which limits AppScan to testing only until the first variant of an issue is found. While this reduces scan time, be aware that some vulnerabilities with different variations might be missed.

Analyze test responses for issues beyond the specific test scope

When selected, AppScan analyzes each test response for additional security issues over-and-above the specific issue tested for. Deselect this option if the application is very large, or if scans produce a large number of false-positive results.

Analyze only one variant for issues beyond the specific test scope

By default, AppScan analyzes only one variant for broader issue types to improve efficiency and avoid redundancy. To analyze more variants, deselect this option, but note that doing so will increase the scan time.

If you selected "Save only one variant per issue" and "Analyze test responses for issues beyond the specific test scope," this option will be selected by default and cannot be changed.

Test for cookie security issues in form submission requests only

When selected (default), AppScan® will submit cookie-related tests only on cookies used in form submission requests. For higher accuracy (but increased scan time), deselect this check box, and AppScan® will submit cookie tests on all relevant HTTP requests.

Report vulnerable components

Third-party components in your code are identified during the Explore stage and shown in Data view.

When this option is selected (default), ADAC will report known vulnerabilities in those components in Issues view, and suggest updates.

Note: If you make changes to Test Options after a scan, you may be prompted to re-scan, as not all changes can be applied to existing results.