Creating a scan based on a template using AppScan Enterprise scan properties
A QuickScan crawls your site to discover its content using parameters set in a scan template created by an Administrator. After it is collected by the scan, the data is stored in a database for analysis by the reporting engine and made available to you through report packs, which are collections of reports. Most of your data analysis tasks will focus on the data provided in these reports.
Before you begin
- This task is completed by a developer with QuickScan User permissions. AppScan Enterprise has introduced a new scan creation method for consistent scan configuration and results. See Creating a scan based on a template using AppScan Standard scan properties.
- You might need to install a browser plugin to use the manual explore or recorded login features.
About this task
CAUTION: Do not use any private information in your scan configuration because this data might be viewed by a third party. To proceed with the browser recording, ensure that you have logged out from any existing sessions. Use a test user account during the manual explore to prevent usernames and passwords from appearing in clear text in the Enterprise Console interface.
Note:
- Depending on the template you are using, some of the options discussed in this task might not be available to you.
- If you need to configure some of the more advanced scan options, such as setting URL exclusions, click the Advanced Scan Configuration link at the bottom of the Setup tab.
Procedure
1. In the Scans view, select a scan template from the QuickScan template list (under the toolbar), enter a starting URL in the field, and click the Create QuickScan icon. Depending on the template you choose, either the Setup tab or a recording browser opens.
2. If the Setup tab opens, edit the Scan Name if necessary to something more meaningful to your organization. The scan name defaults to the name of the URL you entered on the previous page.
   - (Optional) To import traffic data, see Capturing and Importing Traffic Data.
3. If a recording browser opens, follow these steps:
   a. Browse the site manually, entering data and clicking links. QuickScan records all input until you click the Stop Recording button or close the recording browser.
   b. When you are done exploring your application, click Stop or close the browser. The Setup tab opens.
   c. Edit the Scan Name if necessary to something more meaningful to your organization. The scan name defaults to the name of the URL you entered on the previous page.
   d. Check the URLs to be scanned list to verify that QuickScan has accurately identified the login pages of your application and that you have permission to run security tests on the recorded URLs. All pages recorded before the login page are classified as part of the login sequence; pages recorded after the login page are classified as regular pages. If you want to reclassify some URLs, select them and move them above or below the line in the URL list. You can rerecord the login sequence if necessary, or manually explore the site to add URLs to the scan.
   e. Select how you want the scan to be completed. If you set a scan to crawl without limiting the number of pages, the scan may take a long time to complete.
   f. (Optional) Select Login Session IDs to add to the global list of domains as tracked session IDs. Session IDs in the list that appear grayed out already exist in the global list of domains. Session IDs that are not grayed out were found during the recorded login sequence.
   g. Proceed to Step 4.
4. (Optional) Configure Automatic Login. If the application requires a one-time login, supply a user name and password so the scan can log in for you.
5. (Optional) Enable or disable In-session Detection. The in-session pattern details section displays the in-session pattern that the scan uses during scanning to verify that it is still logged in. If this is not the one you want to use, enter a different one and click Update to verify the pattern.
6. Click More Scan Options to configure optional scan properties.
7. When you finish configuring your scan, click Save to save the scan options.
8. Start the scan. The Progress tab opens and displays the scan statistics while the scan is running. You can also choose to:
   - Save current results and stop: Saves the current results and stops the job. The run finishes normally and saves the data collected so far in the database, but the reports will be incomplete.
   - Discard results and stop: Discards any data collected during the run and stops the job.
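The in-session pattern configured in the procedure above is what lets the scanner notice that the application has logged it out (session timeout, a CSRF-triggered logout, an error page) and re-run the login sequence instead of silently testing the login form for the rest of the job. The following Python snippet is an added illustration of that mechanism and is not AppScan Enterprise code: the `Response` records are constructed sample pages, the `example.test` URLs and the `href='/logout'` pattern are assumptions, and the `verify_pattern` check is a stand-in for what the Update button does, namely confirming that the pattern matches a known logged-in page and does not match a logged-out one.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    """A recorded HTTP response (constructed for this example)."""
    url: str
    status: int
    body: str


# Constructed sample traffic: two logged-in pages, then a redirect to the
# login form after the session expired, then the login form itself.
RESPONSES = [
    Response("https://example.test/account", 200,
             "<html><body><a href='/logout'>Log out</a> Welcome, qa-user</body></html>"),
    Response("https://example.test/orders", 200,
             "<html><body><a href='/logout'>Log out</a> Orders: none</body></html>"),
    Response("https://example.test/orders", 302,
             "<html><body>Redirecting to <a href='/login'>login</a></body></html>"),
    Response("https://example.test/login", 200,
             "<html><body><form action='/login'>Username: Password:</form></body></html>"),
]

# Assumed in-session pattern: a logout link appears only while logged in.
IN_SESSION_PATTERN = r"href='/logout'"


def compile_pattern(pattern: str) -> re.Pattern:
    """In-session patterns are matched case-insensitively against the body."""
    return re.compile(pattern, re.IGNORECASE)


def is_in_session(response: Response, pattern: re.Pattern) -> bool:
    """True when the response still looks like an authenticated page."""
    return pattern.search(response.body) is not None


def verify_pattern(pattern: str, in_session: Response, logged_out: Response) -> bool:
    """Emulates the 'Update' verification: a usable pattern must match the
    logged-in page AND must not match the logged-out page. A pattern such as
    '<html>' matches both and would never detect a lost session."""
    compiled = compile_pattern(pattern)
    return is_in_session(in_session, compiled) and not is_in_session(logged_out, compiled)


def pattern_coverage(pattern: str, in_session_pages: list) -> float:
    """Fraction of known logged-in pages the pattern matches. A pattern taken
    from one page only (e.g. a greeting with the user name) can be below 1.0,
    which would make the scanner believe it was logged out on other pages."""
    compiled = compile_pattern(pattern)
    hits = sum(1 for r in in_session_pages if is_in_session(r, compiled))
    return hits / len(in_session_pages)


def session_lost_at(responses: list, pattern: str) -> list:
    """Walk recorded responses in order and return the URLs at which the
    scanner would conclude it is no longer logged in and must re-login."""
    compiled = compile_pattern(pattern)
    return [r.url for r in responses if not is_in_session(r, compiled)]


if __name__ == "__main__":
    print("pattern verifies:", verify_pattern(IN_SESSION_PATTERN, RESPONSES[0], RESPONSES[3]))
    print("coverage:", pattern_coverage(IN_SESSION_PATTERN, RESPONSES[:2]))
    print("session lost at:", session_lost_at(RESPONSES, IN_SESSION_PATTERN))
```

The two checks in the block correspond to the two ways an in-session pattern goes wrong in practice: too broad (it also matches the logged-out page, so a timeout is never detected) and too narrow (it matches only the page it was taken from, so the scanner re-logs in needlessly or gives up). Picking a pattern that is present on every authenticated page and absent from the login and error pages avoids both.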
What to do next
When scan results are ready, you can view the reports on the Results tab. Reports display information about your website or application and provide the functionality to navigate to more details. Most of your data analysis tasks will focus on the data provided in these reports.