Review reference information for the product.
Learn about folder explorer topics.
Learn how to create a scan in the folder explorer.
Use this task to configure an advanced scan with complex configuration. Use this method for web applications that require a lot of user interaction to navigate the application or if you would like to just test a specific area of your application.
Learn more about Glass Box scanning.
Learn about configuring wizard topics.
Learn how to use a scan in the folder explorer.
A QuickScan template comprises either a content scan job or an import job, plus a report pack. After you create scan templates in the Templates folder in the Folder list, they will automatically be available as scan templates to QuickScan users and to more advanced users who have their QuickScan View turned on in the Show Folder Explorer list. When a QuickScan user creates a scan, a job and report pack will be created based on the template, but will only appear to the QuickScan user as a scan.
Use this task to configure a basic scan with minimal configuration. This scan will automatically discover more URLs to test in your web application. Use this method for an application that has a lot of static links and does not require a lot of user interaction. This scan does not test for security issues, but helps you start exploring your site to determine complete site coverage.
Security scans should be performed in a preproduction environment, such as on a staging or Quality Assurance server. Doing so helps you contain the risks associated with performing security scans. Your preproduction environment should mirror the production environment as much as possible; the application should have the same executable files in both environments so that you know you are thoroughly testing your exposed applications. Security scans should also be integrated into your Software Development Life Cycle (SDLC) process so that you can catch security issues before they make their way into your production environment.
A security scan has two distinct phases: Explore and Test.
A security scan requires careful configuration so that it can find all the URLs on your web application and then test them for vulnerabilities.
JavaScript™ Security Analyzer (JSA) performs static JavaScript source code analysis to detect a range of client-side issues, primarily DOM-Based Cross Site Scripting. JSA analyzes the HTML pages that AppScan® Enterprise collected during the Explore stage. JSA runs in parallel to the Test stage, or can be launched manually on existing Explore results at any time.
To account for additional domains and multiserver environments, add any additional servers and domains to the scan's What to Scan page.
An XRule is an XML script used to enhance the scanning of your website or application and to search the database for information that has been collected by a scan. When using it to enhance the ability of the job to scan a site, an XRule can find links inside a Flash file, find dynamically-created links inside JavaScript™, or get past a login routine.
Specify the portal to scan.
Set scan limits to focus the scan. You can limit the scan by the number of pages, the path of redundant content or click depth.
Exclusions are used to exclude specific files, directories or file types from being analyzed during the scan. You might have a section of your site that would negatively affect the overall scan results if it was included in the analysis, possibly because it is under construction and has known issues. By excluding this section of your site, you can prevent it from affecting the report and dashboard results.
Normalization rules help the scan job determine whether URLs and forms are unique so that they are not repeated incorrectly in your reports.
You might have parameters and cookies that require special treatment, such as Session IDs and parameters that you do not want the scan to manipulate.
Configure how the scan handles the login and logout pages of a web application. Use a login sequence to follow a complex login process or enter regular expressions for detecting logout pages that the scan will encounter. Logout pages are identified to prevent the scan from logging out of the application or website prematurely.
Use Automatic Form Fill to supply a content scan job with values for form fields that it encounters. Using the field values that you provide, the scan can continue uninterrupted to discover more URLs and content for analysis.
Define the scan job's behavior as it connects to your network.
When the scan job encounters a page that requires Windows™ NT® authentication, it automatically provides the user name and password that you choose. You can add user names and passwords for authenticated pages. Client-side certificates dictate whether the scan engine and manual explore/recorded login rely on a particular client certificate file or on the service account's certificate store for authentication with the server they are trying to scan.
Custom error pages are used on websites to ensure that a user does not hit a "dead end" when they encounter a broken link. Instead, the error page guides the user to another page, such as a home page.
It is important that a website visitor can easily determine how data is going to be used when a website asks for information. A website's privacy policy will describe why data is being collected, who will be given access to the data and what types of rights the website visitor has regarding that data after it is submitted. Providing a link from a page that contains a form collecting personal data to the privacy policy governing that data is the best way of providing information to the user when they need it.
A Manual Explore means you will be indicating the exact URLs for the scan to test in the configuration (the scan will not automatically crawl to discover new URLs). Use this method for web applications that require a lot of user interaction to navigate the application or if you would like to just test a specific area of your application.
Import data from AppScan® Source to correlate its findings with an existing dynamic analysis security scan (AppScan Enterprise Server content scan job or an AppScan Standard import job).
You can add web services to the scan for security testing. Use the Web Services Explorer to send requests to the service and then package up the corresponding URLs for testing in AppScan® Enterprise Server.
While regular scanning treats the application as a "black box", analyzing its output without "looking inside" it, glass box scanning uses an agent installed on the application server to inspect the code itself during the scan.
Learn more about installing the Glass Box agent on Java platforms.
Learn more about installing the Glass Box agent on .NET platforms.
If the AppScan® security rules are older than the glass box agent rules, you must update them.
Test your application for malware and malicious external links.
Retesting a security issue provides a quick way to verify that you have indeed fixed an issue. Rather than running an entire job to see results, you can select one or more issues that you have fixed and retest them right away.
The action-based login capability in AppScan Standard captures the user's actual actions in the browser, rather than just the requests, and replays the sequence in the browser. Take advantage of this capability by creating an action-based login in AppScan Standard and importing it into AppScan Enterprise to help avoid out-of-session events during scanning.
You can import data that is exported from AppScan® Standard version 7.x (and later) into AppScan Enterprise. Importing this data can save you time and reduce redundant work effort. Only the URLs (parameters and domains) and HTTP requests from the AppScan .exd file are imported.
An import job takes the results from a data file, and integrates it into the AppScan® Enterprise Server database. Imported data can be used to create reports and dashboards. It can also be combined with data from content scan jobs to create a complete picture of your issues.
Reports are automatically generated after a job has run. They provide a way of managing the issues that are important to your organization, in a way that is supported both by the Enterprise Console's workflow and by the workflows of other processes within your organization.