Main tab
Scan Configuration > Explore Options > Main tab.
- Explore Method
- AppScan uses two distinct methods for the Explore stage of the scan. You can select either one, or both. Of the two methods, Request-based Explore is usually faster than Action-based Explore. When both are selected (default, and recommended), Action-Based Explore runs first, with a 30 minute time limit, followed by Request-Based Explore.
- Page Structure (DOM) Filtering
- These can greatly reduce scan time by identifying pages that are similar enough to pages already scanned, that they can safely be ignored.
- Scan Limits
- These determine how deeply (or how quickly) AppScan explores your application.
- Other Settings
- These are for configuring the client to recognize a specific server encoding and to send a specific user-agent header.
Setting |
Details |
---|---|
Explore Method |
|
Action-Based |
A version of the Google Chrome browser is used to scan the site, as a user would, clicking the links that are visible in the browser. This method is particularly effective where new technologies such as JavaScript and Session Storage are used, and for sites that are RIA, Single-page Application (SPA), or AngularJS. |
Request-Based |
Requests are sent based on all page content that AppScan discovers. This includes content that is not visible to users using a browser, such as links in comments, which an attacker would find. |
Page Structure (DOM) Filtering |
|
Filter similar pages based on structure (DOM) |
AppScan® compares new pages with those already scanned, for structural (DOM) similarity, which indicates the new page contains no new links or content that require additional testing. For example, on a commercial site there may be a catalog with individual pages for a thousand different items, that are in all other ways identical. There is usually no need to scan all those pages. Filtering based on DOM similarity can greatly reduce scan time. By default both check boxes are selected. After the scan you should examine the Filtered tab of the scan results to see whether unique requests were mistakenly filtered out of the scan. If this happened you should try the "Filter less pages" option, which maintains a steady, lower level of filtering, or disable DOM filtering altogether. Three kinds of filtered items will be found in the Filtered tab of the results:
|
Filter pages that are likely to be similar based on structure (DOM) |
This setting filters "Likely similar DOM" pages from the scan (see description above). If unique requests are mistakenly filtered out of the scan you should clear this check box. |
Scan Limits |
|
Redundant Path Limit |
AppScan will not access the same path more than the specified number of times. A particular path may be visited several times if it appears with different parameters. This limit is relevant mainly for scripts. It is deselected by default, as in most cases selecting the check box above, Filter duplicate pages based on structure (DOM), will sufficiently control scan time. |
Click Depth Limit |
AppScan will not scan pages that are accessed by clicking more than the specified number of links. |
Total Page Limit |
If selected, AppScan will access no more than the maximum number of pages defined. Note that there may be many URLs explored per page. |
Other Settings |
|
Encoding |
AppScan generally detects the application's encoding method automatically, and therefore Autodetect is selected by default. If the content of responses in the scan Results looks distorted, this may mean that the encoding method was not correctly identified. To solve this problem, select the correct encoding method from the drop-down list. |
User-Agent |
The user-agent header in an HTTP request tells the server what kind of client sent the request, and this may affect the content that the server returns. For example, there may be content that is specific to mobile phones that is sent only when the user-agent is a mobile phone browser. In order for AppScan to be able to test such content, you need to configure it to send the appropriate user-agent header. AppScan generally detects the user agent automatically, and therefore Autodetect is selected by default. However, if you use a browser other than the built in browser, and you do not record a login procedure, a multi-step operation, or a manual explore, AppScan will be unable to autodetect the user agent, and you must select it manually. To change the user-agent, select an agent from the drop-down list. To enter custom content, click the Edit button and type in the content. When you close the dialog box the button name changes to Custom User Agent. Note: If you change the default browser, refer to the conditions listed in Changing the default browser |