Parameters
These are requests that included one or more parameters.
The Result List shows all the parameters found during the Explore stage. The URLs in this list are the ones most likely to be vulnerable to malicious attacks, so the list is a useful way to judge whether the scan has generated a good set of test requests.
For each parameter in the Script Parameters list, AppScan shows its name, type, value and URL in the Results pane, its value in the Detail pane, and whether it is tracked. One parameter name may be listed more than once if it appears on different URLs, or if it has different values on the same URL.
The table below shows the options available when you right-click an item in the list.

| Option | Function |
|---|---|
| Copy URL | Copies the selected URL to the clipboard. |
| Add to list in Parameters and Cookies tab | Adds the selected parameter name (all values) to the list in the Configuration dialog box: right-click and select Add to Parameters and Cookies list. The Parameter Definition dialog box opens so you can configure how AppScan treats this parameter. |
| Exclude this path-parameter-value combination from the scan | Excludes a specific parameter value from the scan when it occurs in a particular URL. When you select this option, the Edit Exclusion or Exception dialog box opens with the relevant data filled in. Example: consider a site with the URL http://site/command and a POST parameter named 'action'. Each value triggers a different response from the server. For AppScan to be able to scan this site it must exclude For more details, see Adding new exclusions or exceptions. |
| Do not test selected parameter(s) | Excludes one or more parameter names (all values) from the Test stage of the scan. This setting applies to all values of the specified parameter and does not affect the Explore stage. The parameter name is added to the list in the Parameters and Cookies view of the Configuration dialog box, with its Test Exclude value set to "Yes". For more details, see Parameters, cookies & headers. |
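The two exclusion options above differ in scope: one skips a single value of a parameter on one URL, the other skips a parameter name everywhere. The script below is an added illustration of that distinction and of how a parameter list like the one in the Results pane is derived from explored requests; it is not AppScan's code and does not reproduce its internals. The request records, URLs and parameter values are constructed sample data, and the function names (`extract_params`, `select_for_test`) are chosen here for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of requests a crawler might record during an Explore stage.
# (Constructed data for this example, not output from AppScan.)
EXPLORED_REQUESTS = [
    {"method": "GET",  "url": "http://example.test/search?q=shoes&page=1", "body": ""},
    {"method": "GET",  "url": "http://example.test/search?q=hats&page=2",  "body": ""},
    {"method": "POST", "url": "http://example.test/command", "body": "action=add_user"},
    {"method": "POST", "url": "http://example.test/command", "body": "action=remove_user"},
    {"method": "POST", "url": "http://example.test/command", "body": "action=delete_server"},
    {"method": "GET",  "url": "http://example.test/item?id=7", "body": ""},
]


@dataclass(frozen=True)
class Param:
    """One row of a parameter list: name, type, value and the URL it was seen on."""
    name: str
    ptype: str   # "query" or "post"
    value: str
    path: str    # URL with the query string removed


def extract_params(requests):
    """Build the (name, type, value, URL) list from recorded requests.

    The same name appears more than once when it is seen on different URLs
    or with different values on the same URL; exact duplicates are merged.
    """
    seen = set()
    rows = []
    for req in requests:
        parts = urlsplit(req["url"])
        path = f"{parts.scheme}://{parts.netloc}{parts.path}"
        pairs = [(n, v, "query") for n, v in parse_qsl(parts.query, keep_blank_values=True)]
        if req["method"] == "POST":
            pairs += [(n, v, "post") for n, v in parse_qsl(req["body"], keep_blank_values=True)]
        for name, value, ptype in pairs:
            row = Param(name, ptype, value, path)
            if row not in seen:
                seen.add(row)
                rows.append(row)
    return rows


def select_for_test(params, excluded_names=(), excluded_combinations=()):
    """Apply the two kinds of exclusion to the parameter list.

    excluded_names        : parameter names skipped in Test for every value on every URL
                            ("Do not test selected parameter(s)").
    excluded_combinations : (path, name, value) triples; only that one value on that one
                            URL is skipped, so the parameter's other values are still tested
                            ("Exclude this path-parameter-value combination").
    """
    names = set(excluded_names)
    combos = set(excluded_combinations)
    return [p for p in params
            if p.name not in names and (p.path, p.name, p.value) not in combos]


if __name__ == "__main__":
    found = extract_params(EXPLORED_REQUESTS)
    # Skip the destructive 'action' value on /command only, and skip 'page' entirely.
    kept = select_for_test(
        found,
        excluded_names=("page",),
        excluded_combinations=(("http://example.test/command", "action", "delete_server"),),
    )
    for p in kept:
        print(f"{p.name:8} {p.ptype:6} {p.value:14} {p.path}")
```

Running the script prints five rows: both `q` values, the `add_user` and `remove_user` values of `action`, and `id`; `page` is dropped everywhere and only the `delete_server` value of `action` is withheld from testing, which is the difference the two right-click options encode.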