Request/Response tab
The third tab of the Detail pane is the Request/Response tab.
The Request/Response tab provides information about the tests, and their specific variants, that were sent to your web application to discover where it has weaknesses. A test may have multiple variants. A variant is a slight change to the original test request that AppScan sends to your web application server. (AppScan first sends a request that is meant to be legal and to follow the business logic of your application. Then it sends a similar request, modified for the purpose of discovering how your application handles illegal or mistaken requests. Each test request may have a number of variants; as many variants as needed to cover all the security rules in the extensive AppScan database.)
For example, consider a test sent to check that you have enforced user input rules for a specific parameter. One variant might checks that apostrophes are not valid input, another that quotation marks are not allowed.
The variant itself is shown in red text, and the validation (the part of the response that indicates the existence of a security issue) is highlighted in yellow.
Besides a large amount of explanatory information, the Request/Response tab provides advanced features for understanding and using the results of a scan.
The Request/Response tab has two panes and its own toolbar along the top. The toolbar and tabs are shown below, and summarized in the table following.
Tool |
Function |
---|---|
Variant < > |
Indicates the number of variants of the current test. Clicking the < and > icons toggles to the previous and next variant respectively. |
Test/Original |
Toggles between the Original and Test information. |
Next Highlight |
(Available where validation text is highlighted). Moves cursor to the next highlighted text. |
Show in Browser |
Opens the built-in browser to show the current page, with the option of taking a screen capture from the browser. When the browser opens you can take a screen capture of the page by clicking the camera icon on the browser toolbar. The screen capture is added to the Issue Information tab. |
Options > Report False Positive |
Use to email the current variant to the AppScan® support team, or within your enterprise. (See Report false positive test results.) |
Options > Manual Test |
Modify test and save it as a manual test. (See Manual tests.) |
Options > Delete Variant |
Permanently deletes the selected variant from the test results (irreversible). This can also be done by right-clicking on the variant in the Result pane. |
Options > Set as non-vulnerable |
Changes the definition of the selected variant to non-vulnerable. Positive responses that were changed by the user to non-vulnerable are removed from the scan results, and do not appear in reports, but can be viewed via the Non-vulnerables list. (See Non-vulnerables list.) |
Options > Set as Error Page |
Adds the current page to the list of error pages (Scan Configuration dialog-box > Error Pages) and updates the results to reflect the fact that this response is an error page. |
Options > Add to Issue Information |
Runs Result Review on the current issue, and adds any new information available to the Issue Information tab. |
Find |
Type in text to search for a specific string. (See Filtering Security Issues in Result List.) |
Variant details |
The right pane shows details for the current variant: ID, Description, Difference (the difference between this variant and the original request), Reasoning, and CWE ID. |