Parameters, cookies and headers definition

You can define parameters, cookies and headers that you want to exclude from being tested during scans.

Procedure

  1. To add a new definition, click +Add.
    The Add Parameter Definition dialog box appears.

    [Image: Add Cookie definition dialog box]

    Setting

    Description

    Type

    Select a parameter type from the drop-down list:

    Parameter: All parameters matching this name are included in the definition.

    Cookie: All cookies matching this name are included in the definition.

    Custom Parameter: This is a custom parameter (select one of the custom parameters from the Name drop-down list).

    Header: All headers matching this name are included in the definition.

    Name

    The name of the parameter, cookie or header.

    Select the adjacent check box if the name you enter is a regular expression. If you do this, you can also open the Expression Test PowerTool by clicking the Regular Expression button, to help you verify the syntax of your regular expression.

    See Parameter names for details.

    Comments

    You may optionally add a comment about the parameter in this field for your own reference.

    Hosts

    If a host is specified: Use this parameter for the specified host only.

    If left blank: Use this parameter for all hosts.

    Path

    If the application supplies cookies of the same name from different parts of the application, you can differentiate between them by defining the path for each one.

    Blank or / will include all occurrences of the cookie.

    Test

    Clear this check box only if you are sure you don't want AppScan® to test this parameter at all.

    Tracking

    This setting tells AppScan® that this parameter or session ID should be updated during the scan whenever a new value is set by the application, so that a valid cookie/parameter is always sent in requests to the application.

    This option is not available for headers.

    Tracking Options

    (Click the link to open this optional section of the dialog box.)

    These options let you fine-tune how the tracked parameter or cookie is treated.

    Track Type
    • Login Value: (Default, and Recommended) Requests sent to the application that include this parameter use the last value of the parameter received in the login process, not including the In-Session request itself.
      Tip: If you wanted to track the parameter in the In-Session response, you would need to set its Track Type to Dynamic Value, not Login Value, and verify that Scan Configuration > Advanced Configuration > Session Management: Parse in-session page is set to True (its default setting).
      Note: If you record login steps as part of a Multi-Step Sequence, defining a received parameter as Login Value will not affect how it is used. It will always be treated as Dynamic.
    • Dynamic Value: Requests sent to the application that include this parameter use the most recent value received from the application.
    • Fixed Value: Requests sent to the application that include this parameter always use the value that you enter in the Value field.
    See Session IDs for more details.

    Send cookie on all requests: When selected, the cookie will be included in all requests, even if not explicitly set by the application.

    Treat as Group: If the cookie name is a regular expression, define whether to treat the different cookie names that match the regular expression as a group (and therefore update the name as well as the value when there are changes) or as separate cookies. This function applies only to Request-Based Exploring.

    Response Pattern: Generally, AppScan® updates parameter or cookie values based on the content of links extracted from the response (parameters) or from the cookie header (cookies). If AppScan® cannot extract the value unaided, you can supply a regular expression that AppScan® uses to extract the value from the raw response. The regular expression must contain at least one group, and AppScan® will extract the first match.
    • URL Filter: If you know that the parameter/cookie only appears in a specific URL, you can improve scan efficiency by defining the full URL path here.
    • Encoding: If the extracted value must be encoded when pasted into the request, define the method here. If you are unsure of the coding, select According to context; if you are sure, selecting the correct encoding is preferable. Options are: None, According to context, URL, XML, JSON.
    • Match: Select Header and Body (default) or Body only.
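    The Track Type choice and the Response Pattern extraction above can be tried out on sample traffic before committing a definition. The following is an added example, not AppScan's own code: the function names, the constructed responses and the regular expressions are assumptions made here for illustration. It applies a response pattern (first match, first group, with the Header and Body / Body only scope), encodes the extracted value with the explicit encoding options, and then picks the value to send under each Track Type, so the difference between Login Value and Dynamic Value on the In-Session response is visible.

```python
"""Added example (not AppScan's own code): a small model of two of the
Tracking Options, the Track Type choice and the Response Pattern
extraction with its encoding options.

Everything here is constructed for illustration: the function names,
the sample responses and the regular expressions are assumptions, not
values taken from AppScan."""
import html
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import quote

# Constructed raw responses: one from the login process, the In-Session
# request's own response, and one later page seen during the scan.
LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=login-111; Path=/\r\n"
    "\r\n"
    '<a href="/account?csrf=tok-login-111">Account</a>'
)
IN_SESSION_RESPONSE = (
    "HTTP/1.1 200 OK\r\n\r\n"
    '<a href="/account?csrf=tok-insession-222">Account</a>'
)
LATER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n\r\n"
    '<a href="/account?csrf=tok-later-333">Account</a>'
)


def extract_value(pattern: str, raw_response: str,
                  match: str = "Header and Body") -> Optional[str]:
    """Response Pattern rule from the page: the regular expression must
    contain at least one group, and the first match is used (its first
    group is the value). `match` is "Header and Body" (default) or
    "Body only"."""
    regex = re.compile(pattern)
    if regex.groups < 1:
        raise ValueError("response pattern must contain at least one group")
    scope = raw_response
    if match == "Body only":
        # The body starts after the blank line that terminates the headers.
        _, _, scope = raw_response.partition("\r\n\r\n")
    found = regex.search(scope)
    return found.group(1) if found else None


def encode_value(value: str, encoding: str) -> str:
    """Encode an extracted value for the request context it is pasted into.
    Page options are None, According to context, URL, XML and JSON; the
    context-sensitive choice is AppScan's and is not modelled, so only the
    explicit encodings are implemented here."""
    if encoding == "None":
        return value
    if encoding == "URL":
        return quote(value, safe="")
    if encoding == "XML":
        return html.escape(value, quote=True)
    if encoding == "JSON":
        # json.dumps yields a quoted string; strip the surrounding quotes so
        # the result can be dropped inside an existing JSON string literal.
        return json.dumps(value)[1:-1]
    raise ValueError(f"unknown encoding {encoding!r}")


def observed_values(pattern: str) -> List[Tuple[str, str]]:
    """Run the Response Pattern over the constructed responses, in the
    order the scan would see them, tagging each value with its phase."""
    phases = [("login", LOGIN_RESPONSE),
              ("in-session", IN_SESSION_RESPONSE),
              ("scan", LATER_RESPONSE)]
    seen = []
    for phase, raw in phases:
        value = extract_value(pattern, raw)
        if value is not None:
            seen.append((phase, value))
    return seen


def tracked_value(track_type: str, observed: List[Tuple[str, str]],
                  fixed_value: Optional[str] = None) -> Optional[str]:
    """Pick the value to send for a tracked parameter, following the three
    Track Types: Login Value uses the last value received during login
    (the In-Session response is excluded), Dynamic Value uses the most
    recent value received, Fixed Value always uses the configured value."""
    if track_type == "Fixed Value":
        return fixed_value
    if track_type == "Dynamic Value":
        return observed[-1][1] if observed else None
    if track_type == "Login Value":
        login_only = [v for phase, v in observed if phase == "login"]
        return login_only[-1] if login_only else None
    raise ValueError(f"unknown track type {track_type!r}")


if __name__ == "__main__":
    obs = observed_values(r'csrf=([^"&]+)')
    for kind in ("Login Value", "Dynamic Value", "Fixed Value"):
        print(kind, "->", tracked_value(kind, obs, fixed_value="static-000"))
```

    Running the block shows Login Value returning the token from the login response while Dynamic Value returns the one from the last page seen; a pattern such as `sid=([^;]+)` matches the Set-Cookie header only when the scope is Header and Body, which is why Body only is the wrong choice for cookie values carried in headers.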

    Redundancy Tuning

    (Click the link to open this optional section of the dialog box.)

    These four check boxes let you fine-tune how AppScan® responds to changes in the parameter (or even in its existence) during the Explore and Test stages of the scan. See Redundancy tuning for details.

  2. Define the item as needed, and click OK.
  3. To manage the defined parameters, click , and and select Edit to modify or Delete to delete the parameter.
    Tip: Hover over a parameter listed in the table, to view the vertical three-dot menu .

Identifiers that define a parameter or cookie

A parameter or cookie is recognized as unique on the basis of certain identifiers. It follows that you cannot define two or more parameters or cookies with the same identifiers. The table below shows the identifiers for each kind of entry.

Parameter: parameter name, whether it is a regular expression, host
Cookie: parameter name, whether it is a regular expression, host, path
Custom parameter: extracted name (if one exists), reference name, host, occurrence index