·¢²¼ÐÂÈÕÖ¾

  • Appscan crash senario collection

    2010-08-11 16:26:48

    PK64834: AppScan crashes in explore phase if a specific response is received

    Problem summary
    This crash occurs when AppScan receives a very specific
    response, so it is probably very rare.
    The response should follow the following conditions:
    It should contain two strings that matched by the Credit
    Card detection pattern and a null byte appears between them.
    Such response causes the Global Detection function that
    detects credit card patterns in responses to crash.

    Problem conclusion
    A bug that caused the crash was fixed in the following
    function:
    DetectionFunction::DetResponseMatchLUHNSum


    PK82534: AppScan crashing when JSX turned on explore phase
    Error description

    A specific js file the customer is trying to scan contains endle
    ss recursive function that is causing AppScan to get stuck in an endless loop.


    Problem summary
    AppScan with JSX enables crashed with stack overflow because
    recursive call in the customer javascript.

    Problem conclusion
    The workaround is exclude the recursive calls.


    PK81128: AppScan crashes/freezes when using long custome parameters
    Problem summary
    This doesn't have to be related to long regular
    expressions,but it is related to custom parameters found
    during the explore phase. The problem will happen if the
    pattern overlap.

    Problem conclusion
    The problem was easy reproducible with the given scan, the
    overlapping check was fixed.

    PM01545: Invalid characters in the automatic form. filler may cause AppScan to crash

    Problem summary
    If a manual explore discovers certain unusual characters and
    populates the automatic form. filler with them, AppScan may
    crash if paused during automatic scan.

    Problem conclusion
    Handle unusual characters in the Form. Filler correctly, to
    avoid crashing.

    This has been fixed in IBM Rational AppScan Standard Edition
    version 7.9.0.1

     

    PM11875: Scan crashes with non-critical thread error message due to CompressScan option

    Problem summary
    Scan crashes with a non-critical thread error message due to
    CompressScan option

    Performing a manual explore, saving the file, and then
    performing a manual explore again - with the CompressScan
    option enabled - will cause AppScan Standard to crash with a
    non-critical thread error.

    Problem conclusion
    Advance Option CompressScan changed to
    ScanReductionThreshold
    and some improvements made to it.

    Fixed in Rational AppScan (Standard) version 7.9.0.2.
    Download instructions can be found at

     

    PK99687: AppScan crash due to a huge amount of requests recorded in the Multi-step

    Error description
    Huge amount of requests in the multistep operation sequence can
    cause AppScan to crash when opening the internal browser when pe
    rforming manual explore or recorded login.

    Local fix
    Problem summary
    AppScan did not free memory correctly between loading scans
    or creating new scans

    Problem conclusion
    Add some collection function to free memory after loading
    scan or creating regular scan.


    PM13279: AppScan crashes in analysis-engine due to response missing.
    Problem summary
    The scan was corrupted, and when AppScan looked in the
    Explore results for responses to analyze, there were IDs
    with no related response. When trying to analyze these IDs
    AppScan crashes.

    Problem conclusion
    Avoid crashing by ignoring IDs with no related response.

    Fixed in Rational AppScan (Standard) version 7.9.0.3.
    Download instructions can be found at
    http://www.ibm.com/support/docview.wss?rs=3355?uid=swg240273
    19

    ²é¿´(844) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • What determines the size of temp files required for AppScan

    2010-08-11 15:49:15

    Technote (FAQ)
     
    Question
    What is the criteria that determines the size of temp files placed in RAM and on the hard drive during the progress of a scan using IBM® Raitional® AppScan® Standard Edition?
     
    Answer

    The AppScan scan file size depends on the site content and structure (such as, number of parameters and their various values, responses size, number of cookies and their values, and so forth).

    AppScan holds most of the information on disk in the Microsoft® Windows® TEMP directory and only part of the scan in memory. Every component of the scan has an impact on the size of session while scanning and the final session file.

    This can affect the amount of data placed in the TEMP folder:

    • Explore responses: AppScan saves the full explore response
    • Test requests (potential vulnerabilities): not just the number of them but also the size of the requests (large POST requests will consume more space)
    • Test responses: AppScan saves the full test response for each test even if it is duplicate, as well as all the connections between the AppScan entities and responses

    When you save the scan, AppScan zips the temp files to a scan file that is between 12.5% to 25% of the open session file. Some of the redundant information will be removed after you save and open the session.

    These are the things that affect the memory consumption:
    • AppScan entities: hosts, directories, parameters, cookies
    • Strings: parameter names for example
    • A complex site with many hosts and complex directory structure will result in high memory consumption

    ²é¿´(561) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • to track a Session ID located in the URL Path

    2010-08-11 15:44:18

    Technote (FAQ)
     
    Question
    How can IBM Rational AppScan Standard Edition be configured to track a URL that contains a Session ID in the path?
     
    Cause

    The SessionID appears in the URL, where 'abc34f3fa135' is the session ID, as seen here:
    http://domain.name/dir/subdir/abc34f3fa135/anotherdir?param=val
     
    Answer
    1. If Rational AppScan Standard does not track the Session ID correctly, it will frequently fall out of session. In order to be able to track this particular SessionID, the following steps need to be configured under Scan Configuration > Parameters and Cookies > Advanced: Custom Parameters:
      1. Add a new Custom Parameter (use the plus sign, + , in the top right)
      2. In the Add Custom Parameter dialog, enter a name for the Custom Parameter rule in the Reference Name field
      3. Enter the regular expression needed in the Pattern field (Example: (abc[a-zA-Z0-9]+) )
      4. Leave Value Group Index and Name Group Index settings as default
      5. Select Path as the Location value
      6. Click OK to save and apply the changes

    2. This creates the rule by which Rational AppScan Standard can recognize the Custom Parameter. Once this has been completed, it is now necessary to enter the parameter and set its value to be tracked under the Parameters and Cookies tab of the same Scan Configuration entry by doing the following:
      1. Add a new Parameter (using the plus sign, + , in the top right)
      2. Set the Type to Custom Parameter
      3. Select the Reference Name from the drop-down list for the previously defined rule
      4. Enable the Track this parameter during scan check-box
      5. Set Track Type to 'Login Value (Recommended)' or Dynamic as appropriate
      6. Click OK to save and apply the changes

    3. With both of these steps complete, a re-scan of the application is required from Scan > Re-Scan > (Full Scan or Re-Explore).
    4. Finally, if the login sequence includes a URL that contains the in-path SessionID, then it is necessary to set-up the Custom Parameter rule first before recording the login sequence. This may require that any existing login sequences be re-recorded so that Rational AppScan Standard can track the SessionID properly.

    ²é¿´(550) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • Using AppScan with a SSO (Single Sign On)

    2010-08-11 15:27:48

    Technote (troubleshooting)
     
    Problem(Abstract)
    Sometimes when a user tries to access their application, they are redirected to a SSO to authenticate. How can AppScan be configured to handle this?
     
    Resolving the problem
    1) If the site is configured to redirect from the application to the SSO, then back to the application after login, follow these steps:

    - Set the starting point to the application.

    - Record a login sequence (includes the request to the first page, the redirect to the SSO login page, and the return to the first page).

    - Run the scan.

    2) If the site is configured in such a way that you first need to visit the SSO, then after logging in it redirects you to a page where a link exists for the target application, follow these steps:

    - Set the starting point to the SSO login page.

    - If the SSO is on a different domain, add the target application's domain to the "Additional Servers and Domains" list.

    - Restrict the scan in the Scan Configuration to the application you want to test if you do not want the SSO to be included as part of the test phase.

    - Record a login sequence.

    - If the SSO was excluded in the Scan Configuration, start the scan with a Manual Explore, navigate to your application, then continue with a Full Scan.

    - Note: Uou can avoid predefining your Exclusions and Inclusions before the explore phase. To do this, start with an explore and when complete, right-click the folders/pages that you would like to "Exclude from scan" or "Include in scan", then continue with the test phase which will respect the changes and only scan what has been included.

    ²é¿´(456) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • Using Variables in Multi-Step Operations

    2010-08-11 15:24:06

    Technote (FAQ)
     
    Question
    How can variables be implemented in a multi-step sequence with IBM Rational AppScan Standard Edition? This technote provides a scenario for where a variable will be useful along with details on how to make it work.
     
    Cause

    When recording a multi-step sequence that requires a form. parameter, the parameter value cannot be changed. This means that once a value has been entered in a particular form. field, the value cannot be altered. This causes a problem during the testing phase, due to the same form. being submitted multiple times, leading to an error because the value is not unique.

    Example:

    On page A, there is a form. field that requires a unique value. If page A is visited again, the same value cannot be entered. If the value is not unique, then you do not get to page B.

    It will be helpful to get AppScan Standard Edition to enter a unique value every time it visits this page.

     
    Answer

    Overview

    AppScan has the ability to use Sequence Variables. These variables can be appended to a parameter's value, or replace the value, making AppScan enter a unique value each time it submits a form.

    Note: Currently, there is no way to define a configuration for sequence variables in AppScan. The only way to define such parameters is to manually edit a sequence file (using text editor).

    Manually edit the Sequence File

    To begin, perform. the following steps:
    1. Record the multi-step sequence in AppScan
    2. Export the result and save it locally
    3. Open up the saved file in a text editor


    Modifying the Values

    Setting a parameter as Sequence Variable is done by modifying the values of the problematic parameters in the sequence text file described above.

    Example:

    If the user wants to modify all pages in their sequence where "Nick0001" was entered as a value, they can then define a wildcard to say enter "Nick" followed by a random 4 digit integer as a value for any parameters that uses it in the sequence. The user will find and replace all relevant instances of the "Nick0001" with their "Sequence Variable" entry in the sequence file.

    The "Sequence Variable" will be a global setting so that when an instance of a particular explore sequence is running, the new value will be used throughout the sequence. The next time a new instance of the same sequence is running (for the next test), a new value will be generated, and so on.


    Parameter Definition Example

    Here is an example of parameter definition (from the sequence file) that contains "Sequence Variable":



    In this example, the name of the sequence variable is itemID and the value that will be sent is a 5 characters random string.

    To append a random string to the end of a parameter the definition would look like:



    When AppScan submits the _%24RokId parameter, its value looks like     BEGINNINGVALUEdfndo


    Types of Sequence Variables that can be used

    Note: Any reference below to [variable id] is meant to uniquely identify a group of variables so that two identical variables can generate two different values if required by the user defining a new id, otherwise if the same id exists, the exact same generated value will be associated with it for any given iteration of a sequence:
    1. __SeqVariable__[variable id]__random_integer(min,max)__

      This will permit the user to request a random integer to be used, as well as the minimum and maximum acceptable values.
    2. __SeqVariable__[variable id]__incrementing_integer(min,increment)__

      This will permit the user to request an incrementing integer to be used, as well as its starting value and the amount to increment (will be incremented from the value used in the previous instance of the explore).
    3. __SeqVariable__[variable id]__random_string(length)__

      This will permit the user to request a random string to be used, as well as its length.
    4. __SeqVariable__[variable id]__date_time()__

      This will permit the user to request a date/time stamp to be used. It will be in the following format and consist strictly of integers:       MMddyyHHmmss

      Where:
      MM is the 2-digit current month of the year (i.e. 04 for April)
      dd is the 2-digit current day of the month.
      yy is the 2-digit current year (i.e. 07 for 2007)
      HH is the 2-digit current hour of the day in 24 hour format (i.e. 17 for 5 pm.)
      mm is the 2-digit current minute of the given hour.
      ss is the 2-digit current second of the given minute.

      Example:

      If the current time is 30 seconds past 5:52 pm on April 9th, 2007, the string will be as follows:

      040907175230
    5. __SeqVariable__[variable id]__ date_time_milliseconds()__

      This will permit the user to request a date/time stamp with milliseconds to be used. It will be in the following format and consist strictly of integers:       MMddyyHHmmssSSS

      Where:
      MMddyyHHmmss is defined the same as the date/time stamp in iv) above.
      SSS is the 3-digit current millisecond of the given second.

    ²é¿´(623) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • About In-Session Detection mechanism for Rational AppScan Standard

    2010-08-11 15:03:51

    Technote (FAQ)


    Question

    What is the purpose of the In-Session Detection mechanism, which provides the ability to mark an in-session page after recording a login sequence in IBM Rational AppScan Standard?

    Cause

    This technote provides an overview of the In-Session Detection functionality along with details on how to address common issues.

    Answer

    Overview of In-Session Detection

    Common Issues and how to address them
    Overview of In-Session Detection

    After recording a login sequence in the Scan Configuration, clicking on the Details tab will bring up a Session Information window which lists the detected URLs. Rational AppScan Standard will mark these pages as one of the following three Types:

    • Login
    • Regular
    • In-Session

    One of the pages will be marked as In-Session if it detects that the page content contains strings listed in its Logout Detection Pattern (the regular expression can be modified in Scan Configuration > Login Management).

    If no page is automatically detected, it is possible to set a page as in-session and mark its unique pattern using the Select In-Session pattern... button.

    With this information, Rational AppScan Standard will poll the application periodically during the automatic explore and test phases to see if it can reach the page in question and whether it is able to detect the marked pattern. If Rational AppScan Standard is unsuccessful (such as the response to request is a redirect to the login page or a customized error page) it will stop the scan, replay the login sequence, confirm its valid session state using the original In-Session Detection pattern and if successful, continue the scan.

    If an out-of-session state is detected in the test phase, Rational AppScan Standard will stop all of its testing threads, re-login, check its in-session state, and then re-run in single-threaded mode all the tests since the last point a valid session state was confirmed. After each test is performed, it will poll the in-session page and skip a test should it cause the session to be invalidated. Rational AppScan Standard will continue using one thread for the remaining tests until all have been performed, at which point it will return to the original thread configuration.


    Common Issues and how to address them

    There may be instances where Rational AppScan Standard detects it is out-of-session and is not able to successfully validate its marked in-session pattern. If this occurs, the following notification will be displayed in the UI followed by a 90 second countdown:

    "Rational AppScan Standard has detected it is out-of-session and is trying to re-login"

    During this time, the Scan Log will display multiple login requests until the scan eventually stops with this log entry:

    Stopping scan due to out of session detection

    There are several possibilities why this can occur:

    1. Server stopped responding:

      Rational AppScan Standard may not be able to get a response in a timely manner from the application due to it being overloaded or temporarily down. To test, try disabling the "In-Session Detection" check-box in the Session Information window, then continuing the scan. If it still stops due to communication issues, please see       Communication errors displayed when scanning with Rational AppScan Standard for more details.

    2. Required session cookies or parameters were not automatically detected by Rational AppScan Standard in the login sequence:

      Rational AppScan Standard will automatically try to detect cookies or parameters in the login sequence that it believes to be related to the session state (i.e. "ASP.NET_SessionId", "JSESSIONID"). These will be listed on the Scan Configuration > Parameters and Cookies window.

      If there are other session identifiers that were not detected, add them to the Session IDs list and try continuing the scan. If you are not sure, try first adding all that show up in the login sequence and if Rational AppScan Standard is then able to remain in-session, you can go back and remove some IDs until the specific cookie or parameter is isolated. All parameters and cookies related to the login are listed at the bottom of the Details tab on the Login Management section of the Scan Configuration.
    3. In-Session page is not accessible when requested out-of-sequence:

      Because Rational AppScan Standard polls the In-Session page periodically throughout the course of its scan, it does so while not necessarily visiting it in the same sequence as when then login sequence was recorded. If you suspect that the reason why Rational AppScan Standard is not able to remain in-session is caused by this type of configuration, try testing by exploring the sequence using your browser, copying the URL which Rational AppScan Standard is using as its In-Session page, continuing with a short explore of the application, then forcefully browsing to the page in question. If you are not able to see the text in the response that you had previously marked in Rational AppScan Standard browser (Example: You are redirected to a customized error page), try selecting other pages as your In-Session page until you find one that permits this type of behavior.
    4. Detected In-Session page is a POST with the login parameters:

      If Rational AppScan Standard automatically detects a page as its In-Session page and you notice that it is not able to remain in-session throughout the scan, examine the marked page in the Session Information window by highlighting it and hitting the View button. If the page contains the username and password parameters, try selecting another page further down in the list, marking its pattern in the browser, then continuing the scan. If there is no other page to select, try re-recording the login sequence and include one extra page in the explore, then mark that page as your In-Session page.

      NOTE: If the scan does not stop due to in-session detection but you notice quite a large number of "Performing login" entries in the Scan Log during the Test Phase, perhaps a particular test or group of tests are causing Rational AppScan Standard to go out-of-session. To investigate further, try enabling the negative tests in the Scan Log (Tools > Options > Scan Options tab > Customize Scan Log and selecting Test ID [ID] is negative on: url (param)) and continuing the Test Phase. If you see numerous occurrences of one test being performed followed by the login sequence, consider excluding a commonly displayed page or parameter from testing, or modifying the Test Policy according to a common test being performed.
    5. Recording the login does not capture login page:

      When trying to record a login sequence, sometimes upon opening the recorded login browser, you are already logged into the application. If this occurs, close the recorded login browser, go to Internet Explore and clear out the cookies (Tools > Internet Options > General) and delete all the cookies and temporary files. This should now allow you to record the complete login successfully.


    Related information

    ²é¿´(2521) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • AppScan results differ from one scan to the next identical scan

    2010-08-11 14:39:32

    Technote (troubleshooting)
     
    Problem(Abstract)
    When using IBM Rational AppScan Standard Edition to perform. identical scans to complete formal QA reviews, why are the scan results different from scan to subsequent scan, even though the configuration and site content has not changed?
     
    Symptom

    Symptom 1

    Multi-threaded scanning and how it affects an automatic explore, which does not apply to a scan that strictly uses a Manual Explore.

    Symptom 2:

    Some tests were skipped in the Test Phase.

    Symptom 3:

    Inconsistent responses from identical requests.

     
    Cause

    Here are the most common causes for varying results between scans:

    Cause 1

    By default, AppScan runs its automatic explore in 10 threads. Sometimes, due to timing, the threads may explore the site in a slightly different fashion from one scan to the next.

    Cause 2:

    Communication problems can lead to scans tests being skipped.

    Cause 3:

    Sometimes an application may return a different response from an identical request.

    For example, AppScan may be testing a web application that is accessed through a proxy which for whatever reason periodically returns errors. This then causes inconsistent vulnerability results.

     
    Diagnosing the problem

    Diagnosing the problem for Cause 2:

    The easiest way to determine if tests are being skipped, is by opening AppScan's new real-time scan log (Scan > Scan Log) during the course of the scan. If tests were skipped, you will see entries similar to the following examples:

    • Cannot connect to host: [IP/HOSTNAME]
    • Test [TEST_NUMBER] [TEST_NAME] failed due to communication error: [PATH]
    • Connection established with host: [IP/HOSTNAME]

    Diagnosing the problem for Cause 3:

    The way to isolate the issue is to run two identical scans with the traffic log enabled (see Technote 1287440 for instructions), save the Traffic log after each scan, then determine the scan differences in the Issues view.

     
    Resolving the problem

    Solution for Cause 1:

    If the visited URLs displayed under Application Data > Visited URLs differ in two comparable scans, you can set up AppScan to run in 1 thread (Scan > Scan Configuration > Connection > Number of Threads). This will ensure that AppScan will traverse the site in the same fashion as a previous scan, permitting that the site content hasn't changed in the interim.

    Solution for Cause 2:

    If you notice excessive entries similar to the above, refer to technote 1283298 - How to address communication problems during a scan in AppScan

    Solutions for Cause 3

    1. Once one issue shows up in one scan, but not in the next, copy the exact test payload in the scan that came up positive. (For example, if the payload is delivered on a parameter and the Test Request is a GET, copy the first line of the Test Request to your clipboard; otherwise, if its a POST request, copy the parameters which include the payload.) Then search the Traffic log for the scan which the vulnerability was missed in and when you find the request, find the response which is the next one for the listed thread id (like the thread id for "---- Begin Thread 2768[132c] ----" is 132c) to determine why it is different from that listed in the vulnerable scan.
    2. If using AppScan 7.5 or higher, an alternate solution is to perform. a similar analysis by enabling the invulnerable Variants (under the Scan menu) and searching the results for responses which do not come up as vulnerable.

    ²é¿´(809) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • AppScan cannot import manually generated explore data files (exd)

    2010-08-11 14:15:54

    Technote (troubleshooting)
     
    Problem(Abstract)
    AppScan cannot import manually generated explore data files(exd file - formally known as Business Process file).If the file has been manually modified, you will encounter this error message:"Import Explore Data Failed".AppScanSys.log will write the following error "System : Failed to load data from business process file."
     
    Resolving the problem
    The reason for AppScan's inability to import this explore data file is likely due to the following reasons :

    a) The exd file was generated manually. (The exd file should not be edited as it indicates in the file itself.)

    and

    b) The offending exd file contained characters from the high ascii range.

    Usually, when AppScan creates .exd files through the AppScan UI (that is, it is not generated manually), it converts high ascii characters, and only then writes them to the exd file.

    When they are generated manually there is a possibility that some of the high ascii characters were left un-encoded, therefore preventing the exd file from being imported into AppScan.

    First, open the offending exd in IE. It will load the file until it reaches such a character, and it will show you the line that contains it.

    Go to the line and see if the parameter value contains a character from the high ascii range.

    Use the AppScan "encode/decode" power tool to encode that value.

    We also add a direction in the exd to treat the value as encoded.
    Therefore, the line would look like this:

    <parameter encodeValue="True" name="someparametername" value="encoded parameter value=" type="BODY" linkParamType="hidden" />

    (You can do the same for parameter names ‡° add encodeName="True" and encode the parameter name with the encode/decode too)

    This will allow you to import the explore data file (exd) successfully.

    ²é¿´(686) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • Guidelines for scanning large sites with Rational AppScan Standard

    2010-08-10 11:42:27

    Technote (FAQ)
     
    Question
    What are the guidelines for scanning large sites with IBM Rational AppScan Standard Edition and Express Edition?
     
    Cause

    Security auditors often face large and complex Web sites. Although AppScan has good explore filters that allow you to restrict and focus the site exploration. The usage of these filters often require a detailed knowledge of the structure of the site.

    IBM Rational recommends these measures to ensure a successful completion of a scan of such large and complex sites:

    System Requirements:
    • CPU - 1GHz and above
    • RAM - 2GB and above
    • Free Disk Space- 3-4GB

      Note: Ensure that the temp directory as defined in the environment variables is pointing to this drive.
    Scan Type:
    • Do not change the default explore settings (Redundant Path and Depth Limits), most of the site will be covered with default setting and increasing the limits might introduce redundancy and increase the size of the session.
    • Save the session after the Explore phase (One can even create a Business Process of the Explore phase).
    • Check the following parameters:
      1. Number of visited links
      2. Number of potential vulnerabilities
      3. AppScan memory consumption (In task manager)
      4. AppScan files in the Temp directory (Extensions - DBF, CDX, FPT)If any of these parameters are extremely high or the combination of them looks out of the ordinary, you should consider running the test phase by breaking them up into groups of smaller ones (see "How to Split the Test Phase" below).

    Large Session Indications:
    • Large number of visited links - greater than 10,000
    • Normal number of visited links but a large number of potential vulnerabilities
    • More than 100,000 potential vulnerabilities but no more then 500-1,000 visited links; this can be an indication of a large number of form. fields in the session.
    • Memory consumption of more than 500MB
    • Temp files larger than 1.5GB
     
    Answer

    How to Split the Test Phase:

    Note: The best practice is to break the scan into at least two scan files: 1 for Infrastructure Tests and 1 for Application Tests.

    **AppScan 7.0**
    • Change the name of the scan and save it again. This will create a copy so the baseline session will not be affected.
    • Go to Scan > Scan Configuration and click on Test Policy
    • For each scan file created (above), edit the test policy as applicable
    • Go to Scan > Re-Scan > Re-Test - there is no need to explore the site again
    • Run the test - you will notice that only the specified test groups are executed
    • Save the session

    ²é¿´(297) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • When to perform a Re-Scan after making changes to the Scan Configuration

    2010-08-10 10:59:03

    Technote (FAQ)
     
    Question
    Upon making changes to the scan configuration after a explore phase, is it necessary to do a full Re-Scan?
     
    Answer
    Most changes to the scan configuration will require a full Re-Scan of the application. The only changes that will not require a full Re-Scan is:
    • Changing the Numbers of Threads (Scan Configuration > Communication and Proxy)
    • Changing the Timeout (Scan Configuration > Communication and Proxy)
    • Changing the Login Sequence (Scan Configuration > Login Management)
    • Adding a Custom Error Page (Scan Configuration > Error Pages)
    • Adding Exclusions (Scan Configuration > Exclude Paths and Files)


    Any other changes will require a full Re-Scan to take affect.

    To re-run a scan or scan stage:

    • On the Scan menu, click Re-Scan and then click an option from the sub-menu: Full Scan, Explore, or Test.

    ²é¿´(450) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • Error and crash occur when Manual Explore is finished

    2010-08-09 17:18:54

    Error description

    • Crashing behavior. and errors may result when doing the following
:

1. Do a Manual Explore of a site in AppScan
2. Close the AppScan Browser
3. Click the OK button with Manual Explore Wizard
4. Crash occurs

In the AppScanSys.log the following message appear -
'Error : Failed to parse scan configuration XML, in line [line n
umber] position [position number]. Invalid unicode characer'

at around the same time, even though the characters in the Scan
Configuration ? EXPLORE ? Automatic Form. Fill do not display any
 unusual characters.

The GuiLog GuiLog.log will display a 'Starting onCriticalError.
AppScan internal error occurred' message as well.

The problem's cause is a character in the Form. Filler and the Ap
pScan engine's inability to handle it.

The workaround is as follows:

When closing the Manual Explore, do not add all parameters to th
e Form. Fill.  Choose the 'Select' option instead and manually se
lect which properties to add.

    Local fix

    Problem summary

    • AppScan may crash at the end of manual explore when the
application contains parameters with double-byte characters
in their name/value.

    Problem conclusion

    • We changed the way double-byte characters were transferred
to AppScan engine.

    ²é¿´(538) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • Appscan memory spiking/crash opening manual explore

    2010-08-09 16:57:04

    Error description

    • AppScan memory spiking/crash opening manual explore

    Local fix

    Problem summary

    • Sometimes during manual explore the automatic form. filler is
being filled with huge number of parameters with huge
values, this results in large memory consumption which can
crash AppScan.

    Problem conclusion

    • A new advanced option was added
SpecialPattern.IgnoreParmetersFromFormFill to exclude
parameters from the form. fill. By default this setting
contains few parameters that we believe should not be added
to the form. filler.

    ²é¿´(219) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • Manual Explore browser does not display webpage

    2010-08-09 16:15:40

    Technote (troubleshooting)
     
    Problem(Abstract)
    Attempts to explore an application using the IBM Rational AppScan Standard Manual Explore browser results in the webpage not loading successfully.
     
    Cause
    A configuration issue in the Scan Configuration can cause this behavior.
     
    Diagnosing the problem
    Check to see if the application is accessible using a third party web browser such as Internet Explorer.
     
    Resolving the problem
    If the page is displayed successfully, check the following settings in the Scan Configuration:
    1. Scan Configuration > Communication and Proxy

      Check to see if the proxy settings need to be entered, or if Rational AppScan Standard is using the Use Internet Explorer proxy settings option. If this is the case, try entering in the proxy information into the Use custom proxy settings option.

      Note: Your proxy settings can be found by going to Control Panel > Internet Options > Connections tab and clicking on the LAN Settings... button or contacting your Networking Administrator
    2. Scan Configuration > URL and Servers

      Double check your URL structure to see if the Treat all paths as case-sensitive option needs to be turned on. If this option is de-selected and the paths are case-sensitive, Rational AppScan Standard might not be able to access the page properly through Manual Explore.

    ²é¿´(448) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • Optimizing job and scan configurations for large sites

    2010-08-09 16:05:51

    Question

    How can you speed up the scanning process and reduce the number of pages IBM Rational AppScan Standard, IBM Rational AppScan Enterprise, and IBM Rational Policy Tester is finding?

    Cause

    A job or scan that you are running is taking an excessive amount of time and is finding a large number of links.

    Answer

    This might come a little surprising at first but from the security perspective, big sites are very rare.

    Let us elaborate a bit what this statement means. If you go over 500 links in your scan, you should ask yourself: did the developers of this application really write 500 individual scripts (JSP/ASP/PHP files)? Actually, most of the time you will encounter sites that contain tens of thousands or even a million pages.
    There is no way that a development team no matter how large wrote a million pages.

    Redundant path limit

    From the security perspective, we are only interested in testing a limited set of instances for an individual script. (page).

    The redundant path limit setting (Rational AppScan Standard - Scan Configuration > Explore Options, Rational AppScan Enterprise / Rational Policy Tester - Edit job properties > Explore Options) restricts the number of requests to a specific URL, which does not include the query parameters.


    The path in this example URL
    http:// www.site.com/folder1/folder2/index.jsp?query=123


    is represented by the following section

    folder1/folder2/index.jsp

    The path usually specifies the name of the script. and its location on the servers file system.

    In Rational AppScan Enterprise, due to its integration with Rational Policy Tester where the focus is content scanning, the query is included in the redundant path limit calculations.

    Let us look at an example of a entertainment site that contains biography pages for different artists. The biography page is called biography.jsp, is based on the value of a query parameter called artist, and will display a different text and picture for each artist.

    As you can see, there is no difference in structure between

    biography.jsp?artist=madonna&session=123

    and

    biography.jsp?artist=britney_spears&session=123

    The only difference between the two is the text of the biography and the picture that are displayed in the page. So if there is a Cross-Site Scripting vulnerability on the session parameter, it will exist on both artist=madonna and artist=britney_spears, so it does not make sense to navigate to this page more than once.

    The redundant path limit allows the artist parameter to change only 5 times by default, preventing Rational AppScan Standard / Rational AppScan Enterprise / Rational Policy Tester from testing this page for every single artist on the site. However in this specific case, the redundant path limit of 5 is too much.

    Why then have the redundant path limit set to 5 instead of 1?

    There are situations where parameters have effect on the structure of the page. For example the navigational parameters that are encountered in MegaScript. applications. To learn more about MegaScripts and advanced redundancy tuning in Rational AppScan Standard, review Handling MegaScript. sites with Rational AppScan Standard.

    The restriction to 5 identical paths was set in an attempt to find a middle ground between parameters that affect the page content and parameters that affect the page structure. However, if the parameters only affect the page content and the site has 200 pages, Rational AppScan Standard / Rational AppScan Enterprise / Rational Policy Tester will discover 1000 pages and take 5 times longer to explore the site.

    So in certain cases the redundant path limit should be decreased or set to 1. If a limited number of pages that change their structure based on parameters values exists, manual explore or multi-step operations should be used for those pages .


    What if it is really hard to separate the path from parameters ?

    Web application developers often use a technology called URL Rewriting to hide parameters in the directory structure. Let us imagine that our entertainment site uses the following rewrite rule.

    RewriteRule ^biography/(.+).jsp biography.jsp?artist=$1

    This rule tells the web server to convert the URL that you see in the web browser, such as
    http:// www.site.com/biography/madonna.jsp


    to the following
    http:// www.site.com/biography.jsp?artist=madonna.jsp


    The main reason behind URL rewriting is to force Google and other search engines to index all the pages of the site. Another advantage of URL Rewriting is that questions marks and equal signs are removed from the URL making it easy to remember. The whole transformation is entirely hidden from the user.

    The problem posed by URL Rewriting for Rational AppScan Standard / Rational AppScan Enterprise / Rational Policy Tester is that it renders the redundant path limit useless. The parameters are now part of the path and the product has no way of automatically knowing which is the script. and which is the parameter.

    If there are ten thousands artists on our entertainment site you will now have ten thousand additional URLs in your scan when you should really have just one. Add to that another URL-rewrited parameter that handles the session and changes its value every time you login and you will now have a never ending scan. If this occurs, Rational AppScan Standard / Rational AppScan Enterprise / Rational Policy Tester will eventually run out of resources.


    How to identify URL rewriting ?

    Rational AppScan Standard

    If the scan goes past the 500 URL mark, perform. the following:

    1. Pause the scan
    2. Choose the Application Data view on the left
    3. Highlight each folder and look at the number of visited URLs displayed in the "Show" drop-down located at top-center of the screen to find the folder with the most URLs. In our example the folder biography would show ten thousand pages.
    4. Now that you located the problematic folder, you can check to see if all URLs in this folder follow a specific pattern. In our example you would notice that all the pages in the biography folder have celebrity names.


    Rational AppScan Enterprise / Rational Policy Tester

    If the job takes too long to execute and the number of pages scanned is very big in the status screen:

    1. Save current results and stop. It is very important to select Save current results and stop and not Discard results and stop since only the save option will also run the reports on the data gathered up to this point
    2. Examine the pages report to identify URL rewriting patterns using a similar process as in Rational AppScan Standard


    How to handle URL rewriting ?

    Rational AppScan Standard - Custom Parameters

    1. The first step is to identify the parameter values in the URL. This can be done by comparing the differences between the URLs that are part of the same folder

      Example:

      The difference between

      http:// www.site.com/biography/madonna.jsp and

      http:// www.site.com/biography/britney_spears.jsp is the page name. This difference could be comprised in the following regular expression:

      biography/(.+)\.jsp

    2. Once identified the URL-rewrited parameters can be added to the list of Custom Parameters under Scan Configuration > Parameters and Cookies > Custom Parameters

      If our example the Custom Parameter definition will be:

      Reference Name: artist
      Pattern: biography/(.+)\.jsp
      Location: Path



      Defining the parameter this way will actually allow Rational AppScan Standard to send application type tests to this entity. An example of a Cross-Site scripting attack for this site would look like this:
      http://www.site.com/biography/.jsp
    3. After defining the parameter, you need to edit its redundancy settings. To do that, click on the Parameters and Cookies tab and then click on the plus sign.

    4. In the "Type" drop down choose Custom Parameter and then choose the reference name you just defined.

    5. Under the redundancy tuning settings at the bottom choose When comparing explore requests ignore the parameter value and Do not retest adjacent parameters when the parameters value changes as per in the attached screenshot.



    Rational AppScan Enterprise / Rational Policy Tester - URL Substring Exclusions

    1. In the Job Configuration, go to Parameters and Cookies.

    2. Scroll to the bottom until you find the Normalization Rules category

    3. Add the pattern you have identified under Ignore the following URL substrings when applying normalization rules preceded by the "regexp:" prefix.


    For our example the pattern would be: regexp:biography/(.+)\.jsp . There is no need to add a delimiter for regular expressions.

    Alternatively ,you can simply enter a substring and a corresponding delimiter. For our example the substring would be biography/ and the corresponding delimiter would be .jsp.



    This will prevent the exploration and testing of the redundant URLs.

    ²é¿´(563) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

  • Verifying site coverage performed during an automatic explore

    2010-08-09 16:00:35

    Technote (FAQ)
     
    Question
    When viewing the results of an automatic explore in IBM Rational AppScan Standard, what options can be used to determine if complete coverage of the site being explored was obtained?
     
    Answer

    The Rational AppScan Standard product provides users with several indications of the areas and parts of the web application that were covered during a scan.

    Application Tree

    The Application Tree (in the Rational AppScan Standard user interface), is a graphical representation of the areas that were discovered and explored by Rational AppScan Standard. Users can validate that the whole application was covered by viewing this tree and making sure that no application segments were left undiscovered.

    Application Data

    The Application Data view (View > Application Data), is a repository of information and data about the structure and contents discovered about the application during the explore phase. This data contains:

    • Visited URLs: URLs that were visited during the explore phase
    • Script. Parameters: Input parameters sent to the application, such as text fields, radio button values, hidden parameters, link parameters...
    • Interactive URLs: Forms which were not automatically submitted and require user interaction to be fully explored
    • Broken Links: Links that Rational AppScan Standard cannot retrieve (either because they are missing, or because the application returned an error during the explore phase)
    • Filtered URLs: URLs that were not explored due to explore filters (Example: path exclusions, file type exclusions, depth limit...)
    • Comments: HTML comments extracted from each page that were discovered during the explore phase
    • JavaScripts: JavaScript. code that was extracted from each page that was discovered during the explore phase
    • Cookies: HTTP cookies that were used during the explore phase (set either by a "Set-Cookie" header, or by client-side technologies such as JavaScript)


    Both the Application Tree and Application Data view enable users to easily understand if Rational AppScan Standard has covered all of the application during the scan.

    ²é¿´(313) ÆÀÂÛ(0) ÊÕ²Ø ·ÖÏí ¹ÜÀí

Open Toolbar