About In-Session Detection mechanism for Rational AppScan Standard

2010-08-11 15:03:51 / Category: IBM Appscan Security Scan

Technote (FAQ)


Question

What is the purpose of the In-Session Detection mechanism, which provides the ability to mark an in-session page after recording a login sequence in IBM Rational AppScan Standard?

Cause

This technote provides an overview of the In-Session Detection functionality along with details on how to address common issues.

Answer

Overview of In-Session Detection

Common Issues and how to address them

Overview of In-Session Detection

After recording a login sequence in the Scan Configuration, clicking on the Details tab will bring up a Session Information window which lists the detected URLs. Rational AppScan Standard will mark these pages as one of the following three Types:


One of the pages will be marked as In-Session if it detects that the page content contains strings listed in its Logout Detection Pattern (the regular expression can be modified in Scan Configuration > Login Management).

If no page is automatically detected, it is possible to set a page as in-session and mark its unique pattern using the Select In-Session pattern... button.

With this information, Rational AppScan Standard will poll the application periodically during the automatic explore and test phases to see if it can reach the page in question and whether it is able to detect the marked pattern. If Rational AppScan Standard is unsuccessful (for example, the response to the request is a redirect to the login page or to a customized error page), it will stop the scan, replay the login sequence, confirm its valid session state using the original In-Session Detection pattern and, if successful, continue the scan.

If an out-of-session state is detected in the test phase, Rational AppScan Standard will stop all of its testing threads, re-login, check its in-session state, and then re-run in single-threaded mode all the tests since the last point a valid session state was confirmed. After each test is performed, it will poll the in-session page and skip a test should it cause the session to be invalidated. Rational AppScan Standard will continue using one thread for the remaining tests until all have been performed, at which point it will return to the original thread configuration.
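The re-login and single-threaded replay behaviour described above, modelled as an added example. This is not AppScan code: it is a small simulation in which a constructed fake application holds a session, an in-session regex (assumed here to be the `/logout` link text the technote mentions) is re-checked after every batch of tests, and on an out-of-session result the guard re-logs in, replays the batch one test at a time, skips the test that invalidates the session, and stays single-threaded for the rest of the run. The class and method names (`FakeApp`, `SessionGuard`, `run_tests`) are hypothetical.

```python
import re
from typing import List, Tuple


class FakeApp:
    """Constructed stand-in for the application under scan.

    The session is valid after login() and is lost when a test whose id
    contains "logout" is sent (modelling a test that triggers a logout).
    """

    def __init__(self) -> None:
        self.logged_in = False

    def login(self) -> None:
        self.logged_in = True

    def get_in_session_page(self) -> str:
        # Constructed page bodies: only the logged-in version carries the logout link.
        if self.logged_in:
            return "<html><body>Welcome back. <a href='/logout'>Logout</a></body></html>"
        return "<html><body>Please <a href='/login'>log in</a> to continue.</body></html>"

    def send_test(self, test_id: str) -> None:
        if "logout" in test_id:
            self.logged_in = False


class SessionGuard:
    """Models In-Session Detection: poll the marked page, re-login on failure,
    replay since the last confirmed point in single-threaded mode."""

    def __init__(self, app: FakeApp, pattern: str, poll_every: int = 3) -> None:
        self.app = app
        self.pattern = re.compile(pattern)   # the marked in-session pattern
        self.poll_every = poll_every         # tests sent between polls ("threads")
        self.log: List[str] = []             # stands in for the Scan Log

    def in_session(self) -> bool:
        return self.pattern.search(self.app.get_in_session_page()) is not None

    def relogin(self) -> bool:
        self.log.append("Performing login")
        self.app.login()
        return self.in_session()   # confirm with the original pattern

    def run_tests(self, tests: List[str]) -> Tuple[List[str], List[str]]:
        """Return (performed, skipped) test ids."""
        performed: List[str] = []
        skipped: List[str] = []
        if not self.in_session() and not self.relogin():
            raise RuntimeError("Stopping scan due to out of session detection")
        single_threaded = False
        i = 0
        while i < len(tests):
            if single_threaded:
                # One test at a time, polling the in-session page after each.
                t = tests[i]
                self.app.send_test(t)
                if self.in_session():
                    performed.append(t)
                else:
                    skipped.append(t)   # this test invalidated the session
                    if not self.relogin():
                        raise RuntimeError("Stopping scan due to out of session detection")
                i += 1
                continue
            # Multi-threaded mode: send a batch, then poll once.
            batch = tests[i:i + self.poll_every]
            for t in batch:
                self.app.send_test(t)
            if self.in_session():
                performed.extend(batch)
                i += len(batch)
                continue
            # Out of session: re-login and replay the batch from the last
            # confirmed point (i is not advanced) in single-threaded mode.
            self.log.append("Out-of-session detected; re-login and replay")
            if not self.relogin():
                raise RuntimeError("Stopping scan due to out of session detection")
            single_threaded = True
        return performed, skipped


def demo() -> Tuple[List[str], List[str], int]:
    """Run a constructed test list; returns (performed, skipped, login count)."""
    guard = SessionGuard(FakeApp(), pattern=r"/logout", poll_every=3)
    performed, skipped = guard.run_tests(["t1", "t2", "t3-logout", "t4", "t5", "t6"])
    logins = guard.log.count("Performing login")
    return performed, skipped, logins


if __name__ == "__main__":
    print(demo())
```

In the demo the first batch loses the session, so the guard re-logs in, replays `t1` and `t2`, skips `t3-logout` as the culprit, and finishes the remaining tests one at a time; three "Performing login" entries end up in the simulated log (the initial login, the re-login after the batch, and the re-login after the skipped test).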



Common Issues and how to address them

There may be instances where Rational AppScan Standard detects it is out-of-session and is not able to successfully validate its marked in-session pattern. If this occurs, the following notification will be displayed in the UI followed by a 90 second countdown:

"Rational AppScan Standard has detected it is out-of-session and is trying to re-login"

During this time, the Scan Log will display multiple login requests until the scan eventually stops with this log entry:

Stopping scan due to out of session detection

There are several possibilities why this can occur:

  1. Server stopped responding:

    Rational AppScan Standard may not be able to get a response in a timely manner from the application due to it being overloaded or temporarily down. To test, try disabling the "In-Session Detection" check-box in the Session Information window, then continuing the scan. If it still stops due to communication issues, please see Communication errors displayed when scanning with Rational AppScan Standard for more details.

  2. Required session cookies or parameters were not automatically detected by Rational AppScan Standard in the login sequence:

    Rational AppScan Standard will automatically try to detect cookies or parameters in the login sequence that it believes to be related to the session state (i.e. "ASP.NET_SessionId", "JSESSIONID"). These will be listed on the Scan Configuration > Parameters and Cookies window.

    If there are other session identifiers that were not detected, add them to the Session IDs list and try continuing the scan. If you are not sure, try first adding all that show up in the login sequence and if Rational AppScan Standard is then able to remain in-session, you can go back and remove some IDs until the specific cookie or parameter is isolated. All parameters and cookies related to the login are listed at the bottom of the Details tab on the Login Management section of the Scan Configuration.

  3. In-Session page is not accessible when requested out-of-sequence:

    Because Rational AppScan Standard polls the In-Session page periodically throughout the course of its scan, it does not necessarily visit it in the same sequence as when the login sequence was recorded. If you suspect that the reason why Rational AppScan Standard is not able to remain in-session is caused by this type of configuration, try testing by exploring the sequence using your browser, copying the URL which Rational AppScan Standard is using as its In-Session page, continuing with a short explore of the application, then forcefully browsing to the page in question. If you are not able to see the text in the response that you had previously marked in the Rational AppScan Standard browser (Example: You are redirected to a customized error page), try selecting other pages as your In-Session page until you find one that permits this type of behavior.

  4. Detected In-Session page is a POST with the login parameters:

    If Rational AppScan Standard automatically detects a page as its In-Session page and you notice that it is not able to remain in-session throughout the scan, examine the marked page in the Session Information window by highlighting it and hitting the View button. If the page contains the username and password parameters, try selecting another page further down in the list, marking its pattern in the browser, then continuing the scan. If there is no other page to select, try re-recording the login sequence and include one extra page in the explore, then mark that page as your In-Session page.

    NOTE: If the scan does not stop due to in-session detection but you notice quite a large number of "Performing login" entries in the Scan Log during the Test Phase, perhaps a particular test or group of tests is causing Rational AppScan Standard to go out-of-session. To investigate further, try enabling the negative tests in the Scan Log (Tools > Options > Scan Options tab > Customize Scan Log and selecting Test ID [ID] is negative on: url (param)) and continuing the Test Phase. If you see numerous occurrences of one test being performed followed by the login sequence, consider excluding a commonly displayed page or parameter from testing, or modifying the Test Policy according to a common test being performed.

  5. Recording the login does not capture login page:

    When trying to record a login sequence, sometimes upon opening the recorded login browser, you are already logged into the application. If this occurs, close the recorded login browser, go to Internet Explorer and clear out the cookies (Tools > Internet Options > General) and delete all the cookies and temporary files. This should now allow you to record the complete login successfully.
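The Scan Log investigation suggested in the NOTE under item 4 (finding which negative test keeps being followed by a "Performing login" entry) can be done with a short script once the log is exported to text. This is an added example, not an AppScan tool; the log lines below are constructed, and their shape follows the `Test ID [ID] is negative on: url (param)` template quoted in the technote, which is an assumption about the exported format. The function name `suspect_tests` is hypothetical.

```python
import re
from collections import Counter
from typing import Tuple

# Constructed sample of an exported Scan Log with negative-test entries enabled.
SAMPLE_LOG = """\
Performing login
Test ID 100 is negative on: http://app.example/account (id)
Test ID 100 is negative on: http://app.example/account (view)
Test ID 200 is negative on: http://app.example/profile (name)
Performing login
Test ID 100 is negative on: http://app.example/search (q)
Test ID 200 is negative on: http://app.example/profile (email)
Performing login
Test ID 300 is negative on: http://app.example/help (topic)
Test ID 200 is negative on: http://app.example/profile (phone)
Performing login
Test ID 300 is negative on: http://app.example/help (lang)
"""

# Assumed line shape: "Test ID <id> is negative on: <url> (<param>)"
TEST_LINE = re.compile(r"^Test ID (\S+) is negative on: (\S+) \((.*?)\)\s*$")
LOGIN_LINE = "Performing login"


def suspect_tests(log_text: str) -> Tuple[Counter, Counter, int]:
    """Count which test ids and which URLs immediately precede a re-login.

    Returns (by_test_id, by_url, number_of_login_entries). A test id or URL
    that dominates the first two counters is the candidate to exclude from
    testing or to adjust in the Test Policy.
    """
    by_test: Counter = Counter()
    by_url: Counter = Counter()
    logins = 0
    last_test = None   # (test_id, url, param) of the most recent negative test
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == LOGIN_LINE:
            logins += 1
            if last_test is not None:
                test_id, url, _param = last_test
                by_test[test_id] += 1
                by_url[url] += 1
            last_test = None   # a login resets the "preceding test" state
            continue
        m = TEST_LINE.match(line)
        if m:
            last_test = (m.group(1), m.group(2), m.group(3))
    return by_test, by_url, logins


if __name__ == "__main__":
    by_test, by_url, logins = suspect_tests(SAMPLE_LOG)
    print("logins:", logins)
    print("tests preceding a login:", by_test.most_common())
    print("URLs preceding a login:", by_url.most_common())
```

On the constructed sample every re-login after the first is preceded by test 200 against `/profile`, so both counters point at the same candidate; on a real export, compare the top entries of the two counters, since a single URL hit by many tests and a single test hitting many URLs call for different remedies (page exclusion versus a Test Policy change).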


Related information

