to track a Session ID located in the URL Path

2010-08-11 15:44:18 / Personal category: IBM Appscan Security Scan

Technote (FAQ)
Question
How can IBM Rational AppScan Standard Edition be configured to track a URL that contains a Session ID in the path?
Cause

The SessionID appears in the URL, where 'abc34f3fa135' is the session ID, as seen here:
http://domain.name/dir/subdir/abc34f3fa135/anotherdir?param=val
Answer
  1. If Rational AppScan Standard does not track the Session ID correctly, it will frequently fall out of session. In order to track this particular Session ID, the following steps need to be configured under Scan Configuration > Parameters and Cookies > Advanced: Custom Parameters:
    1. Add a new Custom Parameter (use the plus sign, +, in the top right)
    2. In the Add Custom Parameter dialog, enter a name for the Custom Parameter rule in the Reference Name field
    3. Enter the regular expression needed in the Pattern field (Example: (abc[a-zA-Z0-9]+))
    4. Leave the Value Group Index and Name Group Index settings at their defaults
    5. Select Path as the Location value
    6. Click OK to save and apply the changes

  2. This creates the rule by which Rational AppScan Standard can recognize the Custom Parameter. Once this has been completed, it is necessary to enter the parameter and set its value to be tracked under the Parameters and Cookies tab of the same Scan Configuration entry by doing the following:
    1. Add a new Parameter (using the plus sign, +, in the top right)
    2. Set the Type to Custom Parameter
    3. Select the Reference Name of the previously defined rule from the drop-down list
    4. Enable the Track this parameter during scan check-box
    5. Set Track Type to 'Login Value (Recommended)' or Dynamic as appropriate
    6. Click OK to save and apply the changes

  3. With both of these steps complete, a re-scan of the application is required from Scan > Re-Scan > (Full Scan or Re-Explore).

  4. Finally, if the login sequence includes a URL that contains the in-path Session ID, then the Custom Parameter rule must be set up before recording the login sequence. This may require that any existing login sequences be re-recorded so that Rational AppScan Standard can track the Session ID properly.
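The following Python script is an added illustration, not code from IBM or from AppScan, of what the Custom Parameter rule above asks the scanner to do: apply the Pattern to each segment of the URL path, take the capture group selected by the (default) Value Group Index as the session value, and substitute the session value obtained at login into later requests that were recorded with a stale one. The pattern is the technote's example, so the literal prefix abc is an assumption carried over from the sample session ID abc34f3fa135; a real application needs a pattern that matches its own token format. The URLs and session values are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Pattern from the technote's example. "abc" is the literal prefix of the sample
# session ID; for a real application this is replaced by its own token format (assumption).
SESSION_ID_PATTERN = re.compile(r"(abc[a-zA-Z0-9]+)")
# AppScan's "Value Group Index" left at its default: the first capture group holds the value.
VALUE_GROUP_INDEX = 1


def extract_path_session_id(url):
    """Return the session ID found in a URL path segment, or None if no segment matches.

    Matching is done per path segment (Location = Path in the technote), so the
    pattern cannot spill across the '/' separators into neighbouring directories.
    """
    for segment in urlsplit(url).path.split("/"):
        match = SESSION_ID_PATTERN.search(segment)
        if match:
            return match.group(VALUE_GROUP_INDEX)
    return None


def replace_path_session_id(url, new_session_id):
    """Rewrite the in-path session segment of url to carry new_session_id.

    URLs without a matching segment are returned unchanged; query string,
    scheme and host are preserved.
    """
    parts = urlsplit(url)
    segments = parts.path.split("/")
    replaced = False
    for i, segment in enumerate(segments):
        if SESSION_ID_PATTERN.search(segment):
            segments[i] = SESSION_ID_PATTERN.sub(new_session_id, segment)
            replaced = True
    if not replaced:
        return url
    return urlunsplit(parts._replace(path="/".join(segments)))


def retarget_recorded_requests(recorded_urls, login_response_url):
    """Simulate "Track Type = Login Value": take the session ID from the URL the
    application redirected to after login and apply it to every recorded request.

    Returns the rewritten URL list. Without this step the recorded URLs keep the
    session ID from the recording time and the scan falls out of session.
    """
    current_sid = extract_path_session_id(login_response_url)
    if current_sid is None:
        # Nothing to track: the login URL does not carry an in-path session ID.
        return list(recorded_urls)
    return [replace_path_session_id(u, current_sid) for u in recorded_urls]


if __name__ == "__main__":
    # Constructed sample data: the technote's example URL, plus a fresh login.
    recorded = [
        "http://domain.name/dir/subdir/abc34f3fa135/anotherdir?param=val",
        "http://domain.name/dir/subdir/abc34f3fa135/account/settings",
        "http://domain.name/public/help",  # no session ID in the path
    ]
    fresh_login = "http://domain.name/dir/subdir/abc77d0e91ff/home"
    for url in retarget_recorded_requests(recorded, fresh_login):
        print(url)
```

The per-segment matching is the reason the technote's Location value matters: the same regular expression applied to the whole URL could match part of a longer path or query value, whereas restricting it to a path segment keeps the tracked value aligned with exactly one directory position.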
