
IBM AppScan Overview & Scanning Features

Table of Contents
1.0 Document Purpose ............................................................................................................... 4
2.0 Intent of the Task ................................................................................................................. 4
3.0 Overview .............................................................................................................................. 5
4.0 Dashboard............................................................................................................................. 6
5.0 Scanning stages .................................................................................................................... 7
5.1 Explore Stage .................................................................................................................... 7
5.2 Test Stage ......................................................................................................................... 7
6.0 Scan Configuration ............................................................................................................... 8
EXPLORE....................................................................................................................................... 8
6.1 URL/Servers ..................................................................................................................... 8
6.2 Login Management ........................................................................................................... 9
6.3 Environment Definition .................................................................................................... 9
6.4 Exclude Paths and Files .................................................................................................... 9
6.5 Explore Options: ............................................................................................................... 9
6.6 Parameters and Cookies.................................................................................................. 11
6.7 Automatic Form Fill ....................................................................................................... 12
6.8 Error Pages ..................................................................................................................... 12
6.9 Multi-Step Operations .................................................................................................... 12
6.10 Content-Based Results .................................................................................................... 13
7.0 CONNECTION .................................................................................................................. 13
Communication and Proxy ........................................................................................................ 13
7.1 Communication .............................................................................................................. 13
7.2 Proxy............................................................................................................................... 13
7.3 Platform Authentication ................................................................................................. 13
8.0 TEST .................................................................................................................................. 14
8.1 Test policy ...................................................................................................................... 14
8.2 Test Options .................................................................................................................... 16
8.3 Malware Test .................................................................................................................. 18
9.0 Reports ............................................................................................................................... 18
9.1 Security report ................................................................................................................ 18

9.2 Industry standard report .................................................................................................. 18
9.3 Regulatory compliance report ........................................................................................ 19
9.4 Delta analysis report ....................................................................................................... 19
10.0 Auxiliary tasks .................................................................................................................... 19
10.1 Manual Exploring............................................................................................................ 20
10.2 Privilege escalation ......................................................................................................... 20
10.3 Scheduling ....................................................................................................................... 21
10.4 Exporting scan results ..................................................................................................... 21
11.0 Quick Guideline .................................................................................................................. 22
12.0 Reference: ........................................................................................................................... 22

1.0 Document Purpose
This document describes the Protection Services methodology, procedure and process for
using the IBM AppScan vulnerability scanner within the Supervalu environment.

2.0 Intent of the Task

The intent of the task is to learn the IBM AppScan scanning features.

3.0 IBM AppScan Overview
As the value of the corporate assets that are accessible through Web applications grows daily, so
does the threat of damage and loss due to hacking. Hackers have compromised valuable
corporate brands, gained access to mission critical and highly sensitive information thought to be
far out of reach of the application user, and stolen goods from eCommerce companies. This is
just a sample of the kinds of threats businesses face every day they are open for business online.

The skill and vigilance of application developers and site administrators are not enough. Because
of the dynamic nature of Web applications and the sheer number of them in a typical site,
preventing attacks is highly complex, and vulnerabilities inevitably slip through the development
process and onto the computer screens of hackers with the experience and determination to
exploit them.

IBM AppScan is a flexible and efficient Web application security assessment tool. With
AppScan, users can identify vulnerabilities in a Web site before attackers do. Early detection
and resolution of Web application vulnerabilities decreases the risk of attack and saves valuable
time and resources. Using Rational AppScan throughout the application life cycle standardizes
security auditing tests and schedules. It also lowers the total cost of ownership, as Rational
AppScan flags possible vulnerabilities before they become actual security risks.

The IBM AppScan scan engine operates by traversing a Web application, analyzing and testing
the application for security and compliance issues, and generating actionable reports with fix
recommendations to simplify the remediation process. It saves users from being inundated with
vulnerability data by providing intelligent fix recommendations and advanced remediation
capabilities, including comprehensive task lists that guide in fixing vulnerabilities uncovered
during the scan, which helps improve the organization’s overall security posture. Packaging the
best practices of vulnerability experts, IBM AppScan supports more successful scanning for
users with little Web application security experience, and also assists knowledgeable users in
addressing application issues more efficiently.

4.0 IBM AppScan Dashboard
The AppScan main screen contains a menu bar, a toolbar, a View Selector and three data panes:
the Application Tree, the Result List and the Detail Pane. Before a scan, the three data panes and
the dashboard are empty, as shown in Figure 1.0 below.

Fig: 1.0. Main Screen.

View Selector: Selects the type of data displayed in the three panes.

Application Tree: Shows all the directories, URLs and files that AppScan gathers during the
Explore stage.

Result List: During the Test stage, shows all the vulnerabilities found in the application, with
the affected URLs and parameters.

Detail Pane: Shows relevant details for the vulnerability selected in the Result List, in three
tabs: Advisory, Fix Recommendation and full Request/Response.

Dashboard: Shows information about the current results in the form of panels that can be
viewed in progression.

5.0 Scanning stages
An AppScan scan consists basically of two stages: Explore and Test.

5.1 Explore Stage

During the first stage, AppScan explores the site, Web service or Web application by simulating
a Web user clicking on links and filling in form fields. Rational AppScan software identifies
requests and responses, and pinpoints parameters, cookies, JavaScript code and other such
entities. It then analyzes these entities, looking for any indication of a potential vulnerability as
defined in its comprehensive database of rules. For each identified potential vulnerability,
Rational AppScan software automatically creates tests based on the original request or response.
Those tests are sent and validated during the Test stage.

5.2 Test Stage

AppScan sends thousands of custom test requests that it created during Explore. It records and
analyzes the application's responses, identifying security problems and ranking their level of
security risk.

6.0 Scan Configuration
This guide deals with standard application scan configuration using the Configuration Wizard,
as shown in Figure 1.1 below.

Fig 1.1 Scan Configuration

EXPLORE

6.1 URL/Servers: Type the application's URL into the Starting URL field.

Case Sensitive Path: When this checkbox is selected (default), links that differ from
each other only by case are treated as different pages. For example, "ReadMe.as" would
be considered different from "readme.as". In most cases the user should select the checkbox
for Unix-based servers and clear it for Windows-based servers.

Additional Servers and Domains: If the application includes servers or domains other
than those of the Starting URL, those URLs should be added in this section.

6.2 Login Management: The Login Management step of the wizard allows the user to select one
of the following methods for AppScan to use when it encounters login pages during a scan:
1) Recorded Login, 2) Prompt, 3) Automatic and 4) None.

Recorded Login: If the user selects this option, AppScan uses a login procedure that the user
records, filling in fields and clicking on links like a real user. This is the recommended
login method.

Prompt: If login requires human interaction each time (such as Two-Factor
Authentication, One-Time Passwords, or CAPTCHA), select the Prompt option.

Automatic: If AppScan can log in to the site using a username and password only, without
a special procedure, select this option and enter the Username and Password.

None: Select this option only if the application does not require logging in, or if for some
other reason the user does not want AppScan to log in.

6.3 Environment Definition: Environment definition is not essential, but it enables AppScan
to safely refrain from sending non-relevant tests during the scan, resulting in a faster and more
accurate scan.

6.4 Exclude Paths and Files: In this section AppScan can be configured to ignore certain
paths in the application, or specific types of file. However, the user should apply exclusions
with caution, as the excluded areas may contain important issues.

6.5 Explore Options:

Scan Limits: The Scan Limits determine how deeply (or how quickly) Rational AppScan
explores the application.

Redundant Path Limit: AppScan will not access the same path more than the
specified number of times. A particular path may be visited several times if it
appears with different parameters. This limit is relevant mainly for scripts.

Depth Limit: AppScan will not access pages that can only be reached by clicking more
than the specified number of links.

Link Limit: AppScan will access no more than this maximum number of links.
This is the total number of visited URLs, including duplicate URLs explored with
different parameters.

JavaScript: The JavaScript and Flash options determine whether Rational AppScan
should ignore or scan these scripts.

Parse JavaScript code to discover URLs: AppScan will parse JavaScript code
as text data to collect links.

Execute JavaScript to discover URLs and dynamic content: AppScan will
execute JavaScript code and analyze the results to collect links, including
dynamic links that may not be discovered by parsing alone.

Execute JavaScript when replaying login: If the application's login page uses
JavaScript code, this checkbox must be selected for AppScan to be able
to log in during scanning.

Flash

Parse Flash to discover URLs: AppScan will parse Flash code as text data to
collect links.

Play Flash Files to discover potential vulnerabilities: AppScan will play Flash
files to discover links that may not be discovered by parsing alone.

Explore Method

Breadth First: AppScan explores page by page, exploring all links on one page
before continuing to the next.

Depth First: AppScan explores link by link, following each new link as soon as it is found.

Encoding: AppScan generally detects the application's encoding method
automatically. If the content of responses in the scan results looks distorted, this
may mean that the encoding method was not correctly identified. To solve this
problem, select the correct encoding method from the drop-down list.

Fig. Explore Options
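The Scan Limits and Explore Method settings above can be pictured as pruning rules on a crawl. The following Python simulation is an added example (not AppScan code) that applies a depth limit, a link limit and a redundant path limit to a small constructed in-memory site graph and shows how Breadth First and Depth First ordering differ.

```python
"""Simulation of AppScan's Explore limits on a constructed in-memory site.

Added illustration, not AppScan code: it models how the Depth Limit, Link Limit
and Redundant Path Limit prune an exploration, and how Breadth First and Depth
First ordering differ. The site graph below is constructed for the example.
"""
from collections import deque
from urllib.parse import urlsplit

# Constructed site: each URL maps to the links found on that page.
SITE = {
    "/": ["/about", "/search?q=a", "/search?q=b", "/search?q=c", "/login"],
    "/about": ["/team", "/"],
    "/team": ["/team/alice"],
    "/team/alice": ["/team/alice/cv"],
    "/team/alice/cv": [],
    "/search?q=a": ["/item?id=1"],
    "/search?q=b": ["/item?id=2"],
    "/search?q=c": ["/item?id=3"],
    "/item?id=1": [], "/item?id=2": [], "/item?id=3": [],
    "/login": [],
}


def explore(site, start="/", depth_limit=None, link_limit=None,
            redundant_path_limit=None, method="breadth"):
    """Return the list of URLs visited, in visit order.

    depth_limit: maximum number of clicks away from the start page.
    link_limit: maximum total visited URLs (duplicate paths with different
                parameters count separately, as the Link Limit does).
    redundant_path_limit: maximum visits of the same path, ignoring the
                query string (the Redundant Path Limit).
    method: "breadth" (page by page) or "depth" (link by link).
    """
    frontier = deque([(start, 0)])
    visited = []
    seen = set()
    path_counts = {}
    while frontier:
        # Breadth First takes the oldest queued link, Depth First the newest.
        url, depth = frontier.popleft() if method == "breadth" else frontier.pop()
        if url in seen:
            continue
        if link_limit is not None and len(visited) >= link_limit:
            break
        path = urlsplit(url).path
        if redundant_path_limit is not None and path_counts.get(path, 0) >= redundant_path_limit:
            continue  # same script seen often enough with other parameters
        seen.add(url)
        visited.append(url)
        path_counts[path] = path_counts.get(path, 0) + 1
        if depth_limit is not None and depth >= depth_limit:
            continue  # page is visited, but its links are not followed
        links = site.get(url, [])
        if method == "depth":
            links = reversed(links)  # so the first link on the page is popped first
        for link in links:
            if link not in seen:
                frontier.append((link, depth + 1))
    return visited


if __name__ == "__main__":
    print("No limits, breadth first:", explore(SITE))
    print("Depth limit 1:", explore(SITE, depth_limit=1))
    print("Redundant path limit 1:", explore(SITE, redundant_path_limit=1))
    print("Link limit 4:", explore(SITE, link_limit=4))
    print("No limits, depth first:", explore(SITE, method="depth"))
```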

6.6 Parameters and Cookies: This view is used to manage the global list of parameters and
cookies that AppScan receives from the application, as well as custom parameters. During the
Explore stage, AppScan automatically detects cookies and HTML parameters that are likely to
be session IDs and adds them to this list. The user can manually add cookies and parameters
that they know to be session IDs.

The application may have parameters and cookies whose values the user does not want AppScan
to manipulate during tests. To make sure that Rational AppScan does not change these parameters
and cookies, exclude them from tests. For example, the application might lock a user session if
certain cookie or parameter values are changed. The user should exclude these parameters from
manipulation. If they are not excluded, Rational AppScan may not be able to complete the scan
successfully, as changing these cookies will lock Rational AppScan out of the application.

6.7 Automatic Form Fill: Automatic Form Fill values are the values AppScan uses to fill forms
in the application. There are default values for many of these, and they are automatically updated
to include any values the user enters during a "Recorded Login". This view allows the user to
view, add to and edit these values.

6.8 Error Pages: When AppScan gets a 404 error page in response to a test, it records the test as
failed, since this response indicates that the site successfully recognized the request as illegal.
However, Web applications and servers often use customized or dynamically generated 404 error
pages that may be hard to recognize automatically. AppScan attempts to recognize customized
404 error pages, but in some cases may not succeed. If it receives a custom error page and does
not recognize it as such, it records the result as positive where in fact it should be negative.
This is a "false positive" result.

By default the Error Pages list includes standard error page definitions. For each definition,
the type and value are shown.

If the application's error pages are not covered by the definitions in this list, the user should
add the strings, regexps and URLs that will enable AppScan to recognize the error pages.
Doing this reduces the number of "false positives" in the scan results.
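As an added illustration (not AppScan code), the following Python classifier applies error-page definitions of the three types listed above (string, regexp and URL) to constructed sample responses, and shows how a custom error page returned with HTTP 200 is recorded as a positive result until a matching definition is added.

```python
"""Recognising custom error pages so a test is not recorded as a false positive.

Added illustration, not AppScan code. The definition types (string, regexp,
URL) mirror the Error Pages list; the definitions and sample responses below
are constructed for the example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Response:
    """A test response as a scanner would record it (constructed)."""
    url: str      # final URL after any redirect
    status: int
    body: str


# Constructed Error Pages definitions: (type, value).
ERROR_PAGE_DEFINITIONS = [
    ("string", "The page you requested could not be found"),
    ("regexp", r"(?i)error\s+\d{3}\s*[-:]\s*not\s+found"),
    ("url", "/errors/notfound.aspx"),
]


def is_error_page(resp, definitions=ERROR_PAGE_DEFINITIONS):
    """True if the application rejected the request: a standard 404, or a
    response matching one of the custom error-page definitions."""
    if resp.status == 404:
        return True
    for kind, value in definitions:
        if kind == "string" and value in resp.body:
            return True
        if kind == "regexp" and re.search(value, resp.body):
            return True
        if kind == "url" and urlsplit(resp.url).path == value:
            return True
    return False


def classify_test(resp, definitions=ERROR_PAGE_DEFINITIONS):
    """'failed' when the site recognised the test request as illegal,
    'positive' when the response looks like a real page (a potential finding)."""
    return "failed" if is_error_page(resp, definitions) else "positive"


# Constructed sample responses to test requests.
SAMPLE_RESPONSES = [
    Response("/app/missing.aspx", 404, "Not Found"),
    Response("/app/missing.aspx", 200,
             "<h1>Oops</h1><p>The page you requested could not be found.</p>"),
    Response("/app/orders.aspx", 200, "<title>Error 404 - Not Found</title>"),
    Response("/errors/notfound.aspx", 200, "<p>Sorry, nothing here.</p>"),
    Response("/app/account.aspx", 200, "<p>Account balance: 42</p>"),
]


def false_positive_candidates(responses, definitions):
    """URLs that would be reported as positive with the given definitions
    although they are error pages under the full definition list."""
    return [r.url for r in responses
            if classify_test(r, definitions) == "positive" and is_error_page(r)]


if __name__ == "__main__":
    print("Without custom definitions:",
          false_positive_candidates(SAMPLE_RESPONSES, []))
    print("With custom definitions:",
          false_positive_candidates(SAMPLE_RESPONSES, ERROR_PAGE_DEFINITIONS))
```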

6.9 Multi-Step Operations: This view is used when parts of the application can only be reached
by sending requests in a specific order.

Consider, for example, an online shop where the user visits pages in the following order:

Page 1: User adds one or more items to a shopping cart

Page 2: User fills in payment and shipping details

Page 3: User receives confirmation that the order is complete

Page 2 can be reached only via Page 1. Page 3 can be reached only via Page 1 followed by Page
2. This is a sequence. In order to be able to test Pages 2 and 3, AppScan must send the correct
sequence of HTTP requests before each test.

6.10 Content-Based Results:

Use this view to define a logical structure for the application tree if AppScan cannot build
one from the URL structure.

If the site content is structured in such a way that the URLs reflect a folder-like hierarchy,
the scan results will automatically reflect this, making them easy to navigate.

If the site uses "breadcrumbs" or other "content-based" navigational methods, so that the
URLs do not indicate the user's "location" within the site, it is recommended to configure
AppScan here so it can present the scan results in an easily understood format, rather than
as long lists of results under one or two URLs. This is not essential, but it makes it easier
to navigate the results.

7.0 CONNECTION

Communication and Proxy

7.1 Communication:

Time Out: Set the time limit for AppScan to wait for a response from the web server.

Number of Threads: Set the maximum number of threads that will be explored/tested
simultaneously.

7.2 Proxy

Use Internet Explorer connection settings: Select this to use the Address and Port of
the Internet Explorer connection.

Use Proxy: Lets user define the proxy used to access application.

Configure Proxy Authentication: Click this link to enter the Name, Password and Domain
for proxy authentication.

7.3 Platform Authentication: If the application requires NTLM or HTTP authentication,
enter the Username, Password and Domain for AppScan to use during scanning here.

Client-Side Certificate: If the web application server uses client-side certificates to
verify user identity, Rational AppScan will need to have one. Rational AppScan supports
one client-side certificate per scan, and requires the certificate to be in .pem format.

8.0 TEST

8.1 Test policy: The number of possible Rational AppScan tests for a site can reach the
thousands. Rather than manually filtering the large number of tests and test variants, the user
can set a general policy for the types of test that should, or should not, be run on the
application. The user can also import one of the other predefined policies and edit the
current policy.

Test name: Lists all AppScan tests. Tests that are checkmarked are included in the
current policy. User can edit the policy by selecting/deselecting tests.

Policy Description: Description of the current policy. To edit, just type into the field.

Update Settings link: This link opens a dialog box that lets user define which types of
test can be added to this policy when new tests are added to the database.

Advisory and Fix Recommendation tabs: View the Advisory and Fix Recommendation
tabs for any test. User can also Edit any Advisory to own specifications, or Reset to
Default an Advisory that has been edited.

Policy files: Load an existing Test Policy by clicking one of the Recent Policies, or
Predefined Policies.

8.2 Test Options: This view is used to configure various settings that affect the length and
thoroughness of the scan, as shown in the screenshot below. The default settings are sufficient
in most cases.

Use Adaptive Testing: AppScan can send many thousands of tests to a site. However, in
order to reduce scan time, it can send preliminary tests that intelligently determine which
tests are appropriate to send and which can be dispensed with. This is "Adaptive
Testing", and it can greatly reduce scan time without sacrificing efficiency.

Clear this checkbox if the user wants AppScan to send all its tests to the site.

Allow Multiphase Scanning: AppScan analyzes responses to the tests that it sends to the
application. From this analysis, AppScan frequently discovers additional content, such as
links that were invisible on the first ″phase″ of the scan. Multiphase scanning enables
AppScan to repeat the Explore and Test stages on this newly detected content. (The
additional phase is usually shorter, as it involves the new links only.)

Multiphase Scanning is configured by default to allow a maximum of 4 scan phases.

Note that multiphase scanning applies only when the user runs a Full Scan. If the user uses
the Explore Only and Test Only functions, the result will be a single-phase scan.

Send Tests on Login and Logout pages: It is recommended to allow AppScan to test
login and logout pages, unless the application locks out users who provide illegal input,
or the application flow would be altered by AppScan testing these pages.

Clear Session Identifiers before testing login pages: (Active only if previous checkbox
is selected.) It is recommended to leave this checkbox selected. Deselect it only if user is
sure that the application’s login pages cannot be tested without valid session tokens.

Analyze results for inadvertently-triggered issues: When selected, AppScan analyzes
each test response for additional security issues over and above the specific issue tested
for. Deselect this option if the application is very large, or if scans produce a large
number of false-positive results.

Include all variants of each issue: (Active only if previous checkbox is selected.) When
selected, AppScan analyzes all variants of each inadvertently-triggered issue; when
deselected, only one variant per issue is analyzed. Selecting this checkbox is not usually
necessary, and can significantly increase scan time.

Save Non-Vulnerable Test Variant Information: During a scan, AppScan sends many
thousands of test variants to the site it is testing. The responses to many of these indicate
that they do not pose a security threat of any kind, and by default AppScan discards all
these "non-vulnerable" results, considerably reducing the volume of result data.

If the user selects this checkbox, AppScan will save all non-vulnerable variants. A warning
will appear that this option may reduce AppScan performance and significantly increase the
disk space required.

Apply previous noise classifications to new scans: If in a previous scan the user classified
one or more issues as "Noise" (not relevant to the application), the same settings are
automatically applied to future scans unless the user deselects this checkbox.

8.3 Malware Test: Analyzes pages and links found on the site for malicious or otherwise
unwanted content.

9.0 Reports

There are various different templates for Security reports. Each template is a set of content topics
that are relevant to different audiences within the organization. The topics contain scan results
from each of the views (Security Issues, Remediation Tasks, Application Data), formatted for
easy printing, readability, and rapid comprehension of what the results mean, why they are
relevant, and how to fix them.

9.1 Security report: There are six content options for the security report:

Executive summary: provides a statistical summary formatted as tables and charts.

Detailed: includes full details in addition to the executive summary.

Remediation: lists the remediation tasks required to resolve the discovered
vulnerabilities.

Developer: lists issues, remediation tasks and application data.

QA: lists advisory and fix recommendations, application data and visited URLs.

Site inventory: lists visited URLs and application data.

9.2 Industry standard report: The industry standard report lets the user know whether the
application complies with the standards of a selected industry committee, for example:

Open Web Application Security Project (OWASP) Top 10

System Administration, Networking, and Security Institute (SANS) Top 20 V5

SANS Top 20 V6

Web Application Security Consortium (WASC) Threat Classification

PCI DSS

International Standard – ISO 17799

International Standard – ISO 27001

9.3 Regulatory compliance report: The regulatory compliance report lets the user know whether
the application complies with regulations or legal standards (such as the Health Insurance
Portability and Accountability Act [HIPAA], the Gramm-Leach-Bliley Act [GLBA], the Children's
Online Privacy Protection Act [COPPA], PCI, ISO 17799, Sarbanes-Oxley, California Senate
Bill [SB] 1386 and Assembly Bill [AB] 1950, and European Directive 1995/46/EC).

Users can also create their own regulatory compliance template to match internal policies or to
support any compliance requirements that are not offered with the AppScan software.
Defining a policy involves creating a simple XML file that provides information about
the policy, the different sections within it, and instructions as to which issues, risks, causes
or threat classes imply a violation (see the user guide for more detailed instructions).

9.4 Delta analysis report: The delta analysis report compares the current scan with a saved
scan, or two saved scans, to help evaluate whether the security situation has improved or
deteriorated. When comparing scans, the earlier scan is usually selected as the base scan and
the later one as the target scan. The user can also choose to compare application URLs and/or
security issues.
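The comparison described above comes down to a few set operations. The following Python script is an added example (not AppScan code and not its report format) that keys each issue the way the Result List identifies it (issue type, URL, parameter) and compares two constructed scan result sets as base and target, reporting new, fixed, unchanged and re-rated issues plus the URL delta.

```python
"""Delta analysis between a base scan and a target scan.

Added illustration, not AppScan code. The two scan result sets and the
severity weights are constructed for the example.
"""
from collections import namedtuple

# One issue as the Result List identifies it; parameter is "" when the issue
# is not tied to a parameter.
Issue = namedtuple("Issue", "issue_type url parameter severity")

# Constructed weights used only to decide the overall trend.
SEVERITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

BASE_SCAN = [  # earlier scan (constructed)
    Issue("SQL Injection", "/login.aspx", "username", "High"),
    Issue("Cross-Site Scripting", "/search.aspx", "q", "High"),
    Issue("Missing HttpOnly Cookie", "/", "ASP.NET_SessionId", "Low"),
    Issue("Directory Listing", "/images/", "", "Medium"),
]
TARGET_SCAN = [  # later scan (constructed)
    Issue("Cross-Site Scripting", "/search.aspx", "q", "Medium"),
    Issue("Missing HttpOnly Cookie", "/", "ASP.NET_SessionId", "Low"),
    Issue("Cross-Site Scripting", "/feedback.aspx", "comment", "High"),
]


def issue_key(issue):
    return (issue.issue_type, issue.url, issue.parameter)


def delta_issues(base, target):
    """Compare security issues: fixed (only in base), new (only in target),
    unchanged (same severity in both) and rerated (severity differs)."""
    b = {issue_key(i): i for i in base}
    t = {issue_key(i): i for i in target}
    common = b.keys() & t.keys()
    return {
        "fixed": sorted(b.keys() - t.keys()),
        "new": sorted(t.keys() - b.keys()),
        "unchanged": sorted(k for k in common if b[k].severity == t[k].severity),
        "rerated": sorted((k, b[k].severity, t[k].severity)
                          for k in common if b[k].severity != t[k].severity),
    }


def delta_urls(base, target):
    """Compare the application URLs that carry issues in either scan."""
    b = {i.url for i in base}
    t = {i.url for i in target}
    return {"removed": sorted(b - t), "added": sorted(t - b), "common": sorted(b & t)}


def risk_score(issues):
    return sum(SEVERITY_WEIGHT[i.severity] for i in issues)


def trend(base, target):
    """'improved', 'deteriorated' or 'unchanged' by weighted severity score."""
    delta = risk_score(target) - risk_score(base)
    if delta == 0:
        return "unchanged"
    return "improved" if delta < 0 else "deteriorated"


def report(base, target):
    """Plain-text delta report lines."""
    d = delta_issues(base, target)
    lines = [f"Trend: {trend(base, target)} "
             f"(score {risk_score(base)} -> {risk_score(target)})"]
    for label in ("new", "fixed", "unchanged"):
        for k in d[label]:
            lines.append(f"{label:9} {k[0]} at {k[1]} [{k[2] or '-'}]")
    for k, old, new in d["rerated"]:
        lines.append(f"rerated   {k[0]} at {k[1]} [{k[2]}] {old} -> {new}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASE_SCAN, TARGET_SCAN)))
```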

10.0 Auxiliary tasks

Some auxiliary tasks that are common but not part of the standard workflow are:

Manual exploring
Privilege escalation
Scheduling scans
Exporting scan results

10.1 Manual Exploring: A manual explore task allows the user to browse the application manually,
clicking on links and entering data. There are three reasons a user might consider exploring
manually rather than automatically:

To explore a specific user process (the URLs, files and parameters that a user accesses
in a given scenario).

To pass anti-automation mechanisms (such as the requirement to type in a random word
displayed as an image).

To fill in the required data in any interactive URLs detected during automatic scans.

The user can record a manual explore task at any point in the scan, whether the scan has started
or not, and can mix automatic and manual exploring. Users can right-click identified
interactive URLs in the Application Data view to submit them manually.

Manual explore tasks usually result in new URLs being found and new tests being created. The
user should then continue the full scan, or the test phase only, to submit these new tests.

10.2 Privilege escalation: AppScan can refer to scans that were run with different user
privileges in order to investigate the extent to which privileged resources might be accessible to
users with insufficient access permissions:

By comparison with a higher-privileged user: The user points Rational AppScan to scan results
obtained with a higher level of access permissions than the current scan, and Rational AppScan
uses the current permissions to try to access the additional links that were available to the
higher-level user.

By comparison with a non-authenticated user: The user points Rational AppScan to results that
were obtained without user authentication. Rational AppScan then runs a scan using the current
authentication, notes the new links it accesses and attempts to access those links without
authentication. The scan results indicate where these attempts were successful.

10.3 Scheduling: User can schedule scans to start automatically at a specified date and time,
or at regular intervals.

10.4 Exporting scan results: User can export the complete scan results as an XML file or as a
relational database. (The relational database option exports the results into a Firebird database
structure. This is open source and follows Open Database Connectivity [ODBC] and Java
Database Connectivity [JDBC] standards.)

11.0 Quick Guideline
1. Select a Scan Template.

2. Open the Scan Configuration Wizard and choose either Web Application Scan or Web Service
Scan.

For an Application Scan:

a. Type in the Starting URL.

b. (Recommended) Perform the login procedure manually.

c. (Optional) Review the Test Policy.

3. (Optional) Scan Expert:

a. Run Scan Expert to review the effectiveness of the configuration for the application being
scanned.

b. Review the suggested configuration changes and apply them selectively.

Note: The user can also configure Scan Expert to perform its analysis, and apply some of its
recommendations, automatically when the scan starts.

4. Start the Automatic Scan.

5. Review the results and, as required:

a. Perform an additional manual Explore for links that were not discovered.

b. Review the remediation tasks.

12.0 Reference
http://www-01.ibm.com/software/awdtools/appscan/

Contact:

Vinit Kumar Malhotra

Sr Specialist, Supervalu Services India.

TATA CONSULTANCY SERVICES.

Email : vinit.malhotra@tcs.com,vinit.k.malhotra@supervalu.com

Contact : +91-9845622052
