Home
Reference
Review reference information for the product.
Folder Explorer topics
Learn about folder explorer topics.
Creating scans in the Folder Explorer
Learn how to create scan in the folder explorer.
Optimizing your scan with advanced configuration options
Use this task to configure an advanced scan with complex configuration. Use this method for web applications that require a lot of user interaction to navigate the application or if you would like to just test a specific area of your application.
Handling login and logout pages
Configure how the scan handles the login and logout pages of a web application. Use a login sequence to follow a complex login process or enter regular expressions for detecting logout pages that the scan will encounter. Logout pages are identified to prevent the scan from logging out of the application or website prematurely.

Reference
Review reference information for the product.
- Configuring Wizard topics
  Learn about configuring wizard topics.
- Folder Explorer topics
  Learn about folder explorer topics.
  - Creating scans in the Folder Explorer
    Learn how to use scan in folder explorer.
  - Creating scans in the Folder Explorer
    Learn how to create scan in the folder explorer.
    - Creating a QuickScan template using scan properties from AppScan Enterprise
      A QuickScan template comprises either a content scan job or an import job, plus a report pack. After you create scan templates in the Templates folder in the Folder list, they will automatically be available as scan templates to QuickScan users and to more advanced users who have their QuickScan View turned on in the Show Folder Explorer list. When a QuickScan user creates a scan, a job and report pack will be created based on the template, but will only appear to the QuickScan user as a scan.
    - Configuring a basic scan without security testing
      Use this task to configure a basic scan with minimal configuration. This scan will automatically discover more URLs to test in your web application. Use this method for an application that has a lot of static links and does not require a lot of user interaction. This scan does not test for security issues, but helps you start exploring your site to determine complete site coverage.
    - Configuring a security scan using scan properties in AppScan Enterprise
      Security scans should be performed in a preproduction environment, such as on a staging or Quality Assurance server. Doing so helps you contain the risks associated with performing security scans. Your preproduction environment should mirror the production environment as much as possible; the application should have the same executable files in both environments so that you know you are thoroughly testing your exposed applications. Security scans should also be integrated into your Software Development Life cycle (SDLC) process so that you can catch security issues before they make their way into your production environment.
    - How a security scan works
      A security scan has two distinct phases: Explore and Test.
    - Workflow for security testing
      A security scan requires careful configuration so that it can find all the URLs on your web application and then test them for vulnerabilities.
    - How JavaScript™ source code analysis works
      JavaScript™ Security Analyzer (JSA) performs static JavaScript source code analysis to detect a range of client-side issues, primarily DOM-Based Cross Site Scripting. JSA analyzes the HTML pages that AppScan® Enterprise collected during the Explore stage. JSA runs in parallel to the Test stage, or can be launched manually on existing Explore results at any time.
    - Optimizing your scan with advanced configuration options
      Use this task to configure an advanced scan with complex configuration. Use this method for web applications that require a lot of user interaction to navigate the application or if you would like to just test a specific area of your application.
      - Adding additional servers and domains to the scan
        To account for additional domains and multiserver environments, add any additional servers and domains to the scan's What to Scan page.
      - Finding more content
        An XRule is an XML script used to enhance the scanning of your website or application and to search the database for information that has been collected by a scan. When using it to enhance the ability of the job to scan a site, an XRule can find links inside a Flash file, find dynamically-created links inside JavaScript™, or get past a login routine.
      - Scanning WebSphere® Portals
        Specify the portal to scan.
      - Setting scan limits
        Set scan limits to focus the scan. You can limit the scan by the number of pages, the path of redundant content or click depth.
      - Excluding URLs from a scan
        Exclusions are used to exclude specific files, directories or file types from being analyzed during the scan. You might have a section of your site that would negatively affect the overall scan results if it was included in the analysis, possibly because it is under construction and has known issues. By excluding this section of your site, you can prevent it from affecting the report and dashboard results.
      - Normalizing URLs and forms
        Normalization rules help the scan job determine whether URLs and forms are unique so that they are not repeated incorrectly in your reports.
      - Defining parameters and cookies
        You might have parameters and cookies that require special treatment, such as Session IDs and parameters that you do not want the scan to manipulate.
      - Handling login and logout pages
        Configure how the scan handles the login and logout pages of a web application. Use a login sequence to follow a complex login process or enter regular expressions for detecting logout pages that the scan will encounter. Logout pages are identified to prevent the scan from logging out of the application or website prematurely.
        Improving application login through login configuration heuristics
        During application login, it can be challenging to get an automated program to correctly discover session identifiers, handle JavaScript™ execution, bypass security controls, or identify an "in-session page".
        Recording a login sequence
        Recording a login sequence lets you teach the scan the procedure for logging in to your site: which links to click, which text to enter in forms, and the order in which to do them.
        Logging into an application using credentials
        You can configure the username and password credentials so that the scan uses them automatically to log into an application.
        Identifying in-session pages
        Using in-session detection, the scan can detect whether or not it has been logged out of an application it is attempting to test. An in-session pattern is a pattern identified in a page, such as a logout link, that the scan can use to verify that it is still logged in. During a recorded login sequence, the scan identifies an in-session page. If this is not the page you want to use for in-session detection, you can change it.
        Identifying the logout page
        Logout pages are identified to prevent the scan from logging out of the application or website prematurely.
      - Completing web forms automatically
        Use Automatic Form Fill to supply a content scan job with values for form fields that it encounters. Using the field values that you provide, the scan can continue uninterrupted to discover more URLs and content for analysis.
      - Connecting to a web server
        Define the scan job's behavior as it connects to your network.
      - Authenticating to the website
        When the scan job encounters a page that requires Windows™ NT® authentication, it automatically provides the user name and password that you choose. You can add user names and passwords for authenticated pages. Client side certificates dictate whether the scan engine and manual explore/recorded login rely on a particular client certificate file or the service account's certificate store for authentication with the server they are trying to scan.
      - Identifying custom error pages so the scan recognizes them
        Custom error pages are used on websites to ensure that a user does not hit a "dead end" when they encounter a broken link. Instead, the error page guides the user to another page, such as a home page.
      - Configuring scanning for privacy statement links
        It is important that a website visitor can easily determine how data is going to be used when a website asks for information. A website's privacy policy will describe why data is being collected, who will be given access to the data and what types of rights the website visitor has regarding that data after it is submitted. Providing a link from a page that contains a form collecting personal data to the privacy policy governing that data is the best way of providing information to the user when they need it.
      - Manually exploring your site to add more URLs to the scan
        A Manual Explore means you will be indicating the exact URLs for the scan to test in the configuration (the scan will not automatically crawl to discover new URLs). Use this method for web applications that require a lot of user interaction to navigate the application or if you would like to just test a specific area of your application.
      - Correlating static analysis data with dynamic analysis data
        Import data from AppScan® Source to correlate its findings with an existing dynamic analysis security scan (AppScan Enterprise Server content scan job or an AppScan Standard import job).
      - Incremental scans
      - Test Optimization view
        Test Optimization uses AppScan®’s intelligent test filtering to achieve faster scans, when speed is needed, with minimal loss of issue coverage. You choose between four optimization levels depending on your needs.
      - Retesting a security issue
        Retesting a security issue provides a quick way to verify that you have indeed fixed an issue. Rather than running an entire job to see results, you can select one or more issues that you have fixed and retest them right away.
    - Capturing and Importing Traffic Data
    - Importing an action-based login file from AppScan Standard
      The action-based login capability in AppScan Standard produces the user's actual actions in the browser, rather than just the requests, and replays the sequence in the browser. Take advantage of this capability by creating an action-based login in AppScan Standard and importing it into AppScan Enterprise to help avoid out-of-session events during scanning.
    - Importing manual explore data from AppScan® Standard
      You can import data that is exported from AppScan® Standard version 7.x (and later) into AppScan Enterprise. Importing this data can save you time and reduce redundant work effort. Only the URLs (parameters and domains) and HTTP requests from the AppScan .exd file are imported.
    - Importing AppScan® data to use in reports
      An import job takes the results from a data file, and integrates it into the AppScan® Enterprise Server database. Imported data can be used to create reports and dashboards. It can also be combined with data from content scan jobs to create a complete picture of your issues.
- Triage with reports
  Reports are automatically generated after a job has run. They provide a way of managing issues so that you can helps you manage issues that are important to your organization and do so in a way that is supported both by the Enterprise Console's workflow and the workflows of other processes within your organization.
- Configuration Manager

Handling login and logout pages

Configure how the scan handles the login and logout pages of a web application. Use a login sequence to follow a complex login process or enter regular expressions for detecting logout pages that the scan will encounter. Logout pages are identified to prevent the scan from logging out of the application or website prematurely.

About this task

The Login Management page lets you select one of two methods for AppScan® to use when it encounters login pages during a scan:

Recorded login: Recording a login sequence lets you teach the scan the procedure for logging in to your site: which links to click, which text to enter in forms, and the order in which to do them.
Automatic: If AppScan will be able to log in to the site using a name and password only, without a special procedure, select this option and enter the user name and password.

Procedure

Go to the Login Management page of the content scan job and choose a login method:

What to do next

Authenticating to the website