Creating a scan based on a template using AppScan Enterprise scan properties

A QuickScan crawls your site to discover its content using parameters set in a scan template created by an Administrator. After it is collected by the scan, the data is stored in a database for analysis by the reporting engine and made available to you through report packs, which are collections of reports. Most of your data analysis tasks will focus on the data provided in these reports.

Before you begin

  1. This task is completed by a developer with QuickScan User permissions. AppScan Enterprise V9.0.2 introduced a new method of creating a scan. This method helps create consistent scan configuration and results. See Creating a scan based on a template using AppScan Standard scan properties.
  2. You might need to install a browser plugin to use the manual explore or recorded login features. You can also use the Manual Explorer tool.

About this task

CAUTION: Do not use any private information in your scan configuration because this data might be viewed by a third party. To proceed with the browser recording, ensure that you have logged out from any existing sessions. Use a test user account during the manual explore to prevent usernames and passwords from appearing in clear text in the Enterprise Console interface.
Note:
  1. Depending on the template you are using, some of the options discussed in this task might not be available to you.
  2. If you need to configure some of the more advanced scan options, such as setting URL exclusions, click the Advanced Scan Configuration link at the bottom of the Setup tab.

Procedure

  1. In the Scans view, select a scan template from the QuickScan template list (under the toolbar), enter a starting URL in the field, and click the Create QuickScan icon. Depending on the template you choose, either the Setup tab or a recording browser will open.
  2. If the Setup tab opens, edit the Scan Name if necessary to something more meaningful to your organization. The scan name defaults to the name of the URL you entered on the previous page.
  3. (Optional) To import traffic data:
    1. Click Import Traffic.
    2. Choose how you want to use the traffic data.
    3. Download and install the Manual Explorer tool.
      Note:
      • The machine that hosts the Manual Explorer tool must also be FIPS enabled so that the tool works properly.
      • If you are using Microsoft™ Windows™ 2008 Server (with or without R2), you might encounter this error message while trying to install the tool: "The system administrator has set policies to prevent this installation." The group policies set on the server do not allow regular users to perform installations. Either have your system administrator change the group policy or install the tool for you.
    4. To launch Manual Explorer, go to Start Menu > HCL AppScan Manual Explorer or the desktop icon.
    5. Click File > Preferences and configure the settings for the recording tool.
    6. Click Record on the AppScan® Manual Explorer tool and navigate your application.
    7. When you have finished exploring the site, save the file and close the Manual Explorer tool.
    8. Import the *.htd file and click Import to add the URLs to the QuickScan.
    9. Skip step 4 and complete the task.
  4. If a recording browser opens, follow these steps:
    1. Browse the site manually, entering data and clicking links. QuickScan will record all input until you click the Stop Recording button or close the recording browser.
    2. When you are done exploring your application, click Stop or close the browser. The Setup tab will open.
    3. Edit the Scan Name if necessary to something more meaningful to your organization. The scan name defaults to the name of the URL you entered on the previous page.
    4. Check the URLs to be scanned list to verify that QuickScan has accurately identified the login pages to your application and that you have permission to run security tests on the recorded URLs. All pages recorded before the login page are classified as part of the login sequence. Pages recorded after the login page are classified as regular pages. If you want to reclassify some URLs, select them and move them above or below the line in the URL list. You can rerecord the login sequence if necessary, or manually explore the site to add URLs to the scan.
    5. Select how you want the scan to be completed. If you set a scan to crawl without limiting the number of pages, the scan may take a long time to complete.
    6. (optional) Select Login Session IDs to add to the global list of domains as tracked session IDs. Session IDs in the list that appear grayed out already exist in the global list of domains. Session IDs that are not grayed out were found during the recorded login sequence.
    7. Proceed to Step 4.
  5. (optional) Configure Automatic Login. If the application requires a one-time login, use a user name and password so the scan can log in for you.
  6. (optional) Enable or disable In-session Detection. The in-session pattern details section displays the in-session pattern that the scan used during scanning to verify that it is logged in. If this is not the one you want to use, enter a different one and click Update to verify the pattern.
  7. Click More Scan Options to configure optional scan properties.
  8. Once you finish configuring your scan, click Save to save the scan options.
  9. Start the scan. The Progress tab will open and display the scan statistics while the scan is running. You can also choose to:
    • Save current results and stop: Saves the current results and stops the job. The run will finish normally and save the data collected so far in the database, but the reports will be incomplete.
    • Discard results and stop: Discards any data collected during the run and stops the job.
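
The in-session detection step above relies on a pattern that only appears in responses served to a logged-in user; if the pattern also matches the logged-out page, the scan cannot notice that its session was lost. The following is an added example, not AppScan code, that models that check. It assumes the in-session pattern is a regular expression matched against the response body (an assumption; the page does not state the pattern format), and the two HTML responses are constructed samples.

```python
"""Toy model of in-session detection: the check a scanner runs on each
response to decide whether it is still logged in.

Added illustration, not AppScan code. Assumes the in-session pattern is a
regular expression applied to the response body (assumption).
"""
import re

# Constructed sample responses: one as seen by a logged-in user, one after
# the session expired and the server returned the login form instead.
LOGGED_IN_BODY = """<html><body>
<div id="banner">Acme Bank</div>
<a href="/logout">Log out</a>
<span id="welcome">Welcome back, testuser</span>
</body></html>"""

LOGGED_OUT_BODY = """<html><body>
<div id="banner">Acme Bank</div>
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
</form>
</body></html>"""


def is_in_session(body: str, pattern: str) -> bool:
    """Return True when the in-session pattern matches the response body."""
    return re.search(pattern, body) is not None


def validate_pattern(pattern: str, in_session_body: str,
                     out_of_session_body: str) -> tuple:
    """Mimic the 'Update' verification: a usable pattern must match the
    logged-in page and must NOT match the logged-out page. Returns
    (ok, reason)."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return False, f"invalid regular expression: {exc}"
    if not is_in_session(in_session_body, pattern):
        return False, "pattern does not match the logged-in page"
    if is_in_session(out_of_session_body, pattern):
        return False, ("pattern also matches the logged-out page; "
                       "it cannot detect a lost session")
    return True, "pattern distinguishes logged-in from logged-out responses"


def scan_with_session_check(responses, pattern):
    """Walk a sequence of (url, body) responses as a crawler would and
    return the first URL at which the session was found to be lost, or
    None if the session held for the whole sequence. A real scanner would
    re-run the login sequence at that point instead of continuing."""
    for url, body in responses:
        if not is_in_session(body, pattern):
            return url
    return None


if __name__ == "__main__":
    # Two plausible patterns and one malformed one, run through validation.
    for candidate in (r'href="/logout"', r"Acme Bank", r"[unclosed"):
        ok, reason = validate_pattern(candidate, LOGGED_IN_BODY, LOGGED_OUT_BODY)
        print(f"{candidate!r}: {'OK' if ok else 'REJECTED'} ({reason})")
    crawl = [("/account", LOGGED_IN_BODY),
             ("/transfer", LOGGED_IN_BODY),
             ("/history", LOGGED_OUT_BODY)]
    print("session lost at:", scan_with_session_check(crawl, r'href="/logout"'))
```

The site banner ("Acme Bank") is rejected because it is present whether or not the user is logged in; the logout link is accepted because it disappears once the session ends. Picking a pattern the first way is the usual reason a scan silently continues after being logged out and reports far fewer pages than expected.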

What to do next

When scan results are ready, you can view the reports on the Results tab. Reports display information about your website or application and provide the functionality to navigate to more details. Most of your data analysis tasks will focus on the data provided in these reports.