AppScan Enterprise Server

Testing web services for security vulnerabilities

You can add web services to the scan for security testing. Use the Web Services Explorer to send requests to the service and then package up the corresponding URLs for testing in AppScan® Enterprise Server.

About this task

  • Web Services Explorer
  • Installing Web Services Explorer
  • Workflow for testing simple web services
  • Workflow for testing web services behind SSL authentication
© Copyright HCL Technologies Limited 2001, 2019