Using AppScan Source predefined filters

AppScan® Source includes a set of predefined filters that can be selected for filtering scan results. This help topic describes these out-of-the-box filters.

Note: In AppScan Source Version 8.8, predefined filters were improved to provide better scan results. If you need to continue using the predefined filters from older versions of AppScan Source (archived filters are listed in AppScan Source predefined filters (Version 8.7.x and earlier)), follow the instructions in Restoring archived predefined filters.

Note: In AppScan Source for Development (Visual Studio plug-in), this view is part of the Edit Filters window.

! - AppScan Vital Few
! - High Risk Sources
! - Important Types
CWE SANS Top 25 2010 Vulnerabilities
External Communications
Low Severity And Informational
Noise - Quality
OWASP Mobile Top 10 Vulnerabilities
OWASP Top 10 2010 Vulnerabilities
OWASP Top 10 2013 Vulnerabilities
PCI Data Security Standard Vulnerabilities
Targeted Vulnerabilities - EncodingRequired For HTTP Sources
Targeted Vulnerabilities - Validation Required For C/C++ Sinks
Trusted Sources
Vulnerabilities with no trace

! - AppScan Vital Few

This filter matches findings from some of the most dangerous vulnerability categories. The results are limited to High and Medium severity vulnerabilities. Results with specific sources are removed from the findings. The specific vulnerability categories which are included in this filter are:

Vulnerability.CrossSiteScripting
Vulnerability.CrossSiteScripting.Reflected
Vulnerability.CrossSiteScripting.Stored
Vulnerability.Injection.OS
Vulnerability.Injection.LDAP
Vulnerability.Injection.SQL
Vulnerability.Injection.Mail

! - High Risk Sources

This filter limits the findings to specific vulnerability types and sources with one of these properties:

Technology.Communications.HTTP
Technology.Communications.IP
Technology.Communications.RCP
Technology.Communications.TCP
Technology.Communications.UDP
Technology.Communications.WebService

! - Important Types

This filter contains findings from a broader range of important vulnerability categories. The findings are limited to High and Medium severities with Definitive or Suspect classifications. The specific categories which are included in this filter are:

Vulnerability.AppDOS
Vulnerability.Authentication.Credentials.Unprotected
Vulnerability.BufferOverflow
Vulnerability.BufferOverflow.FormatString
Vulnerability.BufferOverflow.ArrayIndexOutOfBounds
Vulnerability.BufferOverflow.BufferSizeOutOfBounds
Vulnerability.BufferOverflow.IntegerOverflow
Vulnerability.BufferOverflow.Internal
Vulnerability.CrossSiteRequestForgery
Vulnerability.CrossSiteScripting
Vulnerability.CrossSiteScripting.Reflected
Vulnerability.CrossSiteScripting.Stored
Vulnerability.FileUpload
Vulnerability.Injection
Vulnerability.Injection.LDAP
Vulnerability.Injection.OS
Vulnerability.Injection.SQL
Vulnerability.Injection.XML
Vulnerability.Injection.XPath
Vulnerability.Malicious.EasterEgg
Vulnerability.Malicious.Trigger
Vulnerability.Malicious.Trojan
Vulnerability.PathTraversal
Vulnerability.Validation.EncodingRequired
Vulnerability.Validation.EncodingRequired.Struts

CWE SANS Top 25 2010 Vulnerabilities

This filter focuses on vulnerability types related to the CWE/SANS TOP 25 Most Dangerous Software Errors for 2010.

To learn about the 2011 CWE/SANS Top 25 Most Dangerous Software Errors, see http://cwe.mitre.org/top25/.

External Communications

This filter matches findings which originate from outside the application and across a network. This filter matches findings which originate at any Technology.Communications source.

Low Severity And Informational

This filter contains findings with severities of Low and Informational. All classifications (Definitive, Suspect, and Scan Coverage) are included.

Noise - Quality

This filter causes the results to only include vulnerability types that are related to quality coding practices.

OWASP Mobile Top 10 Vulnerabilities

This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) Mobile Top 10 Release Candidate v1.0 list.

To learn about OWASP, see https://www.owasp.org/index.php/Main_Page. Links to various OWASP documents and security risks are available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.

OWASP Top 10 2010 Vulnerabilities

This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) Top 10 2010 list.

OWASP Top 10 2013 Vulnerabilities

This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) Top 10 2013 list.

PCI Data Security Standard Vulnerabilities

This filter focuses on vulnerability types related to the Payment Card Industry Data Security Standard (PCI DSS) Version 3.2 standard.

See https://www.pcisecuritystandards.org/security_standards/index.php for information.

Scan Coverage Findings

This filter causes the results to only include Scan Coverage Findings (see Classifications for more information).

Targeted Vulnerabilities - `EncodingRequired` For HTTP Sources

This filter focuses on findings from the Validation.EncodingRequired and Validation.EncodingRequired.Struts vulnerability categories. Only findings that originate from a Technology.Communications.HTTP source are included. The findings are limited to High and Medium severities with Definitive or Suspect classifications.

Targeted Vulnerabilities - Validation Required For C/C++ Sinks

This filter focuses on Validation.Required vulnerabilities for a set of known C and C++ sinks. The findings are limited to High and Medium severities with Definitive or Suspect classifications.

Trusted Sources

This filter presumes that data coming from certain sources, such as session objects or request attributes, is safe.

Vulnerabilities with no trace

This filter lists vulnerabilities that do not contain traces.