Sequence validation

As part of Multi-Step Operation testing, AppScan tests each step in the sequence separately. For example, when testing a 5-step sequence, it will test steps 1,2,3 4, and 5 separately.

When testing Step 3 (for example), it will play Steps 1 and 2 first, in order to arrive at Step 3 in the correct state, and then test it.

Sometimes a successful attack on Step 3 may not be evident in the site response until a later step in the sequence, such as Step 5. For example, a malicious user may input a payload in Step 3 that will be returned only when the site responds to the complete sequence, in Step 5.

For cases such as these you can configure AppScan so that when it tests Step 3 it also validates the responses to Steps 4 and 5.

This validation is for specific issue types: Cross-Site Scripting, SQL Injection, Command Injection, and Path Traversal. The number of additional steps (after the step being tested) that are validated can be configured in Scan Configuration > Advanced Configuration > Tests: Multi-step Operation: Validation limit.