Home
Tools
This section explains how to use additional tools provided with HCL AppScan Standard.
PowerTools
AppScan offers access to five utilities (PowerTools), each providing a specific feature to help you manage your application security or to help you use AppScan.
Authentication Tester
The Authentication Tester PowerTool is a testing utility that uses the "brute-force" technique to reveal weak username-password combinations that could be used to gain access to your web application. (A brute force attack is an automated process of trial and error used to guess authentication credentials, causing a server to acknowledge an imposter as a legitimate user.)
HTTP authentication over form authentication

Tools
This section explains how to use additional tools provided with HCL AppScan Standard.
- Options dialog box
  This section describes options you can control, to customize AppScan, from the Options dialog box (Tools > Options).
- Web Services Wizard extension
  This extension lets you scan using Open API description files. It is available from Tools > Extensions > Web Services Wizard (Open API), and the extension is enabled by default.
- Scan Scheduler
- User-Defined Tests
- PowerTools
  AppScan offers access to five utilities (PowerTools), each providing a specific feature to help you manage your application security or to help you use AppScan.
  - Authentication Tester
    The Authentication Tester PowerTool is a testing utility that uses the "brute-force" technique to reveal weak username-password combinations that could be used to gain access to your web application. (A brute force attack is an automated process of trial and error used to guess authentication credentials, causing a server to acknowledge an imposter as a legitimate user.)
  - Connection Test
    The Connection Test PowerTool enables you to ping web sites without using the Ping protocol, which is blocked by many firewalls.
  - Encode/Decode
    The Encode/Decode PowerTool encodes and decodes strings you put into it, to and from the format of your choice.
  - Expression Test
    Writing precise regular expressions can be a tedious trial-and-error process. You can use the Expression Test PowerTool to help accelerate the process.
  - HTTP Request Editor
    The HTTP Request Editor PowerTool enables you to send a fully-controlled HTTP request to your site, to test how your site responds to different kinds of HTTP request.
- Customizing the Tools menu
- Extensions
- Logs
  Logs can help you troubleshooting.
- Searching Results
  You can filter the Result List in any of the views, for specific data.

HTTP authentication over form authentication

About this task

In some instances an application may use both types of authentication. HTTP authentication may be used generally on all pages, while Form authentication is used to protect specific administrator areas. In such cases you will probably want to run both types of test.

HTTP Authentication: This is tested as described above (see HTTP authentication)

Form Authentication: To test this you need to provide Authentication Tester with the actual username and password for the HTTP authentication. This will enable it to "get past" the HTTP authentication and test the Form authentication on these pages.

Procedure

In the Authentication Tester main window, select the Form Authentication radio button.
Configure Form Authentication (see Form authentication).
Click Advanced.

The Advanced Configuration dialog box opens (with the General tab on top).
In the HTTP authentication over Form authentication area select the Enable checkbox.

The Username, Password and Domain fields become active.
Type in valid HTTP authentication credentials for Authentication Tester to use when testing Form Authentication pages.
If the HTTP login window requires a domain, enter the correct domain name in the Domain field.
Click OK to close the dialog box.

You can now run brute force tests using the current configuration (see Running authentication tests).