Workflow for advanced users

This workflow can help users with experience in the field of web security achieve a more thorough scan.

The success of the Test stage, and therefore of the scan itself, depends on the coverage achieved during the Explore stage. If the Explore stage misses important parts of the application logic, the Test stage will not be able to reveal important vulnerabilities that might exist. Following this workflow can help you improve Explore stage coverage.


workflow diagram


1. Initial Configuration

Using the wizard or the Scan Configuration dialog box:
  1. Define the starting URL
  2. Record the login procedure
  3. Validate the in-session pattern and if needed choose a new pattern
  4. If your site has an account lockout feature, either disable the feature, or configure AppScan not to test login pages - otherwise AppScan will get locked out of the site during the Test stage and be unable to proceed.

For a fuller description of this step, see Initial Configuration.

2. Explore Only

Run an initial Automatic Explore:
  1. On the toolbar, click the Scan icon > Explore Only, and let the new Explore stage complete. AppScan will explore the site but not test it yet. At the start of the Explore stage, Scan Expert runs and may suggest changes to the configuration. The default setting lets Scan Expert make only those changes that can be applied automatically.
    Note: If your site uses URL rewriting, run Explore Optimization (Tools > Extensions > Explore Optimization Module: Run), and if recommended by the extension, run the Automatic Explore stage again (Scan > Re-Explore).
  2. If the Explore stage ends early because AppScan is out of session, re-record and reconfigure the login procedure, paying special attention to In-Session Detection and Session ID Tracking.

For a fuller description of this step, see Initial Automatic Explore.

3. Improve site coverage manually using the browser

Add URLs which Automatic Explore missed:
  1. Manual Explore: Use Manual Explore to add individual pages, such as those that require specific input.
    Note: In rare cases where the built-in browser is unable to browse the application, you can configure AppScan to use a different browser.
  2. Multi-Step Operations: If parts of the site can be reached only by clicking links in a specific order, record one or more Multi-Step Operations.

For a fuller description of this step, see Improve site coverage manually.

4. Continue Explore Only

With the new data you have provided through the Manual Explore, Automatic Explore will probably be able to explore the application more thoroughly.
Note: Click the Scan icon > Continue Automatic Explore (or Scan > Explore Only) to preserve the initial Explore results and the Manual Explore data. Do not click Re-Scan > Re-Explore, as this will delete the existing data.

5. Evaluate Explore results

Review the results so far to see whether the Explore stages have covered the application logic well.
Note: If you make any configuration changes, you should run Automatic Explore again (Scan > Re-Explore).

For a fuller description of this step, see Evaluate Explore results.
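One practical way to evaluate Explore coverage is to compare the URLs AppScan has visited against requests recorded while a tester used the application by hand, for example from the web server's access log, and feed any gaps back into Manual Explore. The script below is an added example, not part of this AppScan documentation or the product; it assumes you have saved the explored URLs as a list of strings and have a combined-format access log, and it normalizes away URL-rewritten session parameters (`;jsessionid=...`), record ids and query values so the same page is not reported as a gap under a different session or id.

```python
import re
from urllib.parse import urlsplit

# Path parameters added by URL rewriting (';jsessionid=...') and segments that are
# pure numbers or long hex strings (record ids, tokens) are collapsed so one page
# counts once regardless of the session or record it was requested with.
_PATH_PARAM = re.compile(r";[^/;?]*")
_ID_SEGMENT = re.compile(r"^(?:\d+|[0-9a-f]{16,})$", re.IGNORECASE)
_STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff", ".woff2")
_LOG_REQUEST = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')


def normalize(url: str) -> str:
    """Reduce an absolute or relative URL to 'path?param_names' for comparison."""
    parts = urlsplit(url.strip())
    path = _PATH_PARAM.sub("", parts.path) or "/"
    path = "/".join("{id}" if _ID_SEGMENT.match(seg) else seg for seg in path.split("/"))
    names = sorted({p.split("=", 1)[0] for p in parts.query.split("&") if p})
    return path + ("?" + "&".join(names) if names else "")


def is_static(url: str) -> bool:
    """Static assets carry no application logic, so they are not coverage gaps."""
    return urlsplit(url).path.lower().endswith(_STATIC_EXT)


def requests_from_access_log(log_text: str):
    """Yield request targets from Apache/nginx combined-format access log lines."""
    for line in log_text.splitlines():
        m = _LOG_REQUEST.search(line)
        if m:
            yield m.group(1)


def coverage_gaps(explored_urls, known_urls):
    """Normalized application paths present in known_urls but never explored."""
    explored = {normalize(u) for u in explored_urls}
    known = {normalize(u) for u in known_urls if not is_static(u)}
    return sorted(known - explored)


# Constructed sample data (hypothetical host and paths): URLs the Explore stage
# visited, and access-log lines captured while a tester used the site manually.
EXPLORED = [
    "https://app.example.test/",
    "https://app.example.test/login",
    "https://app.example.test/account;jsessionid=ABC123/profile",
    "https://app.example.test/orders/42?sort=date",
]
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /account;jsessionid=ZZZ999/profile HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /orders/17?sort=name HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /orders/17/cancel HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /admin/reports?year=2023 HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 31000
"""

if __name__ == "__main__":
    for path in coverage_gaps(EXPLORED, requests_from_access_log(ACCESS_LOG)):
        print("not explored:", path)
```

Each reported path is a candidate for Manual Explore or, where it is only reachable through a fixed sequence of clicks, for a Multi-Step Operation; the comparison ignores the HTTP method, so a POST-only action on an already-explored path is not flagged.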

6. (If needed) Additional configuration

There are some additional configuration options that you should consider if application coverage so far is not sufficient.

For a fuller description of this step, see Additional configuration.

7. Test stage

Click Test Only to proceed with the Test stage, completing the scan.