Home
Configuring
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
Scan Configuration Dialog Box
Login Management view
Login Management view of the Scan Configuration dialog box.
Review & Validate tab
Scan Configuration > Login Management > Review & Validate tab
Optimizing In-Session Detection
Reviewing the login sequence can help troubleshoot and optimize in-session detection.

Configuring
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
- Scan Configuration Wizards
  You can quickly configure basic scans using the wizards.
- Scan Configuration Dialog Box
  - URL and Servers view
    URL and Servers view of the Scan Configuration dialog box.
  - Login Management view
    Login Management view of the Scan Configuration dialog box.
    - Login tab
      Scan Configuration > Login Management > Login tab.
    - Review & Validate tab
      Scan Configuration > Login Management > Review & Validate tab
      - Action-Based editor
        Dialog that opens from Scan Configuration > Login > Review & Validate > (Action-Based) Edit, can be used to troubleshoot the login procedure if validation fails.
      - Request-Based editor
        Dialog that opens from Scan Configuration > Login > Review & Validate > (Request-Based) Edit, can be used to troubleshoot the login procedure if validation fails.
      - Advanced request selection
        Advanced In-Session Request Selection dialog box, that opens from Scan Configuration > Login > Review & Validate > Advanced Request Selection
      - Advanced pattern selection
        Use this dialog to compare in-session and out-of-session responses to login requests, to help you decide on the detection pattern that is best for your application. Opened by clicking
      - Optimizing In-Session Detection
        Reviewing the login sequence can help troubleshoot and optimize in-session detection.
    - Session IDs tab
      Scan Configuration > Login Management > Session IDs tab.
    - Advanced tab
      Scan Configuration > Login Management > Advanced tab.
  - Environment Definition view
    Environment Definition view of the Configuration dialog box.
  - Exclude Paths and Files view
    Exclude Paths and Files view of the Configuration dialog box.
  - Explore Options view
    Explore Options view of the Configuration dialog box.
  - Parameters and Cookies view
    Parameters and Cookies view of the Configuration dialog box.
  - Automatic Form Fill view
    Automatic Form Fill view of the Configuration dialog box contains the values used to fill forms in your application.
  - Error Pages view
    Error Pages view of the Configuration dialog box.
  - Multi-Step Operations view
    Multi-Step Operations view of the Configuration dialog box is for testing parts of the site that can only be reached by clicking links in a specific order.
  - Content-Based Results view
    Content-Based view of the Configuration dialog box. You can use this view to define a logical structure for the application tree, if AppScan® will not be able to do this based on URL structure.
  - Communication and Proxy view
    Communication and Proxy (if AppScan needs a proxy to access the tested application) view of the Configuration dialog box.
  - HTTP Authentication view
    HTTP Authentication view of the Configuration dialog box.
  - 3rd Party Authentication view
    3rd Party Authentication view of the Configuration dialog box lets you configure AWS settings.
  - Test Policy view
    Test Policy view of the Configuration dialog box shows details of the current test policy.
  - Test Optimization view
    Test Optimization uses AppScan’s intelligent test filtering to achive faster scans, when speed is needed, with minimal loss of issue coverage. You choose between four optimization levels depending on your needs.
  - Test Options view
    Test Options view of the Configuration dialog box.
  - Privilege Escalation view
    Privilege Escalation view of the Configuration dialog box lets you compare results for different user levels.
  - Scan Expert view
    Scan Expert view of the Scan Configuration dialog box.
  - Advanced Configuration view
    The Advanced Configuration tab of the Scan Configuration dialog box is used to change advanced registry settings that affect specific scans (Scan Configuration > Advanced Configuration tab), and it should only be used by experienced AppScan users, or when instructed to do so by the support team to troubleshoot a problem.
- Scan file structure
  Explains the basic structure of an AppScan Standard SCAN file.
- Scan templates
  A scan template is simply a scan configuration that has been saved so that you can use it again.
- Changing the configuration during a scan

Optimizing In-Session Detection

Reviewing the login sequence can help troubleshoot and optimize in-session detection.

About this task

AppScan attempts to identify automatically an "In-Session Detection Pattern" that occurs on the in-session page, that it can use during the scan to verify that it is still logged in. This should be a pattern that occurs in the page's response only when you are logged in. An example might be text that reads: "Click here to log out".

During the scan, AppScan sends the in-session request repeatedly, and checks that the response contains the In-Session Detection Pattern. If AppScan does not find the pattern in the page's response, AppScan assumes it has been logged out, and attempts to log in again by replaying the login sequence. It follows that the login sequence is typically played many times during a scan. It is therefore best that it contains as few steps as possible. It is also helpful if the In-Session page is a small page, and does not contain tracked parameters or cookies, since these can also increase scan time significantly.

When the defined in-session pattern is detected in the in-session request, (the request immediately following the POST request), it is highlighted in green.

Procedure

Verify that the In-Session Detection Pattern that was automatically selected is in fact an indication that the user is logged in. If necessary, change it.
Verify that there are no unnecessary steps in the login procedure. If there are, delete them.
Verify that the in-session response is not a large one, and - if possible - does not include tracked parameters or cookies. If necessary, add one or more steps till you reach a smaller page or one without tracked items.
If you succeeded in selecting an in-session page without tracked parameters or cookies, there is no need for AppScan to check for these each time it logs in. Go to Advanced Configuration > Session Management: Parse In-Session Page, and change the setting to False.
If none of these succeed, you can try to identify an out-of-session pattern instead, and then change the detection method.