Test options

Additional test options.

This view lets you configure various settings that affect the length and thoroughness of the scan. However, the default settings are sufficient in most cases.
Note: If you make changes to Test options after a scan, you may be prompted to re-scan, as not all changes can be applied to existing results.

Setting

Details

General

Use adaptive testing

AppScan can send many thousands of tests to a site. However, in order to reduce scan time, it can send preliminary tests that intelligently determine which are the appropriate tests to send and which can be dispensed with. This is "adaptive testing", and it can greatly reduce scan time without sacrificing thoroughness.

Clear this check box if you want AppScan® to send all its tests to the site.

Allow multiphase scanning

AppScan analyzes responses to the tests that it sends your application. From this analysis, AppScan® frequently discovers additional content, such as links that were invisible on the first "phase" of the scan. Multiphase scanning enables AppScan to repeat the Explore and Test stages on this newly detected content. (The additional phase is usually shorter, as it involves the new links only.)

Multiphase scanning is configured by default to allow a maximum of 4 scan phases.

Note that multiphase scanning applies only when you run a full scan. If you use the Explore Only and Test Only functions, the result will be a single-phase scan.

Analyze test responses for issues beyond the specific test scope

When selected, AppScan® analyzes each test response for additional security issues over-and-above the specific issue tested for. Deselect this option if the application is very large, or if scans produce a large number of false-positive results.

Include all variants of issues beyond the specific test scope

(Active only if previous check box is selected.) When selected, AppScan analyzes all variants of each issue over-and-above the specific issue tested for; when deselected, only one variant per issue is analyzed. Selecting this check box is not usually necessary, and can significantly increase scan time.

Test for cookie security issues in form submission requests only

When selected (default), AppScan will submit cookie related tests only on cookies used in form submission requests. For higher accuracy (but increased scan time), deselect this check box, and AppScan® will submit cookie tests on all relevant HTTP requests.

Report vulnerable components

3rd-party components in your code are identified during the Explore stage and shown in Data view.

When this option is selected (default), AppScan will report known vulnerabilities in those components in Issues view, and suggest updates. For more details, see Components.

To ensure that AppScan uses the latest version of the vulnerable component database, you can download the latest updates and then import them using the Import file option under Tools > Options. For more details, refer to the Import file section.

Login/Logout tests

Send tests on login pages

It is recommended to allow AppScan to test login pages, unless your application locks out users who provide illegal input, or the application flow would be altered by AppScan® testing them.

Do not send session identifiers when testing login pages

(Active only if previous check box is selected.) It is recommended to leave this check box selected, since session identifiers could limit test success when testing login pages. Clear it only if you are sure that valid session tokens are necessary to test your login pages.

Note that even when this check box is selected, some tests are still sent with session identifiers, to prevent false positive results.

Send tests on logout pages

It is recommended to allow AppScan to test logout pages, unless your application locks out users who provide illegal input, or the application flow would be altered by AppScan® testing them.

Non-vulnerables

Save non-vulnerables information

During a scan, AppScan sends many thousands of test variants to the site it is testing. The responses to many of these indicate that they do not pose a security threat of any kind, and by default AppScan® discards all these "non-vulnerable" results, considerably reducing the volume of the result data.

If you select this check box, AppScan will save all non-vulnerables. A warning will appear that this option may reduce AppScan®'s performance and significantly increase the disk space required.

For more details, see Non-vulnerables.

Issue Management

Apply previous noise classifications to this scan

If you previously identified one or more issues as 'Noise' in a scan (indicating they are not relevant to your application), the system will automatically apply the same classifications to subsequent scans unless you clear this check box.

For more details, see Issue state: Open or Noise.