Glass Box view

Glass Box view of the Configuration dialog box.

Glass box scanning uses an agent installed on your application server. This agent monitors server-side activity during the scan, collecting source-code information and other data. This results in a faster and more accurate scan. The relevant glass box agent for the configured starting URL is selected by default, and both of the glass box scanning functions are enabled.

Glass box scanning can discover hidden URLs in the Explore stage, and additional issues and information during the Test stage.

Setting

Details

Use this glass box agent

If the glass box agent has been installed on your application server, and defined in AppScan, you can select it for use in the scan. If you have entered a Starting URL, AppScan attempts to select the appropriate agent automatically.

When an agent is selected, AppScan attempts to connect to it, and indicates whether this was successful.
Note: If you select an agent and get the message "Credentials needed", check that the credentials supplied in Tools > Glass Box Management are correct.
If the required server does not appear in the drop-down list, you can define it by clicking the Glass box agent management link.
Restriction: Only one glass box agent can be selected for use in a scan. If the application being scanned has more than one server, you must scan using each server agent separately.

Use glass box in the Explore stage

(Selected by default.)

This function can increase coverage of the site by examining the server-side source code for parameters that affect the behavior of the server but do not appear in any response, so a black box crawl would never find them.

Example server-side code (Java servlet):

// The "debug" parameter is never linked from any page, but the server still reads it.
String debugOn = request.getParameter("debug");
// Compare string contents with equals(); == would compare object references and rarely match.
if ("true".equals(debugOn)) {
    response.getWriter().println(SECRET_SERVER_DATA);
}

In this example the developer has left the parameter "debug" in the code. It does not appear in any link on the site, but if an attacker were to send a request containing it, SECRET_SERVER_DATA could be obtained. Because the glass box agent sees the source, it can report the parameter even though no page ever references it.
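The following is an added illustration of the comparison the Explore-stage function performs, not code from AppScan or its agent: it lists the parameter names a servlet reads with request.getParameter(...) and subtracts the names that appear in the crawled HTML (link query strings and form fields). Everything left over is a server-side parameter that a black box crawl would miss. The sample source and HTML are constructed for the example, and the regular expression only recognizes literal getParameter("...") calls, which is an assumption about the code being analyzed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample of server-side source, modeled on the page's debug example.
SERVER_SOURCE = '''
String user = request.getParameter("user");
String page = request.getParameter("page");
String debugOn = request.getParameter("debug");
if ("true".equals(debugOn)) {
    response.getWriter().println(SECRET_SERVER_DATA);
}
'''

# Constructed sample of an HTML response the crawler would see during Explore.
HTML_RESPONSE = '''
<a href="/profile.jsp?user=alice&page=2">Profile</a>
<form action="/search.jsp" method="get"><input name="q"></form>
'''

# Matches only literal string arguments; computed names are out of scope here.
GET_PARAM_RE = re.compile(r'getParameter\(\s*"([^"]+)"\s*\)')


def server_side_parameters(source):
    """Parameter names the server-side code reads from the request."""
    return set(GET_PARAM_RE.findall(source))


class _ParamCollector(HTMLParser):
    """Collects parameter names visible to a black box crawler: link query
    strings and form field names."""

    def __init__(self):
        super().__init__()
        self.params = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            query = urlsplit(attrs["href"]).query
            self.params.update(parse_qs(query, keep_blank_values=True).keys())
        if tag in ("input", "select", "textarea") and attrs.get("name"):
            self.params.add(attrs["name"])


def client_visible_parameters(html):
    """Parameter names that appear in links or forms of the response."""
    collector = _ParamCollector()
    collector.feed(html)
    return collector.params


def hidden_parameters(source, html):
    """Parameters the server honors but no page ever references."""
    return sorted(server_side_parameters(source) - client_visible_parameters(html))


if __name__ == "__main__":
    # Expected output for the constructed samples: ['debug']
    print(hidden_parameters(SERVER_SOURCE, HTML_RESPONSE))
```

The same subtraction generalizes to any framework once server_side_parameters is taught that framework's accessor (for example a query-string helper in another language); the crawler side does not change.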

Use glass box in the Test stage

(Selected by default.) Select this check box to send glass box tests during the Test stage of the scan. This function can verify the success or failure of certain tests, such as Blind SQL Injection, with greater accuracy, and also reveal the existence of certain security issues that cannot be detected by black box techniques.

Skip equivalent black box tests

(Cleared by default.) When this check box is cleared, both the glass box tests and the black box tests for the same vulnerability class (WASC Threat Classification) are sent. Glass box tests are generally more accurate and give more detailed results, but occasionally a glass box test fails where the equivalent black box test succeeds, so by default neither set is skipped. If the results for your application are unchanged when black box tests are skipped, you can reduce scan time by selecting this check box.

Note: By default the two main check boxes are selected. Deselecting both of them will disable glass box scanning.

See also:

c_GlassBoxScanning.html

Installing the glass box agent

Defining the glass box agent in AppScan

Scanning with glass box