Configuring a glass box scan

Although the scan is configured automatically, this section describes options you may want to change.

Procedure

  1. Configure your scan as usual.
  2. In Configuration > Glass Box tab, select one of the defined glass box agents from the drop-down list, and optionally adjust the settings:

    Setting: Use this glass box agent

    Details: If the glass box agent has been installed on your application server, and defined in AppScan, you can select it for use in the scan. If you have entered a Starting URL, AppScan attempts to select the appropriate agent automatically.

    When an agent is selected, AppScan attempts to connect to it, and indicates whether the connection succeeded.
    Note: If you select an agent and get the message "Credentials needed", check that the credentials supplied in Tools > Glass Box Management are correct.
    If the required server does not appear in the drop-down list, you can define it by clicking the Glass box agent management link.
    Restriction: Only one glass box agent can be selected for use in a scan. If the application being scanned has more than one server, you must scan using each server agent separately.

    Setting: Use glass box in the Explore stage

    Details: (Selected by default.) This function can increase coverage of the site by examining the server-side source code for parameters that affect the behavior of the server but do not appear in any response.

    Example server-side code:
    String debugOn = request.getParameter("debug");
    // Compare string contents; "==" compares object references and would rarely match a request parameter
    if ("true".equals(debugOn)) {
        response.getWriter().println(SECRET_SERVER_DATA);
    }
    In this example the developer has left the parameter "debug" in the code. It does not appear in any link on the site, but if an attacker were to send a request containing it, SECRET_SERVER_DATA could be obtained.

    Setting: Use glass box in the Test stage

    Details: (Selected by default.) Select this check box to send glass box tests during the Test stage of the scan. This function can verify the success or failure of certain tests, such as Blind SQL Injection, with greater accuracy, and can also reveal certain security issues that cannot be detected by black box techniques.

    Setting: Skip equivalent black box tests

    Details: (Cleared by default.) While this check box is cleared, both the glass box tests and the black box tests for the same vulnerability class (WASC Threat Classification) are sent. Although glass box tests are generally more accurate and give more detailed results, occasionally a glass box test fails while the equivalent black box test succeeds. If the results for your application are unchanged when black box tests are skipped, you can reduce scan time by selecting this check box.

    The status bar indicates that glass box scanning is enabled, and you are ready to start the scan.
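To illustrate the Explore-stage behavior described in step 2 (a server reading a parameter that never appears in any response), here is an added Python example, not AppScan code and not how the glass box agent itself is implemented: it extracts the parameters a constructed Java servlet snippet reads and diffs them against the parameters discoverable from a constructed HTML response, which is the gap that option is meant to close.

```python
import re

# Constructed sample server-side source (not from the page); the "debug"
# parameter is read by the code but never emitted in any link or form.
SERVER_SOURCE = '''
String user = request.getParameter("user");
String page = request.getParameter("page");
String debugOn = request.getParameter("debug");
if ("true".equals(debugOn)) {
    response.getWriter().println(SECRET_SERVER_DATA);
}
'''

# Constructed sample of the HTML a crawler would see; only "user" and "page"
# are reachable through links and forms in the response.
RESPONSE_HTML = '''
<a href="/account?user=alice&page=2">Account</a>
<form action="/search"><input name="user"></form>
'''

GET_PARAM = re.compile(r'getParameter\(\s*"([^"]+)"\s*\)')
HREF_PARAM = re.compile(r'[?&]([A-Za-z0-9_\-]+)=')
INPUT_NAME = re.compile(r'<input[^>]*\bname="([^"]+)"', re.IGNORECASE)


def server_side_parameters(source: str) -> set:
    """Parameters the server reads: what an agent with source access can see."""
    return set(GET_PARAM.findall(source))


def response_parameters(html: str) -> set:
    """Parameters a black box crawler can discover from links and form fields."""
    return set(HREF_PARAM.findall(html)) | set(INPUT_NAME.findall(html))


def hidden_parameters(source: str, html: str) -> set:
    """Parameters that affect the server but never appear in the response."""
    return server_side_parameters(source) - response_parameters(html)


if __name__ == "__main__":
    print(sorted(hidden_parameters(SERVER_SOURCE, RESPONSE_HTML)))  # ['debug']
```

Running the script over your own code base in this way is a quick review check for leftover diagnostic parameters such as the "debug" one in the page's example.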