This section describes glass box scanning.
About this task
Once you have defined the glass box agent to AppScan®, glass box scanning
is enabled by default. You can use the Scan Configuration dialog box
to verify that the correct server agent is selected and that glass box
scanning is configured to run as part of the scan.
Glass box scanning can discover hidden URLs in the Explore stage, and
additional issues and information during the Test stage.
Procedure
- Click Configuration > Glass Box view.
- Select the agent you want to use from the drop-down list.
Note: If your agent does not appear in the list, click the Glass box agent management link, and define it.
- Verify that one or both of the two main glass box scan options are selected:
  - Use glass box in the Explore stage
  - Use glass box in the Test stage
Note: The Skip equivalent black box tests check box is cleared by default. This means that both glass box
tests and black box tests for the same vulnerability (WASC Threat
Classification) are sent. This is because although the glass box tests
are generally both more accurate and give more detailed results, occasionally
a glass box test may fail while the equivalent black box test succeeds.
If the results for your application are unchanged when black box tests
are skipped, you can reduce scan time by selecting this check box.
- Click Scan > Full Scan to start the scan.
The scan starts and the status bar messages indicate that glass box scanning is active.

The scan results will include glass box data in the Issue Information tab where available.