IBM security appscan standard edition


Document information

IBM Security AppScan® Standard Edition Version 8.7 User Guide, SC27-5432-00
© Copyright IBM Corp. 2000, 2013

Contents

Chapter 1. Introduction 1
Product overview 1; What's new 1; Contact and support information 2

Chapter 2. Installing 5
System requirements 5; Flash Player upgrade 7; Flash Player configuration 7; Install 8; Silent install 8; Uninstall 9; Legacy scans 9; License 10; Load a floating or token license 12; Load a node-locked license 12; Updates 13; Temp file location 13

Chapter 3. Getting started 15
How an automatic scan works 15; Scanning web services 16; Basic workflow 18; Workflow description 18; Tour of the main window 20; View selector 20; Application Tree 21; Result List 23; Detail Pane 26; Scan panels 27; Status bar 28; Tutorial 28; Step 1: Configuring the scan 29; Step 2: Running the scan 30; Step 3: Reviewing Scan Results 30; Step 4: Communicating results 31

Chapter 4. Configuring 33
Scan configuration overview 33; Scan configuration wizard 33; Launching the Scan Configuration Wizard 34; web Application Scan Configuration Wizard 35; web Services Scan Configuration Wizard 40; Scan Configuration dialog box 42; URL and Servers view 44; Login Management view 47; Login Management Details 50; Environment Definition view 54; Exclude Paths and Files view 55; Explore Options view 59; Parameters and Cookies view 62; Automatic Form Fill view 72; Error Pages view 74; Multi-Step Operations view 76; Content-Based Results view 79; Glass Box view 81; Communication and Proxy view 82; HTTP Authentication view 82; Test Policy view 83; Test Options view 89; Privilege Escalation view 92; Malware view 93; Scan Expert view 93; Result Expert view 95; Advanced Configuration view 95; Generic Service Client 108; GSC: Example 108; Scanning a site that includes a web service as part of the site 109; Scan templates 109; Predefined templates 110; User-defined templates 111; Loading scan templates 112; Editing Scan Templates 112

Chapter 5. Scanning 113
Starting scans 113; Starting scans from the Scan Configuration Wizard 113; Starting scans from the Scan menu or the toolbar 114; Starting scans from the Welcome dialog box 114; Starting scans from the New Scan dialog box 115; Scan progress 115; Pausing and continuing scans 116; Scans stopped due to connectivity issues 116; Scans stopped due to application issues 116; Saving and loading scans 117; Saving scans 117; Automatic scan save 118; Loading saved scans 118; Legacy scan files 118; Automatic scan 119; Automatic multiphase scanning 120; Scan Expert 120; Scan Expert recommendations 121; Manual exploring 122; Recording a Manual Explore 123; Exporting Manual Explore data 125; Importing Manual Explore data 126; Using AppScan as a proxy server 127; Glass box overview 128; Installing the glass box agent 129; Permissions needed to work in secure mode 138; Defining the glass box agent 140; Scanning with glass box 141; Uninstalling the glass box agent 141; Partial scans 145; Explore Only 146; Test Only 146; Re-Scan 146; Scan Multi-Step Operations Only 147; Changing the configuration during a scan 147; Result Expert 147; Exporting scan results 148; Generating scan result DB and XML files 148; Firebird database structure 148

Chapter 6. Results: Application Data 153
Application Data overview 153; Application Data: Application Tree 153; Application Data: Result List and Detail Pane 153; Requests 154; User Interaction Needed 155; Manually exploring interactive URLs 155; Filtered URLs 156; Failed Requests 156; Parameters 157; Comments 157; JavaScript 157; Cookies 157; Searching Application Data in Result List 158

Chapter 7. Results: Security Issues 161
Security Issues overview 161; Security Issues: Application Tree 161; Exclude URL from scan 162; Security Issues: Result List 162; Severity levels 163; Issue state: Open or Noise 163; Resending tests 164; Right-click menu 165; Filtering Security Issues in Result List 165; Sorting the Result List 166; Security Issues: Detail Pane 166; Issue Information tab 166; Advisory tab 170; Fix Recommendations tab 172; Request/Response tab 173; Manual tests 177; Non-vulnerable variants 180; Saving all non-vulnerable variants 180; Defining variants as non-vulnerable 180; Non-Vulnerable Variants List 180; Deleting variants 181

Chapter 8. Results: Remediation Tasks 183
Remediation Tasks overview 183; Remediation Tasks: Application Tree 183; Remediation Tasks: Result List 183; Searching Remediation Tasks in Result List 184; Sorting Remediation Tasks 185; Manipulating priority levels 185; Deleting Remediation Tasks from the Result List 185; Remediation Tasks: Detail Pane 186

Chapter 9. Reports 187
Report overview 187; Configuring report layout 187; Viewing and saving reports 188; Creating partial reports 188; Creating user-defined report templates 189; Earlier versions of report templates 194; Security reports 194; Industry standard reports 196; Regulatory compliance reports 198; Delta analysis reports 199; Template-based reports 201; Creating a custom report template 202; Importing a custom template 207

Chapter 10. Tools 209
Options dialog box 209; Scan Options tab 209; Preferences tab 211; General tab 212; Advanced tab 213; Scan Scheduler 215; Schedule a new scan 215; Edit scheduled scan configuration 215; Delete a scheduled scan 216; Schedule a Test stage only 216; Schedule a scan in installments 217; Scheduled task command line parameters 218; User-defined tests 220; User-Defined Test Wizard 220; Defining infrastructure tests 221; Defining parameter modification tests 223; Defining parameter addition tests 225; Defining pattern search tests 226; Creating your own advisory 227; Completing the user-defined test wizard 229; Managing user-defined tests 229; PowerTools 230; Authentication Tester 230; Connection Test 231; EncodeDecode 231; Expression Test 231; HTTP Request Editor 231; Token Analyzer 232; Customizing the Tools menu 232; Adjust the order of the PowerTools 232; Add programs to the Tools menu 233; Extensions 233; Extension Manager 233; Pyscan 234; Explore Optimization module 235; Logs 238; Scan Log 239; AppScan Log 239; Update Log 240; TrafficLog 241

Chapter 11. Integrations 243
AppScan Enterprise 243; Importing AppScan Enterprise license permissions 243; Publishing to AppScan Enterprise 244; Rational ClearQuest 244; HP Quality Center 245

Chapter 12. Best practices 247
Workflow for advanced users 247; Initial Configuration 249; Initial Automatic Explore 250; Improve site coverage manually 250; Evaluate Explore results 252; Additional configuration 254; Sites that use parameter-based navigation 255; The challenge of parameter-based navigation sites 255; Live production environments 256; Flash content 258

Chapter 13. Troubleshooting 261
License troubleshooting 261; Troubleshooting features 261; Reporting false positive results 262; Troubleshooting the Report False Positive feature 262; Extended Support Mode 262; Changing the default browser 263; In-session detection troubleshooting 265; In-session request same as login request 265; Long or never-ending Explore stage 266; Flash movie troubleshooting 267; Some Flash movies are not scanned 268; Restore Adobe Flash Player settings 269; Scan Log messages 270; AppScan Log messages 278; Flash Log messages 283

Chapter 14. CLI 285
Command structure 285; Commands 285; Exec command 285; Report command 288; Help command 289; Exit Status codes 289; Launching the application from the command line 289

Chapter 15. Menus, toolbars and keyboard shortcuts 291
File menu 291; Edit menu 292; View menu 292; Scan menu 293; Tools menu 293; Help menu 294; Main toolbar 295; Browser toolbar 296; Keyboard shortcuts 296; Accessibility controls 297

Chapter 16. Glossary 301

Chapter 17. Notices 311

Chapter 1. Introduction

Overview of AppScan®, summary of what's new in this version and contact information.
• "Product overview"
• "What's new"
• "Contact and support information" on page 2

Product overview

AppScan Standard Edition is a flexible, accurate, and efficient web application security assessment tool. It automates vulnerability testing to help protect against the threat of cyber-attack, with an easy-to-use solution that combines dynamic analysis and static JavaScript analysis.
• Automates dynamic (black box) security testing for emerging web vulnerabilities including web services, web 2.0 and Rich Internet Applications (JavaScript, Ajax and Adobe Flash)
• Includes JavaScript Security Analyzer for advanced static (white box) analysis of client-side security issues, such as DOM-based cross site scripting and code injection
• Scans web sites for embedded malware and links to malicious or undesirable sites
• Provides customization and extensibility with the AppScan eXtension Framework, which allows the user community to build and share open source add-ons
• Includes regulatory compliance reporting templates with 40 out-of-the-box compliance reports

With AppScan you can identify vulnerabilities in your application before the hackers do. Early detection and resolution of web application vulnerabilities decreases the risk of attack and saves valuable time and resources. Using AppScan throughout the application life cycle standardizes security auditing tests and schedules. It also lowers the total cost of ownership, as AppScan notifies you of possible vulnerabilities before they become actual security risks.

What's new

This section describes new product features and enhancements in this version. A complete list of fixes in AppScan Standard 8.7 can be found at: http://www.ibm.com/support/docview.wss?uid=swg27037000

New in IBM Security AppScan Standard 8.7

This version includes a variety of fixes and performance enhancements, as well as the following new features:

FIPS 140-2 support: The US Federal Information Processing Standards (FIPS) define cryptography requirements. AppScan now uses encryption and hashing mechanisms that support these requirements, and can run on Windows machines that have been set up to work in FIPS Compliant mode.

GSC update: For scanning web services, Generic Service Client version 8.11 is now replaced with version 8.3, with the following improvements:
• Web services security policies are now supported
• Raw transaction data view
• GZIP encoding supported
• Enhanced web services policies and security algorithms
• Improved logging
• Improved memory usage
Note: For scanning web services with AppScan Standard 8.7 the newer version of GSC is required. If you have GSC 8.11 installed, the AppScan Standard 8.7 installation wizard will detect and uninstall it.

High-contrast GUI: For increased accessibility, the user interface is now high-contrast compatible.

Deprecated in this version: Support for PEM client-side certificates is deprecated as of this version. They can still be used in this version, but will not be supported in future versions. See "Convert a PEM Certificate to PKCS#12 Format" on page 83.

Contact and support information

AppScan contact information for technical support, to report false positive test results, and for technical, sales and general information.

Item | Details
Documentation | The AppScan Standard Publications Library links to all online user documentation, including: PDF version of this Help; Readme file, containing any last-minute information that could not be included in this Help; Fix List, detailing APARs fixed by version; System requirements; Known issues of general interest in the current version (updated as issues are discovered and as they are resolved in fix packs); AppScan Standard download instructions. http://www.ibm.com/support/docview.wss?uid=swg27024868
Support portal | http://www.ibm.com/support/entry/portal/Overview
To open a service request | http://www.ibm.com/support/entry/portal/Open_service_request
To report "false positive" results | http://www.ibm.com/support/docview.wss?uid=swg21295428 For more details see: "Report false positive test results" on page 176
AppScan eXtensions framework | http://www.ibm.com/developerworks/rational/downloads/08/appscan_ext_framework/ For more details see: "Extensions" on page 233
Sales and general information | http://www.ibm.com/software/rational/offerings/testing/webapplicationsecurity/

Note: When calling or submitting a problem to AppScan Support about a particular service request, have the following information ready:
• Customer Number
• The machine type/model/serial number (for software maintenance calls)
• Company name
• Contact name
• Preferred means of contact (voice or email)
• Telephone number where you can be reached (if voice contact requested)
• Related product and version information
• Related operating system and database information
• Detailed description of the issue
• Severity of the issue with reference to your business needs

[...]
...default path for AppScan from version 8.6 is: (Program Files Folder)\IBM\AppScan Standard. The default path for earlier versions of AppScan is: (Program Files Folder)\IBM\Rational AppScan.

License: A description of license types, installation and management. The AppScan, Version 8.6 installation includes a default license that allows you to scan IBM's custom...

[...]

...with /v"/qn" (see next row).

Parameter | Function
/v | Sets additional MSI properties such as UI mode and the path where AppScan will be installed. UI Mode: For "Silent Mode", include /qn as a parameter (enclosed in quotes). Path: If you do not define an install path, installation uses the default path: Program Files\IBM\AppScan Standard\. To define a different...

[...]

...INSTALLDIR=\"D:\Program Files\AppScan\""

Examples:
• To silently install an English version of AppScan in the default directory enter: AppScan_Setup.exe /s /v"/qn"
• To silently install Japanese versions of AppScan in the default directory enter: AppScan_Setup.exe /l"1041" /s /v"/qn"
• To silently install a Korean version of AppScan in D:\Program Files\AppScan\ enter: AppScan_Setup.exe /l"1042" /s...

[...]

...sufficient to supply AppScan with the start URL and login authentication credentials for it to be able to test the site. If necessary you can also manually crawl the site through AppScan, in order to get access to areas that can only be reached through specific user input.

Web services: In order to be able to scan a web service effectively, the AppScan installation...

[...]

...Interactive Links

Security Issues Result List: The Result List in Security Issues view displays issues found by the scan. During a scan, Security Issues view is automatically activated and issues are listed in the Result List as they are found. Each issue is assigned a severity level, which is indicated by one of the icons below.

Icon | Indicates
(icon) | High severity issue...

[...]

...by AppScan to your web application. The results of the tests are provided by AppScan's site-smart engine and result in expansive reports and fix recommendations, available for enhanced review and manipulation. AppScan is an interactive tool: you decide on the configuration of the scan and determine what is to be done with the results. The AppScan workflow includes the following stages:...

[...]

...window.
7. In the AppScan license dialog box, click to load your license.

Updates: Keeping your installation up-to-date.

About this task: Subscription updates include new types of web application exploitation techniques and bug fixes. It is recommended that you install these files as soon as you receive notification of their availability. AppScan periodically...

[...]

...following options:

Load IBM Rational License: If you have an IBM Rational license (either on your computer or on a different network server), click here to open the AppScan License Key Administrator, from where you can load and manage your licenses. The program can also be opened from \IBM\RationalRLKS\common\licadmin8.exe

Add AppScan Enterprise License: If your organization has an AppScan Enterprise license...

[...]

...Linux Ubuntu server LTS 10.04
• Linux SLES 10 SP4
• Linux SLES 11 SP2

Supported UNIX systems:
• UNIX AIX® 6.1
• UNIX Solaris 10 (SPARC)
• UNIX Solaris 11 Express®

Supported languages: The AppScan user interface can run in the following languages: Chinese (Simplified), Chinese (Traditional), English (United States), French, German, Italian*, Japanese,...

[...]

Temp file location: Describes where AppScan saves its temporary files during normal operation, and how to change the location. By default AppScan stores its temporary files in: C:\Documents and Settings\All Users\Application Data\IBM\AppScan Standard\temp. If you need to override this default location for any reason, edit the path for the environment variable APPSCAN_TEMP as required (Environment variables...

Posted: 30/06/2014, 16:17
