Using IBM Security AppScan Standard

Part 1: General configuration of AppScan (an automated security testing tool)

  1. AppScan is one of the most widely used tools in the web application penetration testing stage. It is a desktop application that helps security professionals automate web application vulnerability assessments. This article focuses on configuring and using AppScan.
  2. Customizable scan policies: AppScan ships with customizable scanning policies, so you can tailor the scanning strategy to your needs.
  3. Reports: depending on your requirements, you can generate a report in the desired format.
  4. AppScan is divided into three parts: Explore, Connect and Test.

Exploration and testing phases:

Before we start scanning, let us understand how AppScan works. Any automated scanner has two goals: to find all available links, and to find and attack application vulnerabilities.

Exploration (Explore):

In the Explore stage, AppScan tries to crawl every available link on your site and builds a hierarchy of it. It sends requests and uses the responses to decide where vulnerabilities might exist. For example, when it sees a login page, it notes that it should later test for authentication bypass by injection. No attacks are performed in the Explore stage; this stage only determines the structure of the site and the range of requests that the later vulnerability tests will send.

Test (Test):

During the Test stage, AppScan tests the application by attacking the suspected vulnerabilities. By sending actual attack payloads, it determines whether the conditions identified in the Explore stage are real security vulnerabilities, and it ranks them by severity and risk.

The Test stage may discover links to new pages, so after an Explore and Test pass completes, AppScan begins another round and repeats the process until no new links remain to be tested. The number of rounds can be set in the user's settings.

========================================================================================================================================================

To start a scan, launch AppScan. You will see the welcome screen shown in Figure 1.

Figure 1

Click "Create New Scan" to begin scanning a new web application.

Figure 2

Select a template that matches your scanning requirements. A template contains a well-defined scan configuration. After you select a template, the configuration wizard appears. Click "Regular Scan".

Figure 3

The wizard asks you to choose the type of scan. Select "Web Application Scan" and then click Next.

The scan configuration wizard is the core of the tool: it is how you tell AppScan what you need, and it offers many options to choose from.

URL and Servers (see the figure below)

Starting URL: specifies the URL at which the scan begins. In most cases this is the landing page of the site. Here we use http://demo.testfire.net, a demo site for testing web application vulnerabilities. If you want to restrict the scan to links within this directory only, select the check box.

Case Sensitive Path: select this option if your server treats URL paths as case-sensitive. Whether case matters depends on the server operating system, so decide based on the system you are scanning: Linux/Unix servers are case-sensitive, so select it; Windows servers are not.

Figure 4

Additional Servers and Domains: during a scan, AppScan tries to crawl every link on the site. When it finds a link to a different domain, it does not scan or attack it unless that domain is listed under "Additional Servers and Domains". Adding a link under this label tells AppScan to keep scanning it even though the URL belongs to a different domain.

Click Next to continue.

Login Management

During a scan, AppScan may accidentally hit a logout button, which ends its session. So that it can log back into the application, we need to configure this section.

① If the web page under test has no CAPTCHA, login methods 1 and 3 (Recorded and Automatic) can be used.

② If the web page has a CAPTCHA, use the second login method (Prompt).

Recorded: after you select this option, a new browser window opens and tries to connect to the site specified as the starting URL of this scan. You need to enter the account name and password to log in to the application. Once this is set up you can close the browser, but do not click the logout button. Sometimes you will find that the browser that opens is not IE or Mozilla but the AppScan browser. You can change this under Tools --> Options --> Advanced by setting the value of OpenIEBrower: 0 = AppScan browser, 1 = IE, 2 = Firefox, 3 = Chrome. This setting is very useful if the site behaves differently in different browsers.

Prompt: each time the session is logged out, AppScan prompts you to log in to the application again. Choose this option if you intend to scan your entire system.

Automatic: here you directly specify the username and password to be used whenever AppScan needs to log in to the application.

Figure 5 and Figure 6 (Figure 6 uses the Recorded login method; the prompt shows that the login request succeeded)

Click Next to continue.

Test Policy

Choose the policy that best fits your testing needs. The existing policy is the default; it contains all tests except invasive tests and port listener tests. If you do not want tests sent to the login and logout pages, you can clear that option.

  1. Send tests on login and logout pages: by default, AppScan tests the login and logout pages as well as the rest of the application. You should keep this default; if you are not sure how your application will respond to these tests, leave the option selected.

It is recommended to leave this check box selected, because when the login page is tested the session identifier may cause tests to fail. Clear the check box only when you are sure that a valid session token is required to test the login page.

Figure 7

Click Next to continue.

Complete

This is the last step before the scan starts. IBM Rational AppScan lets you choose how you want to proceed: start the configured scan, explore only, and so on.

Start a full automatic scan: using the configuration created above, AppScan runs the Explore and Test stages.

  • A full scan of the application ("Test" begins immediately after "Explore").

Start with automatic explore only: AppScan only explores the application and does not send attacks.

  • Explores the application without proceeding to the "Test" stage (the "Test" stage can be run later).

Start with manual explore: a browser opens and you can browse the application manually.

  • A browser opens and you can explore the site manually by clicking links and filling in fields. AppScan records the results for use in the "Test" stage.

If you want to make further changes to the scan configuration, choose the last option, "I will start scan later".

  • Closes the wizard without starting a scan. The template is used the next time a scan is started.

Before we begin, there is one very important thing to do: the heart and soul of AppScan, the "Full Scan Configuration" window. Let us understand why it matters so much when scanning any application.

Figure 8: AppScan penetration testing tool

Click OK to return to the initial scan wizard window. Select "Start a full automatic scan" and click "Finish" to complete the configuration.

========================================================================================================================================================

Part 2: Configuring the full scan configuration manually

Full Scan Configuration

In the figure below there are four main sections: Explore, Connect, Test and General. Let us look at the details:

Explore

URL and Servers: the URL to scan and how links to additional servers are handled.

Login Management: besides the login method, here you can specify whether AppScan should log in with several sessions at the same time, which reduces total scan time. You can also specify a regular expression for detecting the logout page.

Figure 8

Environment Definition: under this setting you specify the operating system, web server, database server and other third-party components, which helps improve scan accuracy and performance.

Figure 9

Exclude Paths and Files: set specific paths, or even specific files such as .mps or .7z, to exclude during the scan. You define them with regular expressions under this option.

Explore Options: the redundant path option limits how many times AppScan scans the same path, because AppScan can otherwise fall into an endless loop scanning the same URL again and again.
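The scope rules described under URL and Servers, Case Sensitive Path, Additional Servers and Domains, Exclude Paths and Files and the redundant-path limit, modelled as a small Python scope checker. This is an added example, not AppScan code; the class name, field names and the behaviour of the redundant-path limit (one count per host and path, regardless of query string) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ScanScope:
    """Constructed model of the AppScan scope options discussed above
    (not AppScan's real implementation)."""
    starting_url: str
    restrict_to_directory: bool = False   # "only scan links in this directory" check box
    case_sensitive_path: bool = True      # Linux/Unix servers: True; Windows servers: False
    additional_hosts: tuple = ()          # "Additional Servers and Domains"
    exclude_patterns: tuple = ()          # "Exclude Paths and Files" regexes
    redundant_path_limit: int = 3         # Explore Options: requests allowed per path (assumed)

    def __post_init__(self):
        parts = urlsplit(self.starting_url)
        self.host = parts.netloc.lower()
        # Starting directory: the starting URL with its final segment removed.
        path = parts.path or "/"
        self.base_dir = self._fold(path.rsplit("/", 1)[0] + "/")
        flags = 0 if self.case_sensitive_path else re.IGNORECASE
        self.excludes = [re.compile(p, flags) for p in self.exclude_patterns]
        self.extra = {h.lower() for h in self.additional_hosts}
        self.visits = {}

    def _fold(self, path):
        # Hostnames are always case-insensitive; paths only on case-insensitive servers.
        return path if self.case_sensitive_path else path.lower()

    def in_scope(self, url):
        """Would the configured scope let the scanner crawl and test this URL?"""
        parts = urlsplit(url)
        host, path = parts.netloc.lower(), self._fold(parts.path or "/")
        if host != self.host and host not in self.extra:
            return False                      # foreign domain: crawled but not scanned
        if self.restrict_to_directory and host == self.host \
                and not path.startswith(self.base_dir):
            return False                      # outside the starting directory
        return not any(rx.search(path) for rx in self.excludes)

    def allow_request(self, url):
        """Redundant-path limit: the same path (any query string) may be requested
        at most redundant_path_limit times before further requests are skipped."""
        parts = urlsplit(url)
        key = (parts.netloc.lower(), self._fold(parts.path or "/"))
        self.visits[key] = self.visits.get(key, 0) + 1
        return self.visits[key] <= self.redundant_path_limit
```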

Parameters and Cookies: contains details of the parameters and cookies present in the application.

Automatic Form Fill: during a scan, AppScan encounters forms that require input, for example a registration page that needs values such as a username and address. Selecting this option lets AppScan fill in this information automatically.

Error Pages: the error pages you enter under this configuration help AppScan recognise error pages.

Multi-Step Operations: in some applications, certain data can only be reached by requesting it in a specific order (for example, e-commerce sites). Under this setting you can click "Start Recording" to record such a sequence.

Glass Box Scanning: a new feature introduced in AppScan. An agent is installed on the server, which helps the scan find hidden URLs and other issues.

Communication and Proxy: specify whether the scanner uses the IE browser's proxy settings (or no proxy at all).

HTTP Authentication: use client certificates by uploading the certificate file and key file.

Test Policy: all test names are listed in this section. If you do not want AppScan to scan for a particular vulnerability, you can deselect it here.

Figure 10

Test Options: here you choose suitable test options. AppScan sends a large number of tests, which takes a long time. With adaptive testing selected, AppScan first sends probes to determine which tests are appropriate; for example, if it detects that the server is IIS, it sends only the tests for IIS vulnerabilities and does not check for issues related to other servers.

Privilege Escalation: you can upload scan files from scans run as users with different privileges, or as an unauthenticated user.

Scan Expert: Scan Expert makes recommendations for scanning the application better.

========================================================================================================================================================

Export Report

Source: www.cnblogs.com/tutougold/p/11716139.html