Case study: AppScan security scan of Rational Focal Point

Using IBM Rational Focal Point as an example, Shivakumar Patil describes using IBM Security AppScan Standard edition to test web-based applications and their external endpoints, such as SOAP and REST web services.

Share:

Shivakumar Patil (shivakpa@in.ibm.com), Security Lead, IBM

Author1 photoShivakumar Patil is with the IBM Rational Focal Point development team. He has been working on security aspects, using Rational AppScan, for the last two years.



29 January 2013

IBM® Rational® Focal Point™ is web-based software for portfolio management, which provides market- and business-driven analysis tools. IBM® Security AppScan® Standard edition is a web application security testing tool that automates security vulnerability assessments. In addition, it offers support for SOAP and REST web services for securing service-oriented architecture (SOA) environments. The article describes how we used AppScan to test Focal Point for security vulnerabilities. The diagram in Figure 1 illustrates the ways that you can use AppScan Standard to scan the various Rational Focal Point endpoints, including the web URL, SOAP web services, and REST web services.

Figure 1. Resources and relationships
Relationships of Focal Point and AppScan

AppScan has a built-in browser that you can use for security test scanning of the Rational Focal Point web URL. It also has a built-in GUI-based SOAP client that operates on a Web Services Description Language (WSDL) file. Using the client assists in scanning Focal Point SOAP web services.

Poster is a Mozilla Firefox browser add-on that developers can use to invoke REST web services. You can configure AppScan to act as a proxy for the Firefox Poster add-on. Using this technique, you can invoke Rational Focal Point REST web services and scan them to test security.

The Scan Configuration Wizard for AppScan has four basic sections:

  • URL Servers
  • Login Management
  • Test Policy
  • Complete

Scan the Rational Focal Point web application URL

AppScan Standard includes predefined scan templates to choose from (see Figure 2). Templates help you customize the many configuration options to optimize your scans.

We created a template called Rational Focal Point - Manual. You can choose Regular Scan if you do not have a customized template.

Figure 2. Template choices listed in the New Scan screen
screen lists recently used and predefined templates

On the Scan Configuration Wizard Welcome screen (Figure 3), you can choose either a Web Application Scan or a Web Service Scan.

Figure 3. Scan type selection screen in AppScan
Scan Configuration Wizard Welcome screen

On the next screen, we point the Starting URL to the Rational Focal Point login page.

Figure 4. AppScan target URL configuration screen
Starting URL in the Scan Configuration Wizard

In the Login Method screen (Figure 5), we selected the Recorded (Recommended) option to record instructions for AppScan for how to log in automatically to your web application (see AppScan Help for details).

Figure 5. AppScan Login Method screen
Other options: prompt, automatic, none

If you are get session timeout errors during automated scanning, skip this step by clicking the Next button. You can record the Login Method later in the scanning cycle. This usually helps in systems that are running on low memory.

The next screen is the Test Policy screen. Usually, it shows the Default test policy. That should suffice for most scanning policy needs.

Set Explore options, scan limits, and other test options

From the Scan Configuration view, under Explore, select Explore Options (see Figure 6). The many configuration options available dictate how AppScan scans Focal Point. Two important ones are in the Scan Limits section:

Redundant Path Limit
This setting makes sure that AppScan will not access the same path more than the configured number of times. For this case study, we set the path limit to 5.
 
Depth Limit
AppScan will not scan pages that deeper than this specified number of links (number of clicks away from the starting URL). For this case study, we set the depth limit to 20. Leave the default settings for other options.
 
Figure 6. AppScan Explore Options configuration screen
Also: JavaScript, Flash, Explore Method, Encoding

Prevent communication proxy timeout

Scan Configuration > Connection > Communication and Proxy option configurations dictate how AppScan communicates with the Focal Point target server. If you are getting many timeout notices, in the Communications section, change the Timeout setting to 45 seconds. That helps most communications over LANs.

Figure 7. AppScan Communication and Proxy configuration
Communication and Proxy configuration options

How to handle cross-site scripting attacks by using server filters

The traditional approach to cross-site scripting (XSS) issues is to fix the parameter that's causing the problem in the pages where it is used, so that malicious code cannot be injected into that parameter. We found that this is cumbersome and makes the code harder to maintain.

Figure 8 illustrates the use of an application server-based filter as an alternative.

Figure 8. Cross-site filter architecture diagram
cross-site filter architecture diagram

Here, we intercept every HTTP request coming into the server and passit through the cross-site filter before passing it on to the Rational Focal Point core. There are three sub-modules inside the cross-site filter:

Alphanumeric filter
This filter lets only alphanumeric values through.
 
Unsafe character filter
This filter removes all unsafe characters from the parameters.
 
Special provision filter
This filter uses special provisions for special parameters to let them through, based on specific business case.
 

Scan Rational Focal Point SOAP web services

To scan Rational Focal Point by using SOAP web services, you must choose Web Service Scan alternative in the Welcome screen of the Scan Configuration Wizard (see Figure 3).

Choosing the Focal Point WSDL for testing

In the URL and Servers view, find the WSDL URL section (Figure 9). In the field for where the WSDL file for the service is located, use the drop-down menu to point to the URL that you are going to scan. You can click on the global icon at the right of that field to see the WSDL file in HTML format. (Other settings shown here are defaults.)

Figure 9. AppScan screen to configure the target WSDL
Screen as described with URL entered

In the Test Policy screen that follows, you need to choose the test policy. Choose the Web Service test policy, which has tests targeted specifically toward SOAP web service scanning.

Using the generic SOAP client for testing exposed web services

AppScan will launch the built-in Generic Service Client, which will import the target WSDL file and build a GUI around it. Using this client, you can send specific SOAP requests to Rational Focal Point.

After you invoke all of the necessary SOAP requests, AppScan runs the security scan and reports any issues that it finds.

Figure 10. AppScan Generic Service Client
Generic Service Client window

Integrate the Firefox Poster add-on to scan REST web services

First, configure AppScan proxy settings to receive data from an external browser.

  1. In the Full Scan Configuration page, select Communication and Proxy, and choose the Don't use proxy option (see Figure 7).
  2. Select Tools > Options > Scan Options.

In the Scan Options tab view, under Communications, "AppScan proxy port" shows the port that AppScan listens to for the traffic going to the web application.

Figure 11. AppScan proxy port configuration screen
Scan Options tab view

How to use an external browser for scanning

  1. Configure your Firefox, Internet Explorer, or Chrome browser to use AppScan as the proxy.
  2. Next, perform a manual exploration of your application.
    1. Select Open Scan > Manual Explore to open the AppScan internal browser.
    2. Without closing the internal browser, open your external browser.
    3. Explore the application as necessary.
  3. Close the external browser.
  4. Close the internal browser.

Important:
The OpenExternalBrowser option that is available in AppScan version 8.0.0.3 and later might not work correctly in all browsers. Do not use this option for scanning.

Purpose of using the Poster add-on for the Firefox browser

Poster is an open source developer tool for Firefox. You can use it for HTTP requests, to set the entity body and to set the content type. It helps in making GET, POST, PUT, or DELETE calls on REST web services.

Figure 12. Firefox Poster add-on screen
Poster add-on screen in Firefox

Resources

Learn

Get products and technologies

Discuss

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into Rational software on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Rational, Security, DevOps
ArticleID=856558
ArticleTitle=Case study: AppScan security scan of Rational Focal Point
publish-date=01292013