IBM® Rational® Focal Point™ is web-based software for portfolio management, which provides market- and business-driven analysis tools. IBM® Security AppScan® Standard edition is a web application security testing tool that automates security vulnerability assessments. In addition, it offers support for SOAP and REST web services for securing service-oriented architecture (SOA) environments. The article describes how we used AppScan to test Focal Point for security vulnerabilities. The diagram in Figure 1 illustrates the ways that you can use AppScan Standard to scan the various Rational Focal Point endpoints, including the web URL, SOAP web services, and REST web services.
Figure 1. Resources and relationships
AppScan has a built-in browser that you can use for security test scanning of the Rational Focal Point web URL. It also has a built-in GUI-based SOAP client that operates on a Web Services Description Language (WSDL) file. Using the client assists in scanning Focal Point SOAP web services.
Poster is a Mozilla Firefox browser add-on that developers can use to invoke REST web services. You can configure AppScan to act as a proxy for the Firefox Poster add-on. Using this technique, you can invoke Rational Focal Point REST web services and scan them to test security.
The Scan Configuration Wizard for AppScan has four basic sections:
- URL Servers
- Login Management
- Test Policy
Scan the Rational Focal Point web application URL
AppScan Standard includes predefined scan templates to choose from (see Figure 2). Templates help you customize the many configuration options to optimize your scans.
We created a template called Rational Focal Point - Manual. You can choose Regular Scan if you do not have a customized template.
Figure 2. Template choices listed in the New Scan screen
On the Scan Configuration Wizard Welcome screen (Figure 3), you can choose either a Web Application Scan or a Web Service Scan.
Figure 3. Scan type selection screen in AppScan
On the next screen, we point the Starting URL to the Rational Focal Point login page.
Figure 4. AppScan target URL configuration screen
In the Login Method screen (Figure 5), we selected the Recorded (Recommended) option to record instructions for AppScan for how to log in automatically to your web application (see AppScan Help for details).
Figure 5. AppScan Login Method screen
If you are get session timeout errors during automated scanning, skip this step by clicking the Next button. You can record the Login Method later in the scanning cycle. This usually helps in systems that are running on low memory.
The next screen is the Test Policy screen. Usually, it shows the Default test policy. That should suffice for most scanning policy needs.
Set Explore options, scan limits, and other test options
From the Scan Configuration view, under Explore, select Explore Options (see Figure 6). The many configuration options available dictate how AppScan scans Focal Point. Two important ones are in the Scan Limits section:
- Redundant Path Limit
- This setting makes sure that AppScan will not access the same path more than the configured number of times. For this case study, we set the path limit to 5.
- Depth Limit
- AppScan will not scan pages that deeper than this specified number of links (number of clicks away from the starting URL). For this case study, we set the depth limit to 20. Leave the default settings for other options.
Figure 6. AppScan Explore Options configuration screen
Prevent communication proxy timeout
Scan Configuration > Connection > Communication and Proxy option configurations dictate how AppScan communicates with the Focal Point target server. If you are getting many timeout notices, in the Communications section, change the Timeout setting to 45 seconds. That helps most communications over LANs.
Figure 7. AppScan Communication and Proxy configuration
How to handle cross-site scripting attacks by using server filters
The traditional approach to cross-site scripting (XSS) issues is to fix the parameter that's causing the problem in the pages where it is used, so that malicious code cannot be injected into that parameter. We found that this is cumbersome and makes the code harder to maintain.
Figure 8 illustrates the use of an application server-based filter as an alternative.
Figure 8. Cross-site filter architecture diagram
Here, we intercept every HTTP request coming into the server and passit through the cross-site filter before passing it on to the Rational Focal Point core. There are three sub-modules inside the cross-site filter:
- Alphanumeric filter
- This filter lets only alphanumeric values through.
- Unsafe character filter
- This filter removes all unsafe characters from the parameters.
- Special provision filter
- This filter uses special provisions for special parameters to let them through, based on specific business case.
Scan Rational Focal Point SOAP web services
To scan Rational Focal Point by using SOAP web services, you must choose Web Service Scan alternative in the Welcome screen of the Scan Configuration Wizard (see Figure 3).
Choosing the Focal Point WSDL for testing
In the URL and Servers view, find the WSDL URL section (Figure 9). In the field for where the WSDL file for the service is located, use the drop-down menu to point to the URL that you are going to scan. You can click on the global icon at the right of that field to see the WSDL file in HTML format. (Other settings shown here are defaults.)
Figure 9. AppScan screen to configure the target WSDL
In the Test Policy screen that follows, you need to choose the test policy. Choose the Web Service test policy, which has tests targeted specifically toward SOAP web service scanning.
Using the generic SOAP client for testing exposed web services
AppScan will launch the built-in Generic Service Client, which will import the target WSDL file and build a GUI around it. Using this client, you can send specific SOAP requests to Rational Focal Point.
After you invoke all of the necessary SOAP requests, AppScan runs the security scan and reports any issues that it finds.
Figure 10. AppScan Generic Service Client
Integrate the Firefox Poster add-on to scan REST web services
First, configure AppScan proxy settings to receive data from an external browser.
- In the Full Scan Configuration page, select Communication and Proxy, and choose the Don't use proxy option (see Figure 7).
- Select Tools > Options > Scan Options.
In the Scan Options tab view, under Communications, "AppScan proxy port" shows the port that AppScan listens to for the traffic going to the web application.
Figure 11. AppScan proxy port configuration screen
How to use an external browser for scanning
- Configure your Firefox, Internet Explorer, or Chrome browser to use AppScan as the proxy.
- Next, perform a manual exploration of your application.
- Select Open Scan > Manual Explore to open the AppScan internal browser.
- Without closing the internal browser, open your external browser.
- Explore the application as necessary.
- Close the external browser.
- Close the internal browser.
The OpenExternalBrowser option that is available in AppScan version 126.96.36.199 and later might not work correctly in all browsers. Do not use this option for scanning.
Purpose of using the Poster add-on for the Firefox browser
Poster is an open source developer tool for Firefox. You can use it for HTTP requests, to set the entity body and to set the content type. It helps in making
DELETE calls on REST web services.
Figure 12. Firefox Poster add-on screen
- For more information about AppScan:
- Check out the Poster add-on for Firefox.
- To learn about Focal Point:
- Learn more about the web services mentioned in this article:
- Explore the Rational software area on developerWorks for technical resources, best practices, and information about Rational collaborative and integrated solutions for software and systems delivery.
- Stay current with developerWorks technical events and webcasts focused on a variety of IBM products and IT industry topics.
- Improve your skills. Check the Rational training and certification catalog, which includes many types of courses on a wide range of topics. You can take some of them anywhere, anytime, and many of the Getting Started ones are free.
Get products and technologies
- Get the free Trial Download or check the Trials and Demos page for Rational software.
- Evaluate IBM software in the way that suits you best: Download it for a trial, try it online, use it in a cloud environment.
- Get connected with your peers and keep up on the latest information in the Rational community.
- Rate or review Rational software. It's quick and easy.
- Share your knowledge and help others who use Rational software by writing a developerWorks article. Find out what makes a good developerWorks article and how to proceed.
- Follow Rational software on Twitter (@ibmrational), and YouTube, and add your comments and requests.
- Ask and answer questions and increase your expertise when you get involved in the Rational forums, cafés, and wikis.