Privilege Escalation Runner

The Privilege Escalation Runner automates scanning with different login credentials, and then runs the Privilege Escalation tests available in IBM Security AppScan.

13 January 2009 (First published 03 July 2008)

System requirements

IBM Security AppScan Standard 7.5 and above.

Overview

To use this eXtension, first record a login sequence with each user role. This can be done by following these steps:

  1. Open the Scan Configuration (Shortcut: F10)
  2. Make sure the Starting URL is configured
  3. Select the Login/Logout tab
  4. Select the Recorded Login radio button
  5. Press the New button, and record a login sequence
  6. Save the login sequence to a file using the Save As button at the bottom
  7. Record additional login sequences by repeating steps 5-6

Once the login sequences are recorded, open the extension's main form from Tools > Extensions > Privilege Escalation Runner.

In the form, perform the following steps:

  1. Browse to a Scan configuration template to use when performing the scans (must include the starting URL)
  2. This can be done by configuring the current scan, and then choosing Save As Template within the Scan Configuration Dialog
  3. Browse to the primary recorded login file, marking a standard user (average permission level)
  4. Add any additional login sequences for logins with different permissions (e.g. admin, other users, etc.)
  5. Optionally change the max URLs per scan, scan files location and results file
  6. Hit Run!

The eXtension will proceed to run individual scans, once with no login and once with each login sequence, and save those scans into the configured folder. When all the scans have run, the scan with the primary login will be configured for Privilege Escalation testing with the other scans, and the test phase will be run with these tests only. Finally, the results will be saved to the results scan file.
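The comparison that a multi-role run like this makes possible, as an added example (not IBM's code and not taken from the eXtension source): it assumes each scan yields a list of reached URLs and that the primary login's response status for each candidate has already been collected. The role names, URLs and status codes are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample data: URLs each scan reached, keyed by login role.
PRIMARY = ["https://app.example.test/home",
           "https://app.example.test/profile?id=7&tab=a"]
OTHERS = {
    "admin": ["https://app.example.test/home/",
              "https://APP.example.test/profile?tab=a&id=7",
              "https://app.example.test/admin/users",
              "https://app.example.test/admin/audit"],
    "auditor": ["https://app.example.test/admin/audit"],
}
# Constructed status codes seen when the primary session requested each candidate.
REPLAY = {"https://app.example.test/admin/users": 200,
          "https://app.example.test/admin/audit": 403}

def normalize(url):
    """Canonicalize a URL so one resource compares equal across scans."""
    p = urlsplit(url)
    query = urlencode(sorted(parse_qsl(p.query, keep_blank_values=True)))
    path = p.path.rstrip("/") or "/"
    base = f"{p.scheme.lower()}://{p.netloc.lower()}{path}"
    return f"{base}?{query}" if query else base

def privileged_only(primary_urls, other_scans):
    """Map each URL the primary login never reached to the roles that did."""
    seen = {normalize(u) for u in primary_urls}
    candidates = {}
    for role, urls in other_scans.items():
        for u in map(normalize, urls):
            if u not in seen:
                candidates.setdefault(u, set()).add(role)
    return candidates

def evaluate(candidates, replay_status):
    """Return candidates the primary session fetched successfully (2xx)."""
    findings = []
    for url, roles in sorted(candidates.items()):
        status = replay_status.get(url)
        # 3xx (redirect to login) and 401/403 mean access control held.
        if status is not None and 200 <= status < 300:
            findings.append((url, sorted(roles), status))
    return findings

if __name__ == "__main__":
    for url, roles, status in evaluate(privileged_only(PRIMARY, OTHERS), REPLAY):
        print(f"{status} {url} (seen only as: {', '.join(roles)})")
```

A 2xx status alone can be a false positive when the application returns its login page with status 200, so each finding still needs its response body reviewed.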

Supported

No, this eXtension is provided "as-is" by IBM.

Downloads

Description | Name | Size
eXtension (AppScan Standard v8.5 and below) | PrivilegeEscalationRunnerExtension-bin-1.0.zip | 15KB
eXtension source (AppScan Standard v8.5 and below) | PrivilegeEscalationRunnerExtension-src-1.0.zip | 23KB
eXtension (AppScan Standard v8.6 and above) | PrivilegeEscalationRunnerExtension-bin-2.0.zip | 90KB
eXtension source (AppScan Standard v8.6 and above) | PrivilegeEscalationRunnerExtension-src-2.0.zip | 95KB
