This tool can be used to view any vulnerability outside IBM Security AppScan.
IBM Security AppScan Standard 7.5 up to and including 8.6.
Upon initial release, this eXtension served only as a simple viewer that replicated the look and feel of the Security AppScan GUI components displayed for each issue under the Request\Response tab (see Figure 1). The latest version, however, adds features such as response comparison and regular expression search, which have made this application indispensable.
Figure 1. Test Positive in action
How does it work?
There are three main ways in which you can use Test Positive:
- False Positive Reports Viewer and Analyzer: This is the primary purpose for which the application has been designed. False positive or false negative report text files can be rendered and validated with the help of the tool. Figure 1 compares the raw-text false positive report of a Blind SQL Injection vulnerability displayed in Notepad with the same report loaded in Test Positive.
- Security AppScan External Vulnerability Viewer: Test Positive is not limited to False Positive reports. The tool can be used to view any vulnerability outside Security AppScan. The most common use case is a security expert wanting to demonstrate the vulnerability to a developer who does not have Security AppScan installed. The auditor can simply click the Send to Test Positive menu item added by the Test Positive Extension, save the report in a convenient location, zip the Test Positive executable together with the report, and e-mail the package to the author of the vulnerable Web application.
- Security AppScan Extension: The Send to Test Positive Extension enhances the Security AppScan GUI with all the Test Positive features making vulnerabilities easier to understand and validate. It also provides a convenient way to send false positive reports to IBM Rational Technical Support for those customers that do not have an e-mail client installed on the testing server, by using the Save As link.
Here is a list of the features of Test Positive with examples on how they can be put in use:
- Test Traffic Splitting: This feature allows Test Positive to separate the individual test requests of complex attacks such as Blind SQL Injection or Inadequate Account Lockout. Take the Inadequate Account Lockout attack as an example. This attack is composed of 13 repeated test requests. First Security AppScan sends one request with the correct credentials, then it sends 11 requests using W0tchf1r instead of the correct password, and finally it sends the correct credentials one more time. It then compares the first and last requests against each other and against the last request that used the W0tchf1r password in order to establish whether the account was locked out after 11 unsuccessful attempts. Test Positive parses the test traffic, identifies and separates each of these requests, and lets the user visualize each step Security AppScan performed in establishing this vulnerability.
- Information Bar: Test Positive contains a convenient way to display messages to its users without disrupting their work: the Information Bar. If the message is too long simply hover your mouse over the yellow band and you can see the entire message in an informational balloon.
- Request and Response Comparison: All test requests are automatically compared to the original request and the differences are highlighted in red, so one can easily see how Security AppScan mutated the request and performed the attack. Responses can also be compared against each other by clicking the compare link in the top right corner. After the comparison is complete, the Information Bar displays the similarity factor of the two responses. The Next Diff link allows the user to cycle through the identified differences.
- URL & Base 64 Decoding: Although highlighting the difference is a great help, sometimes the difference is URL encoded and hard to read. Using the URL Decoding feature available through the Test Positive context menu, the user can clear the encoded characters and easily understand what the payload actually means. The tool also contains a Base64 decoding function, should anyone want to see what is encoded in a Viewstate parameter, for example.
- Show in browser: Test Positive gives you the possibility to preview the test or original responses in Internet Explorer in order to better visualize the modifications caused by the attack.
- Regular Expression Search: The search feature allows the use of regular expressions. By default Test Positive will search the test response for the validation string, where available, and highlight it on file load.
- Import from ASE: Security AppScan Enterprise traffic information can also be imported into Test Positive.
- Drag & Drop: Drag & drop a False Positive Report text file over the Test Positive icon in order to conveniently load that file into the tool.
- Security AppScan Extension: Vulnerabilities can be easily sent to Test Positive from the Issue context menu using the Send to Test Positive menu item. This action exports the traffic information to a text file in the temporary folder and runs Test Positive with that file as an argument. This process works provided that the Test Positive executable is located in the %userprofile%\Application Data\Watchfire\AppScan\Extensions\Send-to-Test-Positive folder and is named test_positive.exe. This is usually set up automatically for you when you install the extension.
Test Positive comes as a standalone executable. It needs the .Net Framework 2.0, which is usually installed along with Security AppScan, to work correctly. The Test Positive extension is also very easy to install using Security AppScan > Tools > Extensions > Extensions Manager.
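The Test Traffic Splitting and Request and Response Comparison features described above can be illustrated together with a small script. This is an added example, not Test Positive's own code: it splits captured HTTP traffic into request/response pairs at request lines and status lines, diffs each test request against the original at token level, and scores response similarity with difflib. The traffic is constructed inline for the 13-step Inadequate Account Lockout case (one correct login, eleven W0tchf1r attempts, one correct login); the real false positive report layout is not reproduced, and the lockout decision rule is a simplification for the example, not AppScan's logic.

```python
"""Split captured test traffic into request/response pairs, show how each
test request differs from the original, and score response similarity.

Added example, not code from Test Positive or IBM. The traffic below is
constructed; the real false positive report layout is not reproduced here.
"""
import difflib
import re
from typing import Dict, List, Tuple

# A new exchange starts at an HTTP request line; its response starts at a status line.
REQUEST_LINE = re.compile(r"(?m)^(?=(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r?$)")
STATUS_LINE = re.compile(r"(?m)^(?=HTTP/1\.[01] \d{3})")
WRONG_PASSWORD = "W0tchf1r"  # the substitute password named in the feature description


def _exchange(password: str, status: str, body: str) -> str:
    """Build one constructed request/response pair for a login form."""
    return (
        "POST /login HTTP/1.1\r\n"
        "Host: app.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        f"user=alice&pass={password}\r\n\r\n"
        f"HTTP/1.1 {status}\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        f"{body}\r\n\r\n"
    )


# Constructed 13-step lockout traffic: correct password, eleven wrong-password
# attempts, correct password again. This sample models a server that never
# locks the account.
SAMPLE_TRAFFIC = (
    _exchange("s3cret", "302 Found", "<html>Redirecting to /home</html>")
    + "".join(_exchange(WRONG_PASSWORD, "200 OK", "<html>Invalid password</html>") for _ in range(11))
    + _exchange("s3cret", "302 Found", "<html>Redirecting to /home</html>")
)


def split_traffic(traffic: str) -> List[Tuple[str, str]]:
    """Return (request, response) pairs in the order they appear."""
    pairs = []
    for chunk in REQUEST_LINE.split(traffic):
        if not chunk.strip():
            continue
        parts = STATUS_LINE.split(chunk, maxsplit=1)
        request = parts[0].strip()
        response = parts[1].strip() if len(parts) > 1 else ""
        pairs.append((request, response))
    return pairs


def request_mutations(original: str, test: str) -> List[Tuple[str, str]]:
    """Token-level diff: (original fragment, mutated fragment) for each change.
    Tokenizing on word boundaries keeps a substituted value such as a password
    in one piece instead of a scatter of single-character edits."""
    a = re.findall(r"\w+|\W+", original)
    b = re.findall(r"\w+|\W+", test)
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return [("".join(a[i1:i2]), "".join(b[j1:j2]))
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]


def similarity(a: str, b: str) -> float:
    """Similarity factor in [0, 1]; 1.0 means the two texts are identical."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def assess_lockout(pairs: List[Tuple[str, str]]) -> Dict[str, object]:
    """Mirror the three-way comparison described for the lockout test: first
    and last correct-credential responses against each other, and the last one
    against the last wrong-password response. The decision rule is a
    simplification for this example, not AppScan's own logic."""
    wrong = [resp for req, resp in pairs if WRONG_PASSWORD in req]
    if not wrong:
        raise ValueError("no wrong-password attempts found in traffic")
    first_ok, last_ok = pairs[0][1], pairs[-1][1]
    final_vs_first = similarity(first_ok, last_ok)
    final_vs_wrong = similarity(last_ok, wrong[-1])
    # If the closing correct login still looks like the opening one rather than
    # like a failed attempt, the wrong-password burst did not lock the account.
    return {
        "wrong_password_attempts": len(wrong),
        "final_vs_first_ok": round(final_vs_first, 3),
        "final_vs_last_wrong": round(final_vs_wrong, 3),
        "account_locked_out": final_vs_first < final_vs_wrong,
    }


if __name__ == "__main__":
    steps = split_traffic(SAMPLE_TRAFFIC)
    for n, (req, _) in enumerate(steps, 1):
        print(f"step {n:2d}: {request_mutations(steps[0][0], req) or 'identical to original'}")
    print(assess_lockout(steps))
```

Splitting on request lines is enough for clean captures; a request body that itself contains a line starting with a method name or `HTTP/1.` would confuse it, which is one reason a viewer keeps the boundaries the scanner recorded rather than re-deriving them.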
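For the URL & Base 64 Decoding feature, the following added example (not Test Positive's code) shows the two decoding steps a reviewer applies to a highlighted parameter value: URL decoding repeated until the value stops changing, so double-encoded values are unwrapped, then a guarded Base64 decode with padding repair and a printable preview of the result. The `q` and `__VIEWSTATE` values, the `CONSTRUCTED_STATE` blob and all function names are constructed for this example.

```python
"""Decode URL-encoded parameter values, repeating for double encoding, and
try a Base64 decode of the result (for example a ViewState parameter).

Added example, not Test Positive's own code. The parameter values below are
constructed for the example.
"""
import base64
import binascii
import re
from typing import Dict, Optional
from urllib.parse import quote_plus, unquote_plus

_BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed "serialized state" blob: a few non-printable leading bytes
# followed by text, roughly the shape a state-carrying value has once decoded.
CONSTRUCTED_STATE = b"\xff\x01\x0fpage state: account=42"
# Form-encoded as a browser would send it: Base64 first, then URL encoding
# ('+' -> %2B, '/' -> %2F, '=' -> %3D).
ENCODED_VIEWSTATE = quote_plus(base64.b64encode(CONSTRUCTED_STATE).decode("ascii"))


def url_decode_fully(value: str, max_rounds: int = 5) -> str:
    """URL-decode until the value stops changing, so double-encoded values
    (%2525 -> %25 -> %) are unwrapped. Trade-off: a literal %25 that was meant
    to stay '%' after one decode is unwrapped too; max_rounds bounds the loop."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def try_base64_decode(value: str) -> Optional[bytes]:
    """Return decoded bytes if the value is plausibly Base64, else None.
    Missing '=' padding is repaired first; lengths that can never be valid
    Base64 are rejected by the strict decoder."""
    candidate = value.strip()
    if len(candidate) < 8 or not _BASE64_SHAPE.match(candidate):
        return None
    candidate += "=" * (-len(candidate) % 4)
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_preview(raw: bytes) -> str:
    """Render bytes with non-printable values shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def inspect_parameter(name: str, value: str) -> Dict[str, object]:
    """Collect what a reviewer wants to see for one parameter value."""
    decoded = url_decode_fully(value)
    raw = try_base64_decode(decoded)
    return {
        "name": name,
        "url_decoded": decoded,
        "changed_by_url_decoding": decoded != value,
        "base64_bytes": raw,
        "base64_preview": printable_preview(raw) if raw is not None else None,
    }


if __name__ == "__main__":
    for name, value in [("q", "caf%C3%A9+%26+%2525"), ("__VIEWSTATE", ENCODED_VIEWSTATE)]:
        print(inspect_parameter(name, value))
```

A plain alphanumeric word of suitable length is also a syntactically valid Base64 string, so the shape check alone cannot prove a value was Base64 encoded; the printable preview is what lets a human judge whether the decoded bytes are meaningful.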
Building this eXtension
In order to build this eXtension, you will need to have Visual Studio 2005 installed on your machine, and then you should follow these steps:
- Unzip the source package to a directory of your choice
- Go to the Test Positive 2 directory
- Open the solution file in Visual Studio
- Build the project. This should yield the executable test_positive.exe
- Close Visual Studio
- Go to the Test Positive Extension directory
- Open the solution file in Visual Studio
- Build the project. This should yield two files, info.xml and Send-To-Test-Positive.dll
- Copy all result files (test_positive.exe, info.xml, Send-To-Test-Positive.dll), into a separate directory called Send-To-Test-Positive
- Zip this directory
That's it, the zipped file is now ready to be loaded into Security AppScan as an eXtension (Tools > Extensions > Extension Manager).
No, this eXtension is provided "as-is" by IBM.
| Download | File | Size |
|---|---|---|
| eXtension (AppScan Standard v8.5 and below) | Send-To-Test-Positive-bin-1.0.4.zip | 5KB |
| eXtension source (AppScan Standard v8.5 and below) | Send-To-Test-Positive-src-1.0.4.zip | 270KB |
| eXtension (AppScan Standard v8.6 and above) | Send-To-Test-Positive-bin-2.0.zip | 32KB |
| eXtension source (AppScan Standard v8.6 and above) | Send-To-Test-Positive-src-2.0.zip | 255KB |
- Google Code Project.