Latest Post - 2013-02-19T21:56:18Z by warrenm1
SystemAdmin
403 Posts

Pinned topic "...only scan links in and below the directory of each starting URL"?

2013-02-16T02:41:23Z
Greetings --
I've noticed during 'manual explore' scans that AppScan does not appear to be honoring the "In starting domains, only scan links in and below the directory of each starting URL" setting. Here is a simplified scenario:

Under "What to Scan":

-I have a starting URL set for:

https://somesite.fake/dir1/dir2/

-I have checked "In starting domains, only scan links in and below the directory of each starting URL".

-I have the following URL defined in "Manual Explore":

https://somesite.fake/dir1/dir2/dir3/100010

Under "Explore Options":

-I have checked "Specified URLs limit (URLs specified in Starting URLs, Manual Explore and Recorded Login properties. No spidering)".

However, when I review logs, I consistently see requests for stuff like

https://somesite.fake/dir1/test.php
https://somesite.fake/dir1/admin.txt
https://somesite.fake/test.php
https://somesite.fake/admin.txt
https://somesite.fake/test.pl
... is this intended behavior? I was thinking that NO tests would be executed above the directory path that I had set. I'm wondering if the tests that look for admin functionality are an exception, since they would typically be relatively 'low impact'. Although, I suppose if test.pl did exist and had some unfriendly functionality associated with it, I might feel differently.

This is only a simplified example. A more realistic example would be a situation where I wanted to manually scan a list of web services...

https://somesite.fake/dir1/dir2/dir3/index.php?cmd=blah1 ...
https://somesite.fake/dir1/dir2/dir3/index.php?cmd=blah2
...
https://somesite.fake/dir1/dir2/dir3/index.php?cmd=blahN

and NOT allow AppScan to touch any contents above "https://somesite.fake/dir1/dir2/dir3/".

FWIW, I've also noticed during manual explore (no-spider) scans, exceptions and exclusions are not honored (this actually makes a little more sense).

In any event, if anyone can tell me how to prevent AppScan from doing ANY tests above the directory I intended, I would appreciate it.

Thanks,
Adam
    warrenm1
    224 Posts

    Re: "...only scan links in and below the directory of each starting URL"?

    2013-02-19T21:56:18Z
    Hi,

    Paths like
    https://somesite.fake/dir1/test.php
    https://somesite.fake/dir1/admin.txt
    https://somesite.fake/test.php
    https://somesite.fake/admin.txt
    https://somesite.fake/test.pl

    come from many infrastructure tests, which look to access known paths that either shouldn't be accessible or that are tied to known vulnerable third-party components. They aren't a part of the auto explore but a function of these tests.

    For your second example you should open a support PMR so the logs can be reviewed in more detail; the only expected requests outside the scan's configured scope should be HEAD requests that just look for broken links. Also, the Manual Explore URLs supersede the 'only scan in and below' option.
    Another option to limit scan scope would be Exclusions/Exceptions:
    you could add the exclusion
    regexp:.*
    with the exception
    regexp:.*\/dir3\/.*
    to limit a scan to only contents under dir3.

    Regards,
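The following is an added example, not code from the thread or from AppScan: a small scope checker that models the two limits discussed above, the "only scan links in and below the directory of each starting URL" setting from the original post and the exclusion/exception regexps suggested in the reply, and runs it over the URLs quoted in the thread as a constructed log sample. It assumes (an assumption, not documented behaviour of AppScan) that a "regexp:" entry is matched against the whole URL and that a plain entry is a literal prefix; the helper names, the sample URL list and the extra "/dir1/dir2/index.html" line are made up for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of requested URLs: the ones quoted in the thread plus one
# in-directory page (index.html) so every outcome below is exercised.
LOGGED_URLS = [
    "https://somesite.fake/dir1/test.php",
    "https://somesite.fake/dir1/admin.txt",
    "https://somesite.fake/test.php",
    "https://somesite.fake/admin.txt",
    "https://somesite.fake/test.pl",
    "https://somesite.fake/dir1/dir2/index.html",
    "https://somesite.fake/dir1/dir2/dir3/index.php?cmd=blah1",
    "https://somesite.fake/dir1/dir2/dir3/index.php?cmd=blah2",
    "https://somesite.fake/dir1/dir2/dir3/100010",
]

# The configuration from the thread (regexps as the reply suggests them).
START_URL = "https://somesite.fake/dir1/dir2/"
EXCLUSIONS = ["regexp:.*"]
EXCEPTIONS = [r"regexp:.*\/dir3\/.*"]


def starting_directory(start_url):
    """Return (scheme, host, directory) for a starting URL.

    The directory is the path up to and including its last '/', so a starting
    URL without a trailing slash ('.../dir1/dir2') yields '/dir1/', not
    '/dir1/dir2/'. That is the usual reading of 'the directory of' a URL.
    """
    parts = urlsplit(start_url)
    path = parts.path or "/"
    return parts.scheme.lower(), parts.netloc.lower(), path[: path.rfind("/") + 1]


def in_and_below(url, start_url):
    """Model of 'only scan links in and below the directory of each starting URL':
    same scheme and host, and the request path begins with the start directory."""
    scheme, host, directory = starting_directory(start_url)
    p = urlsplit(url)
    if p.scheme.lower() != scheme or p.netloc.lower() != host:
        return False
    return (p.path or "/").startswith(directory)


def compile_entry(spec):
    """Turn one exclusion/exception entry into a predicate over a URL.
    Assumption: 'regexp:' entries match the whole URL; other entries are prefixes."""
    if spec.startswith("regexp:"):
        rx = re.compile(spec[len("regexp:"):])
        return lambda u: rx.fullmatch(u) is not None
    return lambda u: u.startswith(spec)


def in_scope(url, exclusions, exceptions):
    """A URL is out of scope when an exclusion matches it and no exception does."""
    excluded = any(m(url) for m in map(compile_entry, exclusions))
    excepted = any(m(url) for m in map(compile_entry, exceptions))
    return not excluded or excepted


def audit(urls, start_url, exclusions, exceptions):
    """Classify each logged request against both limits.

    Returns a dict mapping URL -> 'ok', 'above starting directory' or 'excluded',
    which is the check a tester would run over a proxy or scan log to find
    requests that left the intended scope.
    """
    report = {}
    for u in urls:
        if not in_and_below(u, start_url):
            report[u] = "above starting directory"
        elif not in_scope(u, exclusions, exceptions):
            report[u] = "excluded"
        else:
            report[u] = "ok"
    return report


if __name__ == "__main__":
    for url, verdict in audit(LOGGED_URLS, START_URL, EXCLUSIONS, EXCEPTIONS).items():
        print(f"{verdict:26} {url}")
```

Run as a script it lists every URL with its verdict; the five infrastructure-test paths from the thread are reported as above the starting directory, the index.html line is excluded by the `.*` exclusion because it is not under dir3, and only the three dir3 requests are in scope. Note that with `re.fullmatch` semantics the exception pattern needs the `.*` on both sides; a pattern such as `.\/dir3\/.` would match only a single character either side of `/dir3/` and therefore nothing in this sample.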