I've noticed during 'manual explore' scans that AppScan does not appear to be honoring the "In starting domains, only scan links in and below the directory of each starting URL" setting. Here is a simplified scenario
Under "What to Scan":
-I have a starting URL set for:
-I have checked "In starting domains, only scan links in and below the directory of each starting URL".
-I have the following URL defined in "Manual Explore":
Under "Explore Options":
-I have checked "Specified URLs limit (URLs specified in Starting URLs, Manual Explore and Recorded Login properties. No spidering)".
However, when I review logs, I consistently see requests for stuff like
... is this intended behavior? I was thinking that NO tests would be executed above the directory path that I had set. I'm wondering if the tests that look for admin functionality are an exception, since they would typically be relatively 'low impact'. Although, I suppose of test.pl did exist and had some unfriendly functionality associated with it, I might be feel differently.
This is only a simplified example. A more realistic example would be a situation where I wanted to manually scan a list of web services...
and NOT allow appscan to touch any contents above "https://somesite.fake/dir1/dir2/dir3/".
FWIW, I've also noticed during manual explore (no-spider) scans, exceptions and exclusions are not honored (this actually makes a little more sense).
In any event, if anyone can tell me how to prevent AppScan from doing ANY tests above the directory I intended, I would appreciate it.
This topic has been locked.
Pinned topic "...only scan links in and below the directory of each starting URL"?
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
warrenm1 270001F39C224 Posts
Re: "...only scan links in and below the directory of each starting URL"?2013-02-19T21:56:18ZThis is the accepted answer. This is the accepted answer.Hi,
Come from many infastructure tests which look to access known paths that either shouldn't be accessible, or that are tied to known vulnerable 3rd party components, they aren't a part of the auto explore but a function of these tests.
For your second example you should open a support pmr so the logs can be reviewed in more detail, the only expected requests outsides the scans configured scope should be HEAD requests that just look for broken links. Also the Manual Explored url's supercede the 'only scan in and below' option.
Another option to limits scan scope would be with Exclusions/Exceptions
you could add the exclusion
with the exception
to limit a scan to only contents under dir3.