  • Latest Post - 2014-06-19T13:02:41Z by warrenm1

AppScan not finding issues that PCI scanners find

2014-06-17T21:47:09Z

Once a year we go through PCI compliance.  There is an outside vendor that does this for us and they scan our site and servers.  The scans are based on OWASP Top 10.  The problem I am running into is that they are finding XSS issues and some other things that AppScan doesn't seem to find.  I have run every available test AppScan Standard has to offer against the areas they found issues and it doesn't find anything.  I am wondering if anyone else has had these issues and if anyone might have any insight into other test policies I can import that might catch the issues.



  • Arnab Roy

    Re: AppScan not finding issues that PCI scanners find



    First you need to understand whether the issues reported by the third-party tool are real issues or false positives. Could you flag them manually as well?

    If they are real issues and not false positives, and AppScan does miss flagging the same XSS vulnerabilities (a false negative), then IBM AppScan Support needs to check the logs (AppScan logs) to understand what kind of tests were sent to the URLs in question! It might happen that we do not flag certain vulnerabilities because such test payloads are not present in the available test policies; however, that is highly unlikely.

    You can filter the Test Policy in AppScan to verify what kind of Cross-Site Scripting tests are available. Also, ensure that you are testing with the latest version of the tool, i.e. 9.0.

    I would also suggest you open a PMR for support to further investigate.


  • warrenm1

    Re: AppScan not finding issues that PCI scanners find



    There are many possible reasons this could happen. As Arnab suggested, one reason would be that AppScan doesn't have the specific variant that succeeded, although I don't see this very often, especially with XSS, since the XSS analyzer has millions of possible injections.  What I think is more likely in this case is some other configuration problem in your scan limiting its coverage. Here are a few tips to maximize your coverage:


    • Ensure that when scanning an application with a web-based login you always use a recorded login and that in-session detection is enabled (failing to do so can lead to massive coverage gaps and inaccuracies).
    • Perform a manual explore of the application to fill in any form inputs that it requires (AppScan will re-use the inputs you train it with during automatic testing).
    • If any pages are state induced, i.e. you need to go to page 1 before visiting page 2 (like a survey or shopping cart process), ensure these are captured as Multi-Step sequences.
    • Another option, Test Options/Use Adaptive testing, can be beneficial to speed up scans by turning off tests that are less likely to succeed based on some probing responses, but if the target doesn't respond consistently it can lead to not sending some potentially valuable variants; if you want to be as thorough as possible, turn adaptive testing off.
    • Per the last point, if the server isn't always stable under load consider running the scan at 1 thread to reduce AppScan's impact on the target; it will slow down the scan but will also usually minimize these types of problems.
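The first tip above (recorded login plus in-session detection) illustrated as an added example that is not from this thread or from AppScan: a constructed stand-in application that silently expires its session after a few requests is crawled once without and once with in-session detection, which re-plays the recorded login whenever the logged-in marker disappears from a response. The names FakeApp, crawl and the "/logout" link marker are assumptions made for the illustration.

```python
import re
from typing import Dict, List

# Constructed stand-in for a target whose session dies after a fixed number
# of requests (an idle timeout or a single-use session); hypothetical app.
class FakeApp:
    def __init__(self, session_ttl: int) -> None:
        self.session_ttl = session_ttl
        self.requests_left = 0
        self.logins = 0          # how often the recorded login was replayed

    def login(self) -> None:
        """Replaying the recorded login sequence yields a fresh session."""
        self.logins += 1
        self.requests_left = self.session_ttl

    def get(self, path: str) -> str:
        # Out of session: the app answers every URL with its login form (200 OK),
        # so a scanner that does not inspect the body keeps "crawling" the form.
        if self.requests_left <= 0:
            return '<form action="/login"><input name="user"></form>'
        self.requests_left -= 1
        return f'<html><a href="/logout">Logout</a><h1>{path}</h1></html>'

# In-session pattern: something that only appears in logged-in responses.
IN_SESSION = re.compile(r'href="/logout"', re.IGNORECASE)

def crawl(app: FakeApp, paths: List[str], in_session_detection: bool) -> Dict[str, str]:
    """Visit each path; report 'covered' (real page seen) or 'missed' (login form)."""
    app.login()                      # recorded login replayed at scan start
    results: Dict[str, str] = {}
    for path in paths:
        body = app.get(path)
        if in_session_detection and not IN_SESSION.search(body):
            app.login()              # marker gone: re-login and retry this request
            body = app.get(path)
        results[path] = "covered" if IN_SESSION.search(body) else "missed"
    return results

if __name__ == "__main__":
    pages = [f"/page{i}" for i in range(8)]
    for enabled in (False, True):
        app = FakeApp(session_ttl=3)
        res = crawl(app, pages, in_session_detection=enabled)
        missed = [p for p, v in res.items() if v == "missed"]
        print(f"in-session detection={enabled}: logins={app.logins}, missed={missed}")
```

Without detection the scan tests only the first three pages and silently runs every later request against the login form, which is exactly the kind of coverage gap that lets a second scanner find issues on pages AppScan never really tested.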