Scanning a web app

Provide the Starting URL and user credentials for the scan, select the type of scan, and (if not previously done) verify your permission to scan the site. Alternatively, you can upload your own AppScan Standard scan (SCAN) or template (SCANT) file for scanning, or a traffic file recorded using the AppScan Presence proxy server (CONFIG). If the site is not available on the Internet, you will also need to create an AppScan Presence, or select an existing one, that has access to the site and to the Internet.

Before you begin

It is recommended that you back up your site before scanning.

For more information about using an AppScan Standard configuration (SCAN or SCANT file) for your scan, see Using AppScan Standard.

For more information about using the AppScan Presence proxy server, see AppScan Presence.

Procedure

To scan your site:

  1. If your site is not available on the Internet, and an AppScan Presence does not yet exist on the server: Create an AppScan Presence.
  2. If you have not yet done so: Create an application for your scans.
  3. In the Application, click Create Scan.
  4. In the What type of app? screen:
    • Public sites (available on the Internet): Click Web > Dynamic > Public Network.
    • Private sites (not available on the Internet): Click Web > Dynamic > Private Network, then select the correct AppScan Presence from the list.
      Note: If an AppScan Presence has not yet been created, you can create it now by clicking Create Presence, and following the instructions here.
  5. In the What URL should we scan? screen:
    1. Type or paste in the URL from where you want the scan to start exploring the site.
      Note: If your app uses the default port (80 for HTTP; 443 for HTTPS), you need not include it in the URL. If you include a non-default port value in the URL, it must be higher than 1024.
    2. To use the regular configuration, leave the No radio button selected. If you want to upload your own AppScan Standard configuration file (SCAN or SCANT), or an AppScan Presence proxy server traffic file (CONFIG), select Yes.
      Important: If you choose "Yes", make sure that the URL you entered above is identical to the Starting URL in the file you upload. Note also that scans based on a configuration file uploaded by the user will not be examined by our Scan Enablers in the event of any issues. If such a scan does not succeed, it will simply fail.
    3. Click Continue.
  6. (If you chose to upload a file:) Click Select file and locate your SCAN, SCANT or CONFIG file, or simply drag-and-drop it into the blue area.
  7. In the Scan Settings screen:
    1. Name: Optionally change the scan Name.
    2. Staging/Production: Select whether your site is a Staging site (under development) or a Production site (live and in use).

      A Staging scan is more thorough but might affect site stability. A Production scan is less likely to do this, but might occasionally do so. For this reason, always back up your data before scanning. See FAQ.

    3. Optionally select the Include additional verified domains check box. Do this only if the scan will include sub-domains other than that of the Starting URL, and you are able to verify all the sub-domains (or they are already verified).
      Example 1:
      - Starting URL: http://b.a.com/home/
      - Site has links to http://c.b.a.com 
        and you want those links included in the scan.
      - Select the check box.
      
      Example 2:
      - Starting URL: http://b.a.com/home/
      - Site has links to http://c.a.com or to http://a.com 
        and you want those links included in the scan.
      - Select the check box and then verify a.com in Step 3
        (unless already verified).
      
    4. Test Policy: Optionally change the type of tests used for the scan:
      Comprehensive (Default): This is the most complete and thorough set of tests, and is used by default.
      Application-Only: This policy includes only application-level tests.
      The Vital Few: This policy includes a selection of tests that have a high probability of success. It can be useful for evaluating a site when time is limited.
    5. Test Optimization: Lets you choose to send all, or an "intelligently selected subset" of all tests in your selected policy (for details, see Test Optimization).
      Normal: Performs in-depth testing, sending all tests that are appropriate for the site as configured. This setting is recommended when a longer scan will not interrupt your development workflow.
      Optimized (Default): Speeds up the scan by sending only tests for the more common, severe and otherwise significant vulnerabilities. This setting is recommended during development, as part of your DevOps cycle, and whenever a faster, overall picture is needed.
    6. Login: If your application requires login, select Yes, and enter valid user credentials so that ASoC can log in to the site.
      Tip: It is recommended to use dedicated test credentials rather than those of an actual user.
      If your app requires a third credential, click Does the app require a third credential?, and enter a valid value, for example:
      PIN# = 1234
      Note that the use of a third credential will require intervention by our Support team, and may cause the scan to take longer than usual. CAPTCHA is not supported.
    7. HTTP Authentication: If your application requires Negotiate, NTLM, Kerberos, ADFS, Basic or Digest authentication, select Yes, and enter domain/username in the first field and password in the second.
    8. Optionally select/clear the Send me an email when the scan is complete check box.
    9. Click Scan.
    If your permissions for running this scan are already verified, the scan starts immediately. Otherwise the URL verification screen appears.
  8. URL verification (appears only if your permission to scan this site has not yet been verified). Select a verification method:
    • Email: Select one of the registered administrators of the site, and the domain or subdomain that you are authorized to scan. An email is sent to that administrator, containing a link to click, confirming your permission to scan the site. You will be able to start the scan only after that link is clicked. The link is valid for seven days; if it is not clicked during that time, you need to repeat this step.
    • File: Download a file and save it to the root folder of your site. The file's presence in the root folder confirms to ASoC your permission to scan the site.
      Important: The verification file must be available from the same scheme, domain and port as the Starting URL. However, once the file is detected by the service, all the domain's applications are verified.
      Important: If you selected the Include additional verified domains check box on the previous page, make sure to verify using a domain that includes all parts of the site you wish to scan.
      Example:
      - Starting URL: https://b.a.com/home/
      - Site has links to https://c.a.com or to https://a.com 
        and you want those links included in the scan.
      - Verify using an a.com email address or by saving the file
        under a.com
  9. Great, let’s verify (appears only if your permission to scan this site has not yet been verified):
    1. When the email link has been clicked, or you saved the verification file in the root folder, click Verify. When verification is complete, the name changes from "Verify" to "Next".
    2. Click Next.
  10. Personal Scan: If you do not want the issues found in this scan to be aggregated with the rest of the issues found in this application, select the Run as a Personal Scan check box. For details see Personal scans.
  11. Click Scan.
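The rules in steps 5 and 7 (port restrictions on the Starting URL, which linked hosts the "Include additional verified domains" check box brings into scope, and which domain you need to verify) and the same-origin requirement for the verification file in step 8 are easy to get wrong when planning a scan. The following Python helpers, added here as an illustration and not ASoC's own code, encode those rules so you can check a planned scan before clicking Scan. Function names, the assumption that verifying a domain covers all of its subdomains (as the Important note in step 8 states), and the verification file name `asoc-verify.txt` are constructed for this example.

```python
from urllib.parse import urlsplit

# Default ports that may be omitted from the Starting URL (step 5).
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url: str):
    """Port implied by the URL, filling in 80/443 when it is omitted."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return DEFAULT_PORTS.get(parts.scheme.lower())


def check_starting_url(url: str) -> list:
    """List the problems with a Starting URL (an empty list means it is acceptable).

    Rules from step 5: scheme must be http or https, and a non-default port
    must be higher than 1024.
    """
    problems = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return ["scheme must be http or https"]
    if not parts.hostname:
        return ["URL has no host"]
    if parts.port is not None and parts.port != DEFAULT_PORTS[scheme] and parts.port <= 1024:
        problems.append("non-default port must be higher than 1024")
    return problems


def host_within(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    The comparison is label-wise, so 'notb.a.com' is not inside 'b.a.com'.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def link_in_scope(starting_url: str, link: str, include_additional: bool,
                  verified_domains=()) -> bool:
    """Would a link's host be covered by the scan?

    Without the check box only the Starting URL's own host is in scope.  With
    it, any host under a verified domain is in scope (assumption: verifying a
    domain covers its subdomains, e.g. verifying b.a.com covers c.b.a.com).
    """
    start_host = urlsplit(starting_url).hostname
    link_host = urlsplit(link).hostname
    if start_host is None or link_host is None:
        return False
    if link_host == start_host:
        return True
    if not include_additional:
        return False
    return any(host_within(link_host, d) for d in verified_domains)


def common_parent_domain(hosts):
    """The domain you would verify to cover every host (Example 2: b.a.com,
    c.a.com and a.com -> a.com).  Returns None when the hosts share fewer
    than two labels, since a bare TLD such as 'com' cannot be verified.
    (Assumption: no public-suffix handling, so 'co.uk'-style suffixes are
    not special-cased.)
    """
    reversed_labels = [h.lower().rstrip(".").split(".")[::-1] for h in hosts]
    common = []
    for labels in zip(*reversed_labels):
        if len(set(labels)) != 1:
            break
        common.append(labels[0])
    if len(common) < 2:
        return None
    return ".".join(reversed(common))


def verification_file_ok(starting_url: str, file_url: str) -> bool:
    """Step 8 requirement: the verification file must be served from the same
    scheme, host and port as the Starting URL (default ports count as equal
    to an explicit 80/443)."""
    s, f = urlsplit(starting_url), urlsplit(file_url)
    return (s.scheme.lower() == f.scheme.lower()
            and s.hostname == f.hostname
            and effective_port(starting_url) == effective_port(file_url))


if __name__ == "__main__":
    # Constructed sample values mirroring Examples 1 and 2 in the procedure.
    print(check_starting_url("http://b.a.com:8080/home/"))          # []
    print(link_in_scope("http://b.a.com/home/", "http://c.b.a.com/", True, ["b.a.com"]))
    print(common_parent_domain(["b.a.com", "c.a.com", "a.com"]))    # a.com
    print(verification_file_ok("https://b.a.com/home/", "https://b.a.com/asoc-verify.txt"))
```

Run it before configuring a scan that spans several hosts: `common_parent_domain` tells you which domain step 8 has to verify, and `verification_file_ok` catches the common mistake of serving the file over HTTP when the Starting URL is HTTPS (or on a different port).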

Results

The new scan is added to the Scans view with its starting time, and a progress bar indicates that the scan is running. When the scan is complete the progress bar closes, the results are summarized in a graph, and (if selected) you receive an email notification. See Working with Scan Results.
Note: Free plan scans are limited to four hours in length, so large or complex sites may not be completely covered within that time.