Product Documentation
Abstract
IBM AppScan Enterprise and Standard editions can perform dynamic scanning of deployed web applications. When performing an AppScan dynamic scan of an IBM Worklight server, there are some limitations to be considered.
Content
The IBM Worklight platform has a rich set of security tests that can be enabled to perform application authenticity checking, help prevent cross-site request forgery attacks, and so on. These security tests are implemented as challenge/response protocols between the Worklight client and the Worklight server. AppScan does not understand these protocols at the time of this writing, so if it scans a Worklight server with any of these tests enabled, it cannot complete the authentication exchange and therefore cannot scan the services those tests protect.
To scan the services on the Worklight server, follow the recommendations below. They apply only to a Worklight server in a test environment that is configured for the purpose of running the scan. A production Worklight server should be configured with the security tests appropriate to the security needs of the business.
- Protect the resources to be scanned (static resources, adapters, applications) explicitly with a customSecurityTest. Do not use mobileSecurityTest or webSecurityTest, because these include Worklight-specific challenge/response protocols that AppScan does not currently understand.
- Do not include any of the Worklight predefined authentication realms (such as wl_antiXSRFRealm, wl_authenticityRealm, etc.) in your customSecurityTest. The predefined realms use Worklight-specific challenge/response protocols that AppScan does not currently understand.
- In the realm for your customSecurityTest, use only authenticator classes that rely on a standard login form (com.worklight.core.auth.ext.FormBasedAuthenticator or com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator). Other authenticators, such as com.worklight.integration.auth.AdapterAuthenticator, use Worklight-specific challenge/response protocols that AppScan does not currently understand.
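The following authenticationConfig.xml fragment is an added example of the three recommendations above applied together; it is not taken from this document or from IBM's product samples. It contrasts a mobileSecurityTest, which implicitly pulls in the predefined Worklight realms and so cannot be scanned, with a customSecurityTest that uses only a form-based realm. The names ScanFormTest, ScanFormRealm, ScanLoginModule, the resource id and the URL pattern are placeholders chosen for this example, and the login-page value is an example value.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original document): authenticationConfig.xml for a
     test-environment Worklight server that AppScan can authenticate to.
     ScanFormTest, ScanFormRealm and ScanLoginModule are placeholder names. -->
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config"
                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <staticResources>
    <!-- Static resource protected explicitly by the scannable test
         (resource id and URL pattern are example values) -->
    <resource id="scanConsole" securityTest="ScanFormTest">
      <urlPatterns>/console*</urlPatterns>
    </resource>
  </staticResources>

  <securityTests>
    <!-- NOT scannable: a mobileSecurityTest implicitly adds the predefined Worklight
         realms (wl_antiXSRFRealm, wl_authenticityRealm, device provisioning, ...),
         whose challenge/response exchanges AppScan cannot complete.
         Keep a test of this kind for the production server, not for the scan target. -->
    <mobileSecurityTest name="ProductionMobileTest">
      <testAppAuthenticity/>
      <testDeviceId provisioningType="none"/>
      <testUser realm="ScanFormRealm"/>
    </mobileSecurityTest>

    <!-- Scannable: a customSecurityTest that references only the form-based realm
         and none of the wl_* predefined realms. -->
    <customSecurityTest name="ScanFormTest">
      <test realm="ScanFormRealm" isInternalUserID="true"/>
    </customSecurityTest>
  </securityTests>

  <realms>
    <!-- Standard HTML login form: an AppScan recorded login sequence can drive this.
         The login-page value is an example value. -->
    <realm name="ScanFormRealm" loginModule="ScanLoginModule">
      <className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
      <parameter name="login-page" value="/login.html"/>
    </realm>
  </realms>

  <loginModules>
    <!-- Test-environment only: this login module accepts any user name/password pair,
         which is why this configuration must never be used in production. -->
    <loginModule name="ScanLoginModule">
      <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>
  </loginModules>

</tns:loginConfiguration>
```

To put the adapters and applications under the same test, reference it by name: in the adapter XML, set securityTest="ScanFormTest" on each procedure element to be scanned, and in application-descriptor.xml set the securityTest attribute on the environment element. Resources that keep mobileSecurityTest or webSecurityTest will still reject AppScan's session, so the scan report for them shows authentication failures rather than findings.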
Document Information
More support for: IBM Worklight
Software version: 5.0.6.1, 5.0.6, 5.0.5.1, 5.0.5, 5.0.0.3, 5.0.0.1, 5.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Document number: 603419
Modified date: 19 August 2022
UID: swg27038702