An in-depth analysis of Rational AppScan Standard Edition multi-step operations

Source: Internet
Author: User

Preface

IBM Rational AppScan Standard (hereinafter AppScan) is widely recognized and used in the industry as an automated black-box security testing tool for web applications. Many users simply rely on its powerful manual explore and automatic explore features, but this approach does not fit every scenario. When we scan with AppScan we must make sure that the URLs it has explored are valid (especially when the exploration results are to be exported for reuse); a URL is valid when the HTTP request behind it is accepted by the server and processed in the expected way. In some scenarios, several URLs are valid only if they are executed in a specific order. There, the explore-and-test approach just described does not guarantee the validity of the explored URLs, so some of the URL tests may fail. AppScan's multi-step operations exist to handle a group of URLs that must be executed in a particular order. This article introduces AppScan multi-step operations, analyzes how they work, and demonstrates their use with a case study.

Scenarios for multi-step operation

Multi-step operations apply to scenarios in which URLs must be executed in a specific order. In online shopping, for example, the user first adds products to the shopping cart, then provides payment and shipping information, and finally confirms the order to complete it. From the point of view of the business logic there is a clear precedence between these steps. From the point of view of the implementation, the data the user submits on one page is stored on the server side (in the session, for example) and read by the following pages; if the data is not in the session, the application throws an exception and the subsequent URLs cannot be accessed. Wizard-style pages such as online checkout and user registration typically behave this way.

With manual explore, AppScan can discover all the URLs in the scenario above. Once the test phase starts, however, AppScan usually tests with multiple concurrent threads and does not guarantee the order in which those URLs are tested. If a test variant of a later URL is executed first, the server throws an exception because the session data is incomplete, the HTTP response to the variant is a 500 error, and the simulated attack that the variant was meant to carry out never gets a chance to run. Plain explore-and-test in this scenario can therefore silently skip some of the security test cases.

With the scenario and its cause understood, it is not hard to identify where multi-step operations apply. I recommend two approaches. First, the security tester should evaluate the web application thoroughly before testing starts (I suggest adding "Check whether there are URLs that must be executed in a specific order" to the web application evaluation checklist) and, if possible, talk to the system's developers, who know best which URLs must run in a particular order. Second, if conditions permit, enable request/response logging during the AppScan test ("Tools-Options-Scan Options-Enable request/Response logging") and watch the log as the test runs. If it contains long runs of consecutive 500 error responses, analyze those requests and responses carefully: use AppScan's built-in HTTP Request Editor to replay the URLs in their context and check whether they must be executed in sequence.
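The check described above, looking for runs of consecutive 500 responses in the request/response log and listing the URLs that dominate them, can be scripted. The following is an added example, not part of the original article or of AppScan; the log layout ("time method url status") and the sample lines are constructed for the example, so `parse_log` has to be adapted to the real log format before use.

```python
from itertools import groupby

# Constructed sample in a simple "time method url status" layout. AppScan's own
# request/response log format is not reproduced here; adapt parse_log to it.
SAMPLE_LOG = """\
10:00:01 POST /selectFrom 200
10:00:01 POST /selectTo 500
10:00:02 POST /doTransfer 500
10:00:02 POST /doTransfer 500
10:00:03 POST /selectTo 500
10:00:03 GET /index.jsp 200
10:00:04 POST /doTransfer 500
10:00:04 POST /doTransfer 500
10:00:05 POST /doTransfer 500
10:00:05 GET /login.jsp 500
10:00:06 GET /index.jsp 200
"""


def parse_log(text):
    """Parse the sample layout into (time, method, url, status) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            time, method, url, status = line.split()
            rows.append((time, method, url, int(status)))
    return rows


def runs_of_500(rows, min_run=2):
    """Return each run of at least min_run consecutive 500 responses as a list of rows."""
    runs = []
    for is_500, group in groupby(rows, key=lambda row: row[3] == 500):
        group = list(group)
        if is_500 and len(group) >= min_run:
            runs.append(group)
    return runs


def urls_to_check(rows, min_run=2):
    """Count how often each URL appears inside long 500 runs.

    The URLs that dominate these runs are the ones to replay in the HTTP Request
    Editor together with their neighbours, to see whether they depend on an earlier step.
    """
    counts = {}
    for run in runs_of_500(rows, min_run):
        for _, _, url, _ in run:
            counts[url] = counts.get(url, 0) + 1
    return dict(sorted(counts.items(), key=lambda item: (-item[1], item[0])))


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for run in runs_of_500(rows):
        print(f"{len(run)} consecutive 500s starting at {run[0][0]}")
    print(urls_to_check(rows))
```

The `min_run` threshold separates an isolated server error from the sustained failures that the article associates with out-of-order execution; the sample log yields two runs of four, and `/doTransfer` accounts for most of them.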

Fundamentals and use of multi-step operation

This section describes how AppScan multi-step operations work, to help readers understand how they handle several URLs that must be executed in a specific order. Consider a simple scenario: the online shopping flow consists of three pages; on the first the user adds the item to the shopping cart, on the second the user fills in payment and shipping information, and on the third the user confirms and submits the order. With a multi-step operation these three pages are executed as one sequence. AppScan tests the first page first; when it tests the second page it executes the first page beforehand, and when it tests the third page it executes the first and then the second page beforehand. Note that this happens for every test variant: before each variant of the second page the first page is executed, and before each variant of the third page the first and second pages are executed in turn. That guarantees that the URLs each URL depends on have been executed before its test variant runs. Compared with a normal scan, however, a multi-step operation executes the preceding URLs a great many times, so in practice the number of steps (URLs) in a sequence should be kept under control, otherwise performance problems are likely. The general recommendation is to limit a multi-step operation to five sequences, with no more than 25 steps per sequence and fewer than 70 steps in total.

Using multi-step operations is quite intuitive. Figure 1 shows the Multi-Step Operations view. Here the user records a sequence by clicking the red record button shown in the figure. Recording offers two options: "Login and record" and "Record without login". The former runs the login sequence automatically and then starts recording, without making the login part of the recorded sequence; the latter records every URL. Note that AppScan does not monitor session state while a sequence is played back. If the web application logs the user out while a sequence is playing, AppScan will therefore not run the login sequence automatically. In that case it is recommended to record the login process into the sequence itself, so that the login is replayed each time the sequence runs.

Figure 1. Multi-Step Operation view

In addition, Figure 1 contains several important configuration items that the reader needs to understand.

    • Enable playback of this sequence controls whether the current sequence is active. When it is selected, the sequence is enabled and executed when the multi-step operation is tested; when it is cleared, the sequence is deactivated and ignored.
    • Allow playback optimizations lets the AppScan engine optimize playback of the current sequence for performance. When it is selected, AppScan uses a built-in algorithm to analyze the relationships between the URLs in the sequence and decide whether earlier URLs can be skipped when testing a later one, and it also tries to scan the sequence with multiple threads, which improves performance.
    • Test as single-threaded is related to Allow playback optimizations. If Allow playback optimizations is disabled, AppScan tests in single-threaded mode automatically. If it is enabled, AppScan will attempt a multithreaded scan as described above; if you know that the business logic of the scenario must not run concurrently, enable Test as single-threaded.

Once a sequence has been recorded, there are two ways to start the security test of a multi-step operation. To test only the multi-step operation, click the menu "Scan-Test multi-step only", as shown in Figure 2. To run the multi-step operation together with all the other scan tasks, click the menu "Scan-Full Scan": during a full scan AppScan checks whether a multi-step sequence is present and, in some cases, starts the multi-step security test automatically.

Figure 2. Sequence variable expressions for testing multi-step operations with multiple steps

So far everything seems intuitive and simple. Now consider another typical multi-step scenario: user registration. If the system distinguishes between individual and business users, registration consists of three pages: the first asks for the user name, the email address and the requested user type, the second asks for the additional information required for that user type, and the third is the confirmation page for the registration details. This scenario obviously resembles the shopping cart scenario above: each page depends on the input provided on the previous one, so the three pages must be executed in order or an access error occurs. The difference is that the user name and email address on the first page can be submitted only once, because the system enforces a uniqueness constraint on both.

According to the principle of multi-step operations explained above, the first page is executed again every time the second or third page is tested, so the same user name and email address are reused; this clearly violates the uniqueness constraint, the web application throws an exception, and the tests of the second and third pages fail. The obvious remedy is for AppScan to update the user name and email address automatically each time the first page is executed. AppScan does indeed provide a set of variable expressions for exactly this purpose: automatic updating of parameter values.

AppScan built-in sequence variable expression

According to IBM's official documentation, AppScan currently provides five built-in expressions that let sequence variables be updated automatically, either incrementally or with random values. The role of each sequence variable expression is explained below.

    • __SeqVariable__<variable id>__random_integer(min,max)__

This expression inserts a random integer as all or part of a parameter value. <variable id> is a name the user gives the variable so that it can be identified (note: <variable id> has the same role in the other expressions below and is not described again). For example, to have the values of the sequence variable "username" generated randomly, such as User11, User31 or User45, set its parameter value to "User__SeqVariable__p1__random_integer(10,99)__".

    • __SeqVariable__<variable id>__incrementing_integer(min,increment)__

This expression inserts an integer that increases by a fixed step as all or part of a parameter value. For example, to have the values of the sequence variable "username" generated incrementally, such as User1, User2, User3, set its parameter value to "User__SeqVariable__p2__incrementing_integer(1,1)__".

    • __SeqVariable__<variable id>__random_string(length)__

This expression inserts a random string of the given length as all or part of a parameter value. For example, to make the value of the sequence variable "username" a random five-character string, set its parameter value to "__SeqVariable__p3__random_string(5)__".

    • __SeqVariable__<variable id>__date_time()__

This expression inserts the current date and time as all or part of a parameter value. For example, to give the sequence variable "email" a value of the form "AppScan<date>@ibm.com", set its parameter value to "AppScan__SeqVariable__p4__date_time()__@ibm.com".

Note that AppScan renders the date and time in the format "MMDDYYHHMMSS": MM is the current month as two digits (for example 04 for April), DD the day of the month as two digits (for example 16 for the 16th), YY the year as two digits (for example 12 for 2012), HH the hour as two digits on a 24-hour clock (for example 13 for 1 P.M.), the second MM the minute as two digits, and SS the second as two digits. For example, if the current time is April 16, 2012, 1:02:03 P.M., the generated value is "041612130203".

    • __SeqVariable__<variable id>__date_time_milliseconds()__

This expression works like the previous one, except that the value is accurate to the millisecond.
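To make the five expressions concrete, here is an added example (not AppScan's own implementation, which the page does not show) that finds the expressions inside a parameter value and replaces them with generated values. The precise semantics are assumptions stated in the class docstring: inclusive ranges for random_integer, one counter per <variable id> for incrementing_integer, an alphanumeric alphabet for random_string, the MMDDYYHHMMSS layout described above for date_time, and three extra digits for date_time_milliseconds. The clock and random seed are injectable so that the page's own example time (April 16, 2012, 1:02:03 P.M.) can be reproduced.

```python
import random
import re
import string
from datetime import datetime

# One regex for the five documented expressions; <variable id> is the run of word
# characters between the "__SeqVariable__" prefix and the function name.
SEQ_VAR = re.compile(
    r"__SeqVariable__(?P<vid>\w+?)__"
    r"(?P<func>date_time_milliseconds|date_time|random_integer|incrementing_integer|random_string)"
    r"\((?P<args>[^)]*)\)__",
    re.IGNORECASE,
)


class SequenceVariableExpander:
    """Replaces every expression in a parameter value with a generated value.

    AppScan's exact engine behaviour is not on the page; these are the assumptions used
    here: random_integer(min,max) is inclusive on both ends, incrementing_integer(min,
    increment) keeps one counter per <variable id> starting at min, random_string(length)
    draws from [A-Za-z0-9], date_time() renders MMDDYYHHMMSS on a 24-hour clock and
    date_time_milliseconds() appends three digits.
    """

    ALPHABET = string.ascii_letters + string.digits

    def __init__(self, seed=None, clock=datetime.now):
        self._rng = random.Random(seed)   # seedable so runs are reproducible
        self._clock = clock               # injectable so timestamps can be fixed
        self._counters = {}

    def _evaluate(self, match):
        vid = match.group("vid").lower()
        func = match.group("func").lower()
        args = [a.strip() for a in match.group("args").split(",") if a.strip()]
        if func == "random_integer":
            return str(self._rng.randint(int(args[0]), int(args[1])))
        if func == "incrementing_integer":
            value = self._counters.get(vid, int(args[0]))
            self._counters[vid] = value + int(args[1])
            return str(value)
        if func == "random_string":
            return "".join(self._rng.choice(self.ALPHABET) for _ in range(int(args[0])))
        now = self._clock()
        stamp = now.strftime("%m%d%y%H%M%S")     # MMDDYYHHMMSS
        if func == "date_time_milliseconds":
            stamp += "%03d" % (now.microsecond // 1000)
        return stamp

    def expand(self, value):
        return SEQ_VAR.sub(self._evaluate, value)


def fixed_clock():
    """The page's own example time, April 16, 2012, 1:02:03 P.M. (123 ms is constructed)."""
    return datetime(2012, 4, 16, 13, 2, 3, 123000)


def demonstrate():
    """Expand the page's examples with a fixed clock and seed and return the results."""
    expander = SequenceVariableExpander(seed=7, clock=fixed_clock)
    return {
        "email": expander.expand("AppScan__SeqVariable__p4__date_time()__@ibm.com"),
        "uid": expander.expand("Test__SeqVariable__uid__date_time_milliseconds()__@ibm.com"),
        "user_first": expander.expand("User__SeqVariable__p2__incrementing_integer(1,1)__"),
        "user_second": expander.expand("User__SeqVariable__p2__incrementing_integer(1,1)__"),
        "user_random": expander.expand("User__SeqVariable__p1__random_integer(10,99)__"),
        "random5": expander.expand("__SeqVariable__p3__random_string(5)__"),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

Calling `expand` twice on the same incrementing_integer expression yields User1 and then User2, which is the property that resolves the uniqueness problem of the registration scenario: each replay of the first page submits a value the server has not seen before.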

How to use sequence variable expressions

The previous section described the five built-in sequence variable expressions. However, the Multi-Step Operations view shown in Figure 1 does not offer a way to edit the value of a sequence variable. Currently the only way is to export the sequence to a local .seq file, open the .seq file in an editor such as Notepad, find the definition of the sequence variable in question, and change its value by hand to one of the expressions above.

For example, suppose we want to change the registration ID in a registration form to the format "Test<date time>@ibm.com". Open the exported sequence file in Notepad and locate the UID parameter in the corresponding form, shown in Listing 1.

Listing 1. Original parameters in the sequence file
<request sessionrequesttype="Login" method="POST" scheme="http" httpversion="http/1.0" numberofpatternparameters="0" host="demo.testfire.net" port="" path="/doregistration" contenttype="urlencoding" boundary="" pathqueryseparator="?" japencoding="">
  <parameter name="UID" value="[email protected]" type="BODY" linkparamtype="SimpleLink" separator="&amp;" operator="="/>
  ...
</request>

Change the value of the sequence variable "UID" shown in Listing 1 to "Test__SeqVariable__uid__date_time_milliseconds()__@ibm.com" (Listing 2) and save the sequence file. Next, delete the original sequence in the Multi-Step Operations view and import the modified sequence file. When the multi-step operation is run, the value of the sequence variable "UID" is now updated dynamically to a value of the form "Test<timestamp>@ibm.com".

Listing 2. Sequence parameter expressions in a sequence file
<request sessionrequesttype="Login" method="POST" scheme="http" httpversion="http/1.0" numberofpatternparameters="0" host="demo.testfire.net" port="" path="/doregistration" contenttype="urlencoding" boundary="" pathqueryseparator="?" japencoding="">
  <parameter name="UID" value="Test__SeqVariable__uid__date_time_milliseconds()__@ibm.com" type="BODY" linkparamtype="SimpleLink" separator="&amp;" operator="="/>
  ...
</request>


Case: Using AppScan multi-step operation

Using IBM's Altoro Mutual system, a demonstration application with web security vulnerabilities, the author implemented a simple scenario in which several URLs must be executed in a specific order. This section introduces the scenario and shows how to scan it with an AppScan multi-step operation.

Case Scenario Introduction

Figures 3 to 6 show the whole flow. The user has logged in to the Altoro Mutual banking system and can transfer funds. The transfer takes three steps: the user first selects the account to transfer funds from, then the account to transfer funds to, and finally enters the amount; after a successful transfer the system shows a confirmation message. To help the reader understand the author's implementation, each page is summarized below. On the page in Figure 3, after the user has selected the source account and clicked Next, the form is submitted to the JSP file behind the next page.

Figure 3. Select funds to transfer out account

The JSP file behind Figure 4 checks that the request contains the source account, throws an exception if it does not, and otherwise stores the source account in the session. After the user selects the destination account and clicks Next, the form is submitted to the JSP file behind the next page.

Figure 4. Select funds to transfer to account

The JSP file behind Figure 5 checks that the request contains the destination account, throws an exception if it does not, and otherwise stores the destination account in the session. After the user enters the amount and clicks Transfer, the form is submitted to the next page.

Figure 5. Amount of funds to transfer

The page in Figure 6 reads the destination and source accounts from the session and the amount from the HTTP request, validates the parameters and then executes the transfer. Once the transfer succeeds, the confirmation message is shown.

Figure 6. Successful transfer of funds
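The fundamentals section explained why an ordinary scan produces 500 errors on the later steps and why multi-step playback replays the preceding URLs before every test variant; the case scenario above shows the server side of the same thing. The following added simulation, which is not the author's JSP code nor AppScan's engine, puts both halves together: a toy three-step transfer application with the session checks of Figures 4 to 6, and a scanner that either sends each test variant straight to its URL or replays the sequence prefix first. The URL names, parameter names and the two benign test variants per step are constructed for the example.

```python
# Constructed simulation, not Altoro Mutual's JSP code: a three-step transfer where each
# page needs what the page before it stored in the session (Figures 3 to 6).
class TransferApp:
    def __init__(self):
        self.sessions = {}

    def handle(self, session_id, path, params):
        session = self.sessions.setdefault(session_id, {})
        try:
            if path == "/selectFrom":        # Figure 4: source account must be in the request
                session["from_account"] = _require(params, "from_account")
            elif path == "/selectTo":        # Figure 5: source account must be in the session
                _require(session, "from_account")
                session["to_account"] = _require(params, "to_account")
            elif path == "/doTransfer":      # Figure 6: both accounts must be in the session
                src, dst = _require(session, "from_account"), _require(session, "to_account")
                amount = float(_require(params, "amount"))
                if amount <= 0:
                    raise ValueError("amount must be positive")
                session.clear()              # the wizard state is consumed by the transfer
                return 200, f"transferred {amount:.2f} from {src} to {dst}"
            else:
                return 404, "not found"
            return 200, "ok"
        except (KeyError, ValueError) as exc:   # an unhandled exception becomes a 500
            return 500, f"internal server error: {exc}"


def _require(mapping, key):
    if not mapping.get(key):
        raise KeyError(f"missing {key}")
    return mapping[key]


# The recorded sequence: (URL, parameters) in the order the wizard expects.
SEQUENCE = [
    ("/selectFrom", {"from_account": "checking"}),
    ("/selectTo", {"to_account": "savings"}),
    ("/doTransfer", {"amount": "25"}),
]


def variants(params):
    """Two benign test variants per step: the recorded value with a suffix appended."""
    for suffix in ("1", "2"):
        yield {k: v + suffix for k, v in params.items()}


def scan(app, session_id, replay_prefix):
    """Run every variant of every step and return {URL: sorted list of status codes}.

    Steps are visited in reverse order to stand in for the worst-case thread scheduling
    of an ordinary scan. With replay_prefix the steps before the one under test are
    replayed before each variant, which is what multi-step playback does.
    """
    seen = {}
    for index in reversed(range(len(SEQUENCE))):
        path, params = SEQUENCE[index]
        for mutated in variants(params):
            if replay_prefix:
                for pre_path, pre_params in SEQUENCE[:index]:
                    app.handle(session_id, pre_path, pre_params)
            status, _ = app.handle(session_id, path, mutated)
            seen.setdefault(path, set()).add(status)
    return {path: sorted(codes) for path, codes in seen.items()}


def compare():
    """Status codes per URL without and with prefix replay."""
    without = scan(TransferApp(), "s1", replay_prefix=False)
    with_replay = scan(TransferApp(), "s2", replay_prefix=True)
    return without, with_replay


if __name__ == "__main__":
    without, with_replay = compare()
    print("ordinary scan:      ", without)
    print("multi-step playback:", with_replay)
```

Without replay, every variant of `/selectTo` and `/doTransfer` is answered with a 500 before the mutated value reaches the page's own validation, which is exactly the silently skipped test case the article warns about; with replay, every variant reaches its page. Note that `/doTransfer` clears the session on success, so even two consecutive variants of the last step need the prefix replayed again, which is why playback repeats it for every variant.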

Case Scan Configuration

This section walks through the scan configuration for the case in detail.

    1. Create a new web application scan. I directly select AppScan's predefined demo.testfire.net template, as shown in Figure 7. Choose Web Application Scan as the scan type, then click Next through the default start URL, login sequence and test strategy.
Figure 7. New scan

    2. In the Completing the Scan Configuration Wizard screen, select "I will start the scan later" and click Done, as shown in Figure 8. Select the menu "File-Save" to save the current scan configuration.
Figure 8. Completing the Scan Configuration Wizard

    3. Click the menu "Scan-Scan Configuration" to open the Scan Configuration dialog and click "Multi-Step Operations" on the left to enter the Multi-Step Operations view. As shown in Figure 9, select "Login and record" to record a multi-step sequence, then manually walk through the complete transfer flow described above in the browser that AppScan opens.
Figure 9. Recording a multi-step sequence

    4. Check every step and URL recorded by AppScan, as shown in Figure 10. In real projects readers must review these URLs and remove those unrelated to the scenario; as stressed earlier, the number of steps in a sequence should be kept under control, otherwise performance problems are likely. Click OK and save the current scan configuration.
Figure 10. Check the recorded sequence

    5. Click the menu "Scan-Test multi-step only" to start the security scan of the sequence. Via the menu "View-Scan Log" you can see that AppScan first executes the login sequence, then loads the multi-step sequence, validates each URL in the sequence, and finally tests each URL.
Figure 11. Scan Log

This completes the demonstration of a simple multi-step operation scan. If in real work the user runs into the parameter uniqueness constraint problem described earlier, it is enough to export the current sequence from the Multi-Step Operations view shown in Figure 10, modify the sequence file as shown in Listings 1 and 2, import the modified sequence file, delete the original sequence, and run the multi-step operation scan again.

Conclusion

This article has shown how to use Rational AppScan Standard Edition to security-scan a scenario in which several URLs must be executed in a specific order. The author has found that many users overlook the particularity of such scenarios and scan them with ordinary explore-and-test, which causes many of the URL vulnerability test cases not to run. The article therefore explained what is special about these scenarios and examined the principle and usage of AppScan's solution, multi-step operations. Since the parameter uniqueness constraint problem is frequently encountered with multi-step operations, the article also showed how to use sequence variable expressions to update parameters automatically. Finally, the use of AppScan multi-step operations was demonstrated with a case study. I hope it helps readers improve the quality of their scans.

Reprinted from: http://www.ibm.com/developerworks/cn/rational/r-cn-appscanmultiplesteps/
