Appscan usage sharing

 

Here we will mainly share how to use appscan to perform security scans on some features of a major project.

------------------------------------------------------------------------

In fact, we know little about security testing. Because the company requires security scanning for the product every month. I have mastered one-person tips, so I will share them with you.

Because the product is large and there are many functional modules, we cannot scan the entire product. Each tester is responsible for testing different modules. We only need to scan the module that is responsible for testing.

The scan tool is IBM appscan., Powerful and easy to use. I have used or heard of this tool for security testing. I will not mention it here.

 

Extract links to the scan Function

First, extract the scan link.FiddlerTool to extract. Open the system, find the functional module you want to scan, and enableFiddlerIntercept the function, and then perform various operations on the function you want to test,FiddlerIt will record all access links, because privacy is involved, so it will be vague.

In fact, there are many links in the request, but many of them are the same. We only need to find all the different links. Here you need to know the status of each connection. Some external links do not need to be extracted.

 

 
Aaa.bbb.cng2.aaa.bbb.cng1.aaa.bbb.cnwebapp.aaa.bbb.cnuec.aaa.bbb.cnaddrapi.aaa.bbb.cnsmsrebuild1.aaa.bbb.cndisk2.aaa.bbb.cnmw.aaa.bbb.cnscriptlog.aaa.bbb.cnimages.139cm.comappmail.aaa.bbb.cngfile5-disk.aaa.bbb.cngfile8-disk.aaa.bbb.cngfile7-disk.aaa.bbb.cn
 

After all the links are extracted, there will be few. Remove duplicates.

 

 

 Complete Configuration Wizard

 

Open belowAppscanCreate a scan. (AboutAppascanDownload, install, crack, and describe. I have already mentioned this in another blog post)

Select regular scan to enter the Configuration Wizard. Click Next To Go To Configuration

 

The above step is the focus, starting fromURLEnter the URL you want to scan. Other servers and domains: All links extracted are added here. Including the homepage link of the website. Click Next.

 

Three methods are provided to record accounts. The first and third are the most commonly used.

 

Click the next step and select the third or fourth option to complete the scan.

 

 

Recording scan script

 

After the configuration is complete, we will start recording the script.

Click the explore button on the toolbar,AppscanThe built-in browser will be opened, enter the system username and password to log on to the system, and perform operations on the function of the module you want to scan.

Appscan opened for meBuilt-inBrowser (unable to access because the url I entered is incorrect ). After the operation is complete, click the pause button to close the browser window.

 

After the browser is closed, all the connections you accessed will be recorded in the window above, and click OK. All the information will be recorded. Next, click scan on the toolbar to start scanning. We usually get off work in the evening. We can check the scan results the next morning.

------------------------------------

It would have ended up here. I will talk about more settings. Haha! During manual exploration, because the browser opened is appscanIt may have compatibility issues, and some pages cannot be opened normally. Can we use a browser on our computer (IEFirefox, Google. Of course.

Menu Bar--Tools---Option----Advanced

 

This must be a big image. We only need to modify it.Openexternalbrowser OptionThe "value" parameter is enough (1 = IE,2 = Firefox,3 = chrome).

-----------------

 

Security Testing has a promising future. It started very late in China and has been paid more and more attention in the past two years. Companies are paying more and more attention to security.

 

Appscan usage sharing