Reprint: http://www.cnblogs.com/fnng/archive/2012/10/09/2717568.html
Here is how to use AppScan to security-scan selected features of a large project.
------------------------------------------------------------------------
In fact, I know very little about security testing. But the company requires a security scan of the product every month, so I have picked up a few skills with the tool, and I am sharing them here.
Because the product is large and has many functional modules, we cannot scan the entire product. Also, each tester is responsible for different modules, so we only need to scan the module we are responsible for testing.
The scanning tool is naturally IBM AppScan: powerful and simple to use. Anyone who has done a bit of security testing has used, or at least heard of, this tool, so it needs little introduction here.
Extracting links to scanned features
The first thing to do is to extract the links to be scanned, using Fiddler. Open the system, find the functional module you need to scan, turn on Fiddler's capture, and then perform the various operations of the function you want to test. Fiddler records every link that was accessed (the details are blurred here because they involve private data).
In fact there are many links among the captured requests, but many of them are the same; we only need to pick out the distinct ones. To do that you need to understand what each link is for. There are also some external links that do not need to be extracted.
After extracting all the links there are quite a few; once the duplicates are removed, there are not that many left.
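Deduplicating the captured links and dropping the external hosts can be scripted rather than done by hand. The following is an added Python example, not code from the original post; the captured URL list and the in-scope suffix `.aaa.bbb.cn` are constructed placeholders, and the output is what you would paste into AppScan's "other servers and domains".

```python
from urllib.parse import urlsplit

# Constructed sample: request URLs as Fiddler lists them after browsing one
# functional module. Placeholder hostnames, not real systems.
CAPTURED_URLS = [
    "http://g2.aaa.bbb.cn/login.do",
    "http://g2.aaa.bbb.cn/login.do?ts=1",
    "http://webapp.aaa.bbb.cn/mail/list.do?page=1",
    "http://webapp.aaa.bbb.cn/mail/list.do?page=2",
    "http://images.139cm.com/logo.png",        # external CDN, out of scope
    "http://disk2.aaa.bbb.cn/upload.do",
    "http://uec.aaa.bbb.cn/addr/api",
]

# Assumption: everything under this suffix belongs to the product under test.
IN_SCOPE_SUFFIX = ".aaa.bbb.cn"


def in_scope(url: str, suffix: str = IN_SCOPE_SUFFIX) -> bool:
    """True when the request host is the product's own domain or a subdomain.

    The leading dot in the suffix prevents 'evil-aaa.bbb.cn' from matching.
    """
    host = urlsplit(url).hostname or ""
    return host == suffix.lstrip(".") or host.endswith(suffix)


def unique_hosts(urls, suffix: str = IN_SCOPE_SUFFIX):
    """Distinct in-scope hosts, one line each for the scan configuration."""
    return sorted({urlsplit(u).hostname for u in urls if in_scope(u, suffix)})


def unique_endpoints(urls, suffix: str = IN_SCOPE_SUFFIX):
    """Distinct in-scope scheme://host/path; query strings are dropped so
    repeated calls to the same page with different parameters collapse."""
    seen = set()
    for u in urls:
        if not in_scope(u, suffix):
            continue
        p = urlsplit(u)
        seen.add(f"{p.scheme}://{p.netloc}{p.path}")
    return sorted(seen)


if __name__ == "__main__":
    print("\n".join(unique_hosts(CAPTURED_URLS)))
    print("\n".join(unique_endpoints(CAPTURED_URLS)))
```

Replace `CAPTURED_URLS` with the URL column exported from Fiddler to get the real list for your module.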
Completing the Configuration Wizard
Now open AppScan to create a scan. (I have covered downloading, installing and cracking AppScan, with an introduction, in another blog post.)
Select General Scan to enter the configuration wizard, then click Next to go on to the configuration.
The step above is the key one: in the starting URL, enter the URL you want to scan. Under "Other servers and domains", add all the extracted links, including the homepage link of the site. Click Next.
There are three login recording methods, no more than that. The first and the third are the most commonly used.
Then click Next a few more times; when the options appear, select the third or fourth one to complete the scan configuration.
Record Scan Script
Once the configuration is complete, record the script as follows.
Click the Explore button on the toolbar. AppScan opens its own browser; enter the system username and password to log in, then operate the functions of the module you want to scan.
This is the browser AppScan opened for me (I entered a wrong URL, so it could not be reached). Once the operations are done, click the Pause button and close the browser window.
When you close the browser, the window above lists all the links you accessed; click OK. All the information is now recorded, so click the scan button on the toolbar to start scanning. We usually start the scan in the evening before leaving work and check the results the next morning.
------------------------------------
I meant to finish here, but I will mention a few more settings. During manual explore, the browser AppScan opens is its own, so there may be compatibility problems and some pages may not open properly. So can we record with a browser on our own computer (IE, Firefox, Chrome) instead? Of course we can.
Menu Bar -- Tools -- Options -- Advanced
This is a large screenshot; we only need to modify the "value" of the openexternalbrowser option (1=ie, 2=firefox, 3=chrome).
-----------------
Security testing is very promising. It started late in China and has only gradually received attention in the last two years; companies are also paying more and more attention to security.
(Reprint) Sharing how to use AppScan