AppScan focuses only on the security of the application layer.
I. AppScan scan types
1. White-box scan = static scan: scans the source code.
2. Dynamic scan = black-box scan: the tool simulates attacks against the running application and observes the application layer's response. A product typically contains a large number of vulnerable libraries; when the mock attack is sent to our application, the tool analyzes the response.
II. AppScan Web application scanning process
III. Advantage: automatic network exploration capability
IV. Setting up the Scan Configuration Wizard
Test URL: http://demo.testfire.net/bank/login.aspx
File -> New -> Predefined Templates (select "General Scan" as an example) -> Web Application Scan -> enter the URL to be tested
Click "Record"
Username:jsmith
password:demo1234
Then close the "Altoro Mutual: Online Banking Login - AppScan Browser" window. In the Scan Configuration Wizard, the "Log in application using the following login sequence" box will show the URLs recorded during the successful member login; then click "Next".
Then click Next
Click Finish
Select "Yes" to save automatically
Save Scan Results
V. Web Services scan
Interface Test URL: http://demo.testfire.net/transfer/transfer.asmx?wsdl
In the Scan Configuration Wizard, select Generic Service Client
Set the Start URL
Default Test Policy: Web Service
Complete
The Generic Service Client window is displayed
Enter the User ID and select the call to invoke
Enter the Transfer interface data
Invoke the method
After the exploration is complete, close the Generic Service Client window; AppScan will analyze the results of the exploration and scan
Then select "Test Only" in the scan options
Show scan results
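The exploration step above (the Generic Service Client reading the WSDL and presenting each operation with its inputs) can be illustrated with a small added example that is not part of the original notes or of AppScan itself. It parses a constructed WSDL (a stand-in shaped like a transfer service, not the real demo.testfire.net document) and lists every SOAP operation with the input fields it accepts, which is the inventory a defender checks input validation against.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "xs": "http://www.w3.org/2001/XMLSchema"}

# Constructed sample WSDL for a toy transfer service; it is not the document
# served by demo.testfire.net, only a stand-in shaped like one.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="urn:example:transfer" targetNamespace="urn:example:transfer">
  <types><xs:schema targetNamespace="urn:example:transfer">
    <xs:element name="Transfer"><xs:complexType><xs:sequence>
      <xs:element name="userId" type="xs:string"/>
      <xs:element name="toAccount" type="xs:string"/>
      <xs:element name="amount" type="xs:decimal"/>
    </xs:sequence></xs:complexType></xs:element>
    <xs:element name="GetBalance"><xs:complexType><xs:sequence>
      <xs:element name="accountId" type="xs:string"/>
    </xs:sequence></xs:complexType></xs:element>
  </xs:schema></types>
  <message name="TransferIn"><part name="p" element="tns:Transfer"/></message>
  <message name="GetBalanceIn"><part name="p" element="tns:GetBalance"/></message>
  <portType name="TransferPort">
    <operation name="Transfer"><input message="tns:TransferIn"/></operation>
    <operation name="GetBalance"><input message="tns:GetBalanceIn"/></operation>
  </portType>
</definitions>"""

def _local(qname):
    """Strip a namespace prefix: 'tns:Transfer' -> 'Transfer'."""
    return qname.split(":", 1)[-1]

def enumerate_operations(wsdl_text):
    """Map each portType operation to the (field, type) list of its input message."""
    root = ET.fromstring(wsdl_text)
    schema_elems = {e.get("name"): e
                    for e in root.findall("wsdl:types/xs:schema/xs:element", NS)}
    messages = {m.get("name"): m for m in root.findall("wsdl:message", NS)}
    ops = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        msg = messages[_local(op.find("wsdl:input", NS).get("message"))]
        elem = schema_elems[_local(msg.find("wsdl:part", NS).get("element"))]
        ops[op.get("name")] = [(f.get("name"), _local(f.get("type")))
                               for f in elem.iterfind(".//xs:element", NS)]
    return ops

if __name__ == "__main__":
    for name, fields in enumerate_operations(SAMPLE_WSDL).items():
        print(name, fields)
```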
VI. Glass Box scanning - Architecture
Open the Web App scan file and select Glass box Agent Management -> Glass box Agent from the Tools menu.
Glass box scanning can help users discover hidden parameters and pages.
VII. Record Agent
1. Use of AppScan Tools