- What are the minimum system requirements to install AppScan 4.5?
- Where does AppScan install in my IT environment?
- What operating systems does AppScan support?
- Can AppScan function if I configure HTTP on a different port than 80?
- Which protocols does AppScan support?
- How does AppScan explore my application?
- How does AppScan test my application?
- What is Login/Logout Test Control?
- What is Login Before Manual Testing?
- Does AppScan support search engines?
- Can AppScan automatically crawl my site if it requires HTTP authentication?
- Can AppScan automatically crawl my site if my site utilizes client side certificates for authentication?
- Can AppScan automatically crawl my site if my site utilizes NTLM?
- Can I schedule scans?
- What is the Business Record and play and how does it work?
- How does AppScan 4.0 handle JavaScript?
- What is SQL injection and does AppScan test for it?
- What is Cross-Site Scripting and does AppScan test for it?
- What is the offline session mode?
- What source code does AppScan understand?

What are the minimum system requirements to install AppScan 4.5?

Minimum System & Software Requirements:
- Computer: Pentium III PC, 500 MHz (800 MHz recommended)
- Operating System: Windows 2000 with SP2 or higher, Windows XP, Windows 2003 Enterprise edition.
- RAM: 512 Mbytes (1GB recommended for scanning large sites)
- Network: 1 NIC 10/100 MBPS for network communication with configured TCP/IP (100 MBPS recommended)
- Disk Space: 1 GB
- Software: Internet Explorer 5.5 or 6.x (You can install AppScan without IE, but you must install IE before running AppScan on your machine.)

Where does AppScan install in my IT environment?

AppScan is a standalone Windows 2000 or Windows XP application. As a result, it can be installed on any network compatible Windows 2000 Professional or Windows XP machine and run against a site from within or outside of a network firewall.

Which operating systems does AppScan support?

AppScan runs on Microsoft Windows 2000, Windows XP and Windows 2003 Enterprise edition.

Can AppScan function if I configure HTTP on a different port than 80?

Yes, AppScan can be configured to scan on any port (including multiple ports).

Which protocols does AppScan 4.0 support?

AppScan supports HTTP 1.0, HTTP 1.1 and HTML 3.2.

How does AppScan explore my application?

The purpose of the explore stage is to learn the behavior and structure of the application so that the tests AppScan creates and customizes are extremely effective at identifying all potential vulnerabilities. When in automatic mode, AppScan behaves like a user and rapidly visits every page of your site, except for those filtered by configuration settings. For each page it visits, it analyzes the application's handling of the HTTP requests and responses. In the process, it detects potential vulnerabilities in the forms, HTML code, links embedded in JavaScript, and CGIs. Once the explore stage is complete, AppScan has created an extensive battery of custom tests it will run against the site to determine the location and severity of actual vulnerabilities.

How does AppScan test my application?

AppScan's tests are designed to find security defects in the application code itself and in the underlying technologies that support it. Each test is created and customized automatically by AppScan before it is sent to the application. When the application responds to a test, AppScan's Expert Security System quickly and precisely analyzes the response to determine if it indicates a vulnerability or not. In addition, every response is categorized and rated automatically based on the likelihood that it is a vulnerability and the level of risk associated with the vulnerability.

What is Login/Logout Test Control?

Most web-based applications require some form of end user identification. User logon pages are a necessary part of providing many web-based services and can also supply a degree of security to a web application. However, testing these pages with an automated tool can cause problems for the web application's session management capability. Authentication systems are often the source of the problem because account lockout (or deactivation) usually occurs after multiple unsuccessful logon attempts. Further testing of these pages when "out of session" can change the entire landscape of the application test environment and present testing obstacles that may also lead to false positive/negative test results. To circumvent these difficulties, AppScan AE provides Login/Logout Test Control to exclude or include logon/logout pages during an AppScan session. The login pages are clearly indicated in the AppScan Explore Results with a designating icon. By bypassing login/logout pages, AppScan eliminates many of the false negatives/positives that these pages can produce during the automatic scan. These pages can be tested manually at a later time, and the test results are incorporated into the overall test results to assure testing accuracy.

What is Login Before Manual Testing?

Testing web applications that require a session logon can often be a tedious and time-consuming effort. AppScan AE provides the Login Before Manual Testing option, which lets testers store login information so it can be automatically submitted to a web application when performing a manual test. This timesaving feature improves testing efficiency by providing a degree of automation when working in environments that require manual testing.

Does AppScan support search engines?

Yes. Search engines require the input of parameter values from end users like any other application. AppScan can assess the security of search engine web applications.

Can AppScan automatically crawl my site if it requires HTTP authentication?

Yes. AppScan can crawl a site requiring HTTP authentication. Completion of the automatic form filler during the configuration of the explore stage will ensure that AppScan will automatically fill in the user name and password required during the HTTP authentication process.

Can AppScan automatically crawl my site if my site utilizes client side certificates for authentication?

Yes. AppScan supports web sites requiring client side certificates to authenticate users; the AppScan user needs only to load the required certificate in order to scan the site.

Can AppScan automatically crawl my site if my site utilizes NTLM?

Yes. AppScan supports web sites running NTLM. The user only needs to enable this option from within AppScan's General Settings menu.

Can I schedule scans?

Yes. Scan Scheduling is a powerful feature that enables users to trigger scans to run at the optimal times of the day or week. With AppScan it is possible to schedule one or more scans to run from the Scheduler feature in the user interface. Scans can also be scheduled to run remotely from the command line of the computer on which AppScan is installed.

What is the Business Record and Play and how does it work?

Applications are typically designed to facilitate one or more key business processes. AppScan provides users with the opportunity to record and play back a specific business process or a collection of business processes for one-time testing or regression testing as part of a test plan. These business processes are stored as XML, which enables easy modification, retesting, and so on.

How does AppScan handle JavaScript?

Nearly every site today uses JavaScript to enhance client-side functionality. Until now, there hasn't been a testing tool that could explore JavaScript, identify potentially dangerous content, and test the links embedded in it. This problem was solved with the current version of AppScan.
AppScan can parse JavaScript and test any and all of the areas of the application that are accessible through it. This means users no longer have to remember to test JavaScript links manually but can rely on AppScan to do this automatically. Results no longer contain client-side logic "blind spots".

What is SQL injection and does AppScan test for it?

Web applications commonly use SQL to add, edit, or retrieve data from a database. If an application is not sufficiently protected from this form of attack, a hacker can inject SQL commands into a form field and have the backend database execute them. The destructive potential for this attack is enormous. SQL injection can enable a hacker to:
- Obtain any or all of the information stored in the database
- Erase records
- Bring down the database
AppScan runs a series of tests during a scan to determine if the application is vulnerable to SQL injection. It does this safely to ensure that the integrity of the database and its contents are not compromised.
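The contrast the answer describes, as an added example that is not from this FAQ or from AppScan: a lookup built by string concatenation beside the same lookup with bound parameters, plus the kind of non-destructive single-quote check a scanner uses to surface the defect without touching the data. The table, rows and inputs are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table (sample data, not from the FAQ)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def lookup_vulnerable(conn, username):
    # Builds the statement by concatenation, so whatever the form field
    # contains is parsed by the database as SQL syntax.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Parameter binding: the value travels separately from the statement
    # and is never interpreted as SQL, whatever characters it contains.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def probe_for_error(lookup, conn):
    # A scanner's safe check: a legitimate value containing a single quote
    # should be harmless. A database syntax error in the response means the
    # field reached the SQL parser unescaped; no data is read or changed.
    try:
        lookup(conn, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True

def demo():
    conn = make_db()
    tautology = "' OR '1'='1"   # textbook always-true condition
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "vulnerable_error_probe": probe_for_error(lookup_vulnerable, conn),
        "safe_normal": len(lookup_parameterized(conn, "alice")),
        "safe_tautology": len(lookup_parameterized(conn, tautology)),
        "safe_error_probe": probe_for_error(lookup_parameterized, conn),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With concatenation the always-true condition returns every row and the quoted name raises a syntax error; with bound parameters both inputs are treated as plain strings and match nothing unexpected.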

What is Cross-Site Scripting and does AppScan test for it?

Many web applications contain forms and other interactive components that allow the end user to pass information to the application. Instead of passing benign information into the application through the form, hackers will pass scripts (typically written in JavaScript or VBScript) to the application. The scripts usually contain code for forms or other means of collecting information from a web page. As a result of this process, hackers can insert their own scripts into web applications that enable them to do things like:
- Steal user names and passwords
- Collect customer information
AppScan runs a complete series of tests against every application to determine if it is susceptible to this popular type of attack.
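An added example (not the FAQ's or AppScan's code) of the reflection the answer describes: a results page that echoes a submitted search term unencoded beside one that HTML-escapes it, and the simple reflected-marker check a scanner applies to tell them apart. The template and the marker are constructed.

```python
import html

# Constructed response template for a search results page (not from the FAQ).
TEMPLATE = "<html><body><p>Results for: {term}</p></body></html>"

def render_vulnerable(term):
    # Reflects the submitted term into the HTML body unchanged, so any markup
    # or script in the field becomes part of the page the browser executes.
    return TEMPLATE.format(term=term)

def render_escaped(term):
    # Output encoding for the HTML text context: &, <, >, " and ' become
    # entities and the browser displays them as literal text. Attribute and
    # script contexts need their own encoding; this covers body text only.
    return TEMPLATE.format(term=html.escape(term, quote=True))

def is_reflected_as_markup(response, marker):
    # Core of a reflected-XSS check: submit a harmless tagged marker and see
    # whether it comes back byte-for-byte (unencoded) in the response.
    return marker in response

def demo():
    marker = "<b>xss-marker</b>"  # constructed benign probe, not a real payload
    vulnerable = render_vulnerable(marker)
    escaped = render_escaped(marker)
    return {
        "vulnerable_reflects_markup": is_reflected_as_markup(vulnerable, marker),
        "escaped_reflects_markup": is_reflected_as_markup(escaped, marker),
        "escaped_page": escaped,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```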

What is the offline session mode?

AppScan's offline session mode allows a user to access saved audit session data without a connection to the Internet or scanned site. This feature enhances the flexibility of the tool and enables users to view and work with audit session results and generate reports any time, anywhere.

What source code does AppScan understand?

AppScan explores application behavior and looks for security vulnerabilities by analyzing the HTML output of the application. In aggregate, AppScan uses this information to identify potential vulnerabilities and to run a battery of tests against the application that are specifically designed to exploit that kind of suspected vulnerability.
AppShield, AppScan, Policy Recognition, and Adaptive Reduction are trademarks of
Sanctum, Inc. All other product names referenced are the property
of their respective owners and are hereby acknowledged.