Overview of In-Session detection in IBM Security AppScan Standard.
With AppScan Standard you can use one of the following mechanisms to handle pages of the scanned application that require a login (see Scan Configuration > Login Management > Login/Logout):
- Recorded login - this option is described below.
- Prompt login - AppScan prompts you to log in manually every time a login is required.
- Automatic login - AppScan logs in to the application automatically using the given credentials (User Name and Password):
  - During the explore stage, AppScan searches for logout requests that match the predefined logout pattern.
  - Once AppScan finds its first logout request, it checks which request led to that logout request and sets it as the in-session request.
  - AppScan then creates an in-session pattern based on the response to that request and the link to the logout request.
- No login - AppScan does not log in at all and will not scan pages that require a login.
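The Automatic login steps above (find the first logout request, take the request that led to it as the in-session request, build a pattern from that response and its logout link) as an added example; this is not IBM's code, and the explore log, URLs and logout pattern are all constructed here:

```python
"""
Added example, not IBM's code: derive an in-session check from a logout
pattern the way the Automatic login description outlines. The explore log,
URLs and the logout pattern below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Exchange:
    """One request/response pair recorded during the explore stage."""
    method: str
    url: str
    referer: Optional[str]
    status: int
    body: str


# Stand-in for the predefined logout pattern (assumption: the real list is longer).
LOGOUT_PATTERN = re.compile(r"log(out|off)|sign[-_]?out", re.IGNORECASE)

# Constructed explore log: home, login, an account page linking to logout, the logout itself.
SAMPLE_EXPLORE: List[Exchange] = [
    Exchange("GET", "/", None, 200, '<a href="/login">Log in</a>'),
    Exchange("POST", "/login", "/", 302, ""),
    Exchange("GET", "/account", "/login", 200,
             '<h1>Account</h1><a href="/logout">Sign out</a>'),
    Exchange("GET", "/logout", "/account", 302, ""),
    Exchange("GET", "/login", "/logout", 200, "<form>...</form>"),
]


def first_logout(exchanges: List[Exchange]) -> Optional[int]:
    """Index of the first request whose URL matches the logout pattern, or None."""
    for i, ex in enumerate(exchanges):
        if LOGOUT_PATTERN.search(ex.url):
            return i
    return None


def derive_in_session(exchanges: List[Exchange] = SAMPLE_EXPLORE) -> Optional[dict]:
    """Return the in-session URL and detection pattern derived from the explore log."""
    idx = first_logout(exchanges)
    if idx is None:
        return None          # no logout seen yet: nothing to derive
    logout = exchanges[idx]
    # The request that led to the logout: the latest earlier exchange whose URL is the
    # logout's Referer; fall back to the exchange just before it in explore order.
    origin = next((ex for ex in reversed(exchanges[:idx]) if ex.url == logout.referer), None)
    if origin is None and idx > 0:
        origin = exchanges[idx - 1]
    if origin is None:
        return None
    # Build the pattern from the origin's response: the anchor that links to the logout URL.
    link = re.search(r'<a\b[^>]*href=["\']?' + re.escape(logout.url) + r'["\']?[^>]*>.*?</a>',
                     origin.body, re.IGNORECASE | re.DOTALL)
    pattern = link.group(0) if link else logout.url   # fallback: the bare logout URL
    return {
        "in_session_url": origin.url,
        "logout_url": logout.url,
        "pattern": pattern,
        "pattern_present": pattern in origin.body,    # sanity check before relying on it
    }


if __name__ == "__main__":
    print(derive_in_session())
```

The derived pattern is only useful if it appears in the in-session response and disappears once the session ends; a pattern such as a site-wide footer would pass the first check but never detect an out-of-session state, which is why the pattern is taken from the logout link rather than from arbitrary page text.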
For the Recorded login option, you need to record a login sequence in "Scan Configuration > Login Management > Login/Logout", by pressing the Record... button.
After recording a login sequence, go to the Details tab (Scan Configuration > Login Management > Details) for further configuration of the recorded sequence.
In version 8.8 and later, AppScan Standard has two methods of recording (previously only request-based recording was used):
- Action-based recording - AppScan remembers the actions you took while recording the login.
- Request-based recording - AppScan remembers all the requests sent to the application while recording the login.
If the Use action-based login when possible option is unchecked, AppScan uses only the request-based recording to log in to the application.
The Actions tab lists all recorded actions.
The Requests tab lists the recorded URLs. AppScan marks these URLs (pages) as one of the following types:
One of the pages is marked as In-Session if AppScan detects it. AppScan detects the page by matching the Logout Page Detection strings against the content of that page (the strings can be modified in Scan Configuration > Login Management > Login/Logout > Logout Page Detection).
If no page is detected automatically, select a page, set it as the "In-session" page, and mark its unique pattern using the Select... button.
How AppScan keeps being in-session
When running a scan with Recorded login, AppScan polls the application periodically to check whether it can reach the page marked as "in-session" and whether the marked detection pattern is present in the response. The interval is defined by the setting "Scan Configuration > Advanced Configuration > Session management: In-session heartbeat interval"; by default it is 5 seconds.
If AppScan Standard cannot reach the page (for example, the response is a redirect to the login page or a customized error page), an out-of-session state is detected. AppScan stops the scan, replays the login sequence, confirms a valid session state using the In-Session Detection pattern and, if successful, continues the scan.
If an out-of-session state is detected in the test phase, AppScan stops all of its testing threads, logs in again, checks its in-session state, and then re-runs in single-threaded mode all the tests since the last point at which a valid session state was confirmed. After each test, it polls the in-session page and skips a test if that test caused the session to be invalidated. AppScan continues using one thread for the remaining tests until all have been performed, at which point it returns to the original thread configuration.
If AppScan cannot log in again, it shows an error, as described in "Scan results in error 'out-of-session and is trying to re-login'".
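The heartbeat, re-login and single-threaded replay behaviour described in the three paragraphs above, including the re-login failure, as an added simulation; this is not IBM's code. The target application, its credentials, the tests (one of which, "t5", is constructed to drop the session) and the detection pattern are all made up for the example, and a count of tests between heartbeats stands in for the 5-second interval:

```python
"""
Added example, not IBM's code: a simulation of the in-session heartbeat,
re-login and single-threaded replay behaviour. The target application,
credentials, tests and detection pattern are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

IN_SESSION_URL = "/account"
IN_SESSION_PATTERN = re.compile(r'<a href="/logout">')   # constructed detection pattern
TESTS_PER_HEARTBEAT = 3      # stands in for the 5-second heartbeat interval
ORIGINAL_THREADS = 4         # the scan's normal thread configuration


class FakeApp:
    """Constructed target: session state is a single flag."""
    def __init__(self, user: str = "tester", password: str = "secret"):  # constructed creds
        self.accepted = (user, password)
        self.logged_in = False

    def login(self, user: str, password: str) -> bool:
        self.logged_in = (user, password) == self.accepted
        return self.logged_in

    def get(self, url: str) -> Tuple[int, str]:
        """Return (status, body); out of session means a redirect to the login page."""
        if not self.logged_in:
            return 302, ""
        return 200, '<h1>Account</h1><a href="/logout">Sign out</a>'

    def send_test(self, test_id: str) -> None:
        # Constructed behaviour: test "t5" invalidates the session (e.g. it hits a logout path).
        if test_id == "t5":
            self.logged_in = False


class Scanner:
    def __init__(self, app: FakeApp, creds: Tuple[str, str] = ("tester", "secret")):
        self.app, self.creds = app, creds
        self.threads = ORIGINAL_THREADS
        self.executed: List[str] = []   # every test sent, replays included
        self.skipped: List[str] = []    # tests found to invalidate the session
        self.log: List[str] = []

    def in_session(self) -> bool:
        """Heartbeat: the in-session page must load and contain the detection pattern."""
        status, body = self.app.get(IN_SESSION_URL)
        return status == 200 and IN_SESSION_PATTERN.search(body) is not None

    def replay_login(self) -> bool:
        """Replay the recorded login, then confirm the session with the pattern."""
        self.log.append("login sequence replayed")
        return self.app.login(*self.creds) and self.in_session()

    def run(self, tests: List[str]) -> Dict[str, list]:
        if not self.replay_login():
            raise RuntimeError("out-of-session and is trying to re-login")
        checkpoint = 0   # index of the first test not covered by a confirmed session
        i = 0
        while i < len(tests):
            # Multi-threaded: several tests between heartbeats. Single-threaded: poll after each.
            batch = tests[i:i + (TESTS_PER_HEARTBEAT if self.threads > 1 else 1)]
            for t in batch:
                self.app.send_test(t)
                self.executed.append(t)
            i += len(batch)
            if self.in_session():
                checkpoint = i
                continue
            self.log.append(f"out-of-session detected after {batch[-1]}")
            if not self.replay_login():
                raise RuntimeError("out-of-session and is trying to re-login")
            if self.threads > 1:
                # Stop the pool; replay everything since the last confirmed state, one test at a time.
                self.threads = 1
                self.log.append(f"replaying {i - checkpoint} tests single-threaded")
                i = checkpoint
            else:
                # A single test took the session down: record it as skipped and move on.
                self.skipped.append(batch[0])
                checkpoint = i
        self.threads = ORIGINAL_THREADS   # restore once every test has run
        return {"executed": self.executed, "skipped": self.skipped, "log": self.log}


def simulate(creds: Tuple[str, str] = ("tester", "secret")) -> Dict[str, list]:
    """Run eight constructed tests against the fake application and return the trace."""
    return Scanner(FakeApp(), creds).run([f"t{n}" for n in range(1, 9)])


if __name__ == "__main__":
    for line in simulate()["log"]:
        print(line)
```

In the simulation the first heartbeat after the batch containing "t5" fails, the whole batch is replayed one test at a time, and only then is "t5" identified and skipped; that is the cost of a long heartbeat interval, and the reason the interval is a tunable rather than a fixed value.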