Overview of In-Session detection in IBM Security AppScan Standard.
With AppScan Standard you can use one of the following mechanisms to handle pages of the scanned application that require a login (see Scan Configuration > Login Management > Login/Logout):
- Recorded login - this option is described below.
- Prompt login - AppScan prompts you to log in manually every time a login is required.
- Automatic login - AppScan logs in to the application automatically using the supplied credentials (User Name and Password). In this mode the in-session request and pattern are determined automatically:
  - During the explore stage AppScan searches for logout requests that match the predefined logout pattern.
  - Once AppScan finds the first logout request, it identifies the request that led to that logout request and sets it as the in-session request.
  - AppScan then creates an in-session pattern based on the response to that request and the link it contains to the logout request.
- No login - AppScan does not log in at all, so pages that require a login are not scanned.
For the Recorded login option, record a login sequence in Scan Configuration > Login Management > Login/Logout by pressing the Record... button.
After recording the login sequence, go to the Details tab (Scan Configuration > Login Management > Details) to configure the recorded sequence further.
The Login Sequence window lists the recorded URLs and marks each URL (page) by type.
One of the pages is marked as In-Session when AppScan detects that its response content contains a string matching the Logout Detection Pattern (a regular expression that can be modified in Scan Configuration > Login Management).
If no page is detected automatically, you can mark a page as in-session yourself and select its unique pattern with the Select In-Session pattern... button.
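The automatic in-session detection described above (find the first logout request during explore, take the request that led to it as the in-session request, and build the in-session pattern from the logout link in that request's response), as an added Python example. This is not AppScan's own code: the explore log, the page contents and the stand-in logout regex are constructed for the example, and the real logout pattern is whatever is configured under Scan Configuration > Login Management.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Stand-in for the predefined logout pattern; the real regex is configurable under
# Scan Configuration > Login Management, and this one is an assumption for the example.
LOGOUT_URL_PATTERN = re.compile(r"log(out|off)|sign(out|off)", re.IGNORECASE)


@dataclass
class Exchange:
    """One request/response pair seen during the explore phase (constructed, not captured)."""
    method: str
    url: str
    referer: Optional[str]  # the request that led to this one, None for the start page
    status: int
    body: str


# Constructed explore log: the crawler fetched /home and then followed two links from it.
EXPLORE_LOG = [
    Exchange("GET", "/home", None, 200,
             '<h1>Welcome, tester</h1><a href="/account">My account</a> <a href="/logout">Sign out</a>'),
    Exchange("GET", "/account", "/home", 200, '<h1>Account</h1><a href="/logout">Sign out</a>'),
    Exchange("GET", "/logout", "/home", 200, "<p>You have been signed out.</p>"),
    Exchange("GET", "/login", "/logout", 200, '<form action="/login" method="post"></form>'),
]


def find_logout_request(log):
    """Return the first explore request whose URL matches the logout pattern, or None."""
    for ex in log:
        if LOGOUT_URL_PATTERN.search(ex.url):
            return ex
    return None


def derive_in_session(log):
    """Pick the in-session request and pattern the way the automatic-login flow does:
    the request that led to the first logout request is the in-session request, and
    the link to the logout request in its response is the in-session pattern.
    Returns (in_session_url, compiled_pattern), or None if nothing can be derived."""
    logout = find_logout_request(log)
    if logout is None or logout.referer is None:
        return None  # no automatic choice; the user must use "Select In-Session pattern..."
    parent = next((ex for ex in log if ex.url == logout.referer), None)
    if parent is None:
        return None
    # The pattern is the anchor pointing at the logout request, exactly as the parent page renders it.
    link = re.compile(r'<a\s[^>]*href="' + re.escape(logout.url) + r'"[^>]*>')
    m = link.search(parent.body)
    if m is None:
        return None
    return parent.url, re.compile(re.escape(m.group(0)))


def is_in_session(status, body, pattern):
    """Heartbeat check: a 200 response that still carries the logout link means the session is alive;
    a redirect to the login page or an error page without the link means out-of-session."""
    return status == 200 and pattern.search(body) is not None


if __name__ == "__main__":
    url, pattern = derive_in_session(EXPLORE_LOG)
    print("in-session request:", url, "pattern:", pattern.pattern)
```

Note that the derived pattern is only as stable as the logout link's markup: if the application renders the link differently on different pages or after a deployment, the heartbeat will report out-of-session even though the session is valid, which is the case where selecting a pattern manually with Select In-Session pattern... is the better choice.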
During the automatic explore and test phases AppScan Standard polls the application periodically to check that it can still reach the in-session page and that the marked pattern is still present in the response. The polling period is set by Scan Configuration > Advanced Configuration > Session management: In-session heartbeat interval, which defaults to 5 seconds. A shorter interval detects session loss sooner at the cost of extra requests to the application; a longer interval means more tests have to be repeated after a re-login.
If AppScan Standard cannot reach the page (for example the response is a redirect to the login page or a customized error page) or the pattern is absent, an out-of-session state is detected. AppScan then pauses the scan, replays the login sequence, confirms the new session using the original In-Session Detection pattern and, if successful, continues the scan.
If an out-of-session state is detected during the test phase, AppScan stops all of its testing threads, logs in again, checks its in-session state, and then re-runs in single-threaded mode all the tests issued since the last point at which a valid session state was confirmed. After each test it polls the in-session page and skips any test that causes the session to be invalidated. AppScan continues with one thread for the remaining tests until all have been performed, and then returns to the original thread configuration.
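The heartbeat and recovery logic described above, as an added Python simulation that is not AppScan's code: a constructed stand-in for the target application, and a tester that polls the in-session page after each batch of tests (instead of on the 5-second timer), logs in again when the pattern disappears, re-runs the tests since the last confirmed point on a single thread, and skips any test that itself invalidates the session. The URLs, pattern, credentials and test payloads are assumptions made for the example.

```python
import re

# Assumed in-session page and pattern, as they would be marked in the Login Sequence window.
IN_SESSION_URL = "/home"
IN_SESSION_PATTERN = re.compile(r'href="/logout"')
CREDENTIALS = ("tester", "s3cret")  # assumed credentials for the recorded login sequence


class FakeApp:
    """Constructed stand-in for the scanned application with one server-side session."""

    def __init__(self):
        self.logged_in = False

    def login(self, user, password):
        self.logged_in = (user, password) == CREDENTIALS
        return self.logged_in

    def get(self, path):
        if not self.logged_in:
            return 302, ""  # redirect to the login page: the heartbeat treats this as out-of-session
        if path == IN_SESSION_URL:
            return 200, '<a href="/account">Account</a> <a href="/logout">Sign out</a>'
        return 200, "<p>ok</p>"

    def run_test(self, payload):
        """Receive one test request; a payload that reaches the logout handler kills the session."""
        if "logout" in payload:
            self.logged_in = False
        return 200


class SessionAwareTester:
    def __init__(self, app, threads=4):
        self.app = app
        self.threads = threads
        self.relogins = 0
        self.skipped = []
        self.trace = []  # (test payload, thread mode) in execution order

    def in_session(self):
        status, body = self.app.get(IN_SESSION_URL)
        return status == 200 and IN_SESSION_PATTERN.search(body) is not None

    def login(self):
        """Replay the login sequence and confirm the session with the original in-session pattern."""
        if not self.app.login(*CREDENTIALS) or not self.in_session():
            raise RuntimeError("login sequence replayed but in-session pattern not confirmed")

    def relogin(self):
        self.relogins += 1
        self.login()

    def run(self, tests):
        self.login()
        last_confirmed = 0
        # Multi-threaded phase, modelled as batches of `threads` tests with a heartbeat after
        # each batch (the real tool polls on a timer, every 5 s by default).
        while last_confirmed < len(tests):
            batch = tests[last_confirmed:last_confirmed + self.threads]
            for t in batch:
                self.app.run_test(t)
                self.trace.append((t, "multi"))
            if self.in_session():
                last_confirmed += len(batch)
                continue
            # Out-of-session: stop all threads, log in again, and re-run every test since the
            # last confirmed point on one thread, polling the in-session page after each test.
            self.relogin()
            for t in tests[last_confirmed:]:
                self.app.run_test(t)
                self.trace.append((t, "single"))
                if not self.in_session():
                    self.skipped.append(t)  # this test invalidates the session: skip it
                    self.relogin()
            break  # single-threaded mode ran to the end; the original thread count would be restored here
        return {"relogins": self.relogins, "skipped": list(self.skipped), "trace": list(self.trace)}


def simulate():
    """Run a constructed test list in which one payload hits the logout link."""
    tests = ["a=1", "b=<script>", "c=' OR 1=1", "d=../../etc/passwd", "GET /logout", "e=%00", "f=../"]
    return SessionAwareTester(FakeApp(), threads=4).run(tests)


if __name__ == "__main__":
    print(simulate())
```

In the simulated run the first batch of four tests passes the heartbeat, the second batch contains the session-killing payload and fails it, and every test since the last confirmed point is repeated on one thread; the killing payload is then caught by the per-test poll and skipped, so the scanner ends up logging in twice and running the three trailing tests a second time. The same trace is what you should expect in AppScan's log when a test hits a logout link, which is why excluding the logout URL from the scan scope is the usual fix rather than shortening the heartbeat interval.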