How to optimize scans by setting correct "Redundant Path Limit" in IBM Security AppScan Standard, IBM Security AppScan Enterprise, and Rational Policy Tester.
In AppScan Standard and AppScan Enterprise, the Redundant Path Limit is set by default to 5.
How is the Redundant Path limit counted?
The Redundant Path limit setting restricts the number of requests to a URL, which does not include the query parameters.
For example, these three paths:
are counted as redundant paths. The unique path is represented by: folder1/folder2/index.jsp
(In AppScan Enterprise, due to its integration with Policy Tester where the focus is content scanning, the query is included in the redundant path limit calculations.)
Why Redundant Paths can be limited?
Consider a site with biography pages for different artists, which contains of a unique path biography.jsp, and a value of a query parameter called artist, as follows:
The structure of the pages will be the same for all three pages. The only difference between them is the text of the biography and the picture(s) that are displayed in the page. If there is a Cross-Site Scripting vulnerability on the session parameter, it will exist on all of them. Then it does not make sense to navigate to all of them. It is enough to navigate to the biography.jsp path only once.
Why is the redundant path limit set to 5 by default
There are situations where parameters have effect on the structure of the page. For example the navigational parameters that are encountered in MegaScript applications (review Handling MegaScript sites with AppScan Standard.) In this case, the vulnerabilities may be different depending on which parameter is used.
The restriction to 5 redundant paths was set in an attempt to find a middle ground between parameters that affect the page content and parameters that affect the page structure. However, if the parameters only affect the page content and the site has 200 pages, AppScan will discover 1000 pages and take 5 times longer to explore the site.
Can you change the redundant path limit?
In cases where where AppScan runs out of resources, or scanning takes too long time, you can decrease the redundant path limit, even to 1, if there is no parameters that have effect on the structure of the pages. However, if there is a limited number of pages that change their structure based on parameters values, you may use manual explore or multi-step operations to explorer those pages.
How to change the redundant path limit?
You can change redundant path limit with the following switches:
- In AppScan Standard: Scan Configuration > Explore Options > Redundant Path Limit
- In AppScan Enterprise and Policy Tester: Edit job properties > Explore Options > Redundant Path limit
|Security||Security AppScan Enterprise||Performance: Long run time/Large scans||8.0, 8.5, 8.6, 126.96.36.199, 8.8|
|Security||Rational Policy Tester||Performance||8.0, 8.5|