Technote (FAQ)
Question
How to optimize scans by setting correct "Redundant Path Limit" in IBM Security AppScan Standard, IBM Security AppScan Enterprise, and Rational Policy Tester.
Cause
In newly created scan or job, Redundant Path Limit is set by default to 5.
You can change redundant path limit with the following switches:
- In AppScan Standard: Scan Configuration > Explore Options > Redundant Path Limit
- In AppScan Enterprise and Policy Tester: Edit job properties > Explore Options > Redundant Path limit
Answer
The redundant path limit setting restricts the number of requests to a specific URL, which does not include the query parameters.
The path in this example URL http:// www.site.com/folder1/folder2/index.jsp?query=123 is represented by the following section: folder1/folder2/index.jsp
The path usually specifies the name of the page and its location on the servers file system.
(In AppScan Enterprise, due to its integration with Policy Tester where the focus is content scanning, the query is included in the redundant path limit calculations.)
-
Example of Redundant Paths:
An entertainment site contains biography pages for different artists. The biography page is called biography.jsp, is based on the value of a query parameter called artist, and will display a different text and picture for each artist.
As you can see, there is no difference in structure between
biography.jsp?artist=madonna&session=123
and
biography.jsp?artist=britney_spears&session=123
The only difference between the two is the text of the biography and the picture that are displayed in the page. So if there is a Cross-Site Scripting vulnerability on the session parameter, it will exist on both artist=madonna and artist=britney_spears, so it does not make sense to navigate to this page more than once.
The redundant path limit allows the (artist) parameter to change only 5 times by default, preventing AppScan from testing this page for every single artist on the site. However in this specific case, the redundant path limit of 5 is too much.
Why then have the redundant path limit set to 5 instead of 1?
There are situations where parameters have effect on the structure of the page. For example the navigational parameters that are encountered in MegaScript applications. To learn more about MegaScripts and advanced redundancy tuning in AppScan Standard, review Handling MegaScript sites with AppScan Standard.
The restriction to 5 identical paths was set in an attempt to find a middle ground between parameters that affect the page content and parameters that affect the page structure. However, if the parameters only affect the page content and the site has 200 pages, AppScan will discover 1000 pages and take 5 times longer to explore the site.
So in certain cases the redundant path limit should be decreased or set to 1. If a limited number of pages that change their structure based on parameters values exists, manual explore or multi-step operations should be used for those pages .
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Security | Security AppScan Enterprise | Performance: Long run time/Large scans | Windows | 5.5, 5.6, 8.0, 8.5, 8.6 | |
| Security | Rational Policy Tester | Performance | 5.6, 8.0, 8.5 | Accessibility, Privacy, Quality |
Rate this page:
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.