How to optimize scans and jobs by setting correct "Redundant Path Limit"

Technote (FAQ)


Question

How do you optimize scans by setting the correct "Redundant Path Limit" in IBM Security AppScan Standard, IBM Security AppScan Enterprise, and Rational Policy Tester?

Cause

In AppScan Standard and AppScan Enterprise, the Redundant Path Limit is set by default to 5.

Answer

How is the Redundant Path Limit counted?

The Redundant Path Limit setting restricts the number of requests made to a URL path; the query parameters are not part of the path being counted.

For example, these three URLs:

    http://www.site.com/folder1/folder2/index.jsp
    http://www.site.com/folder1/folder2/index.jsp?query=1
    http://www.site.com/folder1/folder2/index.jsp?query=234

are counted as redundant paths of one another. The unique path is represented by: folder1/folder2/index.jsp

(In AppScan Enterprise, due to its integration with Policy Tester where the focus is content scanning, the query is included in the redundant path limit calculations.)
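The counting rule above can be made concrete with a small simulation. The following Python is an added example, not code from AppScan or IBM: it reduces each URL to the key the limit is counted against (host plus path, ignoring the query, which is an assumption about how AppScan normalizes URLs), then walks a constructed list of URLs and keeps only the first N requests per key. The include_query switch models the AppScan Enterprise / Policy Tester behaviour described above, where the query is part of the calculation.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample crawl: seven biography pages that differ only by the
# artist parameter, three variants of index.jsp, and one unrelated page.
SAMPLE_URLS = [
    "http://www.site.com/biography.jsp?artist=madonna",
    "http://www.site.com/biography.jsp?artist=britney_spears",
    "http://www.site.com/biography.jsp?artist=celine_dion",
    "http://www.site.com/biography.jsp?artist=prince",
    "http://www.site.com/biography.jsp?artist=bjork",
    "http://www.site.com/biography.jsp?artist=sting",
    "http://www.site.com/biography.jsp?artist=adele",
    "http://www.site.com/folder1/folder2/index.jsp",
    "http://www.site.com/folder1/folder2/index.jsp?query=1",
    "http://www.site.com/folder1/folder2/index.jsp?query=234",
    "http://www.site.com/about.jsp",
]


def redundant_path_key(url, include_query=False):
    """Return the key that the Redundant Path Limit is counted against.

    Assumption (not documented by the page): the key is host + path.  The
    query string is dropped, unless include_query=True, which models the
    AppScan Enterprise / Policy Tester behaviour where the query counts.
    """
    parts = urlsplit(url)
    key = parts.netloc + parts.path
    if include_query and parts.query:
        key += "?" + parts.query
    return key


def apply_redundant_path_limit(urls, limit=5, include_query=False):
    """Simulate the explore stage: the first `limit` URLs that share a key
    are explored, later ones are skipped.  Returns (explored, skipped)."""
    seen = defaultdict(int)
    explored, skipped = [], []
    for url in urls:
        key = redundant_path_key(url, include_query)
        if seen[key] < limit:
            seen[key] += 1
            explored.append(url)
        else:
            skipped.append(url)
    return explored, skipped


def redundant_path_counts(urls, include_query=False):
    """How many requests each unique path would receive without any limit."""
    counts = defaultdict(int)
    for url in urls:
        counts[redundant_path_key(url, include_query)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("per-path request counts:", redundant_path_counts(SAMPLE_URLS))
    for limit in (5, 1):
        explored, skipped = apply_redundant_path_limit(SAMPLE_URLS, limit)
        print(f"limit={limit}: explored {len(explored)}, skipped {len(skipped)}")
    explored, _ = apply_redundant_path_limit(SAMPLE_URLS, 5, include_query=True)
    print("Enterprise-style (query counted):", len(explored), "explored")
```

With the default limit of 5 the seven biography URLs yield five explored requests and two skipped ones; with the limit lowered to 1 each of the three unique paths is requested once. When the query is included in the key, every sample URL is distinct and all of them are explored, which is why the limit trims far less in AppScan Enterprise than in AppScan Standard for the same site.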


Why can redundant paths be limited?

Consider a site with biography pages for different artists, which consists of a single path, biography.jsp, and a query parameter called artist, as follows:

biography.jsp?artist=madonna
biography.jsp?artist=britney_spears
biography.jsp?artist=celine_dion

The structure of the pages will be the same for all three. The only difference between them is the text of the biography and the picture(s) displayed on the page. If there is a Cross-Site Scripting vulnerability on the session parameter, it will exist on all of them, so it does not make sense to navigate to each one. It is enough to explore the biography.jsp path only once.


Why is the Redundant Path Limit set to 5 by default?

There are situations where parameters affect the structure of the page, for example the navigational parameters encountered in MegaScript applications (review Handling MegaScript sites with AppScan Standard). In this case, the vulnerabilities may differ depending on which parameter value is used.

The limit of 5 redundant paths was chosen as a middle ground between parameters that affect only the page content and parameters that affect the page structure. However, if the parameters affect only the page content and the site has 200 pages, AppScan will discover 1000 pages and take 5 times longer to explore the site.


Can you change the Redundant Path Limit?

In cases where AppScan runs out of resources, or scanning takes too long, you can decrease the Redundant Path Limit, even to 1, if there are no parameters that affect the structure of the pages. If only a limited number of pages change their structure based on parameter values, you can use Manual Explore or multi-step operations to explore those pages.


How do you change the Redundant Path Limit?

You can change the Redundant Path Limit with the following settings:

  • In AppScan Standard: Scan Configuration > Explore Options > Redundant Path Limit
  • In AppScan Enterprise and Policy Tester: Edit job properties > Explore Options > Redundant Path Limit

Cross reference information

  Segment   Product                      Component                                Version
  Security  Security AppScan Enterprise  Performance: Long run time/Large scans   8.0, 8.5, 8.6, 8.7.0.0, 8.8
  Security  Rational Policy Tester       Performance                              8.0, 8.5


Document information


More support for:

IBM Security AppScan Standard
Performance: Long run time/Large scans

Software version:

8.0, 8.5, 8.6.0.0, 8.7, 8.8

Operating system(s):

Windows

Reference #:

1612674

Modified date:

2014-02-05
