Ben Smith, Andy Meneely, and Laurie Williams
CSC 326 - Software Engineering
Department of Computer Science
North Carolina State University

Back to Software Engineering Tutorials

IBM Rational AppScan helps software developers protect against the threat of attacks and data breaches. If you use your Web applications to collect or exchange sensitive or personal data, your job as a security professional is harder now than ever before.

AppScan is an example of a Fuzzer, which is a program that conducts a black box software testing technique, consisting of finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.

In this tutorial, we assume that you already have AppScan 7.8 set up and have the proper licensing. If you are using this tutorial for a class (e.g. CSC 591-003 for NCSU Fall 2009) consult your lab instructions on how to access and start AppScan.

Also, this tutorial assumes that you have installed Damn Vulnerable Web Application (DVWA) and configured it with an Apache web server on port 80.

Among other things, AppScan is capable of monitoring requests made over HTTP and then replicating those requests. AppScan uses this ability to perform scripted authentication according to a pre-defined login sequence that you as the tester will specify. However, AppScan is set to ignore HTTP requests to localhost or 127.0.0.1. Since your copy of Apache is running at this address, you will need to identify the public IP address of this computer to "trick" AppScan into believing the server you are scanning is remote.

You can obtain your external IP from whatismyip.com.

Alternatively, if you are using NCSU's VCL, you can obtain the IP either from the "Connect" page on the VCL Current Reservations page. You can find the IP where the arrow is pointing in the figure below.

Figure 2.1: Your IP Address in the VCL Connect Screen

Another alternative is, when connected to the VCL computer, you can find the IP address at the top of the window containing your connection, as shown by the arrow in the figure below.

Figure 2.2: Your IP Address in the Remote Desktop Connection Title Bar

Finally, to prepare for using Rational AppScan,

1. Obtain your external IP and store it somewhere where you can find it again.
2. Please note that you do NOT need Tomcat running for this tutorial.
3. Double-click the icon labeled IBM Rational AppScan 7.8.

Follow these instructions to set up a typical scan for DVWA:

1. When AppScan first opens, a popup to AppScan's website will appear as shown below. You can close this.
   
   Figure 3.1: The AppScan Website
2. After closing the Internet Explorer popup, you will be presented with the following screen. Click Create New Scan....
   
   Figure 3.2: Welcome Screen
3. The following window will appear. Click Regular Scan.
   
   Figure 3.3: Choosing the Scan Type
4. Then the Configuration Wizard will open. Click Next.
5. The following window will appear. In the field labeled Starting URL enter the following: http://XXX.XXX.XXX.XXX/DVWA where XXX.XXX.XXX.XXX is YOUR IP address that you obtained in Section 2.0. Also, uncheck Treat all paths as case-sensitive (Unix, Linux, etc.). When finished, your page should look like the following figure (your IP will be different). Click Next.
   
   Figure 3.4: Pointing to the Starting URL (your IP will be different!)
6. The following window will appear. Select None and then click Next.
   
   Figure 3.5: Choosing the Authentication Method
7. The following window will present options for a test policy as shown below. Select The Vital Few from the Policy Files and click Next.
   
   Figure 3.6: Choosing a Test Policy
8. The following window will present options for how to begin. Select Start a full automatic scan as shown below. Also be sure to uncheck Start Scan Expert when Scan Configuration Wizard is complete. Click Finish.
   
   Figure 3.7: Completing the Scan Configuration Wizard
9. Then, a dialog box will appear asking you to save the scan as shown below. Click Yes and save the scan file somewhere where you can find it again. It doesn't matter what you call it.
   
   Figure 3.8: Saving the Scan
10. First, AppScan will crawl DVWA automatically, following any links that it finds and searching for input parameters as in the following figure. You will have to wait about four minutes before the first result appears, and the whole AppScan process can take approximately fifteen minutes, so please just wait patiently.
    
    Figure 3.9: Scanning and Crawling
11. After scanning, crawling and then pre-testing, AppScan will begin testing DVWA for security issues. Issues will appear as they are discovered, but it is best to wait until the scan is complete before examining the discovered vulnerabilities. Testing will look like the figure below.
    
    Figure 3.10: Early Results
12. After testing the application, AppScan will start the Result Expert and analyze the various modules to respond to the issues it found as shown below.
    
    Figure 3.11: Result Expert Runs

Now that the results have been completely gathered, you should begin looking through them and deciding whether they are false positives or not. Let's start by expanding the Cross-Site Scripting Node, then the node for /dvwa/xss.php and then double clicking the name parameter.

After selecting a specific security issue, the tabs on the bottom provide detailed information.

• Issue Information: This tab tells you the URL of occurence, the risk represented by this vulnerability and details to help you determine whether the attack was a false positive or not.
  
  Figure 4.1: Issue Information Tab
• Advisory: This tab provides a flash video which can help you understand the history and nature of the vulnerability type and also why the attack type occurs.
  
  Figure 4.2: Advisory Tab
• Fix Recommendation: This tab explains how to fortify your application against the chosen attack type
  
  Figure 4.3: Fix Recommendation Tab
• Request/Response: This tab tells you the exact HTTP request/response pair that AppScan used to identify the attack. Inspect this carefully.
  
  Figure 4.4: HTTP Request/Response Tab

Proceed through the list of security issues and consider the following questions:

• Is this attack legitimate? Could you see an attacker actually mounting this attack on the system?
• What assets does this attack threaten? Obviously for DVWA, there are no assets, but what assets could the attack threaten in a commercial web application?
• Do you think the mitigation strategy proposed by AppScan (under Fix Recommendation) would prove successful at preventing future attacks?
• Does this list seem complete? Are there more attacks that could be mounted?

To generate a report,

1. Click the Report button ( ). The following window will appear.
   
   Figure 5.1: The Report Window
2. Click Industry Standard and choose OWASP Top 10 2007 as shown below.
   
   Figure 5.2: The Industry Standard Tab
3. Click Save Report and save the report somewhere you can remember.
4. After the dialog box says Done, click Close.
5. Now open the report in the system's PDF viewer.

Now, consider the following questions...

• Is this report comprehensive? Are there more vulnerabilities not in this report?
• Who is this report useful to?
• As a software developer, what would you do upon reading this report? As a tester?
• How does this report deal with the OWASP standard specifically?

• IBM Rational AppScan
• OWASP: Fuzzing
• IBM Web Application Security