Ori Pomerantz
orip@us.ibm.com
Abstract: In this white paper you learn how to scan your web applications using IBM Security AppScan Source to identify vulnerabilities.
Table of Contents
1 Introduction
1.1 Assumptions
2 Installation
2.1 Obtain the license
2.2 Install the software
2.3 Verify the installation
2.4 Install the Eclipse plug-in
3 Scanning a very simple application
3.1 Create a simple application to scan
3.2 Scan the application
3.3 Interpret the scan
3.4 How does it work?
4 Manage findings
4.1 Filter findings
4.2 Modify findings manually
5 Resources
6 About the author
Table of Figures
Figure 1: The Security Analysis Perspective
Figure 2: WebGoat findings
Figure 3: Filtered WebGoat findings
1 Introduction
In this white paper you learn how to use IBM Security AppScan Source as a developer. This paper focuses on JEE applications developed in Eclipse. Even if you use a different environment, these examples should be enough to show you what to do.
1.1 Assumptions
I am going to assume that you are experienced in using Eclipse, or a derived product such as IBM
Rational Application Developer. I am also going to assume that you already have IBM Security
AppScan Enterprise running in your environment, and you just need to install the IBM AppScan Source
software on your own machine.
2 Installation
2.1 Obtain the license
1. Browse to https://licensing.subscribenet.com/control/ibmr/general_content?partnerContentId=GenerateLicensesHostIDHelp and follow the directions to obtain the host ID for the license.
2. Provide the host name and host ID to your AppScan administrator. You probably need part number D0BR3LL, AppScan Source for Remediation, and part number D0BSMLL, the basic scan permission.
3. Put the license file on your development machine.
If you'd like, run this application and see that it reflects whatever string you provide it, including
JavaScript. This means it is vulnerable to cross-site scripting.
3.2 Scan the application
1. Click Security Analysis > Scan > Scan Projects.
2. Select the project you created and click OK.
3. The default AppScan Source installation directory is at C:\Program Files (x86)\IBM\AppScanSource.
4. The scan results appear in the Security Analysis perspective.
The data source here is request.getParameter(<name>). This method returns a parameter from the POST data, which is provided by the user in the HTTP request. That makes the value tainted and potentially dangerous.
The JSP construct <%= ... %> evaluates the expression in the ellipsis (...) and prints the result into the HTML sent back to the user. This is a dangerous sink, because it allows cross-site scripting. You can see this data flow, from getParameter() to print(), in the trace in Figure 1: The Security Analysis Perspective, panel (d).
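The source-to-sink flow described above, shown as plain Java rather than JSP so it can be run from the command line with java ReflectedInput.java (Java 11 or later). This is an added example, not code from the white paper or from AppScan Source; the class name ReflectedInput, the method names and the escapeHtml helper are all assumptions. The vulnerable method reproduces what <%= request.getParameter("name") %> does, and the hardened method shows the usual remediation: encode the value before it reaches the HTML sink.

```java
// Added example (not from the white paper): the JSP pattern
// <%= request.getParameter("name") %> rewritten as plain Java,
// with a hardened version beside it. ReflectedInput, escapeHtml and
// the greeting methods are hypothetical names chosen for this example.
public class ReflectedInput {

    // Vulnerable: the tainted parameter is concatenated into the HTML
    // response unchanged. This is the getParameter() -> print() flow
    // that the scanner reports as cross-site scripting.
    static String vulnerableGreeting(String name) {
        return "<p>Hello " + name + "</p>";
    }

    // Hardened: encode the characters that can change HTML structure
    // before the value reaches the sink. In a JSP the same fix is to
    // wrap the expression, e.g. <%= escapeHtml(request.getParameter("name")) %>.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Same sink, but the data reaching it has been encoded.
    static String safeGreeting(String name) {
        return "<p>Hello " + escapeHtml(name) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for the request parameter.
        String tainted = "<script>alert(1)</script>";
        System.out.println("Vulnerable: " + vulnerableGreeting(tainted));
        System.out.println("Hardened:   " + safeGreeting(tainted));
    }
}
```

Running it prints the same markup twice, once with the script tag intact and once with its angle brackets encoded, which is exactly the difference between a finding the scanner reports and one it does not. After applying a fix like this, rescan the project to confirm the finding disappears rather than marking it resolved by hand.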
4 Manage findings
Real applications typically have many findings. For example, the scan of WebGoat shown in Figure 2: WebGoat findings has 29 findings, of various severity levels (the likely damage) and reliability levels (how confident the scanner is that this is a real vulnerability).
5 Resources
You can learn more about IBM Security AppScan Source from IBM's web site or the product documentation.
To learn how to filter results and what the different classifications mean, see the user guide, especially
chapter 5 Triage and Analysis.
There is a good article about the process to use the scanner on developerWorks.
Visit the Security on developerWorks blog for announcements of new security articles, how-to guides, and demonstration videos.
Visit the IBM developerWorks security zone for more articles about AppScan Enterprise and other
security topics.
Sign up for the developerWorks security newsletter and other topical newsletters from developerWorks.
Follow @dwSecurity on Twitter.
6 About the author
Ori Pomerantz has been securing computer networks and teaching other people how he does it since 1995. Since joining IBM in 2003, he has written and taught classes on several IBM Security products, including the IBM Security AppScan product family.
6.1 Acknowledgements
I would like to thank Nicholas Chop for his valuable input. Any remaining mistakes are my own fault.