
AppSpider Pro

Getting Started Guide


Product version: 6.4

Introduction
Now that you've installed AppSpider, it's time to get started. This guide provides procedures for
configuring and running a scan in AppSpider, and suggests useful tips to help improve your Web
application security program.
For more detailed information on the application, see the AppSpider Pro User's Guide.


Configure
AppSpider's Universal Translator technology lets it interpret the new technologies used in
today's Web and mobile applications, in addition to crawling traditional applications.
To help you learn to set up a scan, you can use the Webscantest target, which is already
configured by default. Once you are familiar with the interface, you can move on to scanning your
organization's own applications.

Scan configuration
A scan configuration is a collection of settings for a scan. You must have a scan configuration
created before you can run a scan.
1. From the Actions panel, select New Configuration.

2. In the Main settings, enter a unique name for the scan configuration in the Scan Name field.


3. In the URL List field, enter the URL or URLs that you wish to scan. Hit ENTER/RETURN
after each URL.
4. By default, AppSpider will crawl both the http and https protocols for a specified page. If you
see a URL that you don't want to scan, highlight the URL in the list and select delete to restrict
the scan.
5. The Max Links setting is set to 5,000 by default. You can change this number, if necessary.
You may know an adjustment is necessary when a previous scan report shows that the
maximum number of links was reached. For more information, see the User's Guide.
6. You can select Restrict the scan to seed URLs. If this checkbox is selected, and if you added
three URLs to your list, then AppSpider will only scan those three URLs. By default,
AppSpider will scan everything in the URL list including all the pages within each domain that
you specify.
7. Select the Next button.
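The steps above describe three scope rules in words: http and https count as the same page, Restrict the scan to seed URLs narrows the crawl to the listed pages only, and Max Links caps how many links a scan follows. The following is an added illustration of those rules as a scope filter; it is not AppSpider's code and the functions, the regex-based whitelist/blacklist handling and the seed list are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed seed list, standing in for the URL List field of a scan configuration.
SEED_URLS = ["https://webscantest.com", "http://shop.example.test/cart"]


def _host_and_path(url):
    """Return (lower-cased host, path) with an empty path treated as '/'."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def in_scope(candidate, seed_urls, restrict_to_seeds=False, allow=(), deny=()):
    """Decide whether a discovered URL should be crawled.

    Hypothetical model of the rules the guide describes, not AppSpider's code:
      - http and https are the same page, so the scheme only has to be one of the two;
      - with restrict_to_seeds the seed pages themselves are the whole scope;
      - otherwise any page on a seed's host is in scope;
      - `deny` regexes (a blacklist) always win; `allow` regexes (a whitelist)
        must match when any are given.
    """
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https"):
        return False
    host, path = _host_and_path(candidate)
    seeds = [_host_and_path(s) for s in seed_urls]
    if restrict_to_seeds:
        if (host, path) not in seeds:
            return False
    elif host not in {h for h, _ in seeds}:
        return False
    if any(re.search(p, candidate) for p in deny):
        return False
    if allow and not any(re.search(p, candidate) for p in allow):
        return False
    return True


def select_links(discovered, seed_urls, max_links=5000, **scope_opts):
    """Apply in_scope to discovered links and stop once max_links are chosen.

    Returns (links_to_crawl, limit_reached); limit_reached mirrors the
    'maximum number of links was reached' condition a scan report can show.
    """
    chosen = []
    for url in discovered:
        if not in_scope(url, seed_urls, **scope_opts):
            continue
        if len(chosen) >= max_links:
            return chosen, True
        chosen.append(url)
    return chosen, False


if __name__ == "__main__":
    # Constructed crawl output used as sample input.
    found = [
        "http://webscantest.com/login",
        "https://webscantest.com/admin/",
        "http://shop.example.test/cart",
        "https://other.example.test/",
        "ftp://webscantest.com/pub/",
    ]
    print(select_links(found, SEED_URLS, max_links=2, deny=[r"/admin/"]))
```

Running the block prints the two in-scope links and `False` for the limit flag; lowering `max_links` to 1 returns only the first link with the flag set, which is the situation the guide says should prompt you to raise Max Links.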

Questionnaire
The Questionnaire allows you to modify and enable advanced options for your scan.

AppSpider gives you the ability to configure many aspects of the scan and gives you more
visibility into what exactly is happening behind the scenes.


These options include:
- Attack Policy: Select the list of attack types, attack locations (such as directory, file, or path)
and other properties.
- Proxy Settings: Set the proxy settings for the scan.
- Authentication: Set the authentication settings for the scan.
- Crawl and Attack Restrictions: Set a whitelist and blacklist for crawling.
- HTTP Headers: Edit the settings for the HTTP headers used during the scan.
- Performance and Logging Settings: Edit the network, performance and logging settings.
- Reporting: Configure the reports produced from the scan.
- Web Service: Edit settings for scanning of web services.
- Recorded Traffic: Import pre-recorded traffic files of activity on your Web app.
- Browser Macro: Record using Browser Macro. A macro is a sequence of actions (e.g. menu
selections, link executions, value entries, etc.) that will be replayed exactly as input by the
user.
- Selenium Recordings: Manage Selenium scripts.
- Parameters Training: Modify Scan Engine intelligence.
- Custom URLs: Create your own custom URL processing parser.

1. Select the check boxes for the settings that you wish to modify and click the Next button.


2. Set your parameters. When finished, click the Save button.

Authentication
Authenticating and maintaining a session is a critical aspect of application security testing. The
AppSpider team has worked with hundreds of custom applications with complex authentication
schemes. If you encounter any issues with authentication, please contact Support so we can help
you resolve them.
Many applications require authentication and use various authentication schemes. AppSpider
has a robust feature set to allow you to configure scans to log into Web sites and to maintain
sessions for the duration of scans. AppSpider includes support for the following authentication
approaches:
- Form: Form authentication looks simple, but developers can implement it in an almost
unlimited number of ways. AppSpider enables users to log on to forms by entering credentials
which it then uses to authenticate. For single sign-on, specify a URL in the SSO field. For
multiple SSO URLs, use the Advanced settings.
- Proxy: Users record traffic in a proxy and then upload it to log in.
- Macro: Users record a login macro in a built-in browser and play it back at the start of a scan.
- Bootstrap: Users log in using a built-in browser and then continue the scan. AppSpider will
grab the session cookies from the built-in browser and use them in the scan. This is useful for
sites that use two-factor authentication.


Web service authentication
- HMAC: Keyed-hash message authentication code
- OAuth: An open standard for authentication that provides secure delegated access
- Nonce: Arbitrary number used only once
- User defined

AppSpider will crawl and perform attacks on the application(s) specified in the Main Settings with
a predefined set of rules. However, if your application requires authentication, select the
Authentication checkbox and add the required credentials. Or, if you have a sophisticated login
sequence, select the Browser Macro checkbox and record the appropriate login sequence so
AppSpider can properly access your application during the crawl.
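The web service list above names HMAC and Nonce as separate options without showing how a service actually uses them together, which is what you need to know before configuring a scan against such an API. The following is an added illustration, not part of the guide and not AppSpider's implementation: a client signs each request with a keyed hash (HMAC-SHA256) over the method, path, timestamp, nonce and body digest, and the server verifies the MAC in constant time, rejects requests outside a clock-skew window, and refuses any nonce it has already accepted. The header names, the canonical-string layout, the skew window and the shared secret are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret; a real deployment provisions one per client.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_CLOCK_SKEW = 300  # seconds a request timestamp may differ from the server clock


def canonical_request(method, path, timestamp, nonce, body):
    """The bytes both sides sign: method, path, timestamp, nonce and a body digest."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_digest]).encode()


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the headers that carry the proof of key possession."""
    ts = int(time.time()) if timestamp is None else timestamp
    nonce = nonce or secrets.token_hex(16)  # fresh random nonce per request
    mac = hmac.new(secret, canonical_request(method, path, ts, nonce, body), hashlib.sha256)
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class RequestVerifier:
    """Server side: check the MAC, the timestamp window and nonce uniqueness."""

    def __init__(self, secret, max_skew=MAX_CLOCK_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> request timestamp, pruned as entries age out

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
        except (KeyError, ValueError):
            return False
        # Stale or future-dated requests are rejected before any MAC work.
        if abs(now - ts) > self.max_skew:
            return False
        expected = hmac.new(self.secret, canonical_request(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so a mismatch does not leak where it differed.
        if not hmac.compare_digest(expected, signature):
            return False
        # Nonces only need remembering for the skew window; drop the rest.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= self.max_skew}
        if nonce in self.seen_nonces:
            return False  # replay of an otherwise valid request
        self.seen_nonces[nonce] = ts
        return True


if __name__ == "__main__":
    # Constructed exchange: one genuine request, then the same request replayed.
    verifier = RequestVerifier(SHARED_SECRET)
    body = b'{"qty": 1}'
    headers = sign_request(SHARED_SECRET, "POST", "/api/orders", body)
    print("first request accepted:", verifier.verify("POST", "/api/orders", body, headers))
    print("replay accepted:", verifier.verify("POST", "/api/orders", body, headers))
```

The signature is checked before the nonce is recorded, so unauthenticated traffic cannot fill the nonce store, and the nonce is recorded only after a fully valid request, so a rejected request does not burn a nonce the legitimate client is about to use.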

Notifications
Before initiating a scan, be sure to consider notifications. AppSpider will perform input validation
attacks on submission forms. Thus, if a form submission triggers a notification to be sent to an
individual or a team within your organization, they should expect to see similar activity when
AppSpider performs a scan.
Tip: Be sure to turn notifications off or notify people to ignore the alerts.

Large applications
If the target application is too large, the scan may not complete. What constitutes a large site
depends on the interplay of several factors, including the number of functional links, links that
accept or process user input, the number of user input parameters, and site complexity.
Tip: The best practice for scanning larger targets is to segment the assessment into separate
scan configurations for subdomains or subdirectories.


Scan
Find vulnerabilities in your web application(s).
- From the Main settings panel, highlight your scan configuration and click the Run button to
start your scan.

Once a scan is started, the Scan Status page will open and a summary of the active scan will be
provided.


Reporting
AppSpider provides interactive actionable reports that behave like web pages with organization
and links for deeper analysis.
When the scan is in the Completed state, an HTML report will open in your browser.

You may use the View Report button to generate an HTML report at any time.

Note: By default, the reports will be stored at C:\AppSpider\Scans


Getting started scanning your own applications


Now that you have practiced using AppSpider Pro with Webscantest, you can prepare to scan
your own applications.
The following four items are essential to many deployments:

1. A target URL: You will need the exact address for the application to be scanned.
2. Credentials (if needed): For the first try, there is value in scanning the application without
credentials and seeing what you can find that way. If you will need to scan with credentials
eventually, you can start working to get an appropriate account set up.
3. A proxy (if one exists in your environment): AppSpider will automatically note whether
scanning your application requires a proxy. It is a good idea to note which one it is using and
make sure the scan results will accurately reflect your organization's infrastructure.
4. A decision on scan policies: Decide which types of vulnerabilities to scan for and whether to
change any from the default settings.

Each application is unique, so there may be other settings that are essential for your organization.
As you proceed with your scans, review the AppSpider Pro User's Guide for more details on the
available options.
