
IBM Tivoli

Using Rational AppScan with Tivoli Integrated Portal (V2.2) based products

Author: Patrick O'Neill

Date: November 2012
Version: 1.0


© Copyright International Business Machines Corporation 2012. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

CONTENTS

Contents

List of figures

1 Using IBM Rational AppScan V8.6 with Tivoli Integrated Portal V2.2 overview

2 Working with AppScan on a Tivoli Integrated Portal based product

2.1 Setup the Configuration parameters

2.1.1 Installation of AppScan and Application servers

2.1.2 Setting up the starting URL

2.1.3 Login & Session management

2.1.4 Environment Definition

2.1.5 Exclude Paths and Files

2.1.6 Communication and Proxy

2.1.7 Test Options

2.1.8 Miscellaneous

2.2 Manual Explore function

2.2.1 Explore your application

2.2.2 CURI Providers

2.3 Run the test

2.4 Analyze the results

3 Summary

4 Notices

4.1 Trademarks


LIST OF FIGURES

Figure 1: Setup the starting URL

Figure 2: Login management: Login Method

Figure 3: Login management: In-Session URL.

Figure 4: Login management: Detection Pattern.

Figure 5: Environment Definition.

Figure 6: Exclude Paths and Files: Exclude Paths.

Figure 7: Communication and Proxy: Number of Threads

Figure 8: Test Options: log in/log out tests

Figure 9: Manual Explore of your application


1 Using IBM Rational AppScan V8.6 with Tivoli Integrated Portal V2.2 overview

IBM® Rational® AppScan Standard Edition automates vulnerability testing to help protect against the threat of cyber-attacks. With AppScan you can identify vulnerabilities in your application before the hackers do. Early detection and resolution of web application vulnerabilities decreases the risk of attack and saves valuable time and resources.

Web-based products built on the Tivoli Integrated Portal framework share a common user interface where you can launch applications and share information.

Tivoli Integrated Portal helps the interaction and secure passing of data between Tivoli® products through a common portal. You can launch from one application to another and within the same dashboard view you can research different aspects of your managed enterprise.

The IBM Rational AppScan application is useful to determine if your acceptance environment is secure and to highlight any potential security vulnerabilities such as cross-site scripting, phishing, and so on. Some of the reported vulnerabilities will not be relevant to your environment and some can be solved by additional configuration.

This paper gives you Tivoli Integrated Portal V2.2 specific configuration changes that are required for AppScan to successfully run and highlights best practice methods for using AppScan on a Tivoli Integrated Portal based product.

This paper is to be read in conjunction with the AppScan User Guide and focuses on AppScan configuration changes that are required specifically for Tivoli Integrated Portal based products. Tivoli Business Service Manager is used as the example in this paper but any Tivoli Integrated Portal based product can be substituted.

This paper does not cover all configuration options. Depending on your specific requirements, you might have to enable or disable additional configuration items in AppScan.

This paper does not cover running the source code version of AppScan.

Important: IBM Rational AppScan should not be run against a production environment.

This paper assumes a working knowledge of Tivoli Integrated Portal and associated Tivoli Integrated Portal based products and AppScan. The target audience is Tivoli Integrated Portal based product administrators who want to run AppScan.


2 Working with AppScan on a Tivoli Integrated Portal based product

This paper includes the following high-level tasks:

Setup the Configuration parameters

Explore the areas of your product that you want to test with AppScan

Run the test

Analyze the results

2.1 Setup the Configuration parameters

2.1.1 Installation of AppScan and Application servers

Because AppScan is bombarding your target application server with many HTTP requests and attempting to break your application, it might cause intermediate firewall systems to interpret the traffic as bad or malicious traffic and block any additional traffic, thus breaking the test.

To counteract any firewall issues, it is good practice to install your AppScan on a dedicated server that is inside the same firewall boundary as your target application server.

You should also disable any internal operating system firewalls between your AppScan and application servers.

If you cannot disable all firewalls you should contact your network administrator to ensure that all traffic between your two servers is allowed.

You can also co-locate your AppScan and application servers. This would, of course, require much more memory and processor capacity.


2.1.2 Setting up the starting URL

Within Scan Configuration select URL and Servers.

Use this starting URL: https://<hostname>:16311/ibm/console

This URL assumes that default port numbers were used during the Tivoli Integrated Portal install. Change the port number as necessary for your environment.

Figure 1: Setup the starting URL


2.1.3 Login & Session management

AppScan has the capability to sense when it is no longer in-session. For example, if your application is configured to automatically log out a user after 30 minutes, AppScan would no longer be in-session and its tests would fail from that point on. Login management and session detection is a key element of a successful execution of AppScan in a Tivoli Integrated Portal environment so that it can sense this scenario and gracefully deal with it and get back in-session.

Within Scan Configuration select Login Management.

On the Login/Logout tab, select the Recorded radio button and then click the Record button. Proceed with the Tivoli Integrated Portal login procedure.

When you are logged in, click Pause and then logout and close the browser.

Important: By clicking Pause you are limiting the recording to just the login procedure, ensuring that the logout and close actions are not included.

Figure 2: Login management: Login Method


When the recording is finished, you must configure the in-session configuration that is on the Details tab.

Figure 3: Login management: In-Session URL.

On the Details tab, select the bannerframe.jsp URL in the Login Sequence list and set its Type to In-Session. By selecting the bannerframe.jsp URL as the In-Session URL, you are limiting the in-session detection to that URL only. This URL is always present when you are logged into Tivoli Integrated Portal.

The final part of configuring in-session detection is to specify what pattern within the in-session URL you are going to look for, to determine that you are in-session. In this case, you are looking for the presence of the Logout link. If the Logout link is present, you can be sure that you are still in-session.

Click Select. On the browser window that is displayed, switch to the Response Body tab.

Look for bannerLogoutURL and highlight the full hyperlink including href, which is typically as follows for Tivoli Integrated Portal based applications:

href="https://<hostname>:16311/ibm/console/logout.do"

Click Mark Pattern to add that pattern to the In-Session Detection Pattern field and then click OK.


Figure 4: Login management: Detection Pattern.

AppScan only uses one user name and password combination to log in. AppScan learns the user name and password from the recording that you did previously in this section of the paper. Because Tivoli Integrated Portal only allows you to log in once per user, you have to disable the Concurrent Logins capability of AppScan. You do this as follows:

Within Login Management, on the Login/Logout tab you must ensure that you clear the Allow login even if the application is already logged in check box.
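The in-session detection that this section configures, shown as an added Python illustration that is not part of the paper and not AppScan's own code: the marked Logout-link pattern is applied only to responses for the configured In-Session URL, and a missing pattern is what would trigger a replay of the recorded login. The host tip.example stands in for <hostname>, and the HTML fragments are constructed.

```python
# In-Session URL and detection pattern as configured in section 2.1.3.
# tip.example is a placeholder host; it stands in for <hostname>.
IN_SESSION_URL = "https://tip.example:16311/ibm/console/bannerframe.jsp"
DETECTION_PATTERN = 'href="https://tip.example:16311/ibm/console/logout.do"'

# Constructed response bodies: the banner frame while logged in (carries the
# bannerLogoutURL link) and the page shown once the session has expired.
LOGGED_IN_BANNER = (
    '<div id="banner"><a id="bannerLogoutURL" '
    'href="https://tip.example:16311/ibm/console/logout.do">Logout</a></div>'
)
SESSION_EXPIRED = '<form id="loginform">Please log in</form>'


def in_session(body, pattern=DETECTION_PATTERN):
    """True when the marked pattern (the Logout link) is present in the body."""
    return pattern in body


class SessionMonitor:
    """Apply in-session detection to the configured In-Session URL only.

    Responses for any other URL are never used to decide session state, which
    mirrors setting bannerframe.jsp as the single In-Session URL in AppScan.
    """

    def __init__(self, in_session_url=IN_SESSION_URL, pattern=DETECTION_PATTERN):
        self.in_session_url = in_session_url
        self.pattern = pattern
        self.relogins = 0
        self.log = []  # (url, verdict) per observed response

    def observe(self, url, body):
        """Record one response; return True when a re-login would be triggered."""
        if url != self.in_session_url:
            self.log.append((url, "not-checked"))
            return False
        if in_session(body, self.pattern):
            self.log.append((url, "in-session"))
            return False
        self.relogins += 1  # the scanner must replay the recorded login here
        self.log.append((url, "out-of-session"))
        return True


def replay(observations):
    """Feed a sequence of (url, body) responses through a fresh monitor."""
    monitor = SessionMonitor()
    for url, body in observations:
        monitor.observe(url, body)
    return monitor


if __name__ == "__main__":
    # other.jsp is a constructed URL that is not the In-Session URL.
    m = replay([
        (IN_SESSION_URL, LOGGED_IN_BANNER),
        ("https://tip.example:16311/ibm/console/other.jsp", SESSION_EXPIRED),
        (IN_SESSION_URL, SESSION_EXPIRED),  # idle timeout hit: re-login needed
    ])
    for entry in m.log:
        print(*entry)
    print("re-logins:", m.relogins)
```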


2.1.4 Environment Definition

There are no Tivoli Integrated Portal specific changes that are required in this section but it is worthwhile to select the appropriate values in each of the menus to give AppScan better knowledge of your product and environment and to limit the volume of tests that AppScan attempts to run, thus reducing execution time.

For example, there is no need for AppScan to run Oracle specific tests if you have no Oracle products in your environment.

If you are unsure what to select in any of the menus just use the default Not Defined value and let AppScan figure it out as best it can. The test will not fail. It will just take longer to run and might result in some additional false positives.

Figure 5: Environment Definition.


2.1.5 Exclude Paths and Files

When running a test, you might not want to run the scan on the entire Tivoli Integrated Portal interface. You might want to limit the test to only one application within that Tivoli Integrated Portal container, for example, TBSM. This is particularly true if you have multiple Tivoli Integrated Portal based applications installed under the one Tivoli Integrated Portal container.

It is also a good idea to limit the scope of the test run to smaller subsets of the website because AppScan, your application server, or both can fail during the scan if you attempt to run the scan on the entire web interface. This depends on the system specification of both your AppScan and application servers and on the volume and type of tests that you selected to run.

To limit the scope of the test you must add Exclude expressions to the Exclude Paths list.

Figure 6: Exclude Paths and Files: Exclude Paths.

Click the Add (+) button to add an exclude path. You can add a regular expression or a full path.

Ensure that you use the Expression Test Power Tool to check the validity of your regular expression and that it is excluding just the URLs that you expect it to exclude.

Some sample Exclude Paths are shown in Figure 6. For example, if you have both Tivoli Common Reporting and TBSM installed, you can exclude all of Tivoli Common Reporting by adding the regular expression “.*/tarf/.*”

When AppScan comes across any URLs that match that regular expression, it skips them.
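A small Exclude Paths tester, added here as an example and not part of the paper or of AppScan's Expression Test Power Tool: it applies the paper's .*/tarf/.* expression and a constructed full path to a constructed navigation tree and reports which URLs would be skipped. It assumes an exclude expression must match the whole URL, which is why the paper's example is wrapped in .* on both sides; the host tip.example and all paths other than the ones quoted in the paper are constructed.

```python
import re

# Exclude Paths as they would be added in AppScan (section 2.1.5), as
# (text, is_regex) pairs. ".*/tarf/.*" is the Tivoli Common Reporting
# expression from the paper; the full path is a constructed example.
EXCLUDE_PATHS = [
    (r".*/tarf/.*", True),
    ("https://tip.example:16311/ibm/console/example-page.jsp", False),
]

# Constructed navigation-tree URLs; tip.example is a placeholder host.
NAVIGATION_TREE = [
    "https://tip.example:16311/ibm/console",
    "https://tip.example:16311/ibm/console/bannerframe.jsp",
    "https://tip.example:16311/ibm/console/example-page.jsp",
    "https://tip.example:16311/tarf/servlet/dispatch",
    "https://tip.example:16311/ibm/tarf-help/index.html",
    "https://tip.example:16311/ibm/tivoli/rest/providers/Impact_NCICLUSTER"
    "/datasources/defaultobjectserver/datasets/ALERTS/items/123?properties=all",
]


def compile_excludes(excludes):
    """Compile each Exclude Path. A full path is escaped so '.' and '?' match literally."""
    return [(text, re.compile(text if is_regex else re.escape(text)))
            for text, is_regex in excludes]


def expression_test(exclude, urls):
    """Mimic the Expression Test Power Tool: list the URLs one exclude would skip.

    Assumption: the expression is matched against the whole URL, so
    re.fullmatch is used rather than re.search.
    """
    rx = compile_excludes([exclude])[0][1]
    return [u for u in urls if rx.fullmatch(u)]


def classify(urls, excludes):
    """Split the navigation tree into URLs that are tested and URLs that are skipped.

    Returns (tested, skipped), where skipped maps each URL to the first
    Exclude Path that matched it, which is what the red X in the tree shows.
    """
    compiled = compile_excludes(excludes)
    tested, skipped = [], {}
    for url in urls:
        for text, rx in compiled:
            if rx.fullmatch(url):
                skipped[url] = text
                break
        else:
            tested.append(url)
    return tested, skipped


if __name__ == "__main__":
    tested, skipped = classify(NAVIGATION_TREE, EXCLUDE_PATHS)
    for url in tested:
        print("test:", url)
    for url, why in skipped.items():
        print("skip:", url, "(matched", why + ")")
```

Note that /ibm/tarf-help/ is not skipped by .*/tarf/.*, which is the kind of near miss the Expression Test Power Tool check is meant to surface.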


2.1.6 Communication and Proxy

AppScan can use multiple threads to execute tests. The more threads you use, the faster AppScan runs, but, of course, it is a trade-off with the volume of hits your application server can handle.

If you find that your system, either AppScan, or your application server, or both cannot handle the load, you can reduce the number of threads until you find a reliable point that works for you.

To modify the number of threads, select Communication and Proxy and enter a new value for Number of Threads.

Figure 7: Communication and Proxy: Number of Threads


2.1.7 Test Options

One of the areas that AppScan validates is the login and logout area of your application. It checks for problems like multiple failed login attempts. Does your application give an appropriate error message in that scenario?

It is good practice to run this test in isolation because it might cause problems with your application process. For example, if you leave this test enabled and multiple failed login attempts block the user account that AppScan is using, the rest of the tests fail, because AppScan cannot gain access to your system.

To disable the login tests, open the Test Options section and clear the Send tests on login and logout pages check box.

Figure 8: Test Options: login/logout tests


2.1.8 Miscellaneous

There are other configuration items that are not specific to Tivoli Integrated Portal but are specific to your product. For instance, do you have any JavaScript or Flash content in your product? You have to enable or disable that capability as appropriate in the “Explore Option” section.

There are many other features and functions within AppScan that are not covered here. For example, you might want to configure automatic form filling to allow AppScan to get deeper into your application by filling in a form and getting to the next level of a web process.

You can use Multi-Step operations to simulate a user who is using your application. For example, a retail web site must validate that you can search for a product, add it to your basket, and checkout and submit payment details.

Some of the above manual interaction details can be captured using the Manual Explore option, which is discussed in more detail in the next section of this paper.


2.2 Manual Explore function

2.2.1 Explore your application

AppScan can automatically explore your application and build up a navigation tree of URLs that it needs to test. This automatic exploration has limited capability because it does not know or understand how to use your application. AppScan tries to learn new URLs by accessing any links on the Starting URL and proceeding to work its way through all of those and down to the next level. This might not expose all the URLs that it needs to test and can leave important parts of your application untested if you do not also use the Manual Explore function.

To manually explore your application, click Manual Explore. This opens AppScan's built-in browser. Proceed to log in and use your application as your user would, or you can limit the exploration to just the areas of your application that you want AppScan to focus on.

When complete, log out and close the browser window. AppScan now displays a list of all the URLs that it found in your manual explore session, and you can include or exclude all the URLs that you deem appropriate.

When accepted, the navigation tree on the left of the AppScan user interface is updated with any new URLs that were discovered. Any forms that you filled in while exploring are also saved in the Configuration section, under Automatic Form Fill, so that AppScan can repeat those entries and get further into your application process during the test cycle.

Note that any regular expressions that you added to your Exclude Paths that match URLs in your navigation tree will be displayed with a red X on them. So, you can quickly see what areas of your application are being tested.


Figure 9: Manual Explore of your application


2.2.2 CURI Providers

IMPORTANT: If your Tivoli Integrated Portal based application has a CURI data provider, it is not automatically tested unless you add the CURI URLs to your manual explore procedure.

This is an example of a CURI Provider URL:

https://localhost:16311/ibm/tivoli/rest/providers/Impact_NCICLUSTER/datasources/defaultobjectserver/datasets/ALERTS/items/123?properties=all

Because your starting URL, as configured in section 2.1.2, does not cover the previous URL path, your entire CURI provider interface is not tested.

If you want to cover the CURI Provider interface, you must manually explore your CURI provider URL tree.

In fact, any URLs that are not displayed in the navigation pane of AppScan are not tested. Before you start a scan, look at the navigation pane and validate with one of your Application architects that all the appropriate areas of your application are listed. Any missing areas must be manually explored.


2.3 Run the test

After you have your configuration parameters set up appropriately and you have the navigation tree populated with all the URLs that you want tested, you can now start a test scan.

From the Scan menu you can select Full Scan, which runs through all the configured tests.

If you already executed a scan and there are results on your screen, you can select the Re-Scan (Full) option, which runs a full scan but also removes any existing test results. You can use this option if you made configuration changes to your application server that might affect the test results, so that stale results do not remain.

If, for whatever reason, the scan fails, you can reset your AppScan, application servers, or both and resume the scan from where it previously stopped. You do this by selecting Continue Test Only.

This is a useful feature because a full scan can take many hours, or even days, to complete, depending on what level of testing you configured and how many applications you installed under Tivoli Integrated Portal.

TIP: It is good practice to monitor your application server during the test to ensure it did not crash. Also, check for low memory and high processor use. You might have to reconfigure AppScan to reduce the load on your application server as detailed in this paper in section 2.1.6.


2.4 Analyze the results

Analyzing the results is more time consuming than configuring and running AppScan.

Every issue reported must be individually assessed to determine whether it is a valid problem for your application. The same issue might be reported for two applications and be a major vulnerability for one application but not for the other. It depends on such factors as how security conscious the user is, how exposed the web interface is to hackers, whether the application deals internally with the vulnerability and is therefore not deemed a risk, and so on.

This analysis can only be done in conjunction with the appropriate product team.

The following Tivoli Integrated Portal related issues might get reported, which can be addressed by additional configuration changes in WebSphere Application Server.

Missing HttpOnly Attribute in Session Cookie

Missing Secure Attribute in Encrypted Session (SSL) Cookie

HttpOnly attribute

Make a change to this file:

TIP_HOME\tipv2\profiles\TIPProfile\config\cells\TIPCell\nodes\TIPNode\servers\server1\server.xml

Add this property to the file:

<properties xmi:id="Property_12" name="com.ibm.ws.webcontainer.httpOnlyCookies" value="LtpaToken2,JSESSIONID_ibm_console_16310,JSESSIONID"/>

Secure attribute

The secure attribute in the session cookie can be enabled within WebSphere Application Server under Security->Global Security. Under Authentication, click Web Security->Single Sign-on (SSO), and select the Requires SSL check box.

You must also update the following deployment.xml file and set the secure attribute to true:

TIPHOME\profiles\TIPProfile\config\cells\TIPCell\applications\isc.ear\deployments\isc\deployment.xml

IMPORTANT: Making these changes can break your application. Thorough testing of your application is required after you implement these changes.
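A verification step for the two cookie findings above, added as an example that is not part of the paper: it parses Set-Cookie headers and reports which of the session cookies named in the httpOnlyCookies property still lack the HttpOnly or Secure attribute. The header values, the token placeholder and the tipUI cookie are constructed; in practice, feed it the Set-Cookie headers returned by a login to the console starting URL.

```python
# Cookie names taken from the httpOnlyCookies property in section 2.4.
PROTECTED_COOKIES = ("LtpaToken2", "JSESSIONID_ibm_console_16310", "JSESSIONID")

# Constructed Set-Cookie headers as a console login might return them before
# and after the WebSphere changes; "<token>" stands in for the real LTPA value.
BEFORE = [
    "LtpaToken2=<token>; Path=/",
    "JSESSIONID=0000abcdef:-1; Path=/ibm/console",
    "tipUI=light; Path=/",  # constructed non-session cookie; the audit ignores it
]
AFTER = [
    "LtpaToken2=<token>; Path=/; Secure; HttpOnly",
    "JSESSIONID=0000abcdef:-1; Path=/ibm/console; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header into its name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Valued attributes keep their value; bare flags (Secure, HttpOnly) map to True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers, names=PROTECTED_COOKIES, required=("httponly", "secure")):
    """Return {cookie name: [missing attributes]} for protected cookies lacking a flag.

    An empty result means every protected cookie seen carries both attributes,
    which is the state the server.xml and SSO changes are meant to produce.
    """
    findings = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in names:
            continue
        missing = [a for a in required if a not in cookie["attrs"]]
        if missing:
            findings[cookie["name"]] = missing
    return findings


if __name__ == "__main__":
    print("before:", audit_cookies(BEFORE))  # both session cookies lack both flags
    print("after:", audit_cookies(AFTER))    # {} once the changes are in place
```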


3 Summary

This paper detailed the Tivoli Integrated Portal V2.2 changes that are required in the AppScan configuration to perform a successful scan of your Tivoli Integrated Portal based product.

The paper also detailed the AppScan configuration parameters and the need for the manual explore process, particularly if you want to cover any CURI Providers exposed in your Tivoli Integrated Portal application.

Finally, the paper detailed how to run the test, how to deal with failures, and gave some sample solutions to problems that are reported by AppScan.


4 Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.


Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information is for planning purposes only. The information herein is subject to change before the products described become available.


This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

4.1 Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Other company, product, or service names may be trademarks or service marks of others.
