Creating an API scan using recorded traffic

If you have recorded traffic of your web API, you can import it and use it as the basis for a scan. For example, if there are API endpoints that are not part of a Postman collection, or if you have functional test automation for the API, you can record the traffic while the automation runs and feed that traffic to AppScan for security testing.

Before you begin

Ensure you have the recorded traffic file that was recorded using one of the following methods:
  • Recorded using an Activity recorder through Swagger UI
  • AppScan Standard with Postman or SoapUI
  • Using a traffic recorder

About this task

For web APIs, the best option is usually the HCL AppScan Traffic Recorder.

Procedure

  1. On the specific Application page, click Create scan, then click Create scan under DAST Dynamic Analysis.
  2. In the Create scan: DAST dialog, choose API scan to begin the configuration process.
  3. Select the API explore method, Recorded traffic.
  4. Drag and drop your file to the marked area, or click the Add icon to browse and add the dast.config file that has the recorded traffic.
  5. In the Domains to test section, add every verified (allowed) domain you want the scan to cover. Both of these formats are valid:
    • https://demo.testfire.net/
    • demo.testfire.net
    Important: Only listed domains are tested. Requests in the recorded traffic to a domain that is not listed are not scanned.
  6. Configure the other scan options as required, such as authentication, test policies, and other advanced settings. For more information, see Creating an API scan.
  7. Click Scan. The recorded traffic file is imported and the scan is run to detect vulnerabilities in your web API.
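Because only the domains listed in step 5 are scanned, it is worth checking the recording itself before uploading it: every host that the recorded requests actually hit should either be on the Domains to test list or be deliberately left out (a third-party CDN, for example). The following script is an added example, not part of the AppScan documentation or product. It assumes the recording is available in HAR (HTTP Archive) format, which is a common export format for traffic recorders but is an assumption here; the sample capture, the hostnames, and the function names are all constructed for illustration.

```python
"""Cross-check the hosts in a recorded-traffic file against the Domains to test list.

Added example (not AppScan code). Assumes the recording is a HAR file; if your
recorder writes a different format, replace hosts_in_traffic() accordingly.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample capture in HAR format (hostnames are illustrative).
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "POST", "url": "https://demo.testfire.net/api/login"}},
        {"request": {"method": "GET",  "url": "https://demo.testfire.net/api/account/800000"}},
        {"request": {"method": "GET",  "url": "HTTPS://Demo.TestFire.net/api/transactions"}},
        {"request": {"method": "GET",  "url": "https://cdn.example.com/lib.js"}},
    ]}
})


def normalize_domain(entry):
    """Accept both 'https://demo.testfire.net/' and 'demo.testfire.net' and return the bare hostname.

    Matches the two formats the Domains to test section accepts; the comparison is
    done on the lower-cased hostname so scheme, path and letter case do not matter.
    """
    entry = entry.strip()
    if "://" not in entry:
        entry = "//" + entry  # let urlsplit treat a bare host as the netloc
    host = urlsplit(entry).hostname  # .hostname is already lower-cased
    if not host:
        raise ValueError(f"not a domain: {entry!r}")
    return host


def hosts_in_traffic(har_text):
    """Return a Counter of requests per hostname found in a HAR capture."""
    entries = json.loads(har_text)["log"]["entries"]
    return Counter(urlsplit(e["request"]["url"]).hostname for e in entries)


def check_scope(har_text, domains_to_test):
    """Compare the hosts seen in the recording with the Domains to test list.

    covered:  hosts that are listed and have recorded requests (these get scanned)
    unlisted: hosts in the recording that are NOT listed (these will not be scanned)
    unused:   listed domains for which the recording contains no requests
    """
    allowed = {normalize_domain(d) for d in domains_to_test}
    seen = hosts_in_traffic(har_text)
    return {
        "covered": {h: n for h, n in seen.items() if h in allowed},
        "unlisted": sorted(h for h in seen if h not in allowed),
        "unused": sorted(allowed - set(seen)),
    }


if __name__ == "__main__":
    # Constructed Domains to test list, in both accepted formats.
    report = check_scope(SAMPLE_HAR, ["https://demo.testfire.net/", "api.internal.example"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Anything that shows up under `unlisted` is either a domain that belongs on the Domains to test list or a host you intentionally want kept out of scope; anything under `unused` is a listed domain that the recording never exercises, so the scan will have no recorded requests to base its tests on for that domain.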

What to do next

  • You can view the status of the scan on the Scans and sessions page.