Creating an API scan using recorded traffic
If you have recorded traffic of your web API, you can import it and use it as the basis for a scan. For example, if there are API endpoints that are not part of your Postman collection, or if you have API functional test automation, you can record the traffic while the automation runs and feed that traffic to AppScan for security testing.
Before you begin
- Back up your site before scanning.
- If you have not yet done so, create an application for your scans.
- Verify with ASoC that you have permission to scan the domain (see Verifying a domain), or authorize domains without verification using Domain management.
- If your site is not available on the Internet and an AppScan Presence does not yet exist on the server, see Creating the AppScan Presence.
- If scanning a live production site, first read What changes should I make when scanning a live production site?
About this task
Recorded traffic can come from any of the following:
- An Activity recorder, recording through Swagger UI
- AppScan Standard with Postman or SoapUI
- A traffic recorder
For web APIs, the best option is usually the HCL AppScan Traffic Recorder.
Procedure
- On the specific Application page, click Create scan, then click Create scan under DAST Dynamic Analysis.
- In the Create scan: DAST dialog, choose API scan to begin the configuration process.
- For the API explore method, select Recorded traffic.
- Drag and drop your file to the marked area, or click the Add icon to browse and add the dast.config file that has the recorded traffic.
- In the Domains to test section, add every verified or allowed domain you want to include in the scan. Both of these formats are valid:
  https://demo.testfire.net/
  demo.testfire.net
  Important: Domains not listed will not be scanned. Requests in the recorded traffic to a host that is not listed here are not tested, and the scan does not warn you about the gap.
- Configure the other scan options as required, such as authentication, test policies, and other advanced settings. For more information, see Creating an API scan.
- Click Scan. The recorded traffic file is imported and the scan runs to detect vulnerabilities in your web API.
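The Domains to test step is where coverage is silently lost in this workflow: a recorded request to a host you did not list is simply not tested. The following script is an added example (it is not AppScan or HCL code) that checks, before you click Scan, that every host contacted in the recorded traffic appears in Domains to test. This page does not document the internal format of the dast.config file, so the script takes the request URLs as a plain list rather than parsing that file; the URLs and domain entries below are constructed sample data, and exact hostname matching (no subdomain wildcarding) is an assumption about how ASoC matches listed domains.

```python
from urllib.parse import urlsplit

# Constructed sample data: request URLs observed while the API automation ran.
# In practice, collect these from the automation's own logs or from the proxy
# you recorded through; this script does not parse the dast.config file.
RECORDED_REQUEST_URLS = [
    "https://demo.testfire.net/api/login",
    "https://demo.testfire.net/api/account/800000",
    "https://DEMO.testfire.net:443/api/transfer",
    "http://payments.example.internal:8080/v1/charge",
    "https://cdn.example.com/static/app.js",
]

# Constructed sample entries as typed into "Domains to test";
# both formats the page accepts are deliberately mixed.
DOMAINS_TO_TEST = [
    "https://demo.testfire.net/",
    "payments.example.internal",
]


def normalize_domain(entry: str) -> str:
    """Reduce either accepted form (full URL or bare host) to a lowercase hostname.

    Scheme, port, path and case are dropped so that "https://DEMO.testfire.net:443/"
    and "demo.testfire.net" compare equal.
    """
    entry = entry.strip()
    if "://" not in entry:
        # urlsplit only recognises a netloc after a scheme or a leading "//".
        entry = "//" + entry
    host = urlsplit(entry).hostname  # urlsplit already lowercases the hostname
    if not host:
        raise ValueError(f"cannot extract a host from {entry!r}")
    return host


def hosts_in_traffic(urls):
    """Distinct hosts contacted by the recorded requests, sorted for stable output."""
    return sorted({normalize_domain(u) for u in urls})


def uncovered_hosts(urls, domains_to_test):
    """Hosts present in the traffic that are missing from Domains to test.

    Assumption: listed domains are matched exactly; subdomains are not inferred.
    """
    allowed = {normalize_domain(d) for d in domains_to_test}
    return [h for h in hosts_in_traffic(urls) if h not in allowed]


def main():
    missing = uncovered_hosts(RECORDED_REQUEST_URLS, DOMAINS_TO_TEST)
    if not missing:
        print("All recorded hosts are listed in Domains to test.")
        return
    print("Recorded hosts NOT listed in Domains to test (requests to them will not be scanned):")
    for host in missing:
        print(f"  {host}")


if __name__ == "__main__":
    main()
```

With the sample data, cdn.example.com is reported as uncovered. That is the decision point, not an instruction to add it: list a host only if it is in scope and you have verified or authorized it (see Verifying a domain and Domain management); if it is a third-party host your automation happens to call, leaving it unlisted is the correct outcome and its requests are ignored by the scan.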
What to do next
- You can view the status of the scan on the Scans and sessions page.