Automating DAST scans
Incorporate dynamic scanning in your functional testing.
In the world of DevOps it's increasingly important to be able to
incorporate security scans in the functional testing
process for your web applications. If you use an
automation framework (such as Selenium), you can
take advantage of the scripts that are already
written to create tailor-made scans:
- The requests from the automation framework to the web application are sent through the AppScan proxy (the HCL AppScan Traffic Recorder).
- The proxy records the traffic and saves it as a dast.config file.
- Upload the file to AppScan on Cloud to be used as Explore data for a scan.
- Alternatively, send traffic through the proxy manually (browsing with a web browser configured to use it) to create a dast.config file without an automation framework.
ASoC Automation Workflow:
- Initialization (once per AppScan Presence server):
  - Create the AppScan Presence.
  - Configure a Private Site Server proxy for the Presence.
  - Start the AppScan Presence.
  - (Optional) Install the root certificate to avoid SSL warnings (see Configuring the HCL AppScan Traffic Recorder).
- Running scans:
  - Start the proxy listening on a specified or randomly selected port, as configured (see Starting and stopping the HCL AppScan Traffic Recorder).
  - Run your Selenium script (or other functional test) through the selected proxy, or browse your web application manually using a web browser configured to work through the selected proxy.
  - Stop the proxy and save the traffic recording.
  - Publish to ASoC using the ASoC REST API by creating a new scan under a particular application. See REST API.
A demo script for this workflow, which uses the REST API, is available for download (Download demo script).
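The following script is an added example of the "Running scans" steps above (and of the Selenium-through-proxy flow described at the top of the page); it is not HCL's demo script. It assumes the Traffic Recorder has already been started and is listening on PROXY_HOST:PROXY_PORT, that stopping the recorder writes the recording to RECORDING_PATH, and that the ASoC endpoint paths, JSON field names and Authorization header it uses are placeholders to be replaced with the ones in the REST API reference.

```python
"""Drive a Selenium test through the Traffic Recorder proxy, then publish the recording.

Added example, not HCL's demo script. Assumptions (hypothetical): the recorder already
listens on PROXY_HOST:PROXY_PORT; stopping it writes RECORDING_PATH; the ASoC paths,
field names and auth header below are placeholders (see the REST API reference).
"""
import json
import os
import socket
import time
import urllib.request
import uuid

PROXY_HOST = "127.0.0.1"
PROXY_PORT = 8080                                    # assumption: port reported by the recorder
RECORDING_PATH = "dast.config"                       # assumption: where the recording was saved
ASOC_API_BASE = "https://cloud.appscan.com/api/v2"   # placeholder base URL


def chrome_proxy_argument(host, port):
    """Chrome/Chromium flag that routes all browser traffic via the recorder."""
    return f"--proxy-server=http://{host}:{port}"


def wait_for_proxy(host, port, timeout=10.0):
    """Poll until the recorder accepts TCP connections; False if it never does.
    Running the test before the proxy is up records nothing, so fail fast."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:
            time.sleep(0.2)
    return False


def run_functional_test(target_url, host, port):
    """Run the existing Selenium flow with the browser pointed at the recorder."""
    from selenium import webdriver  # lazy import: the helpers above need no Selenium
    options = webdriver.ChromeOptions()
    options.add_argument(chrome_proxy_argument(host, port))
    # Only needed when the recorder's root certificate is not installed in the
    # browser; installing it (Configuring the HCL AppScan Traffic Recorder) is better.
    options.add_argument("--ignore-certificate-errors")
    driver = webdriver.Chrome(options=options)
    try:
        driver.get(target_url)
        # ... the rest of the existing functional test (log in, navigate, submit forms) ...
    finally:
        driver.quit()


def encode_multipart(fields, filename, data):
    """Build a multipart/form-data body with the standard library only."""
    boundary = uuid.uuid4().hex
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
        for k, v in fields.items()
    ]
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        f"Content-Type: application/octet-stream\r\n\r\n".encode() + data + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def api_call(path, token, body, content_type):
    """POST to ASoC; the bearer-token header scheme is an assumption."""
    req = urllib.request.Request(f"{ASOC_API_BASE}{path}", data=body, method="POST")
    req.add_header("Content-Type", content_type)
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def publish_recording(token, app_id, recording_path, scan_name):
    """Upload dast.config and create a DAST scan from it under app_id.
    Endpoint paths and field names are placeholders, not from the page."""
    with open(recording_path, "rb") as fh:
        ctype, body = encode_multipart({}, os.path.basename(recording_path), fh.read())
    file_id = api_call("/FileUpload", token, body, ctype)["FileId"]
    scan = {"AppId": app_id, "ScanName": scan_name, "ScanFileId": file_id}
    return api_call("/Scans/DynamicAnalyzerWithFile", token, json.dumps(scan).encode(), "application/json")


if __name__ == "__main__":
    if not wait_for_proxy(PROXY_HOST, PROXY_PORT):
        raise SystemExit(f"recorder proxy not listening on {PROXY_HOST}:{PROXY_PORT}")
    run_functional_test("https://your-app.example/", PROXY_HOST, PROXY_PORT)  # placeholder URL
    # Stop the recorder and save the recording here (see Starting and stopping the
    # HCL AppScan Traffic Recorder), then publish the saved file:
    token = os.environ["ASOC_TOKEN"]  # assumption: token obtained as the REST API docs describe
    print(publish_recording(token, os.environ["ASOC_APP_ID"], RECORDING_PATH, "selenium-nightly"))
```

The readiness check matters in CI: if the browser starts before the recorder is listening, the Selenium run still passes but the recording is empty and the scan has no Explore data. Prefer installing the recorder's root certificate over `--ignore-certificate-errors`, since the latter also hides real TLS failures in the application under test.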