Creating a new scan from a template file
You can upload your own AppScan Standard template (SCANT) file to run an ASoC scan.
Before you begin
- Back up your site before scanning.
- If you have not yet done so, create an application for your scans (see Create an application).
- Verify with ASoC that you have permission to scan the domain (see Verifying a domain), or authorize domains without verification using Domain management.
- If your site is not available on the Internet, and an AppScan Presence does not yet exist on the server, see Creating the AppScan Presence.
- If scanning a live production site, refer first to What changes should I make when scanning a live production site?
Procedure
- On the specific Application page, click Create scan, then click Create scan under DAST Dynamic Analysis to open the wizard.
- Select From template.
- Upload file: Drag and drop the template (SCANT) file into the dialog, or click to select the file. The file is opened and the starting URL from the configuration is filled in the URL field.
  Note: Enable "Allow intervention" during scan creation to allow the Scan Enablement Team to examine the scan in the event of a failure. By default, intervention is disabled for uploaded scans or templates.
- If your file includes only configuration data (no explore data), you can only run a full scan. If your file includes multistep operations configured, you are given the options of running the Test stage only, or a full scan (Explore and Test stages):
  - Start full scan: Runs a full scan using the current configuration.
  - Run test only: Runs the Test stage only, using the configuration and based on the multistep operations.
- Private site scanning: Public site scanning is the default. If your site is not available on the Internet, click Private network, then select your presence from the list of connected presences. If you have not yet created an AppScan Presence, you can do so now by clicking the Presences link and referring to Creating the AppScan Presence.
- Explore:
  - Automatic form fill: ASoC uses AppScan Standard's default form fill parameter values to fill and submit forms on the site.
    Important: If you are scanning a live production site, we recommend disabling this function. For more details refer to What changes should I make when scanning a live production site?
    Note: If you turn off automatic form fill and scan in AppScan on Cloud, all the information filled in the forms is removed except for the login management data, and AppScan will not fill in the forms automatically during scanning. When you import this scan into AppScan Standard, automatic form fill is enabled, but the form filling data, except for login management, will be empty.
  - Type:
    - Explore automatically: AppScan crawls the web application automatically, from the starting URL, to discover the pages it will test.
    - Explore with guidance: Upload your own recorded Explore stage for AppScan to test. You can use this on its own or in addition to an automatic Explore stage.
  - Explore with guidance: This section is active only if you selected Explore with guidance.
    - Upload recording: Upload one or more DAST.CONFIG traffic files. For details of how to record these, see Recording traffic.
    - File settings: If the requests in your traffic file must be sent in the specific order you recorded them, activate Multistep. This method significantly increases the duration of the scan, so use it only if needed. To understand the difference between Multistep and regular Explore with guidance, refer to Explore with guidance.
      To activate Multistep: For each uploaded recording, click the filename and toggle the Activate Multi-step option to On.
    - How to use the recording:
      - Use the recorded Explore in addition to a full automatic Explore stage, and test it all: ASoC runs its own automatic Explore stage to discover the application, and tests it based on both these results and the traffic file you uploaded.
      - Analyze and test the recorded Explore only: ASoC treats the uploaded file as the Explore stage for the scan. It analyzes and creates tests for the recorded traffic only, and then tests it. There is no automatic Explore stage.
- Schedule:
  - Scan now: Your scan runs as soon as setup and review are complete.
  - Save for later: Your configuration is saved when completed. You can run the scan later.
  - Schedule: Your configuration is saved, and one or more scans run as configured:
    - Select a date and time. Enter these according to the time zone configured on your machine, but note that times are converted to UTC when displayed in the user interface.
    - To run the scan more than once, select Repeat, and then choose:
      - Daily, and select a daily interval (1-30 days), or
      - Weekly, and select which day, or
      - Monthly, select a monthly interval, and then select which numerical day of the month, or which weekday of the month (first, second, third, fourth, last).
      Note: If the maximum number of concurrent scans is already running when the scheduled time arrives, the scan starts as soon as your subscription allows.
    - Set the End date (the last date a scan will run), or click Remove end date to have the schedule run indefinitely.
- Scan options: In the Scan options panel, you can:
  - Elect to run the scan as a Personal scan.
  - Elect to receive an email when the scan is complete.
  - Specify Scan enablement. By default, the Allow intervention check box is selected. This means that if ASoC detects that the scan may produce poor results with the current settings, it alerts the Scan Enablement Team to review them. The scan status changes to Under Review and resumes when the review is complete (see Scan status).
    - If you do not want to allow intervention by the Scan Enablement Team, clear the check box.
    - If you allow intervention, you can optionally include a message to the team if you think they might need specific information to resolve an issue.
- Summary: Edit the name of the scan, if desired, and review the settings selected for the scan. Click back to previous panels to make adjustments if needed.
- Click Scan.