Recorded explore
The Recorded explore feature lets you crawl specific parts of your application, to "guide" ASoC to those areas, ensuring that they are tested in the DAST scan, and that ASoC has the information needed to browse links in a specific order.
Use Recorded explore when specific user input is required, or when a site responds only to a different type of tool or device.
There are two ways to record the traffic:
- Using the AppScan Activity Recorder (an extension for your Chrome or Edge web browser)
- Using the HCL AppScan Traffic Recorder (may be most suitable in the case of web APIs)
Both methods save the recording as a DAST.CONFIG file. Alternatively, you can upload a traffic file recorded using AppScan Standard or AppScan Dynamic Analysis Client (ADAC) and saved as a .EXD file.
When you upload a file that contains requests to multiple domains, those domains are added to the "domains to test" list. Only allowed or verified domains are tested, and ASoC can scan at most 5 domains in a single scan.
- Using the file options in Recorded explore, which determine how the recording is used:
  - Use both recorded and automatic explore stages for comprehensive testing: ASoC runs its own automatic Explore stage in addition to your recording, and tests both your recording and its own explore data.
  - Analyze and test only the recorded explored data: during the Explore stage of the scan, ASoC tests only the parts of the application included in your recording; anything not in the recording is not tested.
- Use Manual Explore in AppScan Standard, save it as a .SCAN file, and upload the file to ASoC to create a scan. Manual Explore in AppScan Standard is similar to Recorded explore in ASoC.
Recorded explore applies to DAST scans only. Your DAST.CONFIG or .EXD file is uploaded, and guidance is configured, in the Explore stage of the scan wizard. See DAST scan configuration > Explore step.
For details of how to record the traffic, see Recording traffic.
Multistep explore
Multistep explore is a specific type of recorded explore, where you not only show ASoC which links to crawl, but also the specific order in which to crawl them. Use multistep for testing parts of the site that can be reached only by sending requests in a specific order, such as an online shop where the user must add items to a cart before paying for them. For example, an order flow might consist of three pages:
- User adds one or more items to a shopping cart.
- User fills in payment and shipping details.
- User receives confirmation that the order is complete.
In this case you record a single sequence (saved as a DAST.CONFIG) in which you browse through all three pages in order. ASoC extracts the necessary sub-sequences from this sequence as required: when testing page two it first sends the page one request; when testing page three, it sends page one followed by page two.

Multiple DAST.CONFIG files
You can upload more than one file for a single scan. If the Multistep setting is activated, it is applied to all the uploaded files; see DAST scan configuration > Explore step.