Explore with guidance
The Explore with guidance feature lets you crawl specific parts of your application, filling in fields and forms as you go, to "guide" ASoC to those areas, ensuring that they are tested in the DAST scan, and that ASoC has the information needed to complete forms correctly and, if necessary, to browse links in a specific order.
Use Explore with guidance when specific user input is required, or when a site responds only to a different type of tool or device.
You can record the traffic in one of two ways:
- Using the AppScan Activity Recorder (an extension for your Chrome or Edge web browser)
- Using the HCL AppScan Traffic Recorder (may be most suitable in the case of web APIs)
The recording is saved as a DAST.CONFIG file. Alternatively, you can also upload a traffic file recorded using AppScan Standard or AppScan Dynamic Analysis Client (ADAC) that is saved as a .EXD file.
You can use the recording in one of two ways:
- As the Explore stage of the scan, so that ASoC tests only the parts of the application it includes
- In addition to an automatic Explore stage, so that ASoC explores the application automatically and tests both your recording and its own explore data
Alternatively, you can use Manual Explore in AppScan Standard, save the result as a SCAN file, and upload that file to ASoC to create a scan. Manual Explore in AppScan Standard corresponds to Explore with guidance in ASoC.
Explore with guidance applies to DAST scans only. Your DAST.CONFIG or .EXD file is uploaded and guidance configured in the Explore stage of the scan wizard. See DAST scan configuration > Explore step.
For details of how to record the traffic, see Recording traffic.
Multistep explore
Multistep explore is a specific type of guided explore, where you not only show ASoC which links to crawl, but the specific order in which to crawl them. Use multistep for testing parts of the site that can be reached only by sending requests in a specific order, such as an online shop where the user adds items to a cart before paying for them. For example, the sequence might be:
- User adds one or more items to a shopping cart.
- User fills in payment and shipping details.
- User receives confirmation that the order is complete.
You record this sequence as a DAST.CONFIG file, browsing the three pages in that order. ASoC would extract the necessary sub-sequences from this sequence as required: when testing page two it would send the page one request first; when testing page three, it would send page one followed by page two.
Multiple DAST.CONFIG files
You can upload more than one file for a single scan. If activated, the Multistep setting is applied to all of the files; see DAST scan configuration > Explore step.