Recording QA automation test scripts with the Manual Explorer tool

In QA test environments for web applications, thousands of automated test cases of browser interactions are often run by using multiple browser instances on distributed servers. Using the AppScan® Manual Explore Server, you can record the traffic that is generated by these automated tasks for security testing.

About this task

This procedure lets you reuse the HTTP traffic that your functional test scripts generate, which removes the additional work of recording separate AppScan scripts. You can set up as many Manual Explore Servers as you need within your organization, then use a REST API to automate the recording of data that flows from the test cases to a testing server, and automatically send the data as an *.htd file to AppScan Enterprise to be configured as a scan. In this scenario, you download the Manual Explorer tool and set up a Manual Explore server by using a command line interface.

Note:
  1. The maximum file size for the *.htd file is 20 MB. If you exceed this limit, split the file into smaller chunks by recording smaller sequences.
  2. For your convenience, here is a script that you can use to automate the capture of HTTP traffic and the creation of scan jobs that use the captured traffic: recordTraffic.zip. (If the file doesn't download, right-click the link and save the file to your hard drive.)

Procedure

  1. Download the Manual Explorer tool and set up the Manual Explorer server:
    1. In the Manual Explore section of the What to Scan page of the job, click the Add icon.
    2. On the Manual Explore page, select Use manual explorer tool or AppScan Standard explore data file.
    3. Download and install the tool.
      It typically installs at <install-dir>\HCL\AppScan Manual Explorer.
    4. Run a command line prompt on the server, change the directory to <install-dir>\HCL\AppScan Manual Explorer, and enter: manualexploreserver.exe -host <host_name_ip> -recordingsDir <recordings_dir>.
      Tip: Use the -help flag to see all the available command line options.
  2. To start a recording session on a port of your choice:
    1. In a browser, go to http://<host_name_ip>:9999/start?port=<recordingPort>. The recording port number is the ID of the recording.
      For example, http://myVM:9999/start?port=1111. "1111" is the ID of the recording session.
      Note: Make sure that the browser that is issuing the control commands does not use the Manual Explorer Server as a proxy; otherwise, the control commands are added to the recording.
    2. Set your automation or the browser that is used for playback to use <host_name_ip>:<recordingPort> as a proxy.
    3. Run the automation that contains your QA test cases.
    Note: You can configure Steps a and b during the automation process.
  3. To stop a recording session:
    1. When your automated test cases are finished, stop the Manual Explorer recording by entering this URL in the browser: http://<host_name_ip>:9999/stop?port=<recordingPort>&fileName=<recordingDataFile>. When you specify the fileName argument, the data that is collected during the recording is saved in HTD format. The file path is <recordings_dir>\<recordingDataFile>.htd. If you do not use a file name, the recording stops without saving a file.
    2. If you are finished capturing traffic data, type quit to end the process.
  4. In AppScan Enterprise, make sure you:
    1. Set up email notification. Make sure that the SMTP server for email is configured. See Configuring the Enterprise Console, and make sure that you have set up your personal email notifications to receive alerts. See Configuring your user settings.
    2. Create a scan to test only the specified URLs in the Manual Explore template (on the Explore Options page).
    3. Set alerts for the Security Issues report for the report pack that is generated by the automated script. See Adding an alert to a report pack.
    4. Write down the folderID for the job you just created. You can find it in the URL, for example: https://<servername>/ase/FolderExplorer.aspx?fid=8
  5. The ASECMD utility is stored in the same folder that stores the ManualExploreServer command line. This utility makes it easy to construct a command that publishes the recorded traffic file to AppScan Enterprise using the template that was created in step 4. The scan is created in the folder where you created the scan job in step 4.
    1. Open the command line prompt and navigate to the folder where the AppScan Manual Explorer tool is located.
    2. Type this command to create a scan: ASECMD -aseUrl https://<ase_server_name>/ase/ -jobTemplateId 1 -htdFile \\qaserver\recordings\rec1.htd
      Note: If you do not specify a user name and password, the command line utility uses your current user account for authentication.
  6. Optional: To see the available command-line options for the ASECMD utility, open the command line prompt and run asecmd.exe. The usage details are displayed in the window.
  7. View the results in the Enterprise Console of AppScan Enterprise Server.
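
The start, proxy, and stop sequence from steps 2 and 3, driven from a Python test harness. This is an added example, not part of the original page or of the recordTraffic.zip script. The function names, the file-name character restriction, and the injectable fetch parameter are assumptions of this example. Control requests bypass any configured proxy so that they are not added to the recording, and the size check applies the 20 MB limit from the note above.

```python
import os
import re
import urllib.parse
import urllib.request
from contextlib import contextmanager

CONTROL_PORT = 9999                  # control port used in the URLs on this page
MAX_HTD_BYTES = 20 * 1024 * 1024     # documented 20 MB limit for *.htd files

# Control requests must not pass through the recording proxy, or they end up
# in the recording: an empty ProxyHandler ignores HTTP(S)_PROXY settings.
_direct = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def control_url(host, action, port, file_name=None):
    """Build the /start or /stop control URL for one recording session."""
    if action not in ("start", "stop"):
        raise ValueError("action must be 'start' or 'stop'")
    if not 1 <= int(port) <= 65535 or int(port) == CONTROL_PORT:
        raise ValueError("recording port must be 1-65535 and not the control port")
    params = {"port": int(port)}
    if file_name is not None:
        # Assumption of this example: keep names to a safe character set so the
        # file stays directly under <recordings_dir>.
        if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", file_name):
            raise ValueError("unsafe recording file name")
        params["fileName"] = file_name
    return f"http://{host}:{CONTROL_PORT}/{action}?{urllib.parse.urlencode(params)}"


@contextmanager
def recording(host, port, file_name, fetch=None):
    """Start a session, yield the proxy address, and always stop and save."""
    fetch = fetch or (lambda url: _direct.open(url, timeout=30).read())
    fetch(control_url(host, "start", port))
    try:
        yield f"{host}:{port}"       # point the test browser's proxy here
    finally:
        fetch(control_url(host, "stop", port, file_name))


def htd_within_limit(path):
    """True if the saved recording can be submitted (size <= 20 MB)."""
    return os.path.getsize(path) <= MAX_HTD_BYTES
```

Wrap the automation run in `with recording("myVM", 1111, "rec1") as proxy:` and pass `proxy` to the browser driver's proxy setting; call `htd_within_limit` on the saved file before handing it to ASECMD.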