Configuring DAST scans with a Postman collection URL using REST APIs

Overview

This section explains how to use the REST API in AppScan Enterprise to configure Dynamic Application Security Testing (DAST) scans by providing a URL to a Postman collection. This feature allows for the automation of scan configurations using your existing Postman collections, which can be particularly useful when setting up AppScan Dynamic Analysis Client (ADAC) jobs or other dynamic scans. This API-driven method provides a way to perform this configuration directly within AppScan Enterprise, replacing manual steps previously often managed via AppScan Standard.

API endpoint for Postman URL configuration

Prerequisites

• You will need an existing DASTConfig job. You can create DASTConfig jobs using any of the following existing APIs:
  • POST/jobs/{templateId}/dastconfig/createjob
  • POST/jobs/createjobBasedOnTemplateFile
  • POST/jobs
• The jobId (Integer) of the DASTConfig job is required. This can be retrieved using the GET /folders/{folderId}/jobs API endpoint.
• A valid asc_xsrf_token is required for API request authentication and can be obtained from the POST /login API endpoint. This token should be sent as a request header, typically named asc_xsrf_token or similar, with its corresponding value.
• We recommend using the ‘Regular scan’ template to avoid any performance issues.
  Note:

  If the web API requires authorization, the authorization request must include valid credentials (API Key, Basic Auth., or other fixed tokens and passwords). The authorization request must be one of the first requests in the collection. By default, AppScan Enterprise examines the first seven requests for the authorization request, but if needed, this can be increased in the ADAC client in Advanced Configuration > Postman: Login analysis sample size.