Home
Reference
Review reference information for the product.
Folder Explorer topics
Learn about folder explorer topics.
Creating scans in the Folder Explorer
Learn how to create scan in the folder explorer.
Web API scanning
HCL AppScan Enterprise is a scalable enterprise solution that allows organizations to manage their application security program for their web applications and web APIs. It features cutting edge methods and techniques to identify security vulnerabilities to help protect applications from the threat of cyber-attacks.

Reference
Review reference information for the product.
- Configuring Wizard topics
  Learn about configuring wizard topics.
- Folder Explorer topics
  Learn about folder explorer topics.
  - Working with Folder Explorer
    Learn how to use the folder explorer.
  - Creating scans in the Folder Explorer
    Learn how to create scan in the folder explorer.
    - Creating a QuickScan template using scan properties from AppScan Enterprise
      A QuickScan template comprises either a content scan job or an import job, plus a report pack. After you create scan templates in the Templates folder in the Folder list, they will automatically be available as scan templates to QuickScan users and to more advanced users who have their QuickScan View turned on in the Show Folder Explorer list. When a QuickScan user creates a scan, a job and report pack will be created based on the template, but will only appear to the QuickScan user as a scan.
    - Configuring a basic scan without security testing
      Use this task to configure a basic scan with minimal configuration. This scan will automatically discover more URLs to test in your web application. Use this method for an application that has a lot of static links and does not require a lot of user interaction. This scan does not test for security issues, but helps you start exploring your site to determine complete site coverage.
    - Configuring a security scan using scan properties in AppScan Enterprise
      Security scans should be performed in a preproduction environment, such as on a staging or Quality Assurance server. Doing so helps you contain the risks associated with performing security scans. Your preproduction environment should mirror the production environment as much as possible; the application should have the same executable files in both environments so that you know you are thoroughly testing your exposed applications. Security scans should also be integrated into your Software Development Life cycle (SDLC) process so that you can catch security issues before they make their way into your production environment.
    - How a security scan works
      A security scan has two distinct phases: Explore and Test.
    - Workflow for security testing
      A security scan requires careful configuration so that it can find all the URLs on your web application and then test them for vulnerabilities.
    - Web API scanning
      HCL AppScan Enterprise is a scalable enterprise solution that allows organizations to manage their application security program for their web applications and web APIs. It features cutting edge methods and techniques to identify security vulnerabilities to help protect applications from the threat of cyber-attacks.
      - How to create an API scan using ADAC
        You can scan a web API using ADAC from AppScan Enterprise where you can create and run a DAST scan. Scanning web API requires some manual input by the user, to show AppScan Enterprise how to use the API. This can be done by using the Manual Explore section, where you can record traffic using an external client like Postman, SOAP UI or any other external client, or, import a previously recorded traffic file.
      - How to use AppScan Traffic Recorder to record traffic for web API
        You can scan a web API using a recording done with AppScan Traffic Recorder. AppScan Traffic Recorder can be used to record traffic that can be used as explore data in your AppScan Enterprise job. The AppScan Traffic Recorder is a system for managing traffic recorder instances. Traffic Recorder instances can be created on demand to record traffic and login sequence that can be used later in a DAST scan.
      - How to scan using a Postman Collection
        If you have a Postman collection of requests to your web API, you can add this collection and use it as the basis for a scan. AppScan runs its own Explore stage using the collection, and displays the resulting data in Dashboard.
    - How JavaScript™ source code analysis works
      JavaScript™ Security Analyzer (JSA) performs static JavaScript source code analysis to detect a range of client-side issues, primarily DOM-Based Cross Site Scripting. JSA analyzes the HTML pages that AppScan® Enterprise collected during the Explore stage. JSA runs in parallel to the Test stage, or can be launched manually on existing Explore results at any time.
    - Optimizing your scan with advanced configuration options
      Use this task to configure an advanced scan with complex configuration. Use this method for web applications that require a lot of user interaction to navigate the application or if you would like to just test a specific area of your application.
    - Capturing and Importing Traffic Data
    - Importing an action-based login file from AppScan Standard
      The action-based login capability in AppScan Standard produces the user's actual actions in the browser, rather than just the requests, and replays the sequence in the browser. Take advantage of this capability by creating an action-based login in AppScan Standard and importing it into AppScan Enterprise to help avoid out-of-session events during scanning.
    - Importing manual explore data from AppScan® Standard
      You can import data that is exported from AppScan® Standard version 7.x (and later) into AppScan Enterprise. Importing this data can save time and reduce redundant efforts. Only the URLs (parameters and domains) and HTTP requests from the AppScan .exd file are imported.
    - Importing AppScan® data to use in reports
      An import job takes the results from a data file, and integrates it into the AppScan® Enterprise Server database. Imported data can be used to create reports and dashboards. It can also be combined with data from content scan jobs to create a complete picture of your issues.
- Triage with reports
  Reports are automatically generated after a job has run. They provide a way of managing issues so that you can helps you manage issues that are important to your organization and do so in a way that is supported both by the Enterprise Console's workflow and the workflows of other processes within your organization.
- Configuration Manager
- AppScan resources
  A GitHub collection of integrations, helper scripts, utilities, useful examples, libraries, and other resources related to HCL AppScan.

Web API scanning

HCL AppScan Enterprise is a scalable enterprise solution that allows organizations to manage their application security program for their web applications and web APIs. It features cutting edge methods and techniques to identify security vulnerabilities to help protect applications from the threat of cyber-attacks.

HCL AppScan Enterprise Dynamic Analysis engine, evaluates application security at runtime by attacking the application using techniques analogous to methodologies used by hackers. The result of the tests includes a rich set of data ranging from application inventory to detailed attack traffic which can be reproduced for validation and fix. This data can be examined and processed in the UI or exported in various formats for sharing in other tools.

To scan a web API, AppScan Enterprise must get the generated API traffic, and then use this data to perform tests in an automated way.

There are few ways to provide AppScan Enterprise with the data for API scanning:

Record traffic using AppScan Dynamic Analysis Client (ADAC)
- Using Postman or SoapUI integration
- Using any other external client
Record traffic using AppScan Traffic Recorder
Scan using a Postman Collection

The recorded traffic can be uploaded to AppScan Enterprise scan by using one of the following options:

Upload traffic using ADAC
Use REST API to create a scan and upload traffic
Create an API scan using AppScan Standard and then upload the file in AppScan Enterprise for scanning. See Recording with an external client and Importing manual explore data from AppScan Standard.

For more information on the different methods used to capture and import traffic data, see Capturing and Importing Traffic Data.

When creating an API scan, if you have authentication to the site, it is recommended to provide a login sequence recording.

Login sequence recording can be done using the following ways similar to recording traffic: