Frequently Asked Questions
This topic addresses general application questions.
What are the different ways available to scan web services?
A site is scanned by first exploring it, and then, based on the data gathered, testing it. "Explore data" can be gathered using one or more different Explore methods. In all cases, once the Explore data is gathered, AppScan uses it to create and send tests to the site during the Test stage.
- Exploring web applications (sites with a user interface)
- In the case of applications (sites) without web services, it is often sufficient to supply AppScan with the start URL and login credentials for it to be able to test the site.
- Manual Explore: If necessary, you can manually explore the site through AppScan, in order to reach areas that are only accessible through specific user input.
- Multi-Step Operations: For pages that can be reached only by accessing other pages in a specific order, you can record a multi-step operation for AppScan to use.
- Exploring web services
- There are three methods for doing this; the first is recommended.
- You can set up AppScan as a recording proxy for the device (such as a mobile phone or simulator) you use to explore the service. That way AppScan can analyze the Explore data collected and send appropriate tests. You can also use AppScan to record traffic generated by an external tool, such as a web services functional tester. See Using AppScan as recording proxy.
- If you have Open API description files (JSON or YAML) for your web service, you can use the Web Services Wizard extension to configure a scan, and the multi-step sequences needed to use the service. AppScan will then automatically scan the service.
- If you cannot use the first two methods, and have a WSDL file for your web service (such as a SOAP web service), the AppScan installation optionally includes a separate tool that lets users view the various methods incorporated in the web service, manipulate input data, and examine feedback from the service. You first need to give AppScan the URL of the service. The integrated "Generic Service Client" (GSC) uses the WSDL file to display the individual methods available in a tree format, and creates a user-friendly GUI for sending requests to the service. You can use this interface to enter parameters and view the results. The process is "recorded" by AppScan and used to create tests for the service when AppScan scans the site. GSC can also be used as a client for REST requests, without parsing a WSDL file, as a simple HTTP client. See Using GSC.
- External client or device
- In both the above cases, if you need to use an external device such as a mobile phone to explore the site, you can set up AppScan as a proxy to follow your actions and then test the site based on the recorded data.
What is the difference between manual exploring and a multi-step operation?
- Manual Exploring
- Manual exploring is when you explore your site to gather data that AppScan can use to ensure that, when it tests the site, it covers parts of the application or services that it might have missed during its automatic Explore stage. This may be because specific user input is required, or because the site responds only to a different type of tool or device. You can manually explore using AppScan, using AppScan as a recording proxy, or using the Generic Service Client (GSC). See Manual exploring.
- Multi-Step Operation
- A multi-step operation is needed to explore parts of the site that can only be reached by clicking links in a specific order, such as an online shop where the user adds items to a cart before paying for them. Consider the following three pages:
- User adds one or more items to a shopping cart
- User fills in payment and shipping details
- User receives confirmation that the order is complete
What is the difference between action-based playback and request-based playback?
When a procedure is recorded for use as the Login or as a multi-step operation, two playback methods are available:
- Request-based playback
- Sends the raw HTTP requests from the recording. This method is usually faster.
- Action-based playback
- Replays the clicks and keystrokes of the user. Reasons for selecting this method could be that the site includes a lot of JavaScript, or that some of the requests in the request-based playback were marked with a red X when you attempted to validate them. This method can increase scan time.
See Configure > Explore > Review & Validate tab, and Configure > Multi-Step Operations view.
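The three-page shopping sequence from the multi-step operation question above, and the request-based playback validation described in this question, can be seen together in the following constructed simulation. It is an added illustration, not AppScan's own code: the toy `Shop`, its paths (`/cart/add`, `/checkout`, `/confirm`), and the `record`/`playback` helpers are all hypothetical. A recorded sequence of raw requests is replayed in a fresh session and each step is validated by comparing its status code with the recorded one; a `False` result plays the role of a step marked with a red X. Replaying the steps out of order fails, and so does replaying a recorded request that carries a value the server generated during the recording (here, the order number), unless the playback tracks that value from the previous response.

```python
# Constructed simulation of a three-page multi-step operation and request-based
# playback validation. Hypothetical code; it is not AppScan's implementation.
from __future__ import annotations

import itertools
import re
from dataclasses import dataclass, field


@dataclass
class Shop:
    """Toy shop with the three ordered pages from the FAQ: add items to the
    cart, pay, receive confirmation. State is keyed by session so that a
    replay in a fresh session behaves like a new visitor."""
    carts: dict = field(default_factory=dict)    # session -> list of skus
    orders: dict = field(default_factory=dict)   # (session, order id) -> skus
    _ids: itertools.count = field(default_factory=lambda: itertools.count(1000))

    def handle(self, session: str, method: str, path: str, body: str = "") -> tuple[int, str]:
        """Return (status, response body) for one request."""
        if method == "POST" and path == "/cart/add":
            self.carts.setdefault(session, []).append(body)
            return 200, "added"
        if method == "POST" and path == "/checkout":
            if not self.carts.get(session):
                return 400, "cart empty"             # step 2 attempted before step 1
            order_id = next(self._ids)
            self.orders[(session, order_id)] = self.carts.pop(session)
            return 200, f"order={order_id}"          # dynamic value that step 3 depends on
        m = re.fullmatch(r"/confirm\?order=(\d+)", path)
        if method == "GET" and m:
            found = (session, int(m.group(1))) in self.orders
            return (200, "confirmed") if found else (404, "no such order")
        return 404, "not found"


def record(shop: Shop, session: str = "recorder") -> list:
    """Walk the three pages once, in order, capturing each raw request together
    with the status it produced: the analogue of a recorded sequence."""
    steps = []
    status, _ = shop.handle(session, "POST", "/cart/add", "sku=42")
    steps.append(("POST", "/cart/add", "sku=42", status))
    status, resp = shop.handle(session, "POST", "/checkout")
    steps.append(("POST", "/checkout", "", status))
    confirm = "/confirm?order=" + resp.split("=")[1]  # order id baked into the recording
    status, _ = shop.handle(session, "GET", confirm)
    steps.append(("GET", confirm, "", status))
    return steps


def playback(shop: Shop, steps: list, session: str, track_order: bool = False) -> list:
    """Request-based playback: resend the recorded requests in a new session and
    validate each one by comparing its status code with the recorded status.
    A False entry corresponds to a step marked with a red X on validation.
    With track_order=True, the order id returned by the checkout response is
    substituted into later requests instead of replaying the stale recorded value."""
    results = []
    order_id = None
    for method, path, body, expected in steps:
        if track_order and order_id is not None:
            path = re.sub(r"order=\d+", f"order={order_id}", path)
        status, resp = shop.handle(session, method, path, body)
        if resp.startswith("order="):
            order_id = resp.split("=")[1]
        results.append(status == expected)
    return results


if __name__ == "__main__":
    shop = Shop()
    steps = record(shop)
    print("raw replay    ", playback(shop, steps, "raw"))             # [True, True, False]
    print("tracked replay", playback(shop, steps, "tracked", True))   # [True, True, True]
    print("out of order  ", playback(shop, steps[1:], "skipped"))     # [False, False]
```

The raw replay passes the first two steps and fails the third, because the confirmation request in the recording names an order that belongs to the recording session. Starting the sequence at the checkout step fails immediately, since the cart is empty: that is why a multi-step operation records the whole ordered sequence rather than the final page alone. Tracking the order number across responses is the kind of adjustment that makes request-based playback validate cleanly; where the dependency lives in client-side script rather than in a visible response value, action-based playback is the alternative the FAQ points to.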