Main tab

Scan Configuration > Explore Options > Main tab.

In this tab you select the Explore method AppScan will use for the scan, and configure options that apply to both methods.
Explore Method
AppScan uses two distinct methods for the Explore stage of the scan. You can select either one, or both. Of the two methods, Request-based Explore is usually faster than Action-based Explore. When both are selected (default, and recommended), Action-Based Explore runs first, with a 30 minute time limit, followed by Request-Based Explore.
Page Structure (DOM) Filtering
These can greatly reduce scan time by identifying pages that are similar enough to pages already scanned, that they can safely be ignored.
Scan Limits
These determine how deeply (or how quickly) AppScan explores your application.
Other Settings
These are for configuring the client to recognize a specific server encoding and to send a specific user-agent header.

Setting

Details

Explore Method

Action-Based

A version of the Google Chrome browser is used to scan the site, as a user would, clicking the links that are visible in the browser. This method is particularly effective where new technologies such as JavaScript and Session Storage are used, and for sites that are RIA, Single-page Application (SPA), or AngularJS.

Request-Based

Requests are sent based on all page content that AppScan discovers. This includes content that is not visible to users using a browser, such as links in comments, which an attacker would find.

Page Structure (DOM) Filtering

Filter similar pages based on structure (DOM)

AppScan® compares new pages with those already scanned, for structural (DOM) similarity, which indicates the new page contains no new links or content that require additional testing. For example, on a commercial site there may be a catalog with individual pages for a thousand different items, that are in all other ways identical. There is usually no need to scan all those pages. Filtering based on DOM similarity can greatly reduce scan time.

By default both check boxes are selected. After the scan you should examine the Filtered tab of the scan results to see whether unique requests were mistakenly filtered out of the scan. If this happened you should try the "Filter less pages" option, which maintains a steady, lower level of filtering, or disable DOM filtering altogether.

Three kinds of filtered items will be found in the Filtered tab of the results:
  • Similar DOM: This indicates a page that was filtered from the scan because its structure (DOM) is similar to that of a previously explored page, and probably contains no new elements to test.
  • Likely Similar DOM: This indicates a request that was not sent at all, because AppScan estimates that the response will have the same structure (DOM) as that of a previously explored page, and will contain no new elements to test.
  • Similar Body: This indicates a request (from a page that was not filtered due to Similar DOM) that was filtered from the scan because its response body content is similar to that of a request that was previously explored.
After the scan you should examine the Filtered tab of the scan results to see whether unique requests were mistakenly filtered out of the scan. If this happened you should clear the "Filter likely duplicate pages" option (next option), or disable DOM filtering altogether by clearing this check box.

Filter pages that are likely to be similar based on structure (DOM)

This setting filters "Likely similar DOM" pages from the scan (see description above). If unique requests are mistakenly filtered out of the scan you should clear this check box.

Scan Limits

Redundant Path Limit

AppScan will not access the same path more than the specified number of times.

A particular path may be visited several times if it appears with different parameters. This limit is relevant mainly for scripts. It is deselected by default, as in most cases selecting the check box above, Filter duplicate pages based on structure (DOM), will sufficiently control scan time.

Click Depth Limit

AppScan will not scan pages that are accessed by clicking more than the specified number of links.

Total Page Limit

If selected, AppScan will access no more than the maximum number of pages defined. Note that there may be many URLs explored per page.

Other Settings

Encoding

AppScan generally detects the application's encoding method automatically, and therefore Autodetect is selected by default.

If the content of responses in the scan Results looks distorted, this may mean that the encoding method was not correctly identified. To solve this problem, select the correct encoding method from the drop-down list.

User-Agent

The user-agent header in an HTTP request tells the server what kind of client sent the request, and this may affect the content that the server returns. For example, there may be content that is specific to mobile phones that is sent only when the user-agent is a mobile phone browser. In order for AppScan to be able to test such content, you need to configure it to send the appropriate user-agent header.

AppScan generally detects the user agent automatically, and therefore Autodetect is selected by default. However, if you use a browser other than the built in browser, and you do not record a login procedure, a multi-step operation, or a manual explore, AppScan will be unable to autodetect the user agent, and you must select it manually.

To change the user-agent, select an agent from the drop-down list.

To enter custom content, click the Edit button and type in the content. When you close the dialog box the button name changes to Custom User Agent.

Note: If you change the default browser, refer to the conditions listed in Changing the default browser