Multi-Step Operations view

Multi-Step Operations view of the Configuration dialog box is for testing parts of the site that can only be reached by clicking links in a specific order.

A multi-step operation is needed to explore parts of the site that can only be reached by clicking links in a specific order, such as an online shop where the user adds items to a cart before paying for them. Consider the following three pages:

User adds one or more items to a shopping cart
User fills in payment and shipping details
User receives confirmation that the order is complete

Page 2 can be reached only via Page 1. Page 3 can be reached only via Page 1 followed by Page 2. This is a sequence. In order to be able to test Pages 2 and 3, AppScan® must send the correct sequence of HTTP requests before each test.

In the case of the above example you would record a single sequence: Page 1 > Page 2 > Page 3. AppScan would extract the necessary sub-sequences from this sequence, as required. (When testing Page 2 it would send a Page 1 request first; when testing Page 3, it would send Page 1 followed by Page 2.)

Note: It is suggested that the number of multi-step operations be limited to five, with no more than 25 steps in any single operation, and no more than 70 steps altogether.

Note: Configuring multi-step operations should not be confused with manual exploring, and should only be used in cases like the one described above. For more details see Manual Explore using AppScan

Table 1. Multi-Step Operations view options
Setting	Details
Record	Click to record a new sequence. If login details have been configured, you can click the down arrow to select: AppScan Chromium browser (default) AppScan will record using the built-in Chromium-based browser, without logging in. When the browser opens you can log in, if needed, and then record your multi-step sequence. Note: If you use this option and then record login requests as part of the sequence, parameters and cookies received will always be treated as Dynamic, even if they are Login requests, and even if you change their tracking to Login Value. AppScan IE browser > Log in and then record AppScan will log in to the application automatically (using the login you recorded) before the browser opens. You can then record your multi-step operation without recording the login requests. This method has the advantage that the login requests will not be replayed every time this sequence is played, but only if AppScan is out-of-session. Note: Parameters and cookies that are present in the Multi-Step sequence but not in the Login sequence, are always tracked as Dynamic, even if you change their tracking to Login Value. AppScan IE browser > Record without login AppScan will begin recording the sequence without logging in. When the browser opens you record your multi-step sequence directly. If you need to log in, the login will be part of the recording and will therefore be replayed every time the sequence is played, which can significantly increase scan time. Where login is required, the best practice is to use the previous option. Note: If you use this option and then record login requests as part of the sequence, parameters and cookies received are always tracked as Dynamic, even if they are Login requests, and even if you change their tracking to Login Value. Note: If no login sequence has been configured there is just one IE option: Record. External browser Active only if you have configured AppScan to use an external browser for scanning (Tools > Options > Use External Browser > Select Browser). If possible it is recommended to use the AppScan Chromium browser, as it records extra information that improves login success during scanning. Use the external browser only if recording the login with the AppScan browsers does not work for your application. For details, see Record sequence with browser
\| \|	Export a sequence (SEQ file) for use with a different scan Import a sequence (SEQ file) exported from a different scan Delete the selected sequence from the current scan.
Playback Method	When you record a multi-step operation, AppScan records both the actions and the requests. You can select which of them will be used for the scan: Request-based playback Sends the raw HTTP requests from the recording. This method is usually faster. Action-based playback Replays the clicks and keystrokes of the user. Reasons for selecting this method could be that the site includes a lot of JavaScript, or that some of the requests in the request-based playback were marked with a red X when you attempted to validate them. This method can increase scan time. Request-based playback is the default method. Note: If the scan is configured not to use a browser other than the embedded browser (Tools > Options > Use external browser), request-based playback is always used. Note: If you load a sequence that was recorded in a version of AppScan that did not support action-based playback, request-based playback is used for that sequence, even if action-based playback is selected. Note: If you select Action-based playback for a multi-step operation, you must also select Action-based as the login method. If necessary, record the Login sequence again (see Login Management view).
Sequence List	Lists all recorded Multi-Step Operations for this scan.
Sequence Name	The name of the sequence that is selected in the List of Sequences. The check box next to each one indicates if the sequence is enabled for this scan. Validate Click this to check that the sequence is valid. AppScan replays the sequence, and any requests that receive a response different to the original response are marked with a red X, indicating that they will not be tested. Tip: A common reason for requests receiving a different response is the presence of a dynamic sequence variable that needs to be defined, see Sequence variables. If this is not the problem, and the site contains JavaScript, changing to action-based playback may give better results.
Recorded URLs	Shows the links or actions in the selected sequence. Validated A green check mark indicates that the URL has been validated. A red X appears next to URLs that were not validated. Test Indicates whether this URL will be tested on its own (as well as in the Multi-Step Operation). Options are Yes/No. To change the setting right-click on the URL and select Test / Don't Test. Even if you select No the URL will still be playes as part of the Multi-Step Operation. Play Sequence (Applies to tested URLs only) Indicates whether the previous steps in the sequence will be replayed each time this URL is tested. Options are Yes/No. To change the setting right-click and select Play sequence before testing request > Yes/No. View any link in the sequence by selecting it and then clicking the browser button (you can delete individual requests by clicking the trash icon in the upper right of the dialog that opens) Delete any link in the sequence by selecting it and clicking . After doing this click Validate to check that the updated sequence stays in-session.
Log in before sequence replay	If selected, each time a Multi-Step Operation is played, AppScan will log in first. This option is cleared if you record the login as part of the multi-step operation.
Allow play optimization	(Request-based playback only) When selected (default) AppScan attempts to optimize scan time by avoiding unnecessary playback. You should not disable this setting unless you find that AppScan is missing parts of the application due to play optimization. The Scan Log can help in determining this.
Test in Single-Thread mode	AppScan may send two or more requests simultaneously, if they don't require the replaying of a sequence between them. If this results in parts of the application being missed, select this check box.
Sequence Variables	Lists variables that were received while recording the sequence(s), and indicates those that AppScan has determined should be tracked. These may be session IDs or other variables. You can change the status of variables in this list to improve how AppScan deals with them (for details see Sequence variables).

Related topics:

Manual Explore using AppScan

Scan Multi-Step Operations Only