Frequently Asked Questions
This topic addresses general application questions.
What are the different ways available to scan web services?
- Exploring web applications (sites with a user interface)
- In the case of applications (sites) without web services it is often sufficient to supply AppScan with the start URL and login authentication credentials for it to be able to test the site.
- Manual Explore: If necessary you can manually explore the site through AppScan,in order to get access to areas that can only be reached through specific user input.
- Multi-Step Operations: For pages that can be reached only by accessing pages in a specific order, you can record a multi-step operation for AppScan to use.
- Exploring web services
- There are two methods for doing this, the first is recommended.
- You can set up AppScan as a recording proxy for the device (such as a mobile phone or simulator) you use to explore the service. That way AppScan can analyze the Explore data collected, and send appropriate tests. You can also use AppScan to record traffic using external tool, such as a web services functional tester. See Using an external client.
- If you have Open API description files (JSON or YAML) for your web service, you can use the Web Services Wizard extension to configure a scan, and the multi-step sequences needed to use the service. AppScan will then automatically scan the service.
What is the difference between a manual exploring and a multi-step operation?
- Manual Exploring
-
Manual exploring is when you explore your site to gather data that can be used by AppScan to ensure that when it tests the site it covers parts of the application or services that it might have missed with its automatic Explore stage. This may be because specific user input is required, or because the site responds only to a different type of tool or device. You can manually explore using AppScan, or using it as a recording proxy.
See Manual exploring
- Multi-Step Operation
-
A multi-step operation is needed to explore parts of the site that can only be reached by clicking links in a specific order, such as an online shop where the user adds items to a cart before paying for them. Consider the following three pages:
- User adds one or more items to a shopping cart
- User fills in payment and shipping details
- User receives confirmation that the order is complete
What is the difference between action-based playback and request-based playback?
- Request-based playback
- Sends the raw HTTP requests from the recording. This method is usually faster.
- Action-based playback
- Replays the clicks and keystrokes of the user. Reasons for selecting this method could be that the site includes a lot of JavaScript, or that some of the requests in the request-based playback were marked with a red X when you attempted to validate them. This method can increase scan time.
See Configure > Explore > Review & Validate tab, and Configure > Multi-Step Operations view
What test policies can replace the Web Services, The Vital Few, and the Developers Essentials test policies when they are removed?
Current policy |
Suggested alternative |
---|---|
Web Services |
Default The Default test policy now covers web services, so a separate policy is not needed. |
The Vital Few |
Default Use the Default policy together with the fastest Test Optimization setting. |
Developers Essentials |
Application Only Use the Application Only policy together with one of the faster Test Optimization settings. |