Multi-step operations

Record and manage multi-step operations that are required to reach specific parts of the application that could otherwise be missed.

A multi-step operation is needed to explore parts of the site that can only be reached by clicking links in a specific order, such as an online shop where the user adds items to a cart before paying for them. Consider the following three pages:
  1. User adds one or more items to a shopping cart
  2. User fills in payment and shipping details
  3. User receives confirmation that the order is complete
Page 2 can only be reached via Page 1. Page 3 can only be reached via Page 1 followed by Page 2. This is a sequence. In order to be able to test Pages 2 and 3, AppScan® must send the correct sequence of HTTP requests before each test.

In the case of the above example, you would record a single sequence: Page 1 > Page 2 > Page 3. AppScan® would extract the necessary sub-sequences from this sequence, as required. (When testing Page 2, it would send a Page 1 request first; when testing Page 3, it would send Page 1 followed by Page 2.)

Note: It is suggested that you limit the number of multi-step operations to five, with no more than 25 steps in any single operation, and no more than 70 steps altogether.
Note: Configuring multi-step operations should not be confused with manual exploring and should only be used in cases like the one described above. For more details, see Manual Explore using AppScan.

Setting

Details

Sequences

Record sequence

Click to record a new sequence. If you have configured login details, you can click the down arrow to select them. For more information, see Record sequence with browser.

Playback method

When you record a multi-step operation, AppScan records both the actions and the requests. You can select which of them will be used for the scan:
Request-based playback
Sends the raw HTTP requests from the recording. This method is usually faster.
Action-based playback
Replays the clicks and keystrokes of the user. Reasons for selecting this method could be that the site includes a lot of JavaScript, or that some of the requests in the request-based playback were marked with a red X when you attempted to validate them. This method can increase scan time.
Request-based playback is the default method.
Note: If you load a sequence that was recorded in a version of AppScan that did not support action-based playback, request-based playback is used for that sequence, even if action-based playback is selected.
Note: If you select Action-based playback for a multi-step operation, you must also select Action-based as the login method. If necessary, record the Login sequence again (see Login management).
Note: If your scan is configured to use an external browser (Tools > Options > Use external browser) and you encounter recording issues, disable action-based recording by setting Gui.RecordUserActionsInExternalBrowser to False under Tools > Options > Advanced, then try again.

Import

Import a sequence (SEQ file) exported from a different scan.

Export

Export the selected sequence as a SEQ file to use in a different scan.

Sequence list

Lists all recorded multi-step operations for this scan.

Sequence name

The name of the sequence that is selected in the List of Sequences. The check box next to each one indicates if the sequence is enabled for this scan.

Options available on the three-dot menu:
Validate
Click this to check that the sequence is valid. AppScan replays the sequence, and any requests that receive a response different to the original response are marked with a red X, indicating that they will not be tested.
Tip: A common reason for requests receiving a different response is the presence of a dynamic sequence variable that needs to be defined (see Sequence variables). If this is not the problem, and the site contains JavaScript, changing to action-based playback may give better results.
Rename
Rename the selected sequence.
Delete
Delete the selected sequence from the current scan.

Sequence details

Validate
Click this to check that the sequence is valid. The Troubleshooting options are enabled only after validation.

Recorded URLs

Shows the links or actions in the selected sequence.

Validated
A green check mark indicates that the URL has been validated. A red X appears next to URLs that were not validated.
Test
Indicates whether this URL will be tested on its own (as well as in the Multi-Step Operation). Options are Yes/No. To change the setting, right-click on the URL and select Test / Don't Test. Even if you select No, the URL will still be played as part of the Multi-step operation.
Play Sequence
(Applies to tested URLs only) Indicates whether the previous steps in the sequence will be replayed each time this URL is tested. Options are Yes/No. To change the setting, right-click and select Play sequence before testing request > Yes/No.
View the various options under the three-dot menu here.

Log in before sequence replay

If selected, each time a Multi-Step Operation is played, AppScan will log in first. This option is cleared if you record the login as part of the multi-step operation.

Allow play optimization

(Request-based playback only) When selected (default), AppScan® attempts to optimize scan time by avoiding unnecessary playback. You should not disable this setting unless you find that AppScan® is missing parts of the application due to play optimization. The Scan Log can help in determining this.

Test in Single-Thread mode

AppScan® may send two or more requests simultaneously if they don't require the replaying of a sequence between them. If this results in parts of the application being missed, select this check box.

Sequence Variables

Lists variables that were received while recording the sequence(s) and indicates those that AppScan® has determined should be tracked. These may be session IDs or other variables. You can change the status of variables in this list to improve how AppScan® deals with them (for details, see Sequence variables).
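The simulation below shows why an untracked dynamic sequence variable makes request-based playback fail validation, and which earlier steps must be replayed before each page is tested. It is an added example, not AppScan code: `ToyShop`, the token format, and the `record`, `validate` and `prefix_for` helpers are constructed for illustration, and comparing status codes stands in for AppScan's own response comparison, which this page does not specify.

```python
import re
import secrets

# Constructed stand-in for a three-page shop (cart > payment > confirmation).
# Each response issues a fresh one-time token that the next step must echo back.
class ToyShop:
    def __init__(self):
        self.expected = None   # token the next request must carry
        self.stage = 0         # how far the current session has progressed

    def handle(self, path, token=None):
        order = ["/cart", "/payment", "/confirm"]
        step = order.index(path)
        if step == 0:
            self.stage = 0     # /cart always starts a new flow
        elif step != self.stage or token != self.expected:
            return 403, "rejected"
        self.stage = step + 1
        self.expected = secrets.token_hex(8)
        return 200, f"ok token={self.expected}"

TOKEN_RE = re.compile(r"token=([0-9a-f]+)")

def record(app, paths):
    """Record a sequence as (path, token sent, status received) per step."""
    recorded, token = [], None
    for path in paths:
        status, body = app.handle(path, token)
        recorded.append((path, token, status))
        token = TOKEN_RE.search(body).group(1)
    return recorded

def validate(app, recorded, track_token):
    """Replay the recording; True = response matched, False = 'red X'."""
    results, live = [], None
    for path, old_token, old_status in recorded:
        sent = live if track_token else old_token  # tracked: use fresh value
        status, body = app.handle(path, sent)
        results.append(status == old_status)
        m = TOKEN_RE.search(body)
        live = m.group(1) if m else None
    return results

def prefix_for(recorded, target_path):
    """Steps that must be replayed before target_path can be tested."""
    paths = [p for p, _, _ in recorded]
    return paths[: paths.index(target_path)]
```

Replaying the raw recording against a fresh session fails from the second step onward because the recorded token is stale; replaying with the token tracked passes every step.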

Related topics:

Manual Explore using AppScan