AppScan Standard Help

Documentation for HCL AppScan Standard version 10.10.0

Editing exclusions or inclusions

Procedure

  1. Select an item in the Exclude or Include Paths list.
  2. Click Edit.

    The Edit Exclusion or Inclusion dialog box opens, showing the properties of the selected item.

  3. Change the properties as required and click OK.

    Check that the edited entry still covers only the paths you intend: any path matched by an exclusion is left out of the scan.

What to do next

See also:

  • Limiting scan to a specific folder
  • Limiting scan to the Starting URL folder
