General FAQ

This topic addresses general application questions.

Contents

What options are available for scanning web APIs?

What is the difference between a manual explore and a multi-step operation?

What is the difference between action-based playback and request-based playback?

What test policies can replace the Web Services, The Vital Few, and the Developers Essentials test policies when they are removed?

How can I reduce the size of my scan files?

Are some issues missing information?

Too many login popups

What options are available for scanning a GraphQL web API?

What options are available for scanning web APIs?

A site is scanned by first exploring it, and then, based on the data gathered, testing it. "Explore data" can be gathered using one or more different Explore methods. In all cases, once the Explore data is gathered AppScan is used to create and send tests to the site during the Test stage.
Exploring web applications (sites with a user interface)
  • For many applications it is sufficient to supply AppScan with the start URL and authentication credentials for it to be able to test the site.
  • Manual Explore: If necessary you can manually explore the site through AppScan, in order to reach areas that are accessible only through specific user input.
  • Multi-Step Operations: For pages that can be reached only by first accessing other pages in a specific order, you can record a multi-step operation for AppScan to use.
While the Configuration Wizard lets you configure and start your scan in a few steps, for complex sites the Configuration Dialog Box lets you fine-tune and customize many more settings.
Exploring web APIs
AppScan offers three ways to do this.
  1. You can set up AppScan as a recording proxy for the device (such as a mobile phone or simulator) you use to explore the service. AppScan then analyzes the Explore data it collects and sends the appropriate tests. You can also use AppScan to record traffic from an external tool, such as a web API functional tester. See Using an external client.
  2. If you have prerecorded a Postman Collection of requests to the API as part of your DevOps process, you can import it to be used as the Explore stage of the scan. AppScan analyzes and uses the collection to test the site. See Scan using a Postman Collection.
  3. If you have OpenAPI description files (JSON or YAML) for your web service, you can use the Web API Wizard extension to configure a scan, including the multi-step sequences needed to use the service. AppScan then scans it automatically.
In all cases, once you have supplied AppScan with Explore data, it can proceed to automatically test the site and present the scan results for review and triage.
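The Postman and OpenAPI routes above both start from a list of concrete requests. As an added example (not code from the AppScan product or its documentation), the following Python script builds that list: it reads a small, constructed OpenAPI 3 description for a fictional "Orders API" on api.example.test, fills every path, query, header and JSON-body parameter with the example value from its schema (or a placeholder when none is given), and writes a Postman Collection v2.1. The service, host and values are assumptions for illustration, as is the assumption that the collection importer accepts a standard v2.1 collection.

```python
"""Build a Postman Collection v2.1 from an OpenAPI 3 document.

Added example, not AppScan code. The OpenAPI document below is constructed for
illustration (fictional "Orders API" on api.example.test).
"""
import json

# Constructed sample OpenAPI 3 description (hypothetical service, not from the page).
OPENAPI_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.0"},
    "servers": [{"url": "https://api.example.test/v1"}],
    "paths": {
        "/orders": {
            "get": {"parameters": [
                {"name": "status", "in": "query",
                 "schema": {"type": "string", "example": "open"}}]},
            "post": {"requestBody": {"content": {"application/json": {"schema": {
                "type": "object",
                "properties": {"sku": {"type": "string", "example": "ABC-1"},
                               "qty": {"type": "integer", "example": 2}}}}}}},
        },
        "/orders/{orderId}": {
            "parameters": [{"name": "orderId", "in": "path", "required": True,
                            "schema": {"type": "integer", "example": 42}}],
            "get": {},
            "delete": {"parameters": [
                {"name": "X-Confirm", "in": "header",
                 "schema": {"type": "boolean"}}]},
        },
    },
}

# Placeholder values used when a schema carries no example or default.
PLACEHOLDERS = {"string": "test", "integer": 1, "number": 1.0, "boolean": True}
METHODS = ("get", "post", "put", "patch", "delete", "head", "options")


def sample_value(schema):
    """Return a concrete value for a schema: its example, default, or a placeholder."""
    if "example" in schema:
        return schema["example"]
    if "default" in schema:
        return schema["default"]
    kind = schema.get("type", "string")
    if kind == "object":
        return {k: sample_value(v) for k, v in schema.get("properties", {}).items()}
    if kind == "array":
        return [sample_value(schema.get("items", {}))]
    return PLACEHOLDERS.get(kind, "test")


def build_item(base_url, path, method, op, path_level_params):
    """Turn one operation into a Postman item with path, query, header and body filled in."""
    params = path_level_params + op.get("parameters", [])
    url_path, query, headers = path, [], []
    for p in params:
        value = str(sample_value(p.get("schema", {})))
        if p["in"] == "path":
            url_path = url_path.replace("{%s}" % p["name"], value)
        elif p["in"] == "query":
            query.append({"key": p["name"], "value": value})
        elif p["in"] == "header":
            headers.append({"key": p["name"], "value": value})
    raw = base_url + url_path
    if query:
        raw += "?" + "&".join(f"{q['key']}={q['value']}" for q in query)
    request = {"method": method.upper(), "header": headers,
               "url": {"raw": raw, "query": query}}
    json_body = op.get("requestBody", {}).get("content", {}).get("application/json")
    if json_body:
        # headers is the same list object as request["header"], so this lands in the item
        headers.append({"key": "Content-Type", "value": "application/json"})
        request["body"] = {"mode": "raw",
                           "raw": json.dumps(sample_value(json_body.get("schema", {})))}
    return {"name": f"{method.upper()} {path}", "request": request}


def openapi_to_postman(doc):
    """Emit a Postman Collection v2.1 with one item per documented operation."""
    base_url = doc.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    items = []
    for path, path_item in doc["paths"].items():
        shared = path_item.get("parameters", [])   # parameters declared at path level
        for method in METHODS:
            if method in path_item:
                items.append(build_item(base_url, path, method, path_item[method], shared))
    return {
        "info": {"name": doc["info"]["title"],
                 "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
        "item": items,
    }


if __name__ == "__main__":
    print(json.dumps(openapi_to_postman(OPENAPI_DOC), indent=2))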

What is the difference between a manual explore and a multi-step operation?

Manual Explore

Manual exploring is when you explore your site to gather data that can be used by AppScan to ensure that when it tests the site it covers parts of the application or services that it might have missed with its automatic Explore stage. This may be because specific user input is required, or because the site responds only to a different type of tool or device. You can manually explore using AppScan, or using it as a recording proxy.

See Manual exploring

Multi-Step Operation
A multi-step operation is needed to explore parts of the site that can only be reached by clicking links in a specific order, such as an online shop where the user adds items to a cart before paying for them. Consider the following three pages:
  1. User adds one or more items to a shopping cart
  2. User fills in payment and shipping details
  3. User receives confirmation that the order is complete
Page 2 can be reached only via Page 1. Page 3 can be reached only via Page 1 followed by Page 2. This is a sequence. In order to be able to test Pages 2 and 3, AppScan® must send the correct sequence of HTTP requests before each test.

See Multi-step operations

What is the difference between action-based playback and request-based playback?

When a procedure is recorded for use as the Login or a multi-step operation, two possible playback methods are available:
Request-based playback
Sends the raw HTTP requests from the recording. This method is usually faster.
Action-based playback
Replays the clicks and keystrokes of the user. Reasons for selecting this method could be that the site includes a lot of JavaScript, or that some of the requests in the request-based playback were marked with a red X when you attempted to validate them. This method can increase scan time.

See Configure > Explore > Login playback, and Configure > Multi-step operations

What test policies can replace the Web Services, The Vital Few, and the Developers Essentials test policies when they are removed?

In version 10.0.5 we announced our intention of removing three test policies in a future release. The following methods can be used to obtain similar results. If you use these policies, you may wish to start using the suggested alternatives.

Current policy

Suggested alternative

Web Services

Default

The Default test policy now covers web services, so a separate policy is not needed.

The Vital Few

Default

Use the Default policy together with the fastest Test Optimization setting.

Developers Essentials

Application Only

Use the Application Only policy together with one of the faster Test Optimization settings.

How can I reduce the size of my scan files?

If your scan files are large and you need to reduce their size, you can use the compact_scan command, which compacts the database within the SCAN file. At the command prompt, type:
AppScanCmd.exe compact_scan /b <full path to base scan file> /d <full path to destination file>

Are some issues missing information?

If the Issues pane seems to be missing information for a certain issue, try clicking Edit > Generate issue information to update it.

Too many login popups

If you selected "Prompt" as the login method, you may get too many login prompts to manage during the scan.

To resolve this issue go to Configuration > Test options view and clear the Send tests on logout pages check box.

What options are available for scanning a GraphQL web API?

  • Use the Web API preset (see Configuration presets).
  • Load the GraphQL template (from the predefined templates folder) and import your own Postman Collection.
  • Load the GraphQL template (from the predefined templates folder) and import your own traffic file.