Home
Tools
This section explains how to use additional tools provided with HCL AppScan Standard.
PowerTools
AppScan offers access to five utilities (PowerTools), each providing a specific feature to help you manage your application security or to help you use AppScan.
Authentication Tester
The Authentication Tester PowerTool is a testing utility that uses the "brute-force" technique to reveal weak username-password combinations that could be used to gain access to your web application. (A brute force attack is an automated process of trial and error used to guess authentication credentials, causing a server to acknowledge an imposter as a legitimate user.)
Form authentication
Provide a typical login

Welcome
Welcome to the documentation for HCL AppScan Standard version 10.4.0
Getting started
This section provides a short tour of basic product features and procedures, including using the wizard to set up a scan.
Configuration
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
Manual exploring
Manual exploring enables you to explore specific parts of your application, filling in fields and forms as you go. This can be a way of ensuring that particular areas of the site are covered, and that AppScan has the information needed to complete forms correctly.
Scanning
Learn how to start a scan, and what happens during the scan; how to manually manipulate the Explore stage, and how to export the results of a scan.
Data
Data view is populated with information about the structure of the site during the Explore stage of the scan.
Issues
Issues view provides access to the results of a scan. You can view results at a high level or select specific tests or objects and access more details. These details include how to fix, requests/responses, and differences between the test variants that resulted in issues. You can manipulate the severity of issues, resend tests (with or without modifications), and create reports based on Issues.
Reports
This section describes how to generate reports from the scan results.
Tools
This section explains how to use additional tools provided with HCL AppScan Standard.
- Options dialog box
  This section describes options you can control, to customize AppScan, from the Options dialog box in Tools > Options.
- Web API Wizard extension
  This extension lets you scan using Open API description files. It is available from Tools > Extensions > Web Services Wizard (Open API), and the extension is enabled by default.
- Scan Scheduler
- User-Defined Tests
- PowerTools
  AppScan offers access to five utilities (PowerTools), each providing a specific feature to help you manage your application security or to help you use AppScan.
  - Authentication Tester
    The Authentication Tester PowerTool is a testing utility that uses the "brute-force" technique to reveal weak username-password combinations that could be used to gain access to your web application. (A brute force attack is an automated process of trial and error used to guess authentication credentials, causing a server to acknowledge an imposter as a legitimate user.)
  - Connection Test
    The Connection Test PowerTool enables you to ping web sites without using the Ping protocol, which is blocked by many firewalls.
  - Encode/Decode
    The Encode/Decode PowerTool encodes and decodes strings you put into it, to and from the format of your choice.
  - Expression Test
    Writing precise regular expressions can be a tedious trial-and-error process. You can use the Expression Test PowerTool to help accelerate the process.
  - HTTP Request Editor
    The HTTP Request Editor PowerTool enables you to send a fully-controlled HTTP request to your site, to test how your site responds to different kinds of HTTP request.
- Customizing the Tools menu
- Extensions
- Logs
  Logs can help you troubleshooting.
- Searching Results
  You can filter the Result List in any of the views, for specific data.
Integrations
This section describes integrations of other applications with AppScan Standard:
Best practices
This section contains some best practices and use cases for advanced users.
FAQ & Troubleshooting
CLI
This section describes the syntax and options available using the Command line interface.
References
Menus and toolbar summaries, and glossary

Provide a typical login

About this task

If you select Form Authentication in the Authentication Method section of the main window, the Setup button appears. This is used to configure Authentication Tester with the correct Login procedure.

Procedure

Click Setup.

The Authentication Tester browser opens.
Browse to the login page of your web application.
Perform the Login procedure using these credentials (you can cut-and-paste them from the upper part of the browser window):

username:

BruteUsername

password:

BrutePassword

Authentication Tester requires that you model the site login procedure using these values. During the testing stage, these strings will be replaced with possible username and password combinations as Authentication Tester attempts to gain access to the site by 'Brute Force". When you complete the Login procedure now, however, Authentication Tester does not actually attempt to log in using these credentials, but simply examines the login request.
CAUTION: If the strings "BruteUsername" and "BrutePassword" are not allowed by your client-side verification, no Login request will be created for Authentication Tester to examine! In such a case you must change the placeholder values for the username and password strings. See Form Authentication tab.
When you have completed the login process, Authentication Tester "captures" the login request, and a confirmation message appears.
On the confirmation message, click OK

The browser closes and the Successful Login Detection window opens. This is used to describe the login responses. See Describe the application's login responses