Web application vs. web API
This topic explains the different methods available for exploring sites, before AppScan tests them.
A site is scanned by first exploring it, and then, based on the data
gathered, testing it. "Explore data" can be gathered using one or more different Explore methods.
In all cases, once the Explore data is gathered AppScan is used to create and send tests to the
site during the Test stage.
- Exploring web applications (sites with a user interface)
- For many applications it is sufficient to supply AppScan with the start URL and authentication credentials for it to be able to test the site.
- Manual Explore: If necessary you can manually explore the site through AppScan,in order to get access to areas that can only be reached through specific user input.
- Multi-Step Operations: For pages that can be reached only by first accessing other pages in a specific order, you can record a multi-step operation for AppScan to use.
- Exploring web APIs
- AppScan offers three ways to do this.
- You can set up AppScan as a recording proxy for the device (such as a mobile phone or simulator) you use to explore the service. That way AppScan can analyze the Explore data collected, and send appropriate tests. You can also use AppScan to record traffic using external tool, such as a web API functional tester. See Using an external client.
- If you have prerecorded a Postman Collection of requests to the API as part of your DevOps, you can import it to be used as the Explore stage of the scan. AppScan will analyze and use the collection to test the site. See Scan using a Postman Collection.
- If you have Open API description files (JSON or YAML) for your web service, you can use the Web API Wizard extension to configure a scan, and the multi-step sequences needed to use the service. AppScan will then automatically scan it.