Welcome
Welcome to the documentation for HCL AppScan Standard version 10.4.0
Getting started
This section provides a short tour of basic product features and procedures, including using the wizard to set up a scan.
Configuration
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
- Presets
  Presets give you the main configuration views needed for a particular type of scan.
- Views
  - Starting URL and domains
    Configure the Starting URL for the scan, and any additional servers and domains to be included.
  - API
    For scanning web APIs, define the your API type (improves coverage by better configuring custom parameters), explore method, and domains to be tested.
  - Exclude paths and files
    You can configure AppScan to ignore certain paths in the application, or specific types of file.
  - Multi-step operations
    Record and manage multi-step operations that are required to reach specific parts of the application that could otherwise be missed.
  - Login management
    Show AppScan® how to log in to your application.
  - Multi-Factor Authentication (MFA)
    Configure AppScan® to use one-time password or security questions (multi-factor authentication) when logging in.
  - HTTP authentication
    Add server-level authentication and client-side certificates, if required by the application.
  - AWS authorization
    Configure AWS settings.
  - Communication and proxy
    Configure communication timeout and proxy server settings.
  - Parameters, cookies & headers
    Identify session IDs and list parameters to exclude from the scan.
    - Parameter definition
      You can define parameters, cookies and headers that you want to exclude from being tested during scans.
    - Parameter names
    - Session IDs
    - Redundancy tuning
      Careful redundancy tuning can significantly reduce scan time.
    - Custom Parameters tab
      The Custom Parameters tab of Parameters and Cookies view in the Configuration dialog box.
    - Custom Header tab
      The Custom Headers tab of Parameters and Cookies view in the Configuration dialog box.
  - Automatic form fill
    Provide AppScan® with valid parameter values for filling forms in your application during the scan.
  - Error pages
    Add strings, regular expressions and URLs to identify your application's custom error pages.
  - Explore options
    Define the explore method (action-based, request-based, or both) that AppScan will use to explore the application, as well as other basic and advanced explore settings.
  - Test policy and optimization
    Define the collection of tests that will be sent to the application during testing (the test policy), and apply optimization for faster scans at times in the product lifecycle when speed is more important to you than scan depth.
  - Environment definition
    Environment definition is not essential, but enables AppScan® to safely refrain from sending non-relevant tests during the scan, resulting in a faster and more accurate scan. Customizing CVSS 3.1 environmental scores will improve the accuracy of your scan results.
  - Test options
    Additional test options.
  - Privilege escalation
    Compare scans that used different user privileges, to discover if privileged resources are accessible to non-privileged users.
  - Content-based view
    Lets you define a logical structure for the application tree, for cases where a URL-based tree will just be a long list under one or two URLs. This is not essential, but can make it much easier to navigate results.
  - Advanced configuration
    This view gives you access to many advanced registry settings and it should only be used by experienced AppScan users, or when instructed to do so by the support team to troubleshoot a problem.
- Scan using a Postman Collection
  If you have a Postman Collection of requests to your web API, you can import it and use it as the basis for a scan.
- Scan file structure
  Explains the basic structure of an AppScan Standard SCAN file.
- Scan templates
  A scan template is simply a scan configuration that has been saved so that you can use it again.
- Changing the configuration during a scan
Manual exploring
Manual exploring enables you to explore specific parts of your application, filling in fields and forms as you go. This can be a way of ensuring that particular areas of the site are covered, and that AppScan has the information needed to complete forms correctly.
Scanning
Learn how to start a scan, and what happens during the scan; how to manually manipulate the Explore stage, and how to export the results of a scan.
Data
Data view is populated with information about the structure of the site during the Explore stage of the scan.
Issues
Issues view provides access to the results of a scan. You can view results at a high level or select specific tests or objects and access more details. These details include how to fix, requests/responses, and differences between the test variants that resulted in issues. You can manipulate the severity of issues, resend tests (with or without modifications), and create reports based on Issues.
Reports
This section describes how to generate reports from the scan results.
Tools
This section explains how to use additional tools provided with HCL AppScan Standard.
Integrations
This section describes integrations of other applications with AppScan Standard:
Best practices
This section contains some best practices and use cases for advanced users.
FAQ & Troubleshooting
CLI
This section describes the syntax and options available using the Command line interface.
References
Menus and toolbar summaries, and glossary

Parameters, cookies & headers

Identify session IDs and list parameters to exclude from the scan.

This view is used to manage four main functions:

Exclude specific parameters, cookies and headers from being tested during scans
Control the default treatment of parameters and cookies ("redundancy tuning")
Define parameters, cookies and headers that have a special format which AppScan might not recognize on its own
Define custom headers


Setting	Description	See
Parameters and Cookies tab	Lets you view, add, edit and delete global parameters that require non-default treatment. For example, your application may have parameters, cookies or headers whose values you do not want AppScan® to manipulate during tests. To make sure that AppScan does not change these parameters and cookies, exclude them from tests. For example, your application might lock a user session if certain cookie or parameter values are changed. You should exclude these parameters from manipulation. If you do not exclude them, AppScan may not be able to successfully complete the scan, as these cookies will lock AppScan out of the application. During the Explore stage, AppScan® automatically detects cookies and HTML parameters that are likely to be session IDs and adds them to the list in this tab. You can manually add cookies, parameters and headers that you know to be session IDs. The columns in this tab are defined in the table below. Note: The Hide/Show template items button lets you filter out items that originated in the scan template, which may not be relevant to the current scan.	Parameter definition
Custom Parameters tab	Lets you add, edit and delete parameters with a custom format that AppScan might not otherwise recognize as such.	Custom Parameters tab
Custom Headers tab	Lets you define non-standard (custom) HTTP header formats. AppScan® must be able to identify parameters in response content and correctly add them to headers it sends to the site, in order to be able to test the site effectively.	Custom Header tab
Redundancy Tuning Defaults	This link (at the bottom of the Parameters and Cookies tab) lets you access and edit the default redundancy tuning applied to all parameters, whether discovered by AppScan® or defined by the user. Note: Changing the specific redundancy tuning of an individual parameter is done as part of Parameter definition Changes to the defaults are not applied retroactively to parameters that have already been defined. This must be done manually for each parameter.	Redundancy tuning

Parameters and Cookies tab fields

The following table summarizes the fields in this tab.


Heading	Options and description
Type	Parameter \| cookie \| custom parameter \| header
Name
Tracking	How to track this parameter or cookie: As a login value As a dynamic value As a fixed value Don't track it at all For more details see Session IDs.
Test Exclude	Defines whether or not to exclude this parameter/cookie/header from testing during the Test stage of the scan.
Redundancy Tuning	Default: The default redundancy tuning is applied to this item Custom: The redundancy tuning for this item is different to the current default
Source	Shows from where AppScan obtained this item: Scan template: Originated in the scan template Login session ID: From the login sequence recorded by the user Multi-step sequence variable: From a sequence recorded by the user Explore Optimizer: From the Explore Optimizer extension User-defined