Welcome
Welcome to the documentation for HCL AppScan Standard version 10.4.0
Getting started
This section provides a short tour of basic product features and procedures, including using the wizard to set up a scan.
Configuration
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
Manual exploring
Manual exploring enables you to explore specific parts of your application, filling in fields and forms as you go. This can be a way of ensuring that particular areas of the site are covered, and that AppScan has the information needed to complete forms correctly.
Scanning
Learn how to start a scan, and what happens during the scan; how to manually manipulate the Explore stage, and how to export the results of a scan.
Data
Data view is populated with information about the structure of the site during the Explore stage of the scan.
Issues
Issues view provides access to the results of a scan. You can view results at a high level or select specific tests or objects and access more details. These details include how to fix, requests/responses, and differences between the test variants that resulted in issues. You can manipulate the severity of issues, resend tests (with or without modifications), and create reports based on Issues.
Reports
This section describes how to generate reports from the scan results.
Tools
This section explains how to use additional tools provided with HCL AppScan Standard.
- Options dialog box
  This section describes options you can control, to customize AppScan, from the Options dialog box in Tools > Options.
- Web API Wizard extension
  This extension lets you scan using Open API description files. It is available from Tools > Extensions > Web Services Wizard (Open API), and the extension is enabled by default.
  - Description files
    Add one or more Open API description files that define the web service.
  - Domains
    All domains found in the description files are added to the list of domains that can be scanned. In this step you can remove any that should not be scanned.
  - Login Management
    Configure the login procedure for the web service.
  - Sequences
    Review the list of requests created from the description files (and their parameters), and define "Sequences" of requests that must be sent in a specific order (objects that depend on other objects being created first).
  - Parameters
    Review all the parameters found in the requests. You can select which parameters are tracked and which are not tracked, and edit their values.
  - Complete
    When configuration is complete decide whether to start the scan now or later.
- Scan Scheduler
- User-Defined Tests
- PowerTools
  AppScan offers access to five utilities (PowerTools), each providing a specific feature to help you manage your application security or to help you use AppScan.
- Customizing the Tools menu
- Extensions
- Logs
  Logs can help you troubleshooting.
- Searching Results
  You can filter the Result List in any of the views, for specific data.
Integrations
This section describes integrations of other applications with AppScan Standard:
Best practices
This section contains some best practices and use cases for advanced users.
FAQ & Troubleshooting
CLI
This section describes the syntax and options available using the Command line interface.
References
Menus and toolbar summaries, and glossary

Login Management

Configure the login procedure for the web service.

If a login is required you must configure it so that so that AppScan can log in to the service.

Limitation: Using API keys as HTTP query parameters is not supported.

Select one of the Login radio buttons:

Configure Login below

If you select this option the lower part of the dialog becomes active and lets you input the following:

Login request: Select a login request from the drop-down list of requests from the description files.
Note: If the web service implements authorization control using API keys, a login request is not needed, so select None from the drop-down list.
Login credentials: Review and if needed edit the values of Login credentials.
Custom headers: If the service uses custom headers (such as bearer authentication in the Authorization header), click Edit to open the Add Custom Header dialog box. For details see Custom Header tab.
In-Session Detection request: Select an in-session request from the drop-down list. This will be used by AppScan to verify that it is logged in when testing.

Use existing Login configuration

Select if your scan configuration already includes a valid login sequence you can use it.

Record Login sequence in AppScan Configuration > Login Management

Select if the description file does not include a login request. You can use the main AppScan Configuration dialog box to record the Login using the AppScan built-in browser or an external device. This is most likely to be the case when users log in though a user interface, or where JavaScript is involved in the login process. For details see Login management.

None

Select if the service does not require logging in.

Next Step: Sequences