Record login with an external client

Before you begin

When you use an external client to send requests to the application, a Starting URL is not needed, but AppScan will define a Starting URL for itself after the Explore stage is complete.

About this task

Recording a Login with an external browser lets you teach AppScan® which request or requests to send so it can log in during the scan. When you have logged in, AppScan identifies an in-session pattern that it can use in future to verify that it is still logged in.

During scanning, AppScan must know at all times whether it is logged into or out of the site, so it can evaluate the site's responses correctly. During the scan, AppScan sends the In-Session Detection Request repeatedly, and checks that the response contains the In-Session Detection Pattern, to verify that it is still logged in. If AppScan does not find the pattern in the page's response, AppScan assumes it has been logged out, and attempts to log in again by replaying the login sequence. It follows that the login sequence is typically played many times during a scan. It is therefore best that it contains as few steps as possible. It is also helpful if the In-Session page is a small page, and does not contain tracked parameters or cookies, since these can also increase scan time significantly.

To record the login:

Procedure

  1. In Scan Configuration > Login Management > Login tab, select the Recorded radio button.
  2. Click the red Record button > External client > and then select the client you will use to log in.
    Option: Postman
    Description: AppScan® will open and automatically configure Postman to work with AppScan® as recording proxy (IP and port). AppScan® will then open its traffic recorder to record the requests you send from Postman.

    Option: SoapUI
    Description: AppScan® will open and automatically configure SoapUI to work with AppScan® as recording proxy (IP and port). AppScan® will then open its traffic recorder to record the requests you send from SoapUI.
    Note: The configuration change affects any other instances that are open during the session. Therefore it is recommended that you close any open instances before you start, and do not open any while you record. When you close AppScan, SoapUI is also closed, and the settings are changed back to what they were before.
    For SSL, see SSL with SoapUI.

    Option: Other
    Description: Select this option if the client you want to use is installed on a different machine, or if you are using a client other than Postman or SoapUI on the same machine as AppScan®. You will be asked to open and configure your client manually, to use AppScan as proxy.
    For SSL, see SSL with other external client.

    AppScan's External Login Recorder opens, recording the requests you send to your web service from the client. For details, see External Login Recorder.

    If you selected Postman or SoapUI, it opens, and is configured to use AppScan as recording proxy.
    Note: AppScan can automatically configure Postman or SoapUI only if installed on the same machine as AppScan, otherwise you must select Other, and configure the client yourself in the next step.
    Note: If using SSL, you must also follow these steps: SSL with SoapUI.
  3. If you selected External client > Other, open your client and configure it to use the port and IP shown at the top of the traffic recorder. If the client is on the same machine as AppScan, use the "Local IP" shown, otherwise use the "Remote IP".
    Note: If using SSL, you must also follow these steps: SSL with other external client.
  4. From your client, send whatever requests are needed to log in to the site as a valid user. When you are logged in, send an additional request that could be sent only by a logged-in user.
    Important:
    • Sending the additional request after you are logged in is essential in the case of web APIs, for AppScan to be able to identify an in-session pattern.
    • Verify that the traffic you sent is shown in the login recorder. If it is not, refer to Traffic recorder troubleshooting.
  5. In the login recorder, click Stop recording, then click Save to close.

    AppScan® extracts the login information from your login request, for use during scanning.

    The Session Information dialog box opens displaying the login requests you recorded, and the gray key icon changes to the green key icon, indicating that in-session detection is active.
    Note: If the key icon turns red, AppScan® attempted but was unable to identify any pattern in the in-session page that it can use during scanning to verify that it has not been logged out. If this happens, you need to identify the "in-session pattern" for AppScan® yourself; see Select Detection Pattern dialog box for details. In some cases a more specific message may appear, with a link to a page in this Help for troubleshooting the problem; see Login troubleshooting.
  6. To make changes to the recorded sequence (for example to remove unnecessary steps), refer to Login playback.
    Tip: Generally speaking, the URL that logs the user in (and whose response is the first to include an in-session pattern) should be the one marked In-Session. However, sometimes you may want to select a later URL that also includes the in-session pattern but has the advantage of being a smaller page, or of not including tracked parameters or cookies. Additionally, when the POST request carrying the user credentials is the request that logs you in and first contains the in-session pattern, it is a poor choice for the in-session page: the in-session check would resend the credentials each time, logging in afresh and so always finding the pattern even after the original session has been lost (a false positive in-session response). See Optimizing In-Session Detection.
  7. To save the new login sequence, click OK.
    Tip: If you are sure that the in-session page contains no tracked parameters or cookies, you can improve scan performance by changing the Advanced Configuration > Session Management: Parse in-session page setting to "False". See Advanced configuration.
    Limitation: Authentication methods that require a user to be present, such as OAuth2 with Prompt User, are not supported. However, you can use OAuth2 with an offline grant type that uses a refresh token (also known as a service token).
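To make the in-session check described above, and the tip about choosing the in-session page, concrete, here is an added Python simulation (not AppScan code): a constructed stand-in for the target site, a scanner-side loop that checks the In-Session Detection Pattern and replays the recorded login when it is missing, and a comparison of using the post-login account page versus the credential POST itself as the in-session request. The site, credentials, paths and pattern are all constructed for the example.

```python
import re

LOGIN_SEQ = [("POST", "/login", {"user": "alice", "pw": "s3cret"})]  # constructed login sequence
IN_SESSION_PATTERN = re.compile(r"Welcome, alice")                     # constructed pattern

class FakeApp:
    """Constructed stand-in for the target site: /login issues a session cookie,
    /account shows the welcome text only while that session is still valid."""
    def __init__(self):
        self.sessions, self._n = set(), 0

    def handle(self, method, path, cookie="", body=None):
        body = body or {}
        if method == "POST" and path == "/login":
            if body.get("user") == "alice" and body.get("pw") == "s3cret":
                self._n += 1
                self.sessions.add(f"tok{self._n}")
                return {"Set-Cookie": f"sid=tok{self._n}"}, "<p>Welcome, alice</p>"
            return {}, "Invalid credentials"
        if path == "/account" and cookie.replace("sid=", "") in self.sessions:
            return {}, "<p>Welcome, alice</p><a href='/logout'>Logout</a>"
        return {}, "<p>Please log in</p>"

class SessionKeeper:
    """Scanner-side loop: send the in-session request, look for the pattern,
    and replay the recorded login sequence whenever the pattern is missing."""
    def __init__(self, app, login_seq, in_session_req):
        self.app, self.login_seq, self.in_session_req = app, login_seq, in_session_req
        self.cookie, self.relogins = "", 0

    def replay_login(self):
        for method, path, body in self.login_seq:
            hdrs, _ = self.app.handle(method, path, self.cookie, body)
            self.cookie = hdrs.get("Set-Cookie", self.cookie)
        self.relogins += 1

    def in_session(self):
        method, path, body = self.in_session_req
        _, text = self.app.handle(method, path, self.cookie, body)
        return IN_SESSION_PATTERN.search(text) is not None

    def ensure_session(self):
        if not self.in_session():
            self.replay_login()
        return self.in_session()

def simulate(in_session_req):
    """Log in, expire the session server-side, and report whether the chosen
    in-session request notices the logout and how many logins were replayed."""
    app = FakeApp()
    keeper = SessionKeeper(app, LOGIN_SEQ, in_session_req)
    keeper.replay_login()
    app.sessions.clear()                      # server expires the session mid-scan
    logout_detected = not keeper.in_session()
    keeper.ensure_session()
    return {"logout_detected": logout_detected, "relogins": keeper.relogins}
```

With the account page as the in-session request the lost session is detected and the login is replayed; with the credential POST as the in-session request every check logs in afresh, so the pattern is always found and the dead cookie is never noticed.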

What to do next

Related topics:

Traffic recorder troubleshooting

SSL with SoapUI

Manual exploring

Multi-step operations