Exploration methods for web applications and APIs
This topic explains the different methods available for exploring sites, before AppScan tests them.
A site is scanned by first exploring it and then, based on the data gathered, testing it. Explore data can be gathered using one or more of the different Explore methods. In all cases, once the Explore data is gathered, AppScan uses it to create and send tests to the site during the Test stage.
- Exploring web applications (sites with a user interface)
- For many applications it is sufficient to supply AppScan with the start URL and authentication credentials for it to be able to test the site.
- Manual Explore: If necessary, you can manually explore the site through AppScan in order to get access to areas that can only be reached through specific user input.
- Multi-Step Operations: For pages that can be reached only by first accessing other pages in a specific order, you can record a multi-step operation for AppScan to use.
- Exploring web APIs
- AppScan offers three primary methods for exploring web APIs:
- Importing a Postman Collection
- If you have pre-recorded a Postman Collection of API requests as part of your DevOps process, you can import it to be used as the Explore stage of the scan. AppScan analyzes and uses the collection to test the site. See Scan using a Postman Collection.
- Using an OpenAPI Description File
- If you have an OpenAPI description file (in JSON or YAML format) for your web service, you can use this as the basis for your scan. AppScan initiates an automatic scan based on the description. See Scan using an OpenAPI description file.
- Alternatively, you can use the Web API Wizard extension to configure the scan and set up the multi-step sequences needed to use the service.
- Recording Proxy Setup
- Device Setup: Configure AppScan as a recording proxy for the device (such as a mobile phone or simulator) you use to explore the service. AppScan then analyzes the collected Explore data and sends appropriate tests.
- External Tool Recording: You can also use AppScan to record traffic using an external tool, such as a web API functional tester. See Using an external client.
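As an added illustration of the OpenAPI method described above (a constructed file, not one from the AppScan documentation; the host, paths and schema names are hypothetical), this is the kind of description the Explore stage is driven from. Only the operations, parameters and request bodies declared here are known to the scanner, so coverage is bounded by how complete the file is.

```yaml
# Constructed example (not from the AppScan documentation): a minimal
# OpenAPI 3.0 description of a hypothetical API.
openapi: "3.0.3"
info:
  title: Orders API (hypothetical)
  version: "1.0.0"
servers:
  - url: https://api.example.com/v1   # hypothetical host
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
security:
  - bearerAuth: []   # declares how requests authenticate; it carries no token itself
paths:
  /orders/{orderId}:
    get:
      summary: Fetch one order
      parameters:
        - name: orderId        # path parameter the scanner can vary in tests
          in: path
          required: true
          schema:
            type: string
      responses:
        "200":
          description: The order
        "404":
          description: Not found
  /orders:
    post:
      summary: Create an order
      requestBody:             # body fields are only testable if declared here
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [sku, quantity]
              properties:
                sku:
                  type: string
                quantity:
                  type: integer
      responses:
        "201":
          description: Created
```

An endpoint or parameter that the service accepts but that is missing from the description will not be explored by this method, so keep the file in step with the deployed API (or supplement it with recorded traffic).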