AppScan proxy port |
Specifies which port AppScan uses. When using AppScan as a proxy server, you need to
configure the external browser or mobile device to use this port.
Select whether AppScan chooses an available port automatically or you define the port
manually. Note that if the port is chosen automatically it may change between sessions, and
you will therefore need to reconfigure your mobile device.
- Let AppScan choose the port automatically
- Define manually
|
External Connections
|
This setting determines which connections to external domains are accepted.
- Reject all
- (Default) Connection attempts from all external IPs will be rejected. Use this
setting only if you will be exploring using an application on the same machine as
AppScan.
- Accept allowlist only
- Connections from external IPs that appear on the allowlist will be accepted; all
others will be rejected.
- Accept allowlist and prompt for others
- Connections from external IPs that appear on the allowlist will be accepted
automatically; for all others the AppScan user
will be prompted, with the option of adding the new IP to the allowlist. Note that
prompts are seen only if the External Traffic Recorder is open.
|
Allowlist
|
Connections from IPs listed here will be accepted automatically.
To add new IPs to the list, click + Add, and select an option:
- To add a single IP to the list, type in the IP and optionally a description.
Tip: If you will be using a remote device but are not sure of its IP address, or if
it changes frequently, select Accept allowlist and prompt for
others. The first time the device connects with a new IP, a pop-up appears
giving you the option to add it to the allowlist.
- To add a range of IP addresses, add an IPv4 address and subnet mask, or an IPv6
address and subnet prefix length, and optionally a description.
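The following is an added example, not AppScan code: a Python model of how the three External Connections options combine with the allowlist entry forms above, for checking in advance whether a device IP is covered and how many addresses each range admits. The policy names, the sample entries and the treatment of loopback as a same-machine (non-external) connection are assumptions.

```python
import ipaddress

# Constructed allowlist using the entry forms the page describes: a single IP,
# an IPv4 address with subnet mask, and an IPv6 address with prefix length.
ALLOWLIST = [
    ("192.0.2.15", None, "test phone (single IP)"),
    ("198.51.100.0", "255.255.255.192", "lab Wi-Fi range"),
    ("2001:db8:10::", 64, "lab IPv6 range"),
]
# Hypothetical names for the three External Connections options.
POLICIES = ("reject_all", "allowlist_only", "allowlist_and_prompt")


def to_network(address, mask_or_prefix):
    """Convert one allowlist entry to an ip_network object."""
    if mask_or_prefix is None:
        return ipaddress.ip_network(address)  # single IP becomes /32 or /128
    # strict=False accepts an entry whose address has host bits set.
    return ipaddress.ip_network(f"{address}/{mask_or_prefix}", strict=False)


def decide(client_ip, policy, allowlist=ALLOWLIST):
    """Return 'accept', 'reject' or 'prompt' for a connecting client IP."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    ip = ipaddress.ip_address(client_ip)
    if ip.is_loopback:
        return "accept"  # assumption: same-machine traffic is not external
    if policy == "reject_all":
        return "reject"
    if any(ip in to_network(addr, mask) for addr, mask, _ in allowlist):
        return "accept"
    return "prompt" if policy == "allowlist_and_prompt" else "reject"


def entry_sizes(allowlist=ALLOWLIST):
    """Number of addresses each entry admits, to spot overly broad ranges."""
    return {desc: to_network(addr, mask).num_addresses
            for addr, mask, desc in allowlist}


if __name__ == "__main__":
    for ip in ("192.0.2.15", "198.51.100.40", "198.51.100.64", "2001:db8:10::beef"):
        print(ip, {p: decide(ip, p) for p in POLICIES})
    print(entry_sizes())
```

The subnet mask 255.255.255.192 admits 64 addresses, while a /64 IPv6 prefix admits 2^64, so a single-IP entry is the tightest choice when the device address is stable.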
|
AppScan SSL certificate
|
If the server uses HTTPS, AppScan has to act as a proxy in order to record the traffic
between the web service and the device you use to manually explore, so it sends its own
SSL certificates to the device instead of the web service's certificate. When a browser
receives an unrecognized certificate, it typically warns the user with a pop-up, but in
the case of a mobile device, the request is usually just ignored. It is therefore
impossible to explore the application unless the AppScan certificate is accepted on the
device sending the requests.
- Add
- Adds the AppScan SSL certificate to the root certificates on this machine. You
must do this to allow sending requests to the web service. Once the AppScan certificate
has been added to the root certificates, requests from the web service to the simulator
will not be rejected.
- Remove
- After you have added the certificate, the Add button changes
to Remove, and can be used to remove the certificate from the AppScan
machine.
- Export
- Saves the AppScan SSL certificate that is currently installed on this machine,
as a ZIP file, so it can be added manually to the root certificates on a different
device. Note that you do not usually need to do this, as you can import the certificate
directly from the device in most cases.
- In AppScan, click Scan > Manual Explore > External Client > Other. The
External Traffic Recorder opens.
Important: Leave it open for the next sub-steps.
- On the mobile device, browse to http://appscan.
- In AppScan, if you are prompted to allow an incoming connection from your device,
click OK.
When the device connects successfully to AppScan as its proxy, a
message (on the device) confirms the connection, IP and port. If the certificate is
installed on the AppScan machine, it also provides a button to install it on the
device.
Note:
- If the button is grayed out, the certificate is not installed on the AppScan
machine.
- The device's domain and request will appear in the External Traffic Recorder
lists.
- On the mobile device, tap Install AppScan SSL Certificate.
The certificate is installed.
Note: If the device is unable to access the application you
are testing after this procedure, you need to install the certificate (onto the
remote device or application) manually:
- In AppScan, open Tools > Options > Recording Proxy.
- Click Export and save the certificate as a ZIP file.
- Install the certificate as a root certificate on the device or
application.
- When finished, click Cancel on the External Traffic Recorder, to close
it.
Note: This option is active only if the certificate is already added to the root
certificates on this machine.
Attention: The AppScan certificate that is exported must be identical to
the one installed locally. If you Remove the local certificate and then
Add again, you must also reinstall it on the device, as the new certificate
is not identical to the previous one.
|