Postman Collection scan troubleshooting
Some suggestions for troubleshooting a Postman Collection scan.
Login not detected
If the login was not detected in the Postman Collection, the status icon in Configuration > Login Management > Login tab will indicate this, and the selected Login Method will be None.
To fix this, follow these steps:
- In Configuration > Login Management > Login tab, change the Login method to Recorded.
- Open the Review & Validate tab, click the Edit button, and review the sequence of recorded requests.
- Close the list, and examine the settings in the Session Detection area. If you identify and correct any errors here, click Validate and see if this solves the problem.
- If the problem is not solved, click on the Session IDs tab, and review the Login Detection IDs.
- By default the Recorded Login Requests sequence contains the first 7 requests from the collection. If the login request comes after the first 7 requests, and was therefore not included in the AppScan sequence, go to Configuration > Advanced Configuration > Postman: Login analysis sample size, and increase the value as needed.
- If you made any changes to the configuration in the steps above, and you want AppScan to try to detect the login automatically using the collection:
  - In the Review & Validate tab, click the Edit button, and delete the list of requests.
  - On the menubar, click Rescan > Re-Explore.
  - Verify that the Recorded login status is changed to "Login successfully configured", and the problem is solved.
- You can also record the login manually using Configuration > Login Management > Login tab > Login method: Recorded login; then click the Record button and select an external client.
Invalid long term token
If you are using a long term token without configured login, be aware that rescanning after an interval may require updating the token value. Do one of the following:
- Update your Postman Collection with a valid token and import again.
- Update the token values in AppScan, with the following steps:
  - If the token is in a parameter or cookie:
    - In Data view select the expired parameter, cookie, or header.
    - Right-click and select Add/Edit this parameter.
    - Select the Tracking check box.
    - Set the Track type to Fixed value, and add the correct Value.
  - If the token is in a header:
    - Go to Configuration dialog box > Parameters and Cookies > Custom Headers tab.
    - Add a new custom header with a fixed value.
Postman Collection with strictSSL Attribute
If the Postman collection uses the "strictSSL": true attribute, AppScan will fail because a self-signed certificate is used for the proxy to record the traffic.
Workaround:
You can change the "strictSSL" attribute to "false" for every failing request by:
- Modifying the Postman collection JSON file, or
- Using the Postman UI: Go to the failed request, and make sure Settings > Enable SSL certificate verification is turned OFF.
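One way to apply the JSON-file workaround above to a scan-only copy, so the collection you keep for normal use still verifies certificates. This is an added example, not AppScan or Postman code; the function name, the sample collection and the placement of "strictSSL" under "protocolProfileBehavior" are assumptions.

```python
import copy
import json

# Constructed sample collection (not from the page). Placing "strictSSL" under
# "protocolProfileBehavior" is an assumption about the export layout; the walk
# below does not depend on where the key sits.
SAMPLE_COLLECTION = json.loads("""
{"info": {"name": "Constructed demo API"},
 "item": [
   {"name": "Login", "protocolProfileBehavior": {"strictSSL": true},
    "request": {"method": "POST", "url": "https://api.example.test/login"}},
   {"name": "Orders", "item": [
     {"name": "List orders",
      "protocolProfileBehavior": {"strictSSL": true, "followRedirects": false},
      "request": {"method": "GET", "url": "https://api.example.test/orders"}},
     {"name": "Health",
      "request": {"method": "GET", "url": "https://api.example.test/health"}}]}]}
""")

def relax_strict_ssl(collection):
    """Return (scan_copy, changed): scan_copy has every "strictSSL": true set
    to false; changed lists the folder/request names that were modified."""
    scan_copy = copy.deepcopy(collection)  # the input collection is left untouched
    changed = []

    def walk(node, trail):
        if isinstance(node, dict):
            name = node.get("name")
            if isinstance(name, str):
                trail = trail + [name]  # track folder / request names for the report
            if node.get("strictSSL") is True:
                node["strictSSL"] = False
                changed.append(" / ".join(trail) or "<collection>")
            for value in node.values():
                walk(value, trail)
        elif isinstance(node, list):
            for value in node:
                walk(value, trail)

    walk(scan_copy, [])
    return scan_copy, changed

if __name__ == "__main__":
    scan_copy, changed = relax_strict_ssl(SAMPLE_COLLECTION)
    print("strictSSL disabled for:", changed)
    print(json.dumps(scan_copy, indent=2))
```

Import the printed copy into AppScan and review the list of changed requests, so that the relaxed setting stays confined to the scan copy.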