Welcome
Configuration
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
Views
Login management
Show AppScan® how to log in to your application.
Login playback
When you record a login sequence, AppScan records both the actions and the requests. When replaying the login AppScan attempts (by default) to reproduce the action-based login; if this is unsuccessful it uses the request-based login. This area is used to review and edit: Action-based version of the login sequences and Request-based version of the login sequences.

Welcome
Welcome to the documentation for HCL AppScan Standard version 10.10.0
Getting started
This section provides a short tour of basic product features and procedures, including using the wizard to set up a scan.
Configuration
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
- Presets
  Presets give you the main configuration views needed for a particular type of scan.
- Views
  - Starting URL and domains
    Configure the Starting URL for the scan, and any additional servers and domains to be included.
  - API
    For scanning web APIs, define your API type, explore methods, and specify domains to be tested.
  - Excluded paths and files
    You can configure AppScan to ignore certain paths in the application, or specific types of file.
  - Multi-step operations
    Record and manage multi-step operations that are required to reach specific parts of the application that could otherwise be missed.
  - Large Language Model (LLM)
    Configure AppScan to dynamically test Large Language Model (LLM) features in your applications for risks such as sensitive information disclosure, prompt injection, data exfiltration, tool abuse, and content policy violations. Target chat endpoints, retrieval-augmented generation (RAG) pipelines, and other LLM components, then review reproducible findings with LLM interaction history and remediation guidance.
  - Login management
    Show AppScan® how to log in to your application.
    - Login method
      Define how AppScan logs in to your application and, if necessary, record the login procedure. AppScan can automatically detect login requests and fill in the username and password parameters. If your application has a non-standard login sequence of actions, you can record these actions for AppScan to use.
    - Login playback
      When you record a login sequence, AppScan records both the actions and the requests. When replaying the login AppScan attempts (by default) to reproduce the action-based login; if this is unsuccessful it uses the request-based login. This area is used to review and edit: Action-based version of the login sequences and Request-based version of the login sequences.
      - Action-based editor
        Dialog that opens from Scan Configuration > Login Management > Advanced options > (Action-Based) Edit, can be used to troubleshoot the login procedure if validation fails.
      - Request-based editor
        Dialog that opens from Scan Configuration > Login > Review & Validate > (Request-Based) Edit, can be used to troubleshoot the login procedure if validation fails.
    - Session detection
      Configure session detection so AppScan can verify login status during scans by selecting an In-Session Detection Request and defining an in-session (or out-of-session) detection pattern. Use advanced dialogs to review the recorded login sequence, set the in-session request, choose or define patterns (regular expressions supported), and validate or troubleshoot with Revalidate and Run login analyze.
    - Login session IDs
      The Login session IDs section of Login Management view is used to review and manage the tracking of variables (session IDs) received during the recorded login.
    - Advanced login settings
      The Advanced login settings section of the Login Management view is used to configure advanced login settings and logout page detection.
  - API key
    AppScan Standard supports API authentication for scanning APIs that require an API key.
  - Multi-Factor Authentication (MFA)
    Configure AppScan® to use one-time password or security questions (multi-factor authentication) when logging in.
  - HTTP authentication
    Add server-level authentication and client-side certificates, if required by the application.
  - AWS authorization
    Configure AWS settings.
  - Communication and proxy
    Configure communication timeout and proxy server settings.
  - Parameters, cookies & headers
    Identify session IDs and list parameters to exclude from the scan.
  - Automatic form fill
    Provide AppScan® with valid parameter values for filling forms in your application during the scan.
  - Error pages
    Enhance your application's error page identification by adding strings or regular expressions that enable AppScan® to recognize your error pages witihin the response content, path or both. This ensures that AppScan can effectively recognize and handle your error pages, contributing to the overall accuracy of your security scans.
  - Explore options
    Define the explore method (action-based, request-based, or both) that AppScan will use to explore the application, as well as other basic and advanced explore settings.
  - Test policy and optimization
    Define the collection of tests that will be sent to the application during testing (the test policy), and apply optimization for faster scans at times in the product lifecycle when speed is more important to you than scan depth.
  - Environment definition
    Environment definition is not essential, but enables AppScan® to safely refrain from sending non-relevant tests during the scan, resulting in a faster and more accurate scan. Customizing CVSS 3.1 environmental scores will improve the accuracy of your scan results.
  - Test options
    Additional test options.
  - Advanced configuration
    This view provides access to numerous advanced settings and should only be used by experienced AppScan users or when instructed to do so by the support team to troubleshoot a problem.
  - Custom scripts
    Custom scripts make your DAST scans more dynamic. You can add JavaScript to manipulate HTTP requests and responses during a scan, either before a request is sent to the server or after a response is received.
  - Privilege escalation
    Compare scans that used different user privileges, to discover if privileged resources are accessible to non-privileged users.
  - Content-based view
    Lets you define a logical structure for the application tree, for cases where a URL-based tree will just be a long list under one or two URLs. This is not essential, but can make it much easier to navigate results.
- Scan file structure
  Explains the basic structure of an AppScan Standard SCAN file.
- Scan templates
  A scan template is simply a scan configuration that has been saved so that you can use it again.
- Changing the configuration during a scan
Intelligent Finding Analytics (IFA)
Intelligent Finding Analytics (IFA) uses artificial intelligence (AI) and machine learning (ML) to analyze data, discover patterns, and make predictions, ultimately transforming data into actionable insights. IFA goes beyond regular data analysis by using advanced methods to find deeper meanings and make smart decisions.
Manual exploring
Manual exploring enables you to explore specific parts of your application, filling in fields and forms as you go. This can be a way of ensuring that particular areas of the site are covered, and that AppScan has the information needed to complete forms correctly.
Scanning
Learn how to start a scan, and what happens during the scan; how to manually manipulate the Explore stage, and how to export the results of a scan.
Data
Data view is populated with information about the structure of the site during the Explore stage of the scan.
Issues
Issues view provides access to the results of a scan. You can view results at a high level or select specific tests or objects and access more details. These details include how to fix, requests/responses, and differences between the test variants that resulted in issues. You can manipulate the severity of issues, resend tests (with or without modifications), and create reports based on Issues.
Reports
Tools
This section explains how to use additional tools provided with HCL AppScan Standard.
Integrations
This section describes integrations of other applications with AppScan Standard:
Best practices
This section contains some best practices and use cases for advanced users.
FAQ & Troubleshooting
CLI
This section describes the syntax and options available using the Command line interface.
References
Menus and toolbar summaries, and glossary

Login playback

When you record a login sequence, AppScan records both the actions and the requests. When replaying the login AppScan attempts (by default) to reproduce the action-based login; if this is unsuccessful it uses the request-based login. This area is used to review and edit: Action-based version of the login sequences and Request-based version of the login sequences.

Configuration > Login management > Advanced options > Login playback

Table 1. Advanced options
Setting	Details
Login Playback	This section appears only if Recorded or Prompt login is the selected login method.
Login Playback Method	When you record using the built-in browser, AppScan saves two versions of the login sequence you record: one based on the actions you performed, and the other on the HTTP requests actually sent. Action-Based: (Used by default whenever possible:) AppScan will attempt to log in using action-based login, replaying the clicks and keystrokes of the user. Replay recording: Opens the Action-Based Player and replays the recorded login sequence in its browser. Edit playback: Opens the Action-Based editor to view and edit details of the login recording. Request-Based: If the first method fails, AppScan will use the request-based version, which re-sends the raw HTTP requests from the login recording. Edit playback: Opens the Request-Based editor to view and edit details of the login recording. If a message indicates that one of the methods failed, use the other method. Note: If you select Action-Based Login and it fails during the scan, AppScan will try Request-Based Login. If that succeeds, the setting here will be changed automatically to Request-Based. Note: If your scan is configured to use an external browser (Tools > Options > Use external browser) and you encounter recording issues, disable action-based recording by setting `Gui.RecordUserActionsInExternalBrowser` to `False` under Tools > Options > Advanced, then try again.
Automatic Login	This section appears only if Automatic Login is the selected login method
Analyze automatic login configuration > Analyze	Click for AppScan to perform the following actions: Attempt to log in to the site using the credentials you supplied Identify an In-Session Detection Pattern on the login page (see below) Configure session identifiers (see Login session IDs