Automating DAST scans
Incorporate dynamic scanning in your functional testing.
In the world of DevOps it's increasingly important to be able to incorporate security scans in the functional testing process for your web applications. If you use an automation framework (such as Selenium), you can take advantage of the scripts that are already written to create tailor-made scans:
- The requests from the automation framework to the web application are sent through the Proxy Server proxy.
- The server records the traffic and saves it as a dast.config file.
- Upload the file to be used by AppScan 360° as Explore data for a scan.
- Send traffic through the automation server proxy manually, to create a dast.config file.
AppScan 360° Automation Workflow:
- Running scans:
  - Start the proxy listening on a specified or randomly selected port, as configured (see Starting and stopping the HCL AppScan Traffic Recorder).
  - Run your Selenium script (or other functional test) through the selected proxy, OR browse your web application manually using a web browser configured to work through the selected proxy.
  - Stop the proxy and save the traffic recording.
  - Publish to AppScan 360° using the AppScan 360° REST API, by creating a new scan under a particular application. See REST API.
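The "run your functional test through the selected proxy" step, as an added example that is not part of this documentation or of the demo script: a scripted walkthrough routed through the Traffic Recorder proxy with the standard library, with a check that the proxy is actually listening before any request is sent (otherwise the traffic would bypass the recorder and the dast.config file would be empty). The proxy address, target URL and steps are constructed values.

```python
import socket
import urllib.error
import urllib.request


def proxy_url(host: str, port: int) -> str:
    """URL of the Traffic Recorder proxy the test traffic must pass through."""
    return f"http://{host}:{port}"


def build_opener(host: str, port: int) -> urllib.request.OpenerDirector:
    """Opener that sends both http and https requests through the recorder proxy.
    Setting both schemes explicitly overrides any HTTP(S)_PROXY environment
    variables, so no request slips past the recorder."""
    url = proxy_url(host, port)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": url, "https": url}))


def proxy_is_listening(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if something accepts TCP connections on host:port. Run this before
    the functional test so a stopped recorder is noticed up front."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_functional_test(opener, base_url: str, steps):
    """Replay scripted steps [(method, path, expected_status), ...] through the
    proxy and report (method, path, status, as_expected) for each one."""
    results = []
    for method, path, expected in steps:
        req = urllib.request.Request(base_url + path, method=method)
        try:
            with opener.open(req, timeout=10) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code  # a 4xx/5xx is still a recorded, valid response
        results.append((method, path, status, status == expected))
    return results


if __name__ == "__main__":
    # Constructed values: use the port the recorder reports when it starts.
    PROXY_HOST, PROXY_PORT = "127.0.0.1", 8080
    TARGET = "http://localhost:8000"  # application under test (assumed)
    STEPS = [("GET", "/", 200), ("GET", "/login", 200), ("GET", "/admin", 403)]
    if not proxy_is_listening(PROXY_HOST, PROXY_PORT):
        raise SystemExit("Traffic Recorder proxy is not listening; start it first")
    for row in run_functional_test(build_opener(PROXY_HOST, PROXY_PORT), TARGET, STEPS):
        print(row)
```

Stop the proxy and save the recording only after every step reports as expected; a failed step means the recording does not represent the intended walkthrough.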
You can download our demo script for this workflow using the REST API. Download demo script.
Note: To use the demo script with AppScan 360°:
- In the Python script, replace the self.asoc_base_url variable with the URL of the AppScan 360° server.
- The variable self.asoc_presence_id is not applicable for AppScan 360°.
See also: