Create a new scan (full configuration)

Provide the starting URL and user credentials for the scan, select the type of site, and (if not previously done) verify your permission to scan the site.

Before you begin

Procedure

  1. On the specific Application page, click Create scan, then click Create scan under DAST Dynamic Analysis to open the wizard.
  2. Click New scan.
    Click through the panels to indicate values or change settings as needed. In many cases, the default values are sufficient. When finished, click Scan.
  3. Targets: Starting URL and domains

    You must enter the starting URL for the scan.

    Setting

    Options

    Starting URL

    URL field
    Enter the URL where the scan should start. For web APIs, there is no "starting" URL; enter any valid URL in the domain of the service you want to scan.
    Scan the demo site
    Click this link to fill in the URL of the AppScan demo site. This lets you run a scan without verifying a domain. In the Login tab, enter Username JSmith and Password Demo1234.
    Note: Running a scan of the demo site is not counted towards your license limit as long as you use the full URL provided. If you remove the ?mode=demo switch, the scan is counted towards your limit.
    Include only links in and below this directory
    Select this check box to exclude any external, parallel, or sub-domains that may be discovered as links when scanning. When this check box is cleared, the scan can include domains other than that of the starting URL.

    Domains to be tested

    Lists all domains that will be included in the scan. The starting URL you enter is added here automatically.

    If your site includes domains other than that of the starting URL, and you want them scanned, click Add another domain to add them.

    Note: The option to select Staging or Production environment was recently removed as it is no longer needed. For more information, see Why can I no longer specify the environment to be Staging or Production?.
  4. Authentication and connectivity: Login management

    By default, login is not required.

    Leave this selection as is if:
    • No login/authorization is required, or
    • (Web API) Authorization uses a fixed or long-term value, such as an API key or a fixed bearer token.

    Setting

    Options

    Login

    Login required: Username and Password
    Select if AppScan 360° is able to log in as needed using credentials but with no special procedure. You can also enter a third credential (optional). For example: PIN# = 1234. However, the use of a third credential requires intervention by the AppScan 360° Support team, and the scan may take longer.
    Note: CAPTCHA is not supported.
    Tip: AppScan 360° recommends use of test credentials rather than the credentials of an actual user.
    This option is not relevant for web APIs.
    Login Required: Recorded login
    If a special login procedure is needed, select this option to upload a recording of the procedure that AppScan 360° must use whenever it logs in to the applications during the scan. You can record using the AppScan Activity Recorder (saved as a CONFIG file) or AppScan Standard (exported as a LOGIN file).
    Important: The recorded login sequence must contain the following requests:
    • Login/authorization request
    • An additional logged-in/authorized request. This "extra" request helps AppScan identify a successful authorization and maintain session when testing the application.

    For details about recording a CONFIG or LOGIN file see Recording traffic and Recording the login using AppScan Standard.

  5. Authentication and connectivity: HTTP authentication

    In addition to the login information, indicate whether the application requires HTTP authentication (Negotiate, NTLM, Kerberos, ADFS, Basic, or Digest). Enter the Username, Password, and Domain (optional) for AppScan 360° to use during the scan.

  6. Authentication and connectivity: One-time password

    If your site requires a time-based one time password for users to log in (MFA), select this check box and complete the first four fields in the dialog.

    Setting

    Options

    Use TOTP

    • Secret key
    • OTP length (number of digits)
    • Hash algorithm used (select from drop-down)
    • Time step (in seconds)
    Note: TOTP is the only OTP supported in this wizard. For more OTP options you can configure a scan in AppScan Standard and upload it to AppScan 360°. When configuring a scan in AppScan Standard with OTP, you must use action-based login, not request-based login; see the AppScan Standard documentation for details.
  7. Authentication and connectivity: Communication

    Set the maximum number of requests that AppScan 360° can send to the site simultaneously.

    Setting

    Options

    Number of threads

    Reduce the limit if your site does not allow this many simultaneous requests; if your site does not allow simultaneous requests at all, reduce the limit to 1.

    Server communication timeout

    Adjust automatically during the scan
    Allow AppScan 360° to decide how long to wait for any particular response before timing out. This can significantly reduce scan time.
    Fixed
    Set the maximum time AppScan 360° waits for a response before timing out. Increase this setting if your site's responses are slow and AppScan 360° is missing responses due to the short timeout.

    Max request rate

    By default, AppScan 360° sends its requests to the site as fast as possible. If this limit will overload your network or server, you can reduce it.

  8. Authentication and connectivity: Explore

    Define how AppScan 360° explores the site during the scan.

    Setting

    Options

    Automatic form fill

    AppScan 360° uses AppScan Standard's default form fill parameter values to fill and submit forms on the site.
    Important: If you are scanning a live production site, we recommend disabling this function. For more details, refer to What changes should I make when scanning a live production site?
    Note: If you turn off automatic form fill and scan in AppScan 360°, the scan discards all form-fill data except the login management data, and AppScan does not fill in forms automatically during scanning. When you import this scan into AppScan Standard, automatic form fill is enabled, but the form-fill data, except for login management, is empty.

    Type

    Explore automatically
    AppScan crawls the web application automatically, from the starting URL, to discover the pages it will test. This option is not relevant for web APIs; use the next option.
    Explore with guidance
    Upload your own recorded Explore stage for AppScan to test. You can use this on its own or in addition to an automatic Explore stage.
    For details about the two Explore types, see About dynamic analysis (DAST).

    Explore with guidance

    This section is active only if you selected Explore with guidance.

    Upload recording

    Upload one or more DAST.CONFIG traffic files. For details of how to record these, see Recording traffic. For web APIs the best option is usually the HCL AppScan Traffic Recorder.

    File settings

    If the requests in your traffic file must be sent in the specific order you recorded them, activate Multistep. This method significantly increases the duration of the scan, so use only if needed. To understand the difference between Multistep and regular Explore with guidance, refer to Explore with guidance.

    To activate Multistep:
    • For each uploaded recording, click on the filename and toggle the Activate Multi-step option to On.
    How to use the recording
    Use the recorded Explore in addition to a full automatic Explore stage, and test it all
    AppScan 360° runs its own automatic Explore stage to discover the application, and test it based on both these results and the traffic file you uploaded. This option is not relevant for web APIs; use the next option.
    Analyze and test the recorded Explore only
    AppScan 360° treats the uploaded file as the Explore stage for the scan. It analyzes and creates tests for the recorded traffic only, and then tests it. There will be no automatic Explore stage.
  9. Tests: Test policy and optimization

    AppScan 360° applies the AppScan Standard Default Test Policy to scans. This cannot be changed using the wizard.

    Setting

    Options

    Test policy

    Apply a different test policy by configuring the scan in AppScan Standard, or through the API. Test policy cannot be changed in the wizard.
    Tip: Test policy is different from application policy.

    Test optimization

    Select the level of tradeoff between scan speed and issue coverage for your needs. The slider offers four levels. The default is Fast. For details, see Test Optimization.

  10. Tests: Test options

    Login/Logout tests: Choose whether to send tests on login and logout pages. If you choose to send tests on login pages, specify whether to send session identifiers.

  11. Preferences: Schedule

    Specify when the scan runs: now, later, or on a schedule.

    Setting

    Options

    Scan now

    Your scan runs as soon as set up and review are complete.

    Save for later

    Your configuration is saved when completed. You can run the scan later.

    Schedule
    Your configuration is saved, and one or more scans run as configured:
    1. Select a date and time. Enter these according to the time zone configured on your machine, but note that times will be converted to UTC when displayed in the user interface.
    2. To run the scan more than once, select Repeat, and then choose:
      • Daily, and select a daily interval (1-30 days)
      • Weekly, and select which day, or
      • Monthly, select a monthly interval, and then select which numerical day of the month, or which weekday of the month (first, second, third, fourth, last).
      Note: If the maximum number of concurrent scans is already running when the scheduled time arrives, the scan starts as soon as your subscription allows.
    3. Set the End date (the last date a scan will run), or click Remove end date to have the schedule run indefinitely.
  12. Preferences: Scan options
    In the Scan options panel, you can:
    • Elect to run the scan as a Personal scan.
    • Elect to receive an email when the scan is complete.
  13. Summary

    Edit the name of the scan, if desired, and review the settings selected for the scan. Go back to previous panels to make adjustments if needed.

  14. Click Scan.
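
The scope settings in step 3 ("Include only links in and below this directory" and "Domains to be tested") decide which discovered links the scanner may follow. The following is an added illustration, not AppScan's own scope logic, of how those two settings interact: with the check box selected, only links on the starting URL's host and at or below its directory are kept; with it cleared, any host listed in the domains table is kept. The starting URL, link URLs and the function names are constructed for this example, and the model assumes a listed domain matches only its exact host name (sub-domains must be listed separately).

```python
from urllib.parse import urljoin, urlsplit


def host_of(url: str) -> str:
    """Lower-cased host name of a URL; bare host names like 'api.example.com' are accepted too."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def directory_of(url: str) -> str:
    """Directory part of the starting URL's path: '/shop/index.jsp' -> '/shop/', '/shop/' -> '/shop/'."""
    path = urlsplit(url).path or "/"
    return path[: path.rfind("/") + 1]


def in_scope(link: str, starting_url: str, only_below_directory: bool, extra_domains=()) -> bool:
    """Return True if a discovered link falls inside the configured scan scope.

    Relative links are resolved against the starting URL first, as a crawler would.
    Note that '/shop/' does NOT admit '/shopping/x': the comparison includes the trailing slash.
    """
    link = urljoin(starting_url, link)
    link_host = host_of(link)
    start_host = host_of(starting_url)
    if only_below_directory:
        # Check box selected: same host only, and path at or below the starting directory.
        return link_host == start_host and urlsplit(link).path.startswith(directory_of(starting_url))
    # Check box cleared: any host in the "Domains to be tested" list (starting host is added automatically).
    allowed_hosts = {start_host} | {host_of(d) for d in extra_domains}
    return link_host in allowed_hosts


def filter_links(links, starting_url, only_below_directory, extra_domains=()):
    """Apply in_scope() to a batch of discovered links and return the ones the scan may follow."""
    return [l for l in links if in_scope(l, starting_url, only_below_directory, extra_domains)]


if __name__ == "__main__":
    # Constructed sample: a starting URL and a few links a crawler might discover.
    start = "https://demo.example.com/shop/index.jsp"
    found = [
        "cart.jsp",                               # relative, resolves below /shop/
        "https://demo.example.com/admin/",        # same host, parallel directory
        "https://demo.example.com/shopping/x",    # same host, prefix trap
        "https://api.example.com/v1/users",       # sub-domain of the site
        "https://cdn.example.net/lib.js",         # external domain
    ]
    print("restricted:", filter_links(found, start, True))
    print("listed domains:", filter_links(found, start, False, ["api.example.com"]))
```

Running the block shows the practical difference: the restricted scope keeps only `cart.jsp`, while clearing the box and listing `api.example.com` also admits the admin directory and the API host, but still never the external CDN.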

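The four TOTP fields in step 6 (secret key, OTP length, hash algorithm, time step) are exactly the inputs of RFC 6238, so a scan whose values differ from the application's enrollment settings will generate codes the application rejects. The following added example (not AppScan's code) is a plain standard-library implementation of RFC 4226 HOTP and RFC 6238 TOTP that lets you confirm, before configuring the wizard, that a given secret, digit count, algorithm and time step reproduce the codes your authenticator app shows. It assumes the secret key is the base32 string shown at MFA enrollment (the common case; the decoding helper tolerates missing padding and spaces), and the `verify_totp` helper with a drift window is included for the server-side check, using the RFC test vectors as sample input.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 secret as shown at MFA enrollment; spaces, lower case and missing '=' padding are tolerated."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, digits: int = 6, algorithm: str = "sha1", time_step: int = 30, at=None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / time_step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // time_step), digits, algorithm)


def verify_totp(code: str, secret: bytes, digits: int = 6, algorithm: str = "sha1",
                time_step: int = 30, at=None, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `window` steps either side (clock drift)."""
    if at is None:
        at = time.time()
    counter = int(at // time_step)
    return any(
        hmac.compare_digest(hotp(secret, counter + k, digits, algorithm), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret, in the base32 form an enrollment page would display.
    secret = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    # Same secret, same instant, but the wizard's time step set to 60 instead of 30:
    # the generated code no longer matches what the application expects.
    print("30 s step:", totp(secret, digits=8, time_step=30, at=59))
    print("60 s step:", totp(secret, digits=8, time_step=60, at=59))
    print("current code:", totp(secret))
```

Use the same secret, digit count, algorithm and time step you intend to enter in the wizard and compare the printed current code with your authenticator app; if they differ, one of the four fields is wrong and the scan's logins would fail at the MFA step.
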
Results

The new scan is added to the Scans view with its starting time, and a progress bar indicates that the scan is running. When the scan is complete the progress bar closes, the results are summarized in a graph, and (if selected) you receive an email notification. See Results.