Multi-Step Operations

Multi-Step Operations view of the Configuration dialog box is for testing parts of the site that can only be reached by clicking links in a specific order.

This view is used when parts of the application can only be reached by sending requests in a specific order.

Consider, for example, an online shop where the user visits pages in the following order:

Page 1: User adds one or more items to a shopping cart

Page 2: User fills in payment and shipping details

Page 3: User receives confirmation that the order is complete

Page 2 can be reached only via Page 1. Page 3 can be reached only via Page 1 followed by Page 2. This is a sequence. In order to be able to test Pages 2 and 3, AppScan® must send the correct sequence of HTTP requests before each test.

In the case of the above example you would record a single sequence: Page 1 > Page 2 > Page 3. AppScan would extract the necessary sub-sequences from this sequence, as required. (When testing Page 2 it would send a Page 1 request first; when testing Page 3, it would send Page 1 followed by Page 2.)

Note: It is suggested that the number of multi-step operations be limited to five, with no more than 25 steps in any one operation, and no more than 70 steps altogether.
Note: Configuring multi-step operations should not be mistaken for manual exploring, and should only be used in cases like the one described above. For more details see Manual Explore




Click to record a new sequence. If login details have been configured, you can click the down arrow to select:
Log in and then record
AppScan will log in to the application automatically (using the login you recorded) before the browser opens. You can then record your multi-step operation without recording the login requests. This method has the advantage that the login requests will not be replayed every time this sequence is played, but only if AppScan is out-of-session.
Note: Parameters and cookies that are present in the Multi-Step sequence but not in the Login sequence, are always tracked as Dynamic, even if you change their tracking to Login Value.
Record without login
AppScan will begin recording the sequence without logging in. When the browser opens you record your multi-step sequence directly. If you need to log in, the login will be part of the recording and will therefore be replayed every time the sequence is played, which can significantly increase scan time. Where login is required, the best practice is to use the previous option.
Note: If you use this option and then record login requests as part of the sequence, parameters and cookies received are always tracked as Dynamic, even if they are Login requests, and even if you change their tracking to Login Value.

For details, see Record a Sequence

export button | import button | minus button

Export a sequence (as an SEQ file) for use with a different scan; import a sequence (SEQ file) exported from a different scan; delete the selected sequence from the current scan.

Playback Method

When you record a multi-step operation, AppScan records both the actions and the requests. You can select which of them will be used for the scan:
Request-based playback
Sends the raw HTTP requests from the recording. This method is usually faster.
Action-based playback
Replays the clicks and keystrokes of the user. Reasons for selecting this method could be that the site includes a lot of JavaScript, or that some of the requests in the request-based playback were marked with a red X when you attempted to validate them. This method can increase scan time.
Request-based playback is the default method.
Note: If the scan is configured not to use a browser other than the embedded browser (Tools > Options > Use external browser), request-based playback is always used.
Note: If you load a sequence that was recorded in a version of AppScan that did not support action-based playback, request-based playback is used for that sequence, even if action-based playback is selected.

Sequence Name

The name of the sequence that is selected in the List of Sequences.

The check box next to each name indicates if the sequence is enabled for this scan.


Shows the links in the selected sequence.
  • Click Validate to check that the sequence is valid. AppScan replays the sequence, and any requests that receive a response different to the original response are marked with a red X, indicating that they will not be tested.
    Note: A common reason for requests receiving a different response is the presence of a dynamic sequence variable that needs to be defined, see Sequence variables
  • View any link in the sequence by selecting it and then clicking the browser button
  • Delete any link in the sequence by selecting it and clicking minus button. After doing this click Validate to check that the sequence still keeps in-session.
  • Right-click on one or more of the steps in the Sequence pane and select Don't Test. They will still be included when playing the sequence, but will not be tested individually.

Allow play optimization

(Request-based playback only) When selected (default) AppScan attempts to optimize scan time by avoiding unnecessary playback. You should not disable this setting unless you find that AppScan is missing parts of the application due to play optimization.

Test in Single-Thread mode

AppScan may send two or more requests simultaneously, if they don't require the replaying of a sequence between them. If this results in parts of the application being missed, select this check box.

Sequence Variables

Lists variables that were received while recording the sequence(s), and indicates those that AppScan has determined should be tracked. These may be session IDs or other variables. You can change the status of variables in this list to improve how AppScan deals with them (for details see Sequence variables).