Scanning sites that use client certificates

ASoC does not currently offer a way to configure a client certificate from the user interface or API, but you can use AppScan Standard 10.0.8 (or later) to do this.

However, there is a limitation. When you save a scan template (SCANT file) in AppScan Standard, the certificate is not saved in the template. Refer to the following procedures to scan sites that use client certificates.

To run a scan through AppScan Connect:
  1. Configure the scan, including the client certificate, in AppScan Standard 10.0.8 or later.
  2. In AppScan Standard, use the AppScan Connect feature to upload the configuration to ASoC and run the scan.
    Note: The certificate is saved in the scan template only when you use AppScan Connect. It is not included if you save directly as a SCANT file.

To run a scan through the API:
  1. In AppScan Standard, use AppScan Connect to download the SCANT file from ASoC (described above).
  2. Open the scan in AppScan Standard and save it as a SCANT file.

    The client certificate is included in the file.

  3. Use the ASoC FileUpload API to upload the SCANT file and get a file ID.
  4. Use this ID to create the DAST scan using the DynamicAnalyzerWithFile API.

Client certificates for private sites

Before a scan starts, the AppScan Presence verifies that it can access the scan's starting URL. If it is unable to do so, the scan fails immediately.

When a client certificate is required for a private site, the Presence cannot connect to the tested site because it does not have the client certificate. Resolve this by directing the Presence to run the scan even though it cannot reach the web application being scanned.

To override the Starting URL check:
  1. In the root folder of the Presence, locate appsettings.json and open it with a text editor.
  2. Set: "StartingUrlTestNotFailing": true,
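
The two steps above can be scripted when several Presences need the same change. The following Python sketch is an added example, not part of the product or its documentation. It assumes that StartingUrlTestNotFailing is a top-level key in appsettings.json, and the PresenceName key in the sample file is constructed for the demonstration.

```python
import json
import os
import shutil
import tempfile

FLAG = "StartingUrlTestNotFailing"  # key name taken from the procedure above


def override_starting_url_check(presence_root):
    """Set the flag to true in <presence_root>/appsettings.json.

    Returns True if the file was changed, False if the flag was already true.
    Assumes the flag is a top-level key (an assumption, not stated on the page).
    """
    path = os.path.join(presence_root, "appsettings.json")
    # utf-8-sig reads files with or without a byte order mark.
    with open(path, encoding="utf-8-sig") as fh:
        settings = json.load(fh)
    if not isinstance(settings, dict):
        raise ValueError("appsettings.json: top level is not a JSON object")
    if settings.get(FLAG) is True:
        return False
    shutil.copy2(path, path + ".bak")  # keep the previous settings
    settings[FLAG] = True
    # Write to a temp file in the same folder, then swap it in atomically.
    fd, tmp = tempfile.mkstemp(dir=presence_root, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(settings, fh, indent=2)
        fh.write("\n")
    os.replace(tmp, path)
    return True


def demo():
    """Run against a constructed appsettings.json in a temporary folder."""
    root = tempfile.mkdtemp()
    path = os.path.join(root, "appsettings.json")
    sample = {"PresenceName": "constructed-sample", FLAG: False}
    with open(path, "w", encoding="utf-8-sig") as fh:  # written with a BOM
        json.dump(sample, fh)
    first = override_starting_url_check(root)
    second = override_starting_url_check(root)  # second run changes nothing
    with open(path, encoding="utf-8") as fh:
        result = json.load(fh)
    return first, second, result, os.path.exists(path + ".bak")


if __name__ == "__main__":
    print(demo())
```

If appsettings.json contains comments, json.load raises an error and the file is left unchanged; edit the file by hand in that case.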