Home
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
HCL AppScan Traffic Recorder
The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
API commands

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
- About dynamic analysis (DAST)
  An ASoC dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.
- Dynamic scanning (DAST)
  ASoC can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available in ASoC, or upload an AppScan Standard configuration (template file) or a full scan file.
- AppScan Presence
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet, and to incorporate scanning as part of your functional testing.
- Recording traffic
  You can record traffic as Explore data for DAST scans using the AppScan Activity Recorder browser extension (for Chrome or Edge), the HCL AppScan Traffic Recorder proxy server, or AppScan Standard.
- HCL AppScan Traffic Recorder
  The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
  - System requirements
  - Installing the HCL AppScan Traffic Recorder
  - Configuring the Traffic Recorder
    Changes you can make in the configuration file Settings.json for use with HCL AppScan Traffic Recorder
  - Starting and stopping the Traffic Recorder
    You can either start the traffic recorder, or run it as a service. You cannot do both in parallel.
  - Using the HCL AppScan Traffic Recorder
    Once the HCL AppScan Traffic Recorder has started, you can start new instances to record your application's traffic.
  - API commands
  - Configuring a Private Site Server Proxy
    If your private network requires the Private Site Server to use a proxy to connect with the web application or back-end server (internal proxy), or with the Internet (outgoing proxy), configure it as follows.
- IAST Total
  IAST Total (Interactive Application Security Testing), harnesses IAST capabilities to enhance Dynamic Analysis (DAST) scans, improving scan and remediation times while uncovering a broader spectrum of vulnerabilities.
- AppScan Standard
- Private sites
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

HCL AppScan Traffic Recorder API commands

The information on this page is also available in Swagger using the following command at a command prompt:

https://<server>:<port>

All commands point to an endpoint that looks like this:

https://[server]:[port]/automation/

server = IP address of the machine on which the Traffic Recorder is installed. The default is localhost.

port = port on which the HCL AppScan Traffic Recorder proxy listens

`StartProxy`

Starts the HCL AppScan Traffic Recorder, that listens on the specified port.

URL: https://[server]:[port]/automation/StartProxy/<recordingPort>
Request type: POST or GET. If using chainedProxy, proxyCertificate, and clientCertificate the request is POST. otherwise it is GET.

`StopProxy`

Stops the instance of the traffic recorder that is listening on the specified port.

URL: https://[server]:[port]/automation/StopProxy/<recordingPort>
Request type: GET

Important: Setting the port to 0 does not stop all open proxies. Use StopAllProxies.

`StopAllProxies`

Stop all running recording proxies on all ports, including those started by other users.

URL: https://[server]:[port]/automation/StopAllProxies
Request type: POST

`EncryptDastConfig`

Uploads DAST.CONFIG file for encryption.

URL: https://[server]:[port]/automation/EncryptDastConfig
Request type: POST

`DownloadEncryptedDast`

Downloads an encrypted DAST.CONFIG file (uploaded using the EncryptDastConfig API call).

Note: When the file is downloaded, both encrypted and unencrypted DAST.CONFIG files are deleted from the Traffic Recorder.

URL: https://[server]:[port]/automation/DownloadEncryptedDastConfig/<uuid>
Request type: GET

`Traffic`

Downloads recorded data from the Traffic Recorder identified by its port, as a DAST.CONFIG file.

URL: https://[server]:[port]/automation/Traffic/<recordingPort>
Request type: GET

`Certificate`

Downloads the self-signed Root Certificate Authority, used by the traffic recorder, as a PEM file.

URL: https://[server]:[port]/automation/Certificate
Request type: GET