Using the Proxy Server

You can use the AppScan Presence Proxy Server to record traffic, save it as a DAST.CONFIG file, and import it to run an ASoC scan. You can optionally encrypt this file, as described in the sub-sections that follow the procedure below.

Procedure

  1. To view the REST API documentation, type in a browser:
    http://localhost:<port>
    To view it from a different machine, type:
    http://<IP>:<port>
    where:
    port - the port on which the Proxy Server listens
    IP - the IP address of the machine on which the Proxy Server is installed
  2. If the site is secured (HTTPS), you can avoid SSL warnings by doing this:
    1. Use the REST API to download the self-signed Root Certificate Authority, used by the AppScan Proxy Server, as a PEM file.
    2. Install the certificate on the browser used for the Explore, or wherever needed (depending on where the traffic is sent from).
    For more details see Configure the Root Certificate, below.
  3. To start a proxy, use the REST API request: StartProxy, and define the recording port (to which you want to send the traffic).
    Note: If the proxy server does not have direct access to the site, you can also define an upstream (chained) proxy with this REST API.
    Note: If you need to define more than one chained proxy, or exceptions to the proxy, use the chained proxy rules file (proxy.chain) found in the installation folder.
    Note: If the server is not configured to encrypt all traffic (see the Encrypt all traffic sub-section below), you can still encrypt the traffic file (DAST.CONFIG) for an individual recording by adding a query parameter to the request. Example:
    /StartProxy/<recordingPort>?encrypted=true
  4. Send your traffic via the defined recording port.
  5. When done, send the REST API request: StopProxy (note that StopProxy/0 is not allowed).
  6. Download the recorded traffic file by sending the REST API request: Traffic
    The traffic file has the extension .dast.config
    Note: When you download the traffic file, the traffic data is deleted from the Proxy Server.

    You can use the DAST.CONFIG file to update the Explore data of an existing job, using the ASoC REST API. You can
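
As an added example (not the page's own ProxyServerDemoScript.py), a small Python client for the recording workflow in steps 3 to 6. The page names only the requests, so the endpoint paths /StartProxy/<port>, /StopProxy/<port> and /Traffic/<port>, the use of GET, and the response body of /Traffic being the .dast.config bytes are assumptions; fake_server_fetch is a constructed stand-in for the server.

```python
"""Client for the Proxy Server recording workflow in steps 3 to 6 above.

Added example, not HCL's ProxyServerDemoScript.py. ASSUMPTIONS (the page names only the
requests): the endpoints are GET /StartProxy/<port>[?encrypted=true], GET /StopProxy/<port>
and GET /Traffic/<port>, and /Traffic returns the .dast.config bytes as the response body.
"""
import urllib.request
from typing import Callable

Fetch = Callable[[str], bytes]  # GET a URL, return the response body

def urllib_fetch(url: str) -> bytes:
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()

def fake_server_fetch(url: str) -> bytes:
    """Constructed stand-in for the Proxy Server so the workflow runs offline."""
    return b"<constructed dast.config bytes>" if "/Traffic/" in url else b"OK"

class ProxyRecorder:
    def __init__(self, host: str, mgmt_port: int, fetch: Fetch = urllib_fetch) -> None:
        self.host, self.fetch = host, fetch
        self.base = f"http://{host}:{mgmt_port}"
        self.calls: list = []  # every management URL requested, kept for auditing

    def _call(self, path: str) -> bytes:
        self.calls.append(self.base + path)
        return self.fetch(self.base + path)

    def start(self, recording_port: int, encrypted: bool = False) -> dict:
        """StartProxy; ?encrypted=true encrypts this one recording even when Settings.json
        leaves encryptDastConfig false. Returns a proxies mapping for the traffic source."""
        if not 1 <= recording_port <= 65535:
            raise ValueError("recording port must be in 1..65535")
        self._call(f"/StartProxy/{recording_port}" + ("?encrypted=true" if encrypted else ""))
        proxy = f"http://{self.host}:{recording_port}"
        # With requests: requests.get(target, proxies=..., verify="proxy-root-ca.pem"),
        # where the PEM is the root CA downloaded via the REST API, avoids SSL warnings.
        return {"http": proxy, "https": proxy}

    def stop(self, recording_port: int) -> None:
        if recording_port == 0:  # StopProxy/0 is not allowed
            raise ValueError("StopProxy/0 is not allowed")
        self._call(f"/StopProxy/{recording_port}")

    def download_traffic(self, recording_port: int) -> bytes:
        """Traffic: the server deletes the recording once downloaded, so write the
        returned bytes to a .dast.config file straight away."""
        return self._call(f"/Traffic/{recording_port}")
```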

Encrypt DAST.CONFIG file

You can use the Proxy Server REST API to upload a DAST.CONFIG file for encryption, and then download the encrypted file.
  • To upload your file for encryption, use: EncryptDastConfig
  • To download the encrypted file, use: DownloadEncryptedDastConfig
See Proxy Server commands (REST API) for details.

Encrypt all traffic

By default, traffic (DAST.CONFIG) files are not encrypted. To configure the server to encrypt all traffic, change the "encryptDastConfig" key in the Settings.json file, found in the installation folder, to true.

Inactivity timeout

If a proxy instance is not closed with a StopProxy request after use, it remains open and listening on its port. Proxy instances are closed automatically if they are idle for a predefined time. The default inactivity timeout for proxy instances is 60 minutes. You can change this value in the Settings.json file, saved in the installation folder.
Important: Do not change any other settings in this file.

Configure the Root Certificate

If your application uses SSL (HTTPS), the proxy must act as a man-in-the-middle to record traffic. To do this the proxy server must have a root certificate that it can use to sign its communication with the app.
By default, the proxy server generates a unique root certificate, and no user intervention is needed. However, when browsing the app you will get SSL warnings. You can do one of the following:
  1. Ignore the warnings
  2. Install the certificate generated by the proxy on your machine(s):
    1. Use the REST API to download the self-signed Root Certificate Authority, used by the AppScan Proxy Server, as a PEM file.
    2. Install it on the browser used for the Explore, or wherever needed (depending on where the traffic is sent from).
  3. Import your own root certificate to the proxy server. Supported certificate formats are PKCS12 (.P12, .PFX) and JKS:
    1. Open a command line window and navigate to the installation folder of the Proxy Server on the AppScan Presence machine. Default location:
      <AppScanPresenceInstallFolder>\Automation
    2. Run the following command:
      ..\Java\jre\bin\java -jar DastProxy.jar -irc [path to certificate file] -ircp [password]
    Note: To see the complete command usage, run:
     ..\Java\jre\bin\java -jar DastProxy.jar
Important: Since the certificate will be saved on the proxy server, it is recommended that you use a dedicated test certificate.
Note: Our demo script for this workflow, ProxyServerDemoScript.py, can be found in the installation folder (default location):
<AppScanPresenceInstallFolder>\Automation