Explore with guidance

The "Explore with guidance" feature lets you crawl specific parts of your application, filling in fields and forms as you go, to "guide" AppScan to those areas, ensuring that they are tested in the DAST scan, and that AppScan has the information needed to complete forms correctly and - if necessary - to browse links in a specific order.

The main reasons for exploring with guidance are that specific user input is required, or that the site responds only to a different type of tool or device. There are three ways you can record traffic to use as your "Explore with guidance" data:
  • Using the AppScan Activity Recorder (an extension for your Chrome or Edge web browser)
  • Using the AppScan Traffic Recorder (may be most suitable in the case of web APIs)
  • Using AppScan Standard (using its built-in version of the Activity Recorder)
    Tip: In AppScan Standard, "Explore with guidance" is called "Manual Explore".
The recorded traffic is saved as a DAST.CONFIG file.

When creating your ASoC scan, you can either use the "Explore with guidance" recording as the Explore stage of the scan, testing only the parts of the application it includes, or use it in addition to an automatic Explore stage, so that ASoC explores the application automatically and tests both your recording and its own explore data.

Explore with guidance applies to DAST scans only. You upload your DAST.CONFIG file and configure "Explore with guidance" in the Explore stage of the scan wizard; see DAST scan configuration > Explore step. For details of how to record the traffic, see Recording traffic.

Multistep

Multistep explore is a specific type of guided explore, where you show AppScan not only which links to crawl, but also the specific order in which to crawl them. Use Multistep for testing parts of the site that can be reached only by sending requests in a specific order, such as an online shop where the user adds items to a cart before paying for them.

For example, consider the following three pages of a site:
  1. User adds one or more items to a shopping cart
  2. User fills in payment and shipping details
  3. User receives confirmation that the order is complete
Page 2 can be reached only via Page 1. Page 3 can be reached only via Page 1 followed by Page 2. This is a sequence. In order to be able to test Pages 2 and 3, AppScan must send the correct sequence of HTTP requests before each test.
In the case of the above example you would save an "Explore with guidance" recording (DAST.CONFIG) where you browse: Page 1 > Page 2 > Page 3. AppScan would extract the necessary sub-sequences from this sequence, as required. (When testing Page 2 it would send a Page 1 request first; when testing Page 3, it would send Page 1 followed by Page 2.)
Important: Because any step in a multistep recording must be preceded by all its previous steps, and because any particular step may be tested hundreds of times in a scan, activating "Multistep" can greatly increase scan time. Therefore it should be used only when the order of requests is essential to reaching a particular part of the application.
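The following is an added illustration (not AppScan's own code, and not the DAST.CONFIG format) of the multistep rule above: for each tested step it derives the prerequisite sub-sequence that must be replayed first, and estimates how the request count grows when every step is tested many times. The three-step shop recording and the request paths are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One recorded request in a guided-explore sequence (constructed model)."""
    name: str
    method: str
    path: str


# Constructed sample recording: the shop sequence Page 1 > Page 2 > Page 3.
RECORDING = [
    Step("Page 1", "POST", "/cart/add"),
    Step("Page 2", "POST", "/checkout/details"),
    Step("Page 3", "GET", "/order/confirmation"),
]


def replay_plan(recording, target_index):
    """Requests to send before testing step `target_index`: every earlier
    step, in recorded order, as the multistep rule requires."""
    if not 0 <= target_index < len(recording):
        raise IndexError("target step is not in the recording")
    return list(recording[:target_index])


def requests_per_scan(recording, tests_per_step, multistep):
    """Estimate requests sent by a scan that tests each step `tests_per_step`
    times. With multistep, each test of step i also replays its i prerequisite
    requests; without it, each test is a single request."""
    total = 0
    for i in range(len(recording)):
        prefix = len(replay_plan(recording, i)) if multistep else 0
        total += tests_per_step * (prefix + 1)
    return total


if __name__ == "__main__":
    for i, step in enumerate(RECORDING):
        before = [s.name for s in replay_plan(RECORDING, i)]
        print(f"testing {step.name}: replay {before} first")
    print("without multistep:", requests_per_scan(RECORDING, 100, False))
    print("with multistep:   ", requests_per_scan(RECORDING, 100, True))
```

For this three-step recording with 100 tests per step, multistep doubles the request volume (600 versus 300), and the gap widens quadratically as the recording gets longer.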

Multiple DAST.CONFIG files

You can upload more than one file for a single scan. If activated, the "Multistep" setting applies to all the files; see DAST scan configuration > Explore step.