Recording traffic

You can record traffic as Explore data for DAST scans using the AppScan Activity Recorder browser extension (for Chrome or Edge), the HCL AppScan Traffic Recorder proxy server, or AppScan Standard.

When you run a DAST scan, ASoC explores your site automatically. Sometimes it is useful to make your own recording and upload it for ASoC to use when testing the site. The table below summarizes the options for recording traffic and suggests scenarios where you may find them helpful.

| Option | Description | Use cases |
| --- | --- | --- |
| AppScan Activity Recorder | Browser extension for Chrome and Edge. | Record your own browsing activity and save it as a DAST.CONFIG file. Upload the file to ASoC when configuring your DAST scan. |
| HCL AppScan Traffic Recorder | DAST proxy server. | Traffic Recorder instances can be created on demand (for example, by an automation framework such as Selenium) to automatically record traffic and save it as a DAST.CONFIG file. Upload the file to ASoC when configuring your DAST scan. Note: When you upload a recording of traffic sent to a web API, select Run Test stage only (in scan setup). ASoC DAST explore stage is not able to explore a web API. |
| AppScan Standard | Desktop application. | If you have AppScan Standard installed, you can take advantage of its advanced configuration options to configure a scan and save it as a SCAN file. Use this file to create your DAST scan in ASoC. |

You can also record and validate the login procedure only, save it as a LOGIN file, and upload it to use in your ASoC DAST scan.

Using the AppScan Activity Recorder

To record traffic using the AppScan Activity Recorder:
  1. Open your browser and install AppScan Activity Recorder.
  2. In a new browser tab, enter the Starting URL.
  3. Click the extension icon to start the recording and record your guided explore stage.
    Note: You must be logged out of the application before you start the recording.
  4. When finished, click the extension icon again to stop the recording. You will be prompted to save the DAST.CONFIG file.

Using the AppScan Traffic Recorder

The HCL AppScan Traffic Recorder enables you to record traffic to a web service or web API and save it as a DAST.CONFIG file, which can then be used as explore data for an ASoC scan. For details, see HCL AppScan Traffic Recorder.

Note: When you upload a recording of traffic to a web API, select Run Test stage only (in scan setup). ASoC DAST explore stage is not able to explore a web API.

Using AppScan Standard

For details of use cases and how to obtain AppScan Standard, see AppScan Standard.

To record traffic for ASoC using AppScan Standard:
  1. Open the Configuration dialog box, and configure your AppScan scan with the starting URL for the scan, login, and any other settings needed.
  2. In AppScan Standard, click Manual Explore to open the built-in Activity Recorder and start recording.
  3. Log in to your application, and click the links you want tested in the scan.
  4. Click OK.
  5. Review the list of requests, edit if needed, and then click OK.
  6. Save the SCAN file and upload it to create an ASoC scan (see Create a new scan from a scan file).

Recording the login using AppScan Standard

You can use ASoC to record the login procedure for your application, export it as a LOGIN file, and upload it to use in an ASoC scan.

To record the login procedure in AppScan Standard:
  1. Open the Configuration dialog box, and configure your AppScan scan with the starting URL for the scan.
  2. In Login Management view, select Login Method: Recorded.
  3. Click Record, and using the internal browser that opens, log in to your application.

    Both HTTP requests and user actions are recorded.

  4. When you are logged in, click I am logged in to the site.

    The browser closes, and AppScan analyzes the sequence to identify an in-session page that can be used during scanning to verify when AppScan gets logged out, and when it is still logged in. When this is successful, the green key icon appears as confirmation.

  5. In the lower part of the dialog, click Export to save this procedure as a LOGIN file.