Test Automation in AppScan Enterprise Using AppScan Proxy Server

This section describes how to incorporate dynamic scanning in your functional testing.

Overview

In the world of DevOps it's increasingly important to be able to incorporate security scans in the functional testing process for your web apps. If you use an automation framework (such as Selenium), you can take advantage of the scripts that are already written to create tailor-made scans. The requests from the automation framework to the web app are sent through the AppScan Proxy Server. The server records the traffic and saves it as a DAST configuration file. You then upload the file to AppScan Enterprise (ASE), which uses it as Explore data for a scan. You can also send traffic through the proxy server manually, from a browser, to create a DAST configuration file.

This diagram depicts the automated scan flow with AppScan® Enterprise.

[Figure: Automated scan flow with AppScan Enterprise]

Typical Workflow

  1. Initialization (once per server):
    1. Install Proxy Server
    2. [Optional] Configure Proxy Server
      1. Handle SSL warning (root certificate)
      2. Inactivity timeout
      3. Chained proxy
    3. Start Proxy Server
  2. Running Scans:
    1. Start a proxy instance listening on a specified or randomly selected port, as configured (see Using the Proxy Server).
    2. Run your Selenium script (or other functional test) through the selected proxy.

      Or

      Browse your web application manually using a web browser configured to work through the selected proxy.
    3. Stop the proxy and save the traffic recording.
    4. Update the Explore data of an existing AppScan Enterprise job, using the ASE REST API.

      For more information, see the documentation at https://<ase_server>:9443/ase/api/pages/apidocs.html.

Note: The demo script for this workflow, ProxyServerDemoScript.py, is available in the AppScan installation folder.

Install Proxy Server

  1. Download one of the current versions of Node.js and install it on your machine.
    Note: If your service is FIPS compliant, you must use a FIPS-compliant Node.js server.
  2. For FIPS-compliant proxy servers:
    1. Locate the file Settings.json in the root folder of the proxy server and open it in a text editor.
    2. Locate the setting requireFips and change its value from false to true.
    3. Save the file.
  3. For a secure (SSL) connection to Node.js, you must configure your own PEM or PKCS12 certificate in the Settings.json.
  4. To set a default port for Node.js to run, you must configure the port setting in Settings.json.
  5. Extract DastProxyServer.zip to a folder on your machine.

Configure Proxy Server

Root Certificate

If your application uses SSL (HTTPS), the proxy must act as a man-in-the-middle to record traffic. To do this, the proxy server must have a root certificate that it can use to sign its communication with the application.

By default, the proxy server generates a unique root certificate, and does not require manual intervention. However, because that certificate is not trusted by your browser, SSL warnings are displayed when you browse the application. You can do one of the following:
  1. Ignore the warnings.
  2. Install the certificate generated by the proxy on your machine(s):
    1. Use the REST API to download the self-signed Root Certificate Authority, used by the AppScan Proxy Server, as a PEM file.
    2. Install it on the browser used for the Explore, or wherever needed (depending on where the traffic is sent from).
  3. Import your own root certificate to the proxy server. Supported certificate formats are PKCS12 (.P12, .PFX) and JKS:
    1. Open a command line window and navigate to the installation folder on the Proxy Server machine.
    2. Run the following command:

      .\Java\jre\bin\java -jar DastProxy.jar -irc [path to certificate file] -ircp [password]

      Note: To see the complete command usage, run the .\Java\jre\bin\java -jar DastProxy.jar command without arguments.

      Important: Use a dedicated test certificate, because the certificate and its private key are saved on the proxy server.

Set Proxy Inactivity Timeout

If a proxy instance is not closed with a close command after use, it remains open and listening on the port. Proxy instances are closed automatically if they are idle for a predefined time.

The default inactivity timeout for proxy instances is 60 minutes. You can change this value by changing the value of inactivityTimeoutInMinutes in the Settings.json file saved in the installation folder.

Important: Do not make changes to any other settings in this file.

Encrypt Traffic

By default, the traffic (DAST.CONFIG) file is not encrypted. To configure the server to encrypt all recorded traffic, change the encryptDastConfig value to true in the Settings.json file in the installation folder.
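The FIPS step in Install Proxy Server, the inactivity timeout above and the encryption setting here are all edits to the same Settings.json, and the page also says not to change any other setting in that file. The following helper is an added example (it is not part of the product) that applies exactly those four documented keys (requireFips, port, inactivityTimeoutInMinutes, encryptDastConfig), refuses any other key, and type-checks the values so that a string "true" does not silently replace a boolean. Everything else in the file is assumed unknown and is written back unchanged.

```python
"""Edit the AppScan Proxy Server Settings.json, touching only the documented keys.

Added example, not part of the product. The layout of Settings.json beyond the
four keys below is assumed unknown and is preserved as-is.
"""
import json
from pathlib import Path

# Keys the documentation says you may change, with the type each expects.
EDITABLE = {
    "requireFips": bool,                # FIPS-compliant mode
    "port": int,                        # default REST API port (8383 when unset)
    "inactivityTimeoutInMinutes": int,  # idle proxy instances are closed after this
    "encryptDastConfig": bool,          # encrypt every recorded DAST.CONFIG
}


def apply_settings(settings: dict, changes: dict) -> dict:
    """Return a copy of `settings` with `changes` applied.

    Any key outside EDITABLE is rejected (the page says not to change other
    settings); types and ranges are validated so that a typo such as
    "requireFips": "true" (a string) is caught before it reaches the server.
    """
    updated = dict(settings)
    for key, value in changes.items():
        if key not in EDITABLE:
            raise KeyError(f"{key}: not a setting this helper is allowed to change")
        expected = EDITABLE[key]
        if type(value) is not expected:
            raise TypeError(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
        if key == "port" and not 1 <= value <= 65535:
            raise ValueError("port must be between 1 and 65535")
        if key == "inactivityTimeoutInMinutes" and value <= 0:
            raise ValueError("inactivityTimeoutInMinutes must be positive")
        updated[key] = value
    return updated


def harden_settings_file(path, inactivity_minutes=15, require_fips=None, port=None):
    """Rewrite Settings.json in place: encrypt recordings and shorten the idle
    timeout from the 60-minute default, so an instance left open after a test run
    stops listening sooner. requireFips and port are only changed when given."""
    changes = {"encryptDastConfig": True, "inactivityTimeoutInMinutes": inactivity_minutes}
    if require_fips is not None:
        changes["requireFips"] = require_fips
    if port is not None:
        changes["port"] = port
    settings_path = Path(path)
    current = json.loads(settings_path.read_text(encoding="utf-8"))
    updated = apply_settings(current, changes)
    settings_path.write_text(json.dumps(updated, indent=2) + "\n", encoding="utf-8")
    return updated


if __name__ == "__main__":
    # Usage: python harden_settings.py /path/to/Settings.json
    import sys
    print(json.dumps(harden_settings_file(sys.argv[1], require_fips=True), indent=2))
```

Run it once after extracting DastProxyServer.zip and before starting the server; the helper leaves keys it does not know about (for example, the certificate settings) untouched.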

Chained Proxy

If you need to define more than one chained proxy or exceptions to the proxy, use the chained proxy rules proxy.chain file that is available in the installation folder. This file includes instructions about using the chained proxy rules.

Start the Proxy Server

You can start the proxy server from the command line or run it as a service. Note that you cannot do both at the same time.

To start the Proxy Server:
  • Run the command: node app.js [port]

    where port = the port on which the AppScan Proxy Server listens for REST API requests.

Note:
  • If you do not define the port, port 8383 is used.
  • It is advisable to leave the DAST Proxy Server running permanently; there is no need to stop it.

Run the Proxy as a Service

You can run the DAST proxy server as a Service using the service.js executable file that is available in the Service folder.

Note:
  • The service runs with Local System privileges.
  • All service commands must be run with administrator privileges.
  • When you run Proxy as a service, the AppScan Proxy server always uses port 8383 for REST API requests.

Start the Service

To start the service, run the following commands:

node service.js --install

node service.js --start

Additional Service Commands

You can print this list by running the command node service.js --help.

Service command   Description
--start           Start the service
--stop            Stop the service
--install         Install the service
--uninstall       Stop and uninstall the service
--h | --help      Output usage information

Using the Proxy Server

After the proxy server has started, you can start proxy instances to record traffic of your application.

  1. To view the REST API documentation, type in the browser: http://localhost:<port>
    Note:

    To view it from a different machine, type in the browser: http://<IP>:<port>

    where
    • port = port on which the proxy server listens.
    • IP = IP address of the machine on which the proxy server is installed.
  2. To start a proxy instance, use the REST API request StartProxy, define the recording port (to which you want to send the traffic) and, optionally, an upperBound port.
    Note:
    • The upperBound sets the upper limit of a port range, from which the lowest available port will be used. If set, then the recordingPort value is used as the lower limit of the range.
    • If the proxy server does not have direct access to the site, you can also define an upstream (chained) proxy with this REST API.
    • If not set in the Settings.json file (see above), you can encrypt the traffic (DAST.CONFIG) file for an individual recording by adding a query parameter, for example: /StartProxy/<recordingPort>?encrypted=true
  3. Send your traffic via the defined recording port.
  4. Send the REST API request StopProxy.
    Note: StopProxy/0 is not allowed.
  5. Download the DAST configuration file (.dast.config), which contains the recorded traffic, by sending the REST API request Traffic. The file is a ZIP file containing one or more .har (HTTP Archive) files.
    Note: When you download the DAST configuration file, the recording is deleted from the AppScan Proxy Server, so save the downloaded file before doing anything else with it.
  6. You can use the DAST configuration file to update the Explore data of an existing job, using the ASE REST API.

    For more information, see the documentation at https://<ase_server>:9443/ase/api/pages/apidocs.html
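The six steps above, and the Typical Workflow section earlier, describe one recording session: StartProxy, drive traffic through the recording port, StopProxy, download Traffic. The script below is an added example written for this page using only the Python standard library; it is not the product's ProxyServerDemoScript.py. The REST paths (/StartProxy/<port>, /StopProxy/<port>, /Traffic/<port>) and the use of GET are assumed from the endpoint names on the page, as is the chainedProxy parameter name, so check them against the live API documentation at http://<IP>:<port> before relying on them. The sample traffic file it builds for the offline check is constructed, not a real recording.

```python
"""Record a functional test through the AppScan Proxy Server and check the
downloaded traffic file, using only the Python standard library.

Added example, not the product's ProxyServerDemoScript.py. REST paths, HTTP
method and the chainedProxy parameter name are ASSUMED from the endpoint names
on the page; verify them against the live API docs.
"""
import io
import json
import urllib.request
import zipfile
from urllib.parse import urlencode


def start_proxy_url(base, recording_port, upper_bound=None, encrypted=False, upstream_proxy=None):
    """Build the StartProxy URL. `upper_bound` makes recording_port the low end of
    a port range; `encrypted` is the documented ?encrypted=true flag."""
    if recording_port <= 0:
        raise ValueError("recordingPort must be a positive port number")
    params = {}
    if upper_bound is not None:
        if upper_bound < recording_port:
            raise ValueError("upperBound must not be below recordingPort")
        params["upperBound"] = upper_bound
    if encrypted:
        params["encrypted"] = "true"
    if upstream_proxy:
        params["chainedProxy"] = upstream_proxy  # ASSUMED parameter name
    url = f"{base.rstrip('/')}/StartProxy/{recording_port}"
    return url + ("?" + urlencode(params) if params else "")


def stop_proxy_url(base, recording_port):
    """Build the StopProxy URL; the page states that StopProxy/0 is not allowed."""
    if recording_port == 0:
        raise ValueError("StopProxy/0 is not allowed")
    return f"{base.rstrip('/')}/StopProxy/{recording_port}"


def traffic_url(base, recording_port):
    """Build the Traffic download URL (path assumed)."""
    return f"{base.rstrip('/')}/Traffic/{recording_port}"


def call(url, timeout=30):
    """Issue one REST request (GET assumed) and return the response body."""
    with urllib.request.urlopen(urllib.request.Request(url, method="GET"), timeout=timeout) as resp:
        return resp.read()


def send_through_proxy(target_url, recording_port, proxy_host="localhost", timeout=30):
    """Manual traffic: route a single request through the recording port."""
    proxy = f"http://{proxy_host}:{recording_port}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    with opener.open(target_url, timeout=timeout) as resp:
        return resp.status


def selenium_proxy_argument(recording_port, proxy_host="localhost"):
    """Chrome flag that routes a Selenium session through the recording port, e.g.
    options = webdriver.ChromeOptions(); options.add_argument(selenium_proxy_argument(8090))"""
    return f"--proxy-server=http://{proxy_host}:{recording_port}"


def har_entry_counts(dast_config_bytes):
    """Check a downloaded .dast.config: a ZIP holding one or more .har files.
    Returns {har name: number of recorded requests}. An encrypted recording is
    not a ZIP, so the caller learns that before trying to edit or inspect it."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(dast_config_bytes))
    except zipfile.BadZipFile:
        raise ValueError("not a ZIP archive: recording is encrypted or truncated") from None
    with archive:
        har_names = [n for n in archive.namelist() if n.lower().endswith(".har")]
        if not har_names:
            raise ValueError("archive holds no .har files")
        return {n: len(json.loads(archive.read(n))["log"]["entries"]) for n in har_names}


def sample_dast_config(urls):
    """Constructed sample traffic file (one minimal HAR inside a ZIP) for offline checks."""
    har = {"log": {"version": "1.2", "entries": [{"request": {"method": "GET", "url": u}} for u in urls]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("recording.har", json.dumps(har))
    return buf.getvalue()


def record_session(base, recording_port, drive, out_path):
    """Start a proxy instance, run drive(recording_port) (your Selenium script or
    send_through_proxy calls), stop the instance and save the traffic file.
    The server deletes a recording once it has been downloaded, so the bytes are
    written to disk before they are inspected; an encrypted recording raises
    ValueError only after the file is safely saved."""
    call(start_proxy_url(base, recording_port))
    try:
        drive(recording_port)
    finally:
        call(stop_proxy_url(base, recording_port))
    data = call(traffic_url(base, recording_port))
    with open(out_path, "wb") as fh:
        fh.write(data)
    return har_entry_counts(data)
```

A typical call is record_session("http://localhost:8383", 8090, lambda port: send_through_proxy("http://app.example/login", port), "run1.dast.config"); the returned dictionary tells you at a glance whether the test actually produced requests before you upload the file as Explore data.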

Encrypt the DAST.CONFIG File

If you need to edit your DAST.CONFIG before encryption, edit the unencrypted file, upload it for encryption, and then download the encrypted file.
  • To upload your file for encryption, use the EncryptDastConfig API.
  • To download the encrypted file, use the DownloadEncryptedDastConfig API.

StopAllProxies

Note: It is advisable to use this command with caution.

This command stops all proxies on all ports, including proxies that were started by other users.

Attempting to stop a specific proxy port after the StopAllProxies command has been run will cause an exception, so use this command carefully.

Updates

Proxy

Before removing the AppScan Proxy Server and moving to a newer version, make sure to copy any configuration files you may have modified (such as Settings.json and proxy.chain) into the new folder.

Proxy Service

Before moving to a newer version of the DastProxy / Dast Proxy Service, you must run node service.js --uninstall.