Recording Proxy tab

Use this tab to configure AppScan to act as a proxy for external browsers, or for manually exploring non-SOAP web services using either a remote device (such as a mobile phone), or a local application (such as a simulator or emulator).

Option

Description

Proxy Port

Specifies which port AppScan uses. When using AppScan as a proxy server you need to configure the external browser or mobile device to use this port.

Use the check box to select whether AppScan selects an available port automatically, or lets you choose the port. Note that if the port is chosen automatically it may change between sessions, and you will therefore need to re-configure your mobile device.

External Connections

This setting determines which connections to external domains are accepted.
Reject all
(Default) Connection attempts from all external IPs will be rejected. Use this setting only if you will be exploring using an application on the same machine as AppScan.
Accept white list only
Connections from external IPs that appear on the white list will be accepted; all others will be rejected.
Accept white list and prompt for others
Connections from external IPs that appear on the white list will be accepted automatically; for all others the AppScan user will be prompted, with the option of adding the new IP to the white list. Note that prompts are seen only if the External Traffic Recorder is open.

White List

Connections from IPs listed here will be accepted automatically.

To add new IPs to the list, click the plus icon, and select an option:

  • To add a single IP to the list, type in the IP and optionally a description.
    Tip: If you will be using a remote device but are not sure of its IP address, or if it changes frequently, select White List and prompt for others. The first time the device connects with a new IP, a pop-up appears giving you the option to add it to the white list.
  • To add a range of IP addresses, add an IPv4 address and subnet mask, or an IPv6 address and subnet prefix length, and optionally a description.

AppScan SSL Certificate

If the server uses HTTPS, since AppScan has to act as a proxy in order to record the traffic between the web service and the device you use to manually explore, it will be sending SSL certificates to the device instead of the web service's certificate. When a browser receives an unrecognized certificate it typically warns the user with a pop-up, but in the case of a mobile device the request is usually just ignored. It is therefore impossible to explore the application unless the AppScan certificate is accepted on the device sending the requests.
Add
Adds the AppScan SSL certificate to the root certificates on this machine.
You must do this to allow sending requests to the web service. The AppScan certificate will be added to the root certificate, and requests from the web service to the simulator will not be rejected.
Note: After you have added the certificate, the button changes to Remove, and can be used to remove the certificate from the AppScan machine.
Export
Saves the AppScan SSL certificate that is currently installed on this machine, as a ZIP file, so it can be added manually to the root certificates on a different device. Note that you do not usually need to do this, as you can import the certificate directly from the device in most cases.
  1. In AppScan, click Scan > Manual Explore > Using External Device
    The External Traffic Recorder opens with status "Waiting for incoming connections".
    Important: Leave it open for the next sub-steps.
  2. On the mobile device, browse to http://appscan
  3. In AppScan, if you are prompted to allow an incoming connection from your device, click OK.
    When the device connects successfully to AppScan as its proxy, a message (on the device) confirms the connection, IP and port. If the certificate is installed on the AppScan machine, it also provides a button to install it on the device.
    Note: If the button is grayed out, the certificate is not installed on the AppScan machine.
    Note: The device's domain and request will appear in the External Traffic Recorder lists.
  4. On the mobile device, tap Install AppScan SSL Certificate
    The certificate is installed.
    Note: If the device is unable to access the application you are testing after this procedure, you need to install the certificate (onto the remote device or application) manually:
    1. In AppScan, open Tools > Options > Recording Proxy
    2. Click Export and save the certificate as a ZIP file.
    3. Install the certificate as a root certificate on the device or application.
  5. When finished, click Cancel on the External Traffic Recorder, to close it.
Note: This option is active only if the certificate is already added to the root certificates on this machine.
Attention: The AppScan certificate that is exported must be identical to the one installed locally. If you Remove the local certificate and then Add again, you must also reinstall it on the device, as the new certificate is not identical to the previous one.

For more information, see Using AppScan as recording proxy