Home
Tools
This section explains how to use additional tools provided with HCL AppScan Standard.
PowerTools
AppScan offers access to five utilities (PowerTools), each providing a specific feature to help you manage your application security or to help you use AppScan.
Authentication Tester
The Authentication Tester PowerTool is a testing utility that uses the "brute-force" technique to reveal weak username-password combinations that could be used to gain access to your web application. (A brute force attack is an automated process of trial and error used to guess authentication credentials, causing a server to acknowledge an imposter as a legitimate user.)
Advanced configuration
Form Authentication tab

Tools
This section explains how to use additional tools provided with HCL AppScan Standard.
- Options dialog box
  This section describes options you can control, to customize AppScan, from the Options dialog box (Tools > Options).
- Web Services Wizard extension
  This extension lets you scan using Open API description files. It is available from Tools > Extensions > Web Services Wizard (Open API), and the extension is enabled by default.
- Scan Scheduler
- User-Defined Tests
- PowerTools
  AppScan offers access to five utilities (PowerTools), each providing a specific feature to help you manage your application security or to help you use AppScan.
  - Authentication Tester
    The Authentication Tester PowerTool is a testing utility that uses the "brute-force" technique to reveal weak username-password combinations that could be used to gain access to your web application. (A brute force attack is an automated process of trial and error used to guess authentication credentials, causing a server to acknowledge an imposter as a legitimate user.)
  - Connection Test
    The Connection Test PowerTool enables you to ping web sites without using the Ping protocol, which is blocked by many firewalls.
  - Encode/Decode
    The Encode/Decode PowerTool encodes and decodes strings you put into it, to and from the format of your choice.
  - Expression Test
    Writing precise regular expressions can be a tedious trial-and-error process. You can use the Expression Test PowerTool to help accelerate the process.
  - HTTP Request Editor
    The HTTP Request Editor PowerTool enables you to send a fully-controlled HTTP request to your site, to test how your site responds to different kinds of HTTP request.
- Customizing the Tools menu
- Extensions
- Logs
  Logs can help you troubleshooting.
- Searching Results
  You can filter the Result List in any of the views, for specific data.

Form Authentication tab

This tab holds the Successful Login regular expressions that you enter to describe the page that is sent in response to an accepted username-password. (Information entered here applies only when Form Authentication is tested.)


Option	Description
Successful Login Detection
Success Response	When selected, currently configured Success Responses are displayed in the pane below.
Error Response	When selected, currently configured Error Responses are displayed in the pane below.
Add/Remove	See Describe the application's login responses for instructions on adding responses to the lists; or About metacharacters to learn more about writing regular expressions.
Default Counterfeit Credentials
Username/Password	These fields show the strings that you will be asked to enter when creating the login request to configure Form Authentication (see Form authentication). They do not need to be valid credentials as they are not used to actually log in to the site. They are simply used to identify to Authentication Tester the location of the credentials in the login request (for use in Brute Forcing the site). The default values are `BruteUsername` and `BrutePassword`. If client-side logic will not allow these values to be used in a login request to the site (for example, if the application requires an email as the username, and client-side logic enforces this rule when creating the login request), change these values to a valid format. When changing the default counterfeit credentials, make sure that neither value is a sub-string of the other. For example, if you enter user@email.com as the username, you may not use user as the password.