General FAQ

This topic addresses general application questions.

What are the different ways available to scan web services?

A site is scanned by first exploring it, and then, based on the data gathered, testing it. "Explore data" can be gathered using one or more different Explore methods. In all cases, once the Explore data is gathered AppScan is used to create and send tests to the site during the Test stage.
Exploring web applications (sites with a user interface)
  • In the case of applications (sites) without web services it is often sufficient to supply AppScan with the start URL and login authentication credentials for it to be able to test the site.
  • Manual Explore: If necessary you can manually explore the site through AppScan,in order to get access to areas that can only be reached through specific user input.
  • Multi-Step Operations: For pages that can be reached only by accessing pages in a specific order, you can record a multi-step operation for AppScan to use.
While the Configuration Wizard lets you configure and start your scan in a few steps, for complex sites the Configuration Dialog Box lets you fine-tune and customize many more settings.
Exploring web services
There are two methods for doing this, the first is recommended.
  1. You can set up AppScan as a recording proxy for the device (such as a mobile phone or simulator) you use to explore the service. That way AppScan can analyze the Explore data collected, and send appropriate tests. You can also use AppScan to record traffic using external tool, such as a web services functional tester. See Using an external client.
  2. If you have Open API description files (JSON or YAML) for your web service, you can use the Web Services Wizard extension to configure a scan, and the multi-step sequences needed to use the service. AppScan will then automatically scan the service.

What is the difference between a manual exploring and a multi-step operation?

Manual Exploring

Manual exploring is when you explore your site to gather data that can be used by AppScan to ensure that when it tests the site it covers parts of the application or services that it might have missed with its automatic Explore stage. This may be because specific user input is required, or because the site responds only to a different type of tool or device. You can manually explore using AppScan, or using it as a recording proxy.

See Manual exploring

Multi-Step Operation
A multi-step operation is needed to explore parts of the site that can only be reached by clicking links in a specific order, such as an online shop where the user adds items to a cart before paying for them. Consider the following three pages:
  1. User adds one or more items to a shopping cart
  2. User fills in payment and shipping details
  3. User receives confirmation that the order is complete
Page 2 can be reached only via Page 1. Page 3 can be reached only via Page 1 followed by Page 2. This is a sequence. In order to be able to test Pages 2 and 3, AppScan® must send the correct sequence of HTTP requests before each test.

See Multi-Step Operations view

What is the difference between action-based playback and request-based playback?

When a procedure is recorded for use as the Login or a multi-step operation, two possible playback methods are available:
Request-based playback
Sends the raw HTTP requests from the recording. This method is usually faster.
Action-based playback
Replays the clicks and keystrokes of the user. Reasons for selecting this method could be that the site includes a lot of JavaScript, or that some of the requests in the request-based playback were marked with a red X when you attempted to validate them. This method can increase scan time.

See Configure > Explore > Review & Validate tab, and Configure > Multi-Step Operations view

What test policies can replace the Web Services, The Vital Few, and the Developers Essentials test policies when they are removed?

In version 10.0.5 we announced our intention of removing three test policies in a future release. The following methods can be used to obtain similar results. If you use these policies, you may wish to start using the suggested alternatives.

Current policy

Suggested alternative

Web Services


The Default test policy now covers web services, so a separate policy is not needed.

The Vital Few


Use the Default policy together with the fastest Test Optimization setting.

Developers Essentials

Application Only

Use the Application Only policy together with one of the faster Test Optimization settings.