Initial Configuration

About this task

Perform these basic configuration steps before attempting to start exploring the site, whether manually or automatically.


  1. Define and verify the starting URL for the scan.
    1. Click File > New and create a new web application scan using the wizard (or configure using the configuration dialog box, Scan Configuration > URL and Servers view).
    2. Type in the Starting URL for the scan.
    3. If your application is case-sensitive, make sure that the Case Sensitive Path check box is selected.

      In general, applications that run on Linux based operating systems tend to be case-sensitive, while those that run on Microsoft Windows are not case-sensitive. Java based applications are an exception, and tend to be case-sensitive on any operating system.

    4. Click the View in Browser icon, next to the URL field, and verify that the expected page appears in the AppScan browser.
  2. Record the login procedure. This enables AppScan to log in to the application both to start the scan and whenever it gets logged out during the scan.
    1. In Step 2 of the wizard, (or in Scan Configuration > Login Management view), click the red Record button to start recording your actions. The browser opens at the starting URL you defined previously.
    2. Perform all the steps a user needs to do in order to log in to the application.
    3. Look for some indication on the page that confirms you are logged in, such as "Welcome [Username]", or a "Log Out" link, that would only be seen by a logged-in user.
    4. Close the browser and look for the green key icon to confirm that an in-session pattern has been identified.
      If the icon is red , an in-session pattern has not been detected, and you must define it manually (see Select Detection Pattern dialog box).
      Note: Although, in general, the first URL whose response incudes the in-session pattern should be the "In-Session URL", and this is the URL that is selected automatically, sometimes you can improve performance by selecting a later URL (see Optimizing In-Session Detection).
  3. Validate the in-session pattern. The in-session pattern is a regular expression that matches a pattern or string on the page that appears to the user after successful login, such as "Welcome [Username]", or a "Log Out" link. Even though the icon is green, you should verify this pattern.
    1. In Step 2 of the wizard, select I want to configure In-session detection options, and then click Next (or go to Scan Configuration > Login Management > Details view).

      The Login sequence is shown.

    2. Double-click on the page marked "In Session" to open it in the browser.
    3. In the browser, click on the Request/Response tab to see the source code, and verify that the selected pattern does indeed indicate in-session status.
      Note: If the page content is JavaScript or CSS, then in all cases it is not suitable as the in-session page, and you should choose another page.

    If the key icon is green, but the selected pattern is not an in-session pattern, refer to Request-based login troubleshooting.

  4. Lockout configuration. During the Test stage, AppScan makes many invalid login attempts. If your site has an account lockout feature, that locks users out when invalid passwords are entered a certain number of times, AppScan will get locked out and be unable to complete the scan.
    • Disable account lockout, or (if this is not practical)
    • Configure AppScan not to test login and logout pages (Scan Configuration > Test Options, deselect Send tests on login and logout pages).