Welcome
Welcome to the documentation for HCL AppScan Standard version 10.2.0
Getting started
This section provides a short tour of basic product features and procedures, including using the wizard to set up a scan.
What's new
This section describes new AppScan Standard product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
System requirements
A summary of the minimum hardware and software required for the machine that runs AppScan Standard.
Installing
The installation wizard guides you through the fast and simple process.
License
This section describes for the trial and paid versions of AppScan Standard.
How an automatic scan works
This topic explains the difference between the "stages" and "phases" of a scan.
Web application vs. web API
This topic explains the different methods available for exploring sites, before AppScan tests them.
Basic workflow
A diagram showing a simple AppScan workflow using the scan configuration wizard.
Home screen
Describes the options available from the home screen that opens when you load AppScan.
Tour of the main screens
Describes the components of the AppScan main screen (Issues view), and all menus and toolbars.
Tutorial
This simple tutorial goes through the steps of configuring a simple application scan using the Scan Configuration wizard, running the scan, and reviewing the results.
Sample files
The sample files can help give you a feel for using AppScan and what scan results look like.
Configuration
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
Presets
Presets give you the main configuration views needed for a particular type of scan.
Scan using a Postman Collection
If you have a Postman Collection of requests to your web API, you can import it and use it as the basis for a scan.
Incremental scan wizard
Lists the steps of this wizard.
Scan file structure
Explains the basic structure of an AppScan Standard SCAN file.
Scan templates
A scan template is simply a scan configuration that has been saved so that you can use it again.
Manual exploring
Manual exploring enables you to explore specific parts of your application, filling in fields and forms as you go. This can be a way of ensuring that particular areas of the site are covered, and that AppScan has the information needed to complete forms correctly.
Using a browser
For web applications, you can usually use the build-in Chromium browser for manual exploring. Where necessary the built-in IE vbrowser, or an external browser can be used.
Using an external client
You can manually explore RESTful or other non-SOAP web APIs - or SOAP APIs that do not require security envelopes - using a mobile phone, simulator, or emulator. AppScan displays the domains and requests in its External Traffic Recorder, and create appropriate tests from the input.
Scanning
Learn how to start a scan, and what happens during the scan; how to manually manipulate the Explore stage, and how to export the results of a scan.
Data
Data view is populated with information about the structure of the site during the Explore stage of the scan.
Issues
Issues view provides access to the results of a scan. You can view results at a high level or select specific tests or objects and access more details. These details include how to fix, requests/responses, and differences between the test variants that resulted in issues. You can manipulate the severity of issues, resend tests (with or without modifications), and create reports based on Issues.
Reports
This section describes how to generate reports from the scan results.
Security reports
The Security report provides information about security issues discovered, and you can choose from a variety of templates depending on the type of content you need.
Industry Standard and Compliance reports
Industry Standards reports let you know if your application complies with standards of a selected industry committee; Regulatory Compliance reports let you know if your application complies with specific regulations or legal standards.
Delta Analysis reports
The Delta Analysis report compares two sets of scan results and shows the difference in URLs and/or security issues that were discovered in them.
Template-based reports
The Template Based tab of the Create Report dialog box enables you to create reports in Microsoft® Word DOC and DOCX formats, with exactly the data you want, and the document formatting you define.
Tools
This section explains how to use additional tools provided with HCL AppScan Standard.
Options dialog box
This section describes options you can control, to customize AppScan, from the Options dialog box in Tools > Options.
Web API Wizard extension
This extension lets you scan using Open API description files. It is available from Tools > Extensions > Web Services Wizard (Open API), and the extension is enabled by default.
PowerTools
AppScan offers access to five utilities (PowerTools), each providing a specific feature to help you manage your application security or to help you use AppScan.
Logs
Logs can help you troubleshooting.
Searching Results
You can filter the Result List in any of the views, for specific data.
Integrations
This section describes integrations of other applications with AppScan Standard:
AppScan Enterprise
This section describes ways AppScan Standard and Enterprise editions can interact.
AppScan on Cloud
This section describes ways AppScan Standard can interact with HCL AppScan on Cloud, to scan apps on the cloud.
Automation Frameworks
You can use scripts written for your QA automation framework (such as Selenium) to create Manual Explore recordings for an AppScan scan.
Best practices
This section contains some best practices and use cases for advanced users.
Workflow for advanced users
This workflow can help users with experience in the field of web security achieve a more thorough scan.
Sites that use parameter-based navigation
Sites in which all pages are reached using a single URL, need a specific scan configuration.
Scanning live production environments
The following risks and suggestions should be considered before scanning a live site with AppScan.
Understanding Test Optimization
This section describes how Test Optimization works and how best to incorporate it into your development lifecycle.
General FAQ
This topic addresses general application questions.
External traffic recorder not recording
If your external device is configured correctly, AppScan's external login recorder and external traffic recorder will show the traffic sent from the device as you send it. This section offers suggestions if it does not.
Login troubleshooting
Tips for troubleshooting session detection problems in Scan Configuration > Login Management view.
Multi-step operation troubleshooting
Some suggestions for troubleshooting action-based multi-step operations.
Out-of-session troubleshooting
Some suggestions for troubleshooting out-of-session issues.
Postman Collection scan
Some suggestions for troubleshooting a Postman Collection scan.
Server not responding
Some suggestions for troubleshooting if the server is not responding.
Replacing unsigned extensions
If you want to use an unsigned extension that you used with a previous version of AppScan, you can either elect to trust it, or see if a signed version is available to replace it with.
Extended Support Mode
Extended Support Mode logs all AppScan activity, for packing and sending to your support provider to help troubleshooting a problematic procedure.
Changing the default browser
You can configure AppScan to use a browser other than its built-in browser.
Logs
This section includes explanations of Scan Log messages (View > Scan Log).
CLI
This section describes the syntax and options available using the Command line interface.
References
Menus and toolbar summaries, and glossary
Browser toolbar
The icons on the toolbar of the embedded AppScan® browser, used to display and save screenshots of application responses.
Keyboard shortcuts
AppScan offers these keyboard shortcuts.
Accessibility controls
Describes all keyboard shortcuts and controls.
Temp files
Describes where AppScan® saves its temporary files during normal operation, and how to change the location.
Glossary
This glossary explains terms and acronyms used in the AppScan® Standard user interface and documentation.
CWE support
CWE (Common Weakness Enumeration) is an industry standard list that provides common names for publicly known software weaknesses. The following CWE IDs, and their parent or child IDs, are supported in the current version of AppScan Standard.