Home
Configuration
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
Views
API
For scanning web APIs, define the your API type (improves coverage by better configuring custom parameters), explore method, and domains to be tested.

Configuration
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
- Presets
  Presets give you the main configuration views needed for a particular type of scan.
- Views
  - Starting URL and domains
    Configure the Starting URL for the scan, and any additional servers and domains to be included.
  - API
    For scanning web APIs, define the your API type (improves coverage by better configuring custom parameters), explore method, and domains to be tested.
    - SSL Certificate
      If your server uses HTTPS, you need to add the AppScan SSL root certificate (so that requests sent using AppScan as proxy will be accepted).
  - Exclude paths and files
    You can configure AppScan to ignore certain paths in the application, or specific types of file.
  - Multi-step operations
    Record and manage multi-step operations that are required to reach specific parts of the application that could otherwise be missed.
  - Login management
    Show AppScan® how to log in to your application.
  - One-time password (OTP)
    Configure AppScan® to use OTP (a kind of multi-factor authentication, or MFA) when logging in.
  - HTTP authentication
    Add server-level authentication and client-side certificates, if required by the application.
  - AWS authorization
    Configure AWS settings.
  - Communication and proxy
    Configure communication timeout and proxy server settings.
  - Parameters, cookies & headers
    Identify session IDs and list parameters to exclude from the scan.
  - Automatic form fill
    Provide AppScan® with valid parameter values for filling forms in your application during the scan.
  - Error pages
    Add strings, regular expressions and URLs to identify your application's custom error pages.
  - Explore options
    Define the explore method (action-based, request-based, or both) that AppScan will use to explore the application, as well as other basic and advanced explore settings.
  - Test policy and optimization
    Define the collection of tests that will be sent to the application during testing; the test policy, and apply optimization for faster scans at times in the product lifecycle when speed is more important to you than scan depth.
  - Environment definition
    Environment definition is not essential, but enables AppScan® to safely refrain from sending non-relevant tests during the scan, resulting in a faster and more accurate scan. Customizing CVSS 3.1 environmental scores will improve the accuracy of your scan results.
  - Test options
    Additional test options.
  - Privilege escalation
    Compare scans that used different user privileges, to discover if privileged resources are accessible to non-privileged users.
  - Content-based view
    Lets you define a logical structure for the application tree, for cases where a URL-based tree will just be a long list under one or two URLs. This is not essential, but can make it much easier to navigate results.
  - Advanced configuration
    This view gives you access to many advanced registry settings and it should only be used by experienced AppScan users, or when instructed to do so by the support team to troubleshoot a problem.
- Scan using a Postman Collection
  If you have a Postman Collection of requests to your web API, you can import it and use it as the basis for a scan.
- Incremental scan wizard
  Lists the steps of this wizard.
- Scan file structure
  Explains the basic structure of an AppScan Standard SCAN file.
- Scan templates
  A scan template is simply a scan configuration that has been saved so that you can use it again.
- Changing the configuration during a scan

API

For scanning web APIs, define the your API type (improves coverage by better configuring custom parameters), explore method, and domains to be tested.

Use Configuration > API to configure your web API scan.

Select your API type:
- Open API:
  1. If possible, add a description file, to help AppScan identify path parameters.
  2. Click Verify description file and AppScan will confirm that the file is valid.
- GraphQL
- Other
Explore method:
- If you have a Postman Collection file, choose and verify the file.
  Note: Once you add a Postman Collection to a configuration, you cannot export it as a SCANT (template) file, as the collection cannot be included in a template. You must either remove the collection or save as a SCAN file.
- Otherwise, you can use manual explore, or import explore data.
You must add at least one domain from the Postman Collection to be scanned.
Tip: The domains in the Postman Collection will not be scanned unless you add them here.

When you have configured any additional settings, such as Login or Test policy and optimization, you can run a full scan or Explore only.