Record a Sequence

About this task

If a login sequence has been configured (see Login tab), there are two options when recording a multi-step operation:

AppScan IE browser > Log in and then record
AppScan® will log in to the application automatically (using the login you recorded) before the browser opens. You can then record your multi-step operation without recording the login requests. The advantage of this method is that the login requests are not replayed every time the sequence is played, but only when AppScan is out-of-session.
Note: Parameters and cookies that are present in the Multi-Step sequence but not in the Login sequence are always tracked as Dynamic, even if you change their tracking to Login Value.
AppScan IE browser > Record without login
AppScan will begin recording the sequence without logging in. When the browser opens you record your multi-step sequence directly. If you need to log in, the login will be part of the recording and will therefore be replayed every time the sequence is played, which can significantly increase scan time. Where login is required, the best practice is to use the previous option.
Note: If you use this option and then record login requests as part of the sequence, parameters and cookies received are always tracked as Dynamic, even if they are Login requests, and even if you change their tracking to Login Value.
AppScan Chromium browser
AppScan will record using the built-in Chromium-based browser, without logging in. When the browser opens you can log in, if needed, and then record your multi-step sequence.
Note: If you use this option and then record login requests as part of the sequence, parameters and cookies received will always be treated as Dynamic, even if they are Login requests, and even if you change their tracking to Login Value.

If no login sequence has been configured there is just one option: Record.

Important: During playback of a multi-step operation, in-session detection is Off (see Login tab). This means that AppScan does not verify that it is logged in. Therefore, if failure of the multi-step operation would cause the user to be logged out of the application, it is important that login be recorded as part of the sequence (so that it is replayed each time the sequence runs). If this is not done, the multi-step operation may fail.
Note: If your website does not support Internet Explorer, click > Use AppScan Chromium browser instead.

Procedure

  1. Click the red record button and select one of the record options (see above).

    The browser opens and begins recording.

  2. Click on links and fill in fields as necessary to reach the required pages. You can use the Pause button if you want to click links without recording them as part of the operation.
  3. Close the browser.

    The sequence appears in the Sequence pane (upper right). Sequences are automatically named in order ("Sequence 1", "Sequence 2", etc.), but you can rename a sequence by typing into the name field.

    You can optionally change the Playback Method (bottom left of the dialog box):
    • Request-based playback (default) sends the raw HTTP requests from the recording. This method is usually faster.
      [Image: Sample sequence in Request-based view]
    • Action-based playback replays the clicks and keystrokes of the user. Reasons for selecting this method could be that the site includes a lot of JavaScript, or that some of the requests in the request-based playback were marked with a red X when you attempted to validate them. This method can increase scan time.
      [Image: Sample sequence in Action-based view]
    Note: If the scan is configured to use a browser other than the embedded browser (Tools > Options > Use external browser), request-based playback is always used.
    Note: If your site requires users to log in, and you selected Request-Based Login, you must select Request-based Multi-Step Operations too; otherwise the Multi-Step Operations will not be sent.
  4. Click Validate.
    AppScan replays the sequence, and a green check-mark appears next to each request or action that is successfully replayed. If a request or action is not successful, a red X appears next to it. Options:
    • View any URL by selecting it and clicking the Show in browser button.
    • Remove any unnecessary step by selecting it and clicking the minus button. After doing this, click the Validate button to check that the sequence still stays in-session.
    • Right-click on a step in the sequence and set it to Don't Test. The URL will still be included when playing the sequence, but will not be tested individually.
    • Right-click on a step that is set to be tested individually, and select Play sequence before testing request > No if it is not necessary to play the previous steps in the sequence each time this URL is tested.