Exploring with the External Traffic Recorder

This is an example of a simple workflow for a non-SOAP web services scan.

About this task

This sample workflow shows each conceptual step separately.
Note: You can configure and send requests from more than one mobile device through the same instance of the External Traffic Recorder. All domains and requests will be listed together.

Procedure

  1. Select a template

    Click File > New and select a template:

    • For IBM® Worklight® Developer:
      1. Select the Worklight template
      2. If your Worklight application code uses app authentication (authenticity): in the Worklight server, open the Worklight console and make sure that application authentication (authenticity) is disabled, or disable it in the application code.
    • For other environments: Use the Regular Scan template
    Note: If Internet Explorer is configured on your machine to use AppScan as a proxy, you must verify that AppScan is not configured to use your Internet Explorer proxy settings, as this would result in a loop. To resolve this conflict, in Configuration > Communication and Proxy tab, select one of the other two options:
    • Don't use proxy
    • Use custom proxy settings
    If you record a Manual Explore using the External Traffic Recorder without doing this, the setting will automatically be changed to Don't use proxy. The Test stage Redundancy Tuning is used whether or not the check box is selected.
  2. In the wizard welcome dialog box, select External device/client (with AppScan as recording proxy), and then click Next.
  3. Follow the wizard steps:
  4. When the External Traffic Recorder opens with the status "Waiting for incoming connections", manually explore the web service from your device/application:
    1. Using your device or application, explore the web service.

      As you explore, domains detected are listed in the left pane of the recorder, and URLs are listed in the right pane.

    2. When finished, in AppScan click Stop Recording.
  5. Review and edit the Manual Explore data:
    Domains detected
    All domains to which requests were sent are listed, and by default selected for adding to the list of Additional Servers and Domains (Configuration > URLs and Servers > Additional Servers and Domains) so they can be included in the scan. You can deselect any you do not want included in the scan.
    Tip: You should deselect any domains that belong to other companies.
    Requests sent
    All requests sent by the device to the domains selected in the left pane are listed. If you select or clear domains in the left pane, the requests list is updated. You can delete specific requests if they are not needed.
    Tip: If the total number of filtered requests is more than 200, deleting some of them may produce a more efficient scan.
    Note: At this stage you can click Export to save the Explore data for use on another machine.
  6. Click OK to close the recorder.

    AppScan takes a few moments to process and display the data.

  7. To start the Test stage, click Scan > Test Only.

    The Test stage starts and, when it is complete, the scan results are displayed.
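
The review in step 5 (deselecting domains that belong to other companies, and trimming the request list when it exceeds 200) can be rehearsed offline before the Test stage. The following is an added example, not part of AppScan or of the original page: it works on a plain list of (method, URL) pairs rather than AppScan's export format, and `example.com`, the sample traffic and all function names are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

REQUEST_LIMIT = 200  # threshold taken from the tip in step 5

def in_scope(host, owned_suffixes):
    """True if host equals an owned domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so "notexample.com" does not pass as "example.com".
    return any(host == s or host.endswith("." + s) for s in owned_suffixes)

def triage(requests, owned_suffixes):
    """Split recorded (method, url) pairs into in-scope and third-party, keyed by host."""
    keep, drop = defaultdict(list), defaultdict(list)
    for method, url in requests:
        host = urlsplit(url).hostname or ""
        (keep if in_scope(host, owned_suffixes) else drop)[host].append((method, url))
    return dict(keep), dict(drop)

def dedupe(requests):
    """Keep one request per (method, host, path, parameter names) shape."""
    seen, unique = set(), []
    for method, url in requests:
        parts = urlsplit(url)
        names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
        shape = (method.upper(), parts.hostname, parts.path, names)
        if shape not in seen:
            seen.add(shape)
            unique.append((method, url))
    return unique

# Constructed sample traffic; example.com stands in for the organisation's own domain.
SAMPLE = [
    ("GET", "https://api.example.com/v1/items?id=1"),
    ("GET", "https://api.example.com/v1/items?id=2"),
    ("POST", "https://api.example.com/v1/login"),
    ("GET", "https://notexample.com/track?u=1"),
    ("GET", "https://cdn.thirdparty.test/lib.js"),
]

if __name__ == "__main__":
    keep, drop = triage(SAMPLE, ["example.com"])
    print("deselect these domains:", sorted(drop))
    kept = [r for reqs in keep.values() for r in reqs]
    if len(kept) > REQUEST_LIMIT:  # only trim when the list is large
        kept = dedupe(kept)
    print("requests left for the Test stage:", len(kept))
```

Hosts reported for deselection are the ones to clear in the left pane of the recorder; the de-duplicated list indicates which requests are candidates for deletion in the right pane.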