Have you ever deployed a new version of your web application to staging, browsed to the pages you changed, and wished you could record just those interactions and hand them to a quick dynamic scan to find security vulnerabilities?

Look no further. HCL AppScan has the right solution for you: the HCL AppScan Activity Recorder Chrome browser extension. This small utility lets you record traffic and actions from your website and upload the recording to the AppScan dynamic analysis tool of your choice, HCL AppScan Enterprise or HCL AppScan Standard. A recording can be either a login sequence or multi-step explore data. And if you are an HCL AppScan on Cloud (ASoC) user, we have something in store for you as well: ASoC lets you upload login sequences recorded with AppScan Activity Recorder for use in its dynamic scans.

Now that you are more familiar with our Chrome extension, let us take a deep dive into its simple installation and easy-to-use features.

Installation

To install AppScan Activity Recorder in your Chrome browser, perform these steps:

  1. Go to the Chrome Web Store and search for “AppScan”. The search results are displayed as shown in the snapshot below.

Alternatively, the AppScan tools themselves include a link to the Chrome Web Store page for AppScan Activity Recorder. Snapshots from AppScan Enterprise and AppScan on Cloud appear below.

  2. On the Chrome Web Store page, click “Add to Chrome”.
  3. Chrome shows its standard extension permission prompt, as in the snapshot below. Don’t panic: your software is not going to be harmed in any way. The prompt lists what the extension needs in order to capture your browsing activity; review it, then click “Add Extension”.
  4. Once the installation succeeds, a small HCL AppScan icon appears in the top right-hand side of your address bar, with the message shown below.
  5. If you cannot see the icon, click the “Extensions” icon and pin AppScan Activity Recorder so that its icon is shown in your address bar.

There are a couple of things you should remember, before we move forward to its usage:

  • You can allow the extension to run in incognito mode by navigating to Manage Extensions and enabling the “Allow in incognito” option. Only do this if you actually need to record from an incognito window.
  • Speaking of options, AppScan Activity Recorder includes an option to view your activity in a separate debugger window. Right-click the extension icon and choose “Options”, check the option and click Save. For the remainder of this blog, we will keep that option unchecked.

Usage

To start using AppScan Activity Recorder, follow the steps below:

  1. Navigate to the page of your website that needs to be scanned.
  2. Click the AppScan Activity Recorder icon. It starts blinking to indicate that recording has begun. For the purposes of this blog, we have used the demo site testfire.net.
  3. Notice the message above that shows the domain URL. This comes in handy when you have multiple websites open in the same browser window and forget which one you are recording.
  4. Start your manual crawl and let AppScan Activity Recorder do the work for you. Only the traffic you drive through the browser is captured, so make sure you exercise every page and form you want the scan to cover.
  5. Once you are done browsing, stop recording by either:
     • clicking the blinking icon, or
     • clicking “Cancel” in the browser window.
  6. The moment you stop recording, you are prompted to save the recording in dast.config format. This format was chosen because it is recognized by all AppScan tools. The file name includes the domain and the current timestamp for reference; feel free to rename it to suit your needs, for example by appending a login tag to a login sequence file. Bear in mind that a login sequence necessarily contains the credentials you typed during the recording, so treat the file as a secret: keep it out of source control and share it only with the scan tool that needs it.
  7. An additional step for inquisitive minds: to confirm the recording, unzip the saved file and paste the contents of the enclosed .seqe file into the JSON viewer of your choice to see the manually explored data. My recommendation would be to use the Online JSON Viewer. If the recording is a login sequence, prefer a local viewer so that your credentials never leave your machine.
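The steps above describe the recording only as a zip archive (.dast.config) wrapping a JSON file (.seqe). The following script, added here as an example and not part of the blog post or the AppScan product, opens such an archive offline, lists the URLs and domains the recording touches, flags leaves whose key names look like credentials or session material, and produces a redacted copy that is safe to paste into a viewer or attach to a ticket. The inner JSON layout used for the constructed sample (the `steps`, `body` and `headers` keys, and the demo.testfire.net paths) is an assumption, not the real AppScan schema, which is why the walker is schema-agnostic.

```python
"""Inspect an AppScan Activity Recorder recording (.dast.config) offline.

Added example, not code from the HCL AppScan blog post or product. The post
states only that a .dast.config file is a zip containing a .seqe JSON file;
the sample JSON built below is a constructed stand-in, not the real schema.
"""
import io
import json
import re
import zipfile
from urllib.parse import urlsplit

# Key names that usually carry material you would not want to share or commit.
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|cookie|authorization|session)", re.I)
URL_RE = re.compile(r"^https?://", re.I)


def read_seqe(archive_bytes: bytes) -> dict:
    """Return the parsed JSON of the first .seqe member inside a .dast.config zip."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = [n for n in zf.namelist() if n.lower().endswith(".seqe")]
        if not members:
            raise ValueError("no .seqe file inside the archive")
        return json.loads(zf.read(members[0]).decode("utf-8"))


def walk(node, path=""):
    """Yield (json_path, key, value) for every leaf of an arbitrary JSON tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, path.rsplit(".", 1)[-1], node


def summarize(archive_bytes: bytes) -> dict:
    """List recorded URLs, the domains they hit, and leaves that look sensitive."""
    doc = read_seqe(archive_bytes)
    urls, sensitive = [], []
    for path, key, value in walk(doc):
        if isinstance(value, str) and URL_RE.match(value):
            urls.append(value)
        if SENSITIVE_KEY.search(key) and value not in ("", None):
            sensitive.append(path)
    domains = sorted({urlsplit(u).netloc.lower() for u in urls})
    return {"urls": urls, "domains": domains, "sensitive_paths": sorted(sensitive)}


def redact(node, key=""):
    """Return a deep copy in which values under sensitive-looking keys are masked."""
    if isinstance(node, dict):
        return {k: redact(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v, key) for v in node]
    return "***" if SENSITIVE_KEY.search(key) and node not in ("", None) else node


def build_sample() -> bytes:
    """Build a constructed .dast.config in memory (assumed layout, not a real recording)."""
    seqe = {
        "domain": "demo.testfire.net",
        "steps": [
            {"method": "GET", "url": "https://demo.testfire.net/login.jsp"},
            {"method": "POST", "url": "https://demo.testfire.net/doLogin",
             "body": {"uid": "jsmith", "passw": "Demo1234"}},
            {"method": "GET", "url": "https://demo.testfire.net/bank/main.jsp",
             "headers": {"Cookie": "JSESSIONID=ABC123"}},
        ],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("demo.testfire.net-20200812.seqe", json.dumps(seqe))
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample()
    report = summarize(archive)
    print("domains:", report["domains"])
    print("urls:", *report["urls"], sep="\n  ")
    print("sensitive leaves:", *report["sensitive_paths"], sep="\n  ")
    print(json.dumps(redact(read_seqe(archive)), indent=2))
```

Run it against a real recording by replacing `build_sample()` with the bytes of your saved .dast.config. The domain list is a quick check that you recorded the site you intended (the same concern the extension's domain message addresses), and a non-empty `sensitive_paths` list is your cue to share only the redacted copy.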

Debug Option in AppScan Activity Recorder

Remember the debug option we mentioned earlier? It was added to AppScan Activity Recorder to let you watch your browsing activity as it is recorded: the cookies, the actions and the requests being made.

Let’s see what happens if you enable the debug option.

As soon as you start recording, a new window pops up that shows your actions as they are recorded and offers a Finish Recording button.

One important point: when the debug option is enabled, the extension icon does not blink. This is not a bug but a design limitation, and it does not prevent you from completing and saving the recording. On save, the debug window is not closed automatically; that is a deliberate design choice so that you can review the data at your own pace. Any grayed-out information in the debug window is a filtered response and will not appear in your sequence file.

At this point, you are ready to start using AppScan Activity Recorder to record traffic and actions in an AppScan tool of your choice.

Using AppScan Activity Recorder Recordings in HCL AppScan Enterprise

HCL AppScan Enterprise is a large-scale, multi-user, multi-application Dynamic Application Security Testing (DAST) tool that helps you identify, understand and remediate vulnerabilities and achieve regulatory compliance. It lets you configure content scans and ADAC jobs to suit your dynamic testing needs.

The login sequence and application explore data files recorded with AppScan Activity Recorder are compatible with both content scan and ADAC jobs. On top of that, imports are supported both through the AppScan Enterprise UI and through its REST APIs. To learn how, follow the detailed steps that are shown here.

On a successful import, the manually explored URLs are listed as shown below for a content scan job.

Using AppScan Activity Recorder in HCL AppScan on Cloud

HCL AppScan on Cloud (ASoC) is a SaaS solution for all application security testing needs; it scans web, mobile and desktop applications using dynamic and static techniques. ASoC exposes all of its functionality through a web UI. When you create a dynamic scan in this UI, you can upload a login sequence recorded with AppScan Activity Recorder, and ASoC replays it whenever it needs to log in to the application during the scan, as shown in the snapshot below.

ASoC also exposes this feature through its REST API, at /api/v2/Scans/DynamicAnalyzer, for ease of integration.

Conclusion

To summarize, AppScan Activity Recorder is an effective tool for your recording needs. Use the extension and let us know which features and enhancements you would like to see via the Reviews section on our Chrome Web Store page. To test-drive HCL AppScan on Cloud, please visit our free trial page.