HCL SW Blogs
HCL SW Blogs
Select Page
Secure DevOps
  |  July 27, 2020

A Closer Look at HCL AppScan Activity Recorder’s Features and Usage

Vinita Sanghi
Vinita Sanghi
Engineering Manager at HCL AppScan
HCL AppScan Activity

Have you ever encountered a scenario where you have just deployed a new version of your Web application to staging, navigated to the changes that you made on your website, and mulled around recording only those changes, in order to perform a quick dynamic scan to figure out your security vulnerabilities?

Look no further. HCL AppScan has the right solution for you – HCL AppScan Activity Recorder Chrome browser extension. This small utility enables you to record traffic and actions from your website and upload those recordings to the AppScan Dynamic analysis tool of your choice – HCL AppScan Enterprise or HCL AppScan Standard. The recordings can either be a login sequence or multi-step data. And, if you are an HCL AppScan On Cloud (ASoC) user, we have something in store for you as well. ASoC lets you upload login sequences recorded via AppScan Activity Recorder for its dynamic scans.

Now that you are more familiar with our Chrome extension, let us take a deep dive into its simple installation and easy to use features.

Installation

To install AppScan Activity Recorder in your Chrome browser, perform these steps:

  1. Go to Chrome Web store and search for “AppScan”. The search results will be displayed as shown in the snapshot below:

appscan activity recorder

 

 

 

 

 

Alternatively, AppScan tools also include a link to Chrome web store for AppScan Activity Recorder installation. Snapshots from AppScan Enterprise and AppScan on Cloud appear below:

manual explore

 

 

 

 

 

 

scan dynamic

 

 

 

 

 

 

 

 

 

 

 

  1. In the Chrome web store link, click on ”Add to Chrome”.
  2. You will be prompted with a message as shown below: Don’t panic. Your software is not going to be harmed in any way. Click on “Add Extension”.

add appscan activity recorder

 

 

 

 

 

 

3. Once the installation is successful, you will see a small HCL AppScan icon in your address bar on the top right-hand side, with the message that appears below.

      appscan activity recorder added

 

 

 

 

 

4. In case you are unable to view the icon, click on the “Extensions” icon and pin AppScan Activity Recorder, so you can view the extension icon in your address bar.

pin extension

 

 

 

 

 

 

 

 

There are a couple of things you should remember, before we move forward to its usage:

  • You can enable the extension to work in incognito mode by navigating to Manage Extensions and enabling the “Allow in incognito” option.
  • Speaking about options, the AppScan Activity Recorder includes an option for you to view your activity in a separate debugger window. Just right-click on the extension and choose “Options”. Check the option and click on save. For the remainder of this blog, we will keep that option unchecked.

appscan activity recorder configuration

 

 

 

 

Usage:

To start using AppScan Activity Recorder, follow the steps below:

  1. Navigate to your website page that needs to be scanned.
  2. Click on the AppScan Activity Recorder icon. It should start blinking to indicate that the recording has started. For purposes of this blog, we have used the demo site testfire.net.

appscan activity recording

 

 

 

 

 

 

 

 

3.    Notice the message above that shows the domain URL. This will come in handy when you have multiple websites open in the same browser window and potentially forget which one you are recording.

4.   Start your manual crawl and let AppScan Activity Recorder do the work for you.

5.  Once you are done browsing, you can stop recording via:

    • Clicking on the blinking icon.
    • Clicking “Cancel” in the browser window:

appscan activity recorder debugging

 

6.  The moment you stop recording, you will be prompted to save the recording in dast.config This format is chosen, as it is recognized by all AppScan tools. The file name includes the domain and current timestamp for reference. Feel free to modify it, per your requirements. For example, your login sequence file can be appended with a login tag for ease of  use.

7.  An additional step for inquisitive minds: If you want to confirm the recording, unzip the saved file and copy-paste the contents of the enclosed. seqe file into the JSON viewer of your choice, to see manual data that’s explored. My recommendation would be to use the Online JSON Viewer.

Debug Option in AppScan Activity Recorder

Remember we spoke about a debug option earlier? This option has been added to AppScan Activity Recorder to let you view the browsing activity by recording cookies, actions and the requests being hit. 

Let’s see what happens if you enable the debug option.

As soon as you start recording, a new window will pop-up, displaying an option to Finish Recording whilst recording your actions.

appscan recording information

 

 

 

One important point to note is that when the debugging option is enabled, the extension icon will not be blinking. This is not a bug, but it can be considered a design limitation. However, this will in no way prevent you from completing and saving the recording. On a save, we do not close the debug window automatically. This is not a design limitation, but a design consideration to let you view the data at your own pace. In case you notice any grayed-out information, that’s the filtered response, and it will not be visible in your sequence file.

At this point, you are ready to start using AppScan Activity Recorder to record traffic and actions in an AppScan tool of your choice.

Using AppScan Activity Recorder Recordings in HCL AppScan Enterprise

HCL AppScan Enterprise is a large-scale, multi-user, multi-app Dynamic Application Security Testing (DAST) tool, to identify, understand, and remediate vulnerabilities, and help you to achieve regulatory compliance. It allows you to configure Content scans and ADAC jobs to suit your dynamic testing needs.

The login sequence and application explore data files recorded via AppScan Activity Recorder are compatible with both content scan and ADAC jobs. And to top it off, we support imports via the AppScan Enterprise UI as well as REST APIs. How? To learn more, follow the detailed steps that are shown here.

On a successful import, you will see the manually explored URLs as listed below for a content scan job.

appscan new

 

 

 

 

 

 

 

 

 

 

 

Using AppScan Activity Recorder in HCL AppScan on Cloud

HCL AppScan on Cloud (ASoC) is a SaaS solution for all application security testing needs that can scan web, mobile and desktop applications using dynamic and static techniques. ASoC has a Web UI that enables all of its functionality. While creating a dynamic scan through this Web UI, you can use AppScan Activity Recorder to record a login sequence that ASoC can use whenever it needs to log in to the app during the scan, as shown in the snapshot below:

create scan dynamic

 

 

 

 

 

 

 

 

 

ASoC has also exposed this feature via its REST API: /api/v2/Scans/DynamicAnalyzer for ease of integration.

Conclusion

To summarize, AppScan Activity Recorder is an effective tool to help you with your recording needs. Use this extension and let us know all the features and enhancements you would like to see via the Reviews section on our Chrome page. To test-drive HCL AppScan on Cloud, please visit our free trial page

           

Comment wrap
Vinita Sanghi
Vinita Sanghi
Engineering Manager at HCL AppScan
Vinita Sanghi is currently an Engineering Manager at HCL AppScan, focussing on development of integration components for DevSecOps. She has 17 years of professional experience in the IT space, including contribution toward the Application Security domain for the past 3 years. When not on her laptop, she likes to travel, explore, blog and share her experiences.
Read more

Topics in this article:

Application SecurityApplication Security TestingAppSecChromeDASTDevOps

Submit a Comment

Your email address will not be published. Required fields are marked *

* HCL provides software and services to the U.S. Federal Government through its partner Four, Inc. Please contact Four, Inc. at the U.S. Federal Government contact page.


Further Reading
appscan
appscan
AppScan's February Innovation Workshop
Secure DevOps | February 14, 2023
What You’ll Learn in AppScan’s February Innovation Workshop
This month, we are pleased to present the second installment of our Integrated tools innovation workshops.
Courtney Coleman
Courtney Coleman
appscan
appscan
The Customers have spoken
Secure DevOps | November 2, 2022
The Customers Have Spoken!
HCL Technologies is excited to announce our recognition as a Customers’ Choice vendor for 2022 in the Application Security Testing category on Gartner® Peer Insights™.
Adam Cave
Adam Cave
Product Marketing Manager, HCL AppScan
appscan
appscan
Strengths and Weaknesses in Application Security Technologies
Secure DevOps | September 26, 2022
Strengths and Weaknesses in Application Security Technologies
With the rise of remote work and cloud-based services, there are more potential threats to your web applications than ever. Learn more about app security.
Adam Cave
Adam Cave
Product Marketing Manager, HCL AppScan
Close
Filters result by
Sort:
|
ProductsRESET