Advanced Configuration

The document outlines advanced configuration settings for AppScan version 10.9.0, intended for experienced users or support team guidance. It details various settings related to memory consumption, browser interactions, API exploration, and security protocols, along with their default values and potential use cases. Users are advised to exercise caution when modifying these settings as they can significantly impact the application's performance and functionality.

10/9/25, 2:08 PM Advanced configuration

Version 10.9.0 English

Advanced configuration
This view provides access to numerous advanced settings and should only be used by experienced AppScan users or when instructed to do so by the support team to troubleshoot a problem.

Tip: Settings that impact AppScan at a broader level, applicable to its overall functionality rather than a specific scan, can be found in the Advanced tab of the Options dialog box (Tools > Options > Advanced tab), not in this section.

Note: Each setting has an ID that you can use when discussing settings with the Support team. The items in the grid can be sorted by Name or ID, by clicking the relevant column heading.

Note: Where the default setting is a regular expression, deleting it altogether will result in the setting being treated as undefined (and not as a regular expression that includes everything).

Table 1. Advanced configuration settings (columns: Name, Description, Possible use cases)

Action-Based:

Automatically approve JS dialogs in the browser
Description: Automatically press "OK" in the JavaScript dialogs: alert, confirm, prompt.
Default: False

Memory consumption limit
Description: If AppScan memory usage reaches this threshold, AppScan will try to reduce resource usage by limiting the number of threads.
Default: 1000 MB

Multi-step playback no-interaction timeout
Description: The no-interaction timeout (in seconds) for stopping playback of a multi-step operation.
Default: 10

Number of browser instances allowed during Test Stage
Description: Sets how many browser instances can be used during the Test stage of the scan.
Default: 3
Possible use cases: If your site uses client JavaScript code intensively, and as a result AppScan freezes during the scan, reduce this number.

Save screenshots in automatic Explore
Description: AppScan can save a screenshot of every page it visits during automatic Explore, but this can impact performance and greatly increase the size of the temp folder where the data is saved. By default, explore data is saved in: C:\ProgramData\HCL\AppScan Standard\temp\[run number]\AutoCrawler\dom-states\[page identifier]. The data is deleted when AppScan closes.
Default: False
Possible use cases: Change to True if you want to review these screenshots to verify the automatic Explore stage. Note that when you close AppScan the screenshots are not saved.

Timeout for single login attempt
Description: The time (in seconds) that AppScan waits for the browser to replay a single action-based login attempt before forcing the browser to close.
Default: 120

API Automatic Explore:

Include "Delete" requests in web API automatic explore
Description: Set to true if you want AppScan to include "Delete" requests in the automatic exploration. "Delete" requests will be included only within multi-step sequences.
Default: False

Detect Multi-step sequences during web API explore
Description: Not enabled by default as multi-step sequence analyzing might take a long time. Set to true if you want AppScan to detect multi-step sequences during web API exploration.
Default: False

AWS Authorization:

Cognito Refresh Interval
Description: The interval in seconds between requests for Cognito key updates.
Default: 270

Communication:

Accept-Language request-header value
Description: The string sent for the Accept-Language header in all HTTP requests. If not defined by the user, AppScan will use the value that was sent by the browser the first time in this scan that the user opened it to record the login procedure, a multi-step operation, or to view a page. Note: If you change the default browser, refer to the conditions listed in Changing the default browser.
Default: en-US
Possible use cases: During the Explore stage AppScan might receive an unexpected response, due to the Internet Explorer header value. In such cases you should check which value should be used in the Accept-Language header when interacting with the site, and define it in this setting (or in Internet Explorer).

Force an HTTP request without parameters to every form action
Description: In some cases, server-side logic may behave differently when a form submission without parameters is received. When set to True, AppScan will send an additional request, without parameters, to every form. This may result in the return of custom error pages with links to additional web pages and functionality.
Default: True
Possible use cases: If you notice, when viewing traffic during the scan, that form submissions without parameters cause timeouts or crash the application, you may decide to set this option to False.

HTTP preference
Description: Defines the preferred HTTP version for AppScan to use when scanning. If the server does not support the chosen version, AppScan will choose the best option that is supported. Options are: 0 = HTTP/1.0; 1 = HTTP/1.1; 2 = HTTP/2.
Default: 1
Possible use cases: Important: AppScan can scan HTTP/2 websites only if they also use TLS 1.2. Non-HTTPS websites, and websites that use earlier versions of TLS, will be scanned with HTTP/1.1.

Include a Content-Length header in all requests
Description: Some servers require a Content-Length header even in requests for which message body semantics are not defined (such as the GET method). If missing, the server will reject the request. To solve this, AppScan will add a Content-Length header to requests that do not have one. When True, AppScan will add a Content-Length header to any request that does not already include one. When False, AppScan will add a Content-Length header to any request that does not already include one, only if: there is a non-zero length request body; there is a zero length request body in a POST, PUT or PATCH request; or an HTTP 411 Length Required was received from the server.
Default: True
Possible use cases: If the default behavior causes 400 Bad Request responses from the server, because it does not expect a Content-Length header for a GET request (since GET requests do not typically include a request body), change this setting to False.

Include AppScan debug headers in all requests
Description: When set to True, an HTTP header is added to all requests sent by AppScan to the site. The header name is "X-AppScan-Debug", and its value includes information about AppScan's reason for sending this particular request (Explore, Test, Login Playback, Server Down Check, and so on).
Default: False
Possible use cases: Configuring the scan to send "X-AppScan-Debug" headers can be useful in tracking AppScan traffic in external tools such as web debuggers, proxies, analyzers and sniffers. Note: Some sites may reject any requests that include special headers such as this.

Maximum response length
Description: AppScan truncates long responses to avoid memory consumption issues. This setting defines the maximum allowed response length in Megabytes. Longer responses are treated as errors.
Default: 8
Possible use cases: If AppScan seems to miss links or get out of session, and the application is known to send long responses, increasing the maximum response length may solve the problem.

Remove 'Accept-Encoding' header
Description: AppScan does not support all encodings, and removes the encodings it does not support. If this setting is enabled AppScan will remove the entire header and not just the encodings it does not support.
Default: True
Possible use cases: If the server rejects AppScan requests, returns unexpected responses, or AppScan is unable to maintain session, you should check the traffic log and compare the requests AppScan sends with those of your usual browser. If the Accept-Encoding header is different or missing in your browser, you should enable this setting.

Reuse server connections
Description: By default, AppScan closes TCP connections after use, since open connections, and saved data, may affect scan results. When set to True, AppScan leaves connections open after use, and attempts to reuse open connections whenever possible.
Default: False
Possible use cases: If there are network resource exhaustion errors on the web server, changing this setting to True may solve the problem.

Security package order
Description: AppScan supports Basic, Digest, NTLM, Negotiate, and Kerberos HTTP authentication. If you want to force AppScan to use or not use a specific method, or apply an order of preference for method selection when the site/proxy allows more than one, you can edit this value. For example, if you want to allow only NTLM and Basic, and prefer to use NTLM if available, edit this string to: ntlm, basic
Default: basic, digest, ntlm, negotiate, kerberos
Possible use cases: If your site uses a specific authentication method and AppScan is denied access, defining the required method as the only method can solve the problem. If you want to test your site with specific methods - say Basic and NTLM - you could configure one scan with Basic only, and another with NTLM only.

Slash Normalization
Description: Normalize URLs by replacing two or more consecutive slashes with a single slash.
Default: True
Possible use cases: If your site URLs utilize consecutive slashes, deactivate this setting.

TLS support
Description: Lists which TLS protocols are allowed. AppScan will choose the most secure protocol allowed by the user's configuration and by the server. The value of this field should be a comma-separated list. Note: TLS 1.3 is supported only when AppScan is running on Windows Server 2022, Windows 11, or later.
Default: TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0
Possible use cases: If necessary, SSL 3.0 can be added to the list of allowed protocols.

Treat error response as valid
Description: AppScan treats error pages differently to regular pages (for example, by not parsing for links). This setting lets you tell AppScan to treat error pages as regular pages for the starting URL only, or always. When set to 0, AppScan treats all error responses as invalid. When set to 1, AppScan treats all error responses to the starting URL (4xx and 5xx) as valid. When set to 2, AppScan treats all error responses as valid for both regular pages and the starting URL.
Default: 0
Possible use cases: If your starting URL response is an error page, change the setting to 1. If you want the scan to extract data from error pages, and test them, change this setting to 2. Note that changing the default setting is likely to affect performance.
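
The decision rule documented above for the "Include a Content-Length header in all requests" setting (in the Communication group), modelled as an added example. This is not AppScan code; the function names, the request representation and the sample request are assumptions made for the illustration.

```python
import re

# Added example, not AppScan code: a model of the rule documented for the
# "Include a Content-Length header in all requests" setting. Function names
# and the request representation are assumptions made for this illustration.

BODY_METHODS = {"POST", "PUT", "PATCH"}


def should_add_content_length(method, body, has_header, include_in_all, got_411=False):
    """Decide whether a Content-Length header must be added to a request.

    method: HTTP method; body: bytes (b"" when there is no body);
    has_header: the request already carries Content-Length;
    include_in_all: the setting's value (AppScan default True);
    got_411: the server answered 411 Length Required earlier in the scan.
    """
    if has_header:
        return False              # never add a second Content-Length
    if include_in_all:
        return True               # True: every request gets one, GET included
    # False: only the three documented conditions trigger the header.
    if len(body) > 0:
        return True               # non-zero length request body
    if method.upper() in BODY_METHODS:
        return True               # zero length body in POST, PUT or PATCH
    return got_411                # server explicitly demanded a length


def build_request(method, path, headers, body=b"", include_in_all=True, got_411=False):
    """Serialise a minimal HTTP/1.1 request, applying the rule above."""
    hdrs = dict(headers)
    has_header = any(k.lower() == "content-length" for k in hdrs)
    if should_add_content_length(method, body, has_header, include_in_all, got_411):
        hdrs["Content-Length"] = str(len(body))
    head = f"{method} {path} HTTP/1.1\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in hdrs.items())
    return head.encode("ascii") + b"\r\n" + body


def carries_content_length(raw_request):
    """True if the serialised request contains a Content-Length header line."""
    return re.search(rb"(?im)^content-length:\s*\d+\r?$", raw_request) is not None


if __name__ == "__main__":
    # Constructed sample: the GET that a strict server answers with 400 when the
    # setting is True, and the same GET with the setting switched to False.
    base = {"Host": "app.example.test"}
    for include_in_all in (True, False):
        raw = build_request("GET", "/account", base, include_in_all=include_in_all)
        print(f"setting={include_in_all}: Content-Length sent = "
              f"{carries_content_length(raw)}")
```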

Custom script:

Content type filter
Description: Regular expression pattern applied to the Content-type header to determine if the request body can be modified by matching the specified Content-type.
Default: text\/.*|application\/json
Possible use cases: For example, if the content type is an image, the response body is empty and cannot be read or modified.

General:

AppScan Browser script-error-popup suppression
Description: Suppresses script-error popups in the AppScan built-in browser during action-based login recording and playback, manual explore, multi-step recording, and Show-in-browser.
Default: False
Possible use cases: If irrelevant error popup messages interfere with action-based login recording and playback, you can suppress them by setting this value to True. Note that other popups such as "HTTP Authentication" errors and "Install ActiveX control" prompts will also be suppressed.

Enable "Pattern for JS requests to be excluded from proxy filter"
Description: When set to true, AppScan utilizes the pattern to identify specific JavaScript requests that should be retained and not filtered out in the proxy.
Default: False

Encrypt sensitive data
Description: When True, the following data is encrypted in all files saved or exported through AppScan (SCANT, LOGIN, SEQ, ASFF): all form filler content; all session management requests; all multi-step operations; all TOTP data. When False, only the password and TOTP secret key are encrypted in these files.
Default: True

Merge redundant tests
Description: When set to True, AppScan sends only a single set of tests on two (or more) requests that are identical except for additional cookies. If set to False, all such requests will be tested separately.
Default: True
Possible use cases: Changing this setting to False can impair performance; do so only if advised to by Support.

Pattern for JS requests to be excluded from proxy filter
Description: A regular expression, applied to response headers, defining which JavaScript requests should not be filtered by the proxy content-type filter.
Default: Cache-Control:[ ]*([^\n\r]*)(no-store|no-cache|max-age=0)

Proxy file extension filter
Description: A regular expression that defines file extensions which will be removed from the list of URLs that is saved when you record a login, Manual Explore or Multi-Step operation. If you remove an extension from the regexp, URLs ending with that extension will not be filtered out of recordings.
Default: "\.(zip|Z|tar|t?gz|sit|cab|pdf|ps|doc|ppt|xls|rtf|dot|mp(p|t|d|e|a|3|4|ga)|m4p|mdb|csv|pp(s|a)|xl(w|a)|dbf|slk|prn|dif|avi|mpe?g|mov(ie)?|qt|moov|rmi?|as(f|x)|m1v|wm(v|f|a)|wav|ra|au|aiff|midi?|m3u|gif|jpe?g|bmp|png|tif?f|ico|pcx|css|xml)$"
Possible use cases: In rare cases where you need a particular kind of file, such as a CAPTCHA image file, included in your Login recording for reference, you could remove its file extension (in this case jp?g) from the regular expression.

Sanitize logs
Description: Removes sensitive information from logs.
Default: True
Possible use cases: If you need to remove sensitive information from logs, activate this option and define the pattern to be removed in the "Sensitive information pattern" option. Note that changing this setting does not affect logs already generated.

Sanitize reports
Description: Removes sensitive information from reports.
Default: True
Possible use cases: If you need to remove sensitive information from reports, activate this option and define the pattern to be removed in the "Sensitive information pattern" option. The password defined in Scan Configuration > Automatic Form Fill is excluded from all reports even if no pattern is defined. Note that changing this setting does not affect reports already generated.

Sensitive Information pattern
Description: A regular expression that defines one or more groups that will be filtered out of logs and reports, if the Sanitize Logs or Sanitize Reports options are activated.
Default: empty
Possible use cases: If you need to remove sensitive information from reports or logs, activate the relevant option ("Sanitize logs" or "Sanitize reports"), and define one or more groups in a regular expression here. The sensitive text is replaced with: **CONFIDENTIAL 1**, **CONFIDENTIAL 2**, and so on. The password defined in Scan Configuration > Automatic Form Fill is excluded from all reports even if no pattern is defined.

Sensitive parameter names
Description: A regular expression that defines one or more parameter names that will not be displayed.
Default: refresh_token|secret|KeySecret|client_secret
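
The group-by-group redaction that the "Sensitive Information pattern", "Sanitize logs" and "Sanitize reports" settings above describe, as an added example. This is not AppScan's implementation: the assumption that the placeholder number is the capture-group number, the sample log lines and the sample pattern are all constructed for the illustration.

```python
import re

# Added example, not AppScan code: redact each capture group of a
# "Sensitive Information pattern" and replace it with **CONFIDENTIAL n**.
# Assumption: n is the capture-group number (group 1 -> CONFIDENTIAL 1, ...).

# Constructed sample of the kind of lines a traffic log may contain.
SAMPLE_LOG = (
    "POST /api/token HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Authorization: Bearer eyJhbGciOi.sample.payload\r\n"
    "Cookie: JSESSIONID=A1B2C3D4E5; theme=dark\r\n"
)

# Two groups: group 1 is the bearer token, group 2 the session cookie value.
SAMPLE_PATTERN = r"Authorization: Bearer (\S+)|JSESSIONID=([A-Za-z0-9]+)"


def sanitize(text, pattern):
    """Replace every matched capture group of `pattern` in `text`.

    Returns (sanitized_text, number_of_replacements). A pattern with no
    groups filters nothing, mirroring the setting's "one or more groups".
    """
    regex = re.compile(pattern)
    if regex.groups == 0:
        return text, 0
    out, pos, count = [], 0, 0
    for match in regex.finditer(text):
        for idx in range(1, regex.groups + 1):
            start, end = match.span(idx)
            # (-1, -1) means the group did not take part in this match;
            # start < pos means it is nested inside a group already redacted.
            if start == -1 or start < pos:
                continue
            out.append(text[pos:start])
            out.append(f"**CONFIDENTIAL {idx}**")
            pos = end
            count += 1
    out.append(text[pos:])
    return "".join(out), count


def sanitize_sample():
    """Run the sanitizer over the constructed sample log."""
    return sanitize(SAMPLE_LOG, SAMPLE_PATTERN)


if __name__ == "__main__":
    cleaned, n = sanitize_sample()
    print(f"{n} value(s) redacted")
    print(cleaned)
```

As the page notes, this only affects text written after the options are switched on; logs and reports that already exist are not rewritten.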

IAST:

Enable communication with IAST agent (when IAST agent is installed)
Description: Enable this option to enhance your DAST scanning with AppScan IAST (Interactive Application Security Testing), which significantly improves scan accuracy and remediation times.
Default: False
Possible use cases: Customers using AppScan On Cloud or AppScan Enterprise with active AppScan IAST subscriptions can choose to enable this configuration when scanning a site that has an active IAST agent deployed.

JavaScript:

JavaScript link pattern
Description: AppScan uses a variety of patterns to identify links in JavaScript code. If your site uses unusual patterns they should be defined in this regular expression.
Default: empty
Possible use cases: If AppScan seems to miss links from your JavaScript code, and your site uses unusual JavaScript link patterns, define one or more patterns here to tell AppScan what to search for. Applies only to Request-Based exploring.

Localization:

HTML encoding
Description: Overrides the encoding defined in your site's HTML responses.
Default: empty
Possible use cases: If the content of responses in the scan results looks distorted, this may mean that: 1) the encoding method was not correctly identified by AppScan, or 2) the encoding method is incorrectly defined in your site's HTML. To solve 1: select the correct method in the Explore Options drop-down list. To solve 2: enter the correct encoding method here.

Parameters & Cookies:

Exclude redundant JSON parameters from testing
Description: JSON content type body can contain multiple values of a single parameter that need not be tested individually. When set to True, AppScan attempts to identify redundant values and limit testing to a subset, reducing scan time.
Default: True
Possible use cases: If you find that a particular, significant parameter was not tested, change the setting to False.

Exclude redundant XML parameters from testing
Description: XML content type body can contain multiple values of a single parameter that need not be tested individually. When set to True, AppScan attempts to identify redundant values and limit testing to a subset, reducing scan time.
Default: True
Possible use cases: If you find that a particular, significant parameter was not tested, change the setting to False.

Track custom parameters in headers
Description: This setting applies only to scans saved with AppScan v. [Link] or earlier. In later versions the default behavior changed to True, and the setting is controlled for individual parameters and cookies in: Scan Configuration > Parameters and Cookies > Parameter Definition > Tracking Options > Match: Header and Body (default) or Body only (see Parameters, cookies and headers definition). By default AppScan [Link] and earlier searches for custom parameters only in the body of responses, not in their headers. If you change this setting to True, AppScan will search in headers too.
Default: False
Possible use cases: If AppScan gets out of session due to changes to a parameter in the response header, changing this setting may solve the problem. Note that this may increase scan time.

Track dynamic parameters in Test stage only when inline content exists
Description: Tracking dynamic parameters during the Test stage may result in performance problems. Therefore, by default, dynamic parameters are tracked during the Test stage only in responses with inline content.
Default: True
Possible use cases: Change this setting to False only if this kind of tracking is essential.

Postman:

Login analysis sample size
Description: When a Postman Collection is uploaded, AppScan analyzes it to try to identify an in-session pattern. AppScan uses this pattern to detect when it gets logged out during the scan. This setting defines how many requests from the collection are analyzed to try to identify a valid pattern.
Default: 7
Possible use cases: If AppScan fails to identify a valid in-session pattern automatically, try increasing this value.

Server Down Detection:

Check for "server down" in Explore
Description: Enables the sending of heartbeat requests to check for "Server Down" during the Explore stage.
Default: True
Possible use cases: If AppScan gets server-down errors during the Explore stage, and the server is not down, this may be due to the server blocking the frequent heartbeat requests. If AppScan frequently gets out-of-session during scanning, this may be due to the Starting URL being sent to the server as a heartbeat, without cookies. Deactivating this setting may solve the problem, but note that AppScan will not be able to verify server status.

Check for "server down" in Test
Description: Enables the sending of heartbeat requests to check for "Server Down" during the Test stage.
Default: True
Possible use cases: If AppScan gets server-down errors during the Test stage, and the server is not down, this may be due to the server blocking the frequent heartbeat requests. If AppScan frequently gets out-of-session during scanning, this may be due to the Starting URL being sent to the server as a heartbeat, without cookies. Deactivating this setting may solve the problem, but note that AppScan will not be able to verify server status.

Explore stage reconnect attempts
Description: When AppScan is about to finish the Explore stage but several tests failed due to "server down", and the server is still down, AppScan will try to connect to the server several times.
Default: 5
Possible use cases: If you know that your server is sensitive, or you see that the scan stopped due to a communication error while several tests failed due to communication errors, you should increase this number.

Request retry interval
Description: Interval in seconds before resending failed requests (including failed heartbeat requests).
Default: 1
Possible use cases: If you know that you have a poor connection or an unstable server (which would result in false negative results, or reduced coverage), you can increase this interval to reduce the impact.

Request retry limit
Description: Number of times to retry sending failed requests.
Default: 2
Possible use cases: Increasing this setting may result in a more efficient scan if your server is unstable or communication is poor.

Server down timeout
Description: When AppScan is unable to connect to the server or gets out-of-session, this setting defines (in seconds) for how long AppScan will try to reconnect or get back into session before stopping the scan.
Default: 185
Possible use cases: If you have a slow connection, or your server takes a long time to reload after down time, you might want to increase this setting.

Server-down heartbeat interval
Description: Interval in seconds between "server down" heartbeats.
Default: 3 s
Max: 60 s
Possible use cases: If AppScan gets server-down errors during the scan, it may be due to a poor connection or unstable server. Increasing this interval may solve the problem.

Test stage reconnect attempts
Description: When AppScan is about to finish the Test stage but several tests failed due to "server down", and the server is still down, AppScan will try to connect to the server several times.
Default: 5
Possible use cases: If you know that your server is sensitive, or you see that the scan stopped due to a communication error while several tests failed due to communication errors, you should increase this number.

Session Management:

Ad domains
Description: Regular expression describing common web advert domains. Requests sent to these domains when the login sequence is recorded will be discarded.
Default: ad\[Link]| doubleclick\.net|coremetrics\.|webtrends\ .|112\.2o7\.net|[Link]| [Link]|[Link]|[Link]| [Link]"
Possible use cases: Since the login sequence is replayed continually during the scan, you can improve scan efficiency by filtering out these unnecessary requests. Note that if you delete the regexp altogether, no domains will be filtered out.

Analyze login recording
Description: When you record a login sequence (Scan Configuration > Login Management), AppScan will analyze it and update in-session detection settings (in-session pattern, in-session request, and session IDs received during login).
Default: True
Possible use cases: If the analysis takes too long, you can change this setting to False. However, if you do this you will need to configure the in-session detection settings manually.

Clear cookies before playing login
Description: Determines whether cookies are deleted before replaying the login sequence.
Default: True

Common static parameter values
Description: Common static parameter values. Used for the detection of non-random parameter values, which should not be tracked during login.
Default: |true|false|\bon\b|\boff\b|\bout\b|checked|enabled|log\s?in|log\s?out|exit|submit|sign|ever|disabled|agree

Disable Explore stage in-session buffering
Description: During the Explore stage: if the response to a request indicates that the user was out-of-session when it was sent, AppScan queues the request to send again. This ensures that as much of the site as possible is scanned.
Default: False
Possible use cases: If your site throws the user out of session frequently, in-session buffering may result in the Explore stage continuing indefinitely. Setting this option to True will make the Explore stage faster, but may reduce site coverage.

In-session before multi-step operations
Description: By default AppScan verifies in-session status before replaying multi-step operations.
Default: True
Possible use cases: If you want to test multi-step operations with a non-authenticated user, or if your multi-step sequence includes login steps, change this setting to False. Important: If Scan Configuration > Login Management > Details > Activate In-session detection is deselected, and this advanced setting is set to True (default), the entire login sequence will be replayed before each multi-step operation.

In-session heartbeat interval
Description: Interval in seconds between in-session heartbeats.
Default: 5
Possible use cases: If AppScan gets out-of-session during the scan, it may be due to a poor connection or an unstable server. Increasing this interval may solve the problem.

Login retry interval
Description: Interval in seconds before re-sending failed login requests.
Default: 3
Possible use cases: If AppScan gets out of session, and repeated login retry attempts fail, this may be because the server is sensitive to frequent login attempts. Increasing this interval may solve the problem.

Multipart Content Type Filter
Description: To reduce unnecessary memory consumption, certain content types are automatically filtered out of multipart requests (requests that contain more than one content type). Only content types defined in this regular expression are included in multipart requests; all others are filtered out. Content that has no content type header is included by default and defined by the value: content_without_content_type_header
Default: text/|text/plain|application/javascript|application/json|application/rtf|application/xml|text/xml|content_without_content_type_header
Possible use cases: If an important content type is filtered out of requests, add it to this regular expression. You may also be able to reduce memory consumption by removing unnecessary content types so they will not be sent.

Navigational parameter hosts
Description: Regular expression describing hosts. Used for the detection of navigational parameters (by value), which should not be tracked during the login sequence.
Default: https?://
Possible use cases: If your site uses unusual hosts in navigational parameters, that are not filtered out by the default regexp, you can add them to improve scan efficiency. If you delete the item, navigational parameters might not be identified properly.

Navigational parameter scripts
Description: Regular expression describing server-side scripts used in the detection of navigational parameters (by parameter value) which should not be tracked during the login sequence.
Default: /[^/\.]+\.(htm|jsp|jsf|ws|dll|asp|php|do)
Possible use cases: If your site uses unusual server-side scripts in navigational parameters, that are not filtered out by the default regexp, you can add them to improve scan efficiency. If you delete the item, navigational parameters might not be identified properly.

Navigational parameters
Description: Regular expression describing navigational parameters, which should not be tracked during the login sequence.
Default: \bnav|url|page|step|redirect|request|location|target|argument|item|article|goto|node|action|ctrl|control|source|menu|frame|command
Possible use cases: If your site uses unusual navigational parameters that are not filtered out by the default regexp, you can add them to improve scan efficiency. Modifying this regular expression might result in insufficient scan coverage or improper session tracking.

Parse In-session page
Description: If set to False AppScan will not parse the in-session page, and will not update tracked parameters or cookies whose values were changed in the in-session page.
Default: True
Possible use cases: If your in-session page does not contain tracked cookies or parameters, you can improve performance by changing this setting to False. Note that if set to False, AppScan will not update cookie/parameter values on the in-session page, which could result in getting out-of-session.

Password parameter name
Description: Used by Recorded Login Analysis to identify the password parameter. Its full name is needed.
Default: password|pass|pswd|pwd
Possible use cases: Sometimes, when you import a login (rather than record it using Action-Based Login) AppScan may fail to identify the password parameter name. If this happens the Password field in Scan Configuration > Automatic Form Fill will be empty. If so, add the full password parameter name here.

Requests between heartbeats
Description: Following an in-session detection request, AppScan will send at least the number of requests defined here before sending another in-session detection request.
Default: 1
Possible use cases: In cases where a slow response from the server results in the scan consisting mostly of in-session detection requests (see Traffic Log), increasing this value can reduce scan time.

Sequence Content Type Filter
Description: A regular expression defining content types that will be filtered out of the login, multi-step sequences and manual explore.
Default: text/javascript|application/javascript|application/x-javascript|image|text/css|application/x-msdownload|application/zip|application/octet-stream|application/java-archive|application/font-|application/x-font

Special Patterns:

Exclude from Automatic Form Fill
Description: Parameter names listed here are excluded from the Automatic Form Filler.
Default: ^CFID __EVENTVALIDATION __VIEWSTATE ^CFTOKEN __EVENTARGUMENT __EVENTTARGET ^BV_
Possible use cases: Parameters with very long values may slow down the scan and increase file size. If your application uses parameters with long values, and they are not needed for filling forms, add them to this list.

Tests:

CSRF: Pattern of meaningful request
Description: By default AppScan tests POST requests, and requests whose response was "Transaction Successful", for Cross-Site Request Forgery. This setting lets you define additional requests as "meaningful" for Cross-Site Request Forgery vulnerability, in addition to POST requests. This definition is used in conjunction with "CSRF: Pattern of meaningful response".
Default: ^POST
Possible use cases: If you want to test for Cross-Site Request Forgery on GET requests too, change this regular expression.

CSRF: Pattern of meaningful response
Description: By default AppScan tests POST requests, and requests whose response was "Transaction Successful", for Cross-Site Request Forgery. This setting lets you define additional responses as "meaningful" for Cross-Site Request Forgery vulnerability, in addition to "Transaction Successful". This definition is used in conjunction with "CSRF: Pattern of meaningful request".
Default: Transaction Successful
Possible use cases: If you want to test for Cross-Site Request Forgery on requests that receive other kinds of responses, define them in this regular expression.

Difference threshold
Description: AppScan often needs to compare two responses, and decide whether they are "similar" or "different", in order to know whether a test was successful or not. In these cases, AppScan uses a variety of algorithms to assign a Similarity Percentage (where 100% means the two responses are identical). In some cases it decides the test outcome based on whether the Similarity Percentage is above the "Similarity Threshold", and in others based on whether it is below the "Difference Threshold". Both thresholds can be configured. For most tests the default Similarity Threshold is 95%, and the default Difference Threshold is 75%. This means that: for test results whose outcome depends on similarity, a Similarity Percentage of 95% or more indicates the two pages are similar; for test results whose outcome depends on difference, a Similarity Percentage of 75% or less indicates the two pages are different. If you enter a value between 1 and 100 (percent) for this setting, it will override the default Difference Threshold for all tests. You may also want to adjust the Similarity Threshold.
Default: 0 (Use AppScan thresholds)
Possible use cases: If your site has no "dynamic" text that causes the similar responses to be slightly different, setting a value lower than 75 may reduce false positive results. Tip: You may also want to adjust the Similarity Threshold (see below).

Disable cookie testing
This setting is used to turn off cookie testing altogether.
Default: False
Possible use cases: If cookie testing for your application results in a very long scan, you might want to disable it. However, doing so might result in security issues being missed ("false negatives").

Disable cookie testing for static content
Don't test cookies in requests for pages with these extensions.
Default: ;htm;html;ahtm;ahtml;chtm;chtml;fhtm;fhtml;mht;mhtm;mhtml;css;css1;js;
Possible use cases: In order to reduce scan time and memory consumption, you may want to exclude additional types of page extension. If so, add them to the list of extensions to exclude, separated by a semicolon.

Don't test directory or page
This option lets you define a regular expression to exclude specific directories or pages from attacks during the Test stage. Note that this will only exclude the directories or pages defined, and not any subdirectories or files.
Default: /wps/[^/]*/!ut/
Possible use cases: If you know that certain directories or pages are not vulnerable, or are concerned that testing them might harm site stability, you can exclude them from the scan by defining them in this regular expression. For excluding a folder and all its sub-folders, see Excluded paths and files.

Extract links from all responses
By default during the test stage AppScan will only search for new links in vulnerable responses.
Default: False
Possible use cases: If you think AppScan® might miss links, or that its coverage isn't sufficient, you can enable this setting, though doing so will increase scan time and file size.

Follow all automatic links
By default AppScan only follows automatic links* that are likely to contain vulnerabilities. These are: iFrame, Frame and Redirect. You can configure it to follow all types of automatic link.
Note that requests that match the regular expression defined in "Automatic links to ignore" will never be sent, regardless of this setting.
Default: False
Possible use cases: If you think your site may contain a vulnerability in other types of automatic link, such as scripts, enable this setting. This will increase scan time and file size.

* Automatic link: A link on the web page that the browser sends automatically, without any user interaction.

List of entities to test
List of entities, separated by "pipe". By default all valid entities are included: HttpServer | Directory | Path | Parameter | Cookie Name | Html Comment | Request | ClientScript | Response Cookie | Link | Page | Privilege Escalation Request | Header
Possible use cases: To prevent specific tests from running without modifying the Test Policy. In the case of tests that run on several entity types, let's say headers, parameters, and cookies: to allow the tests to run on parameters and cookies, but prevent them running on headers, you can remove "Header" from this list.

Login after test
Send tests in a single thread, and verify in-session, or send login sequence, after every test.
0 = False
1 = Send tests in a single thread, and verify in-session after every test. If out-of-session, send login sequence.
2 = Send tests in a single thread, and send login sequence after every test.
Default: 0
Possible use cases: Settings 1 or 2 may be needed for applications with a sensitive session, or that require frequent logouts to avoid session or memory issues. They significantly increase scan time.

Multi-step Operation: Validation limit
The maximum number of subsequent requests from a Multi-Step Operation sequence that will be validated, after the step currently being tested.
Default: 0
Possible use cases: For details see Sequence validation.

Omit response body if not needed
For certain types of test it is not the response body that confirms the vulnerability. Saving this content as part of the scan data increases scan size with no benefit, so by default AppScan does not save it in these cases. Note that setting this value to False may significantly increase scan size.
Default: True
Possible use cases: n/a

Parse and test WebSocket traffic
AppScan analyzes and tests WebSocket traffic during scans by sending test payloads. If this feature prevents your application from working correctly, you can disable it by setting this to False. If your application doesn't use WebSockets then this feature should not have any effect.
Default: True
Possible use cases: n/a

Pattern to ignore in response
This regular expression defines sections of the response that AppScan® will ignore when analyzing test responses.
When comparing responses to decide if a test succeeded, AppScan measures the percentage of change in the entire response. If the response is very long, and the change very small, AppScan® might ignore the difference and miss the vulnerability.
Default: <input[^>]+(__VIEWSTATE|__EVENTTARGET|__EVENTARGUMENT|__EVENTVALIDATION)[^>]+>
Possible use cases: If your site sends responses that include long sections that are not important, defining them here can improve scan accuracy and performance.

Refresh original response interval
Interval in seconds before refreshing the original response (by sending the request again) during the Test stage.
One of the ways AppScan decides whether a Test response reveals a vulnerability is by comparing it with the Explore response. When an Explore response is older than the value set here, the Explore request will be sent again, before sending tests, so that an updated Explore response can be used for the comparison. This is important for cases where the Explore response is likely to vary with time, and comparing the Test response to the outdated Explore response might result in a false positive.
Default: 30 (seconds)
Possible use cases: If you are sure that your application's responses will never become outdated in this way, you can change this setting to zero to reduce scan time. Explore stage requests will then never be resent.

Send port listener tests
By default AppScan doesn't send port listener tests because of the likelihood of failure and the time it takes to validate.
Default: False
Possible use cases: If the external site is part of your network, so that it is aware of local IP addresses, you might want to activate this type of blind SQL injection test.

Similarity threshold
AppScan often needs to compare two responses, and decide whether they are "similar" or "different", in order to know whether a test was successful or not. In these cases, AppScan uses a variety of algorithms to assign a Similarity Percentage (where 100% means the two responses are identical). In some cases it decides the test outcome based on whether the Similarity Percentage is above the "Similarity Threshold", and in others based on whether it is below the "Difference Threshold". Both thresholds can be configured.
For most tests the default Similarity Threshold is 95%, and the default Difference Threshold is 75%. This means that:
For tests whose outcome depends on similarity, a Similarity Percentage of 95% or more indicates the two pages are similar.
For tests whose outcome depends on difference, a Similarity Percentage of 75% or less indicates the two pages are different.
If you enter a value between 1 and 100 (percent) for this setting, it will override the Similarity Threshold for all tests.
Default: 0 (Use AppScan thresholds)
Possible use cases: If your site has no "dynamic" text that causes similar responses to be slightly different, increasing this percentage may reduce false positive results. Tip: You may also want to adjust the Difference Threshold (see above).
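The following is an added illustration of how the three settings above interact ("Pattern to ignore in response", "Difference threshold" and "Similarity threshold"); it is example code written for this page, not AppScan's own comparison engine. The default ignore regex and the 95%/75% thresholds are taken from the page; everything else is an assumption: AppScan's actual similarity algorithms are not documented here, so Python's difflib ratio stands in for them, and the ASP.NET-style page and the error page are constructed samples. It shows why a per-request view state that is compared verbatim makes two fetches of the same page look "different" (a false positive for difference-based tests), while the same pair scores 100% once the ignored sections are stripped, and a genuine error page still falls below the Difference Threshold.

```python
import re
from difflib import SequenceMatcher

# Default "Pattern to ignore in response" as listed on this page.
IGNORE_PATTERN = re.compile(
    r"<input[^>]+(__VIEWSTATE|__EVENTTARGET|__EVENTARGUMENT|__EVENTVALIDATION)[^>]+>"
)

# Default thresholds from the page (a UI value of 0 means "use these").
SIMILARITY_THRESHOLD = 95.0  # similarity-based tests: >= this means "similar"
DIFFERENCE_THRESHOLD = 75.0  # difference-based tests: <= this means "different"


def strip_ignored(body, ignore=IGNORE_PATTERN):
    """Remove every section matched by the ignore pattern before comparing."""
    return body if ignore is None else ignore.sub("", body)


def similarity_percentage(original, tested, ignore=IGNORE_PATTERN):
    """Similarity Percentage between two response bodies (100 = identical).

    Assumption: AppScan's own algorithms are not on the page; difflib's
    ratio() (2 * matched chars / total chars) stands in for them here.
    """
    a = strip_ignored(original, ignore)
    b = strip_ignored(tested, ignore)
    return 100.0 * SequenceMatcher(None, a, b).ratio()


def is_similar(pct, threshold=SIMILARITY_THRESHOLD):
    """Outcome for a test that depends on similarity."""
    return pct >= threshold


def is_different(pct, threshold=DIFFERENCE_THRESHOLD):
    """Outcome for a test that depends on difference."""
    return pct <= threshold


def asp_page(viewstate):
    # Constructed sample page; the hidden view state changes on every request.
    return (
        "<html><body><form>"
        f'<input type="hidden" name="__VIEWSTATE" value="{viewstate}" />'
        '<input type="hidden" name="__EVENTTARGET" value="" />'
        "<h1>Welcome</h1><p>Your order list</p>"
        "</form></body></html>"
    )


# Constructed error page: the kind of response a difference-based test
# (for example error-message detection) should recognise as a real change.
ERROR_PAGE = (
    "<html><body>Server Error in '/' Application. "
    "Unclosed quotation mark after the character string.</body></html>"
)


def demo():
    """Return the three comparisons discussed in the lead-in."""
    first = asp_page("A" * 300)   # constructed: same page fetched twice,
    second = asp_page("B" * 300)  # only the view state value differs
    return {
        # view state compared verbatim: scores as "different" -> false positive
        "raw_dynamic": similarity_percentage(first, second, ignore=None),
        # same pair with the ignore pattern applied: identical -> "similar"
        "ignored_dynamic": similarity_percentage(first, second),
        # original vs. error page: still "different" after stripping
        "error_page": similarity_percentage(first, ERROR_PAGE),
    }


if __name__ == "__main__":
    for name, pct in demo().items():
        print(f"{name:16s} {pct:6.1f}%  similar={is_similar(pct)}  "
              f"different={is_different(pct)}")
```

Raising the Similarity Threshold or lowering the Difference Threshold, as the two entries above describe, is equivalent to passing a different `threshold` to `is_similar` or `is_different`; the ignore pattern is the better fix when the noise comes from a known, structured section such as the view-state inputs, because it removes the noise instead of widening the decision band.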

XSS: Revalidate using browser
For some cross-site scripting issues, checking the site's response using an actual browser can identify alert popups better, and reduce false positive results.
Default: True

XSS: Test all reflected probes
Usually multiple occurrences of the payload text in a response from the site have the same level of vulnerability, therefore AppScan tests only one of them.
Default: False
Possible use cases: Set this to True if you want to test all occurrences of the payload text in a single response.
