While AppCheck's headless browser crawler is very good at crawling web applications, some applications have user journeys that are impossible to comprehensively crawl without manual assistance.
This can be because they require valid data, or specific choices to be made in order to reach particular functionality within the application, for example entering a valid ID number, or clicking elements in a certain order.
A Workflow GoScript allows users to direct the scanner through these user journeys in order to ensure that critical areas of the application are reached. The scanner will then include these areas in its attack surface along with the ones it found entirely through automated crawling.
The scanner will also continue automated crawling after running each workflow, so once you have directed the scanner to the hard-to-reach locations you do not then need to direct it to every child page.
How do I write a WorkFlow GoScript?
For each workflow journey you want to include, create a new function with a name beginning "seeding.", for example "seeding.workflow1" or "seeding.findMyCat".
The below code creates two such functions, workflow1 and workflow2:
    wait for: Home
    wait for: Home
    wait for: OUR SOFTWARE
Finally, create a function named seeding.general, then list your workflow functions within it. For example:
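The following is an added illustration of the structure described above, assembled for this page rather than taken from AppCheck's documentation. Only the "wait for:" action and the seeding.workflow1 / seeding.workflow2 / seeding.general names come from this page; the function/end keywords, the goto:, click: and type: … into: actions, and the # comment marker are assumed from the general shape of AppCheck authentication GoScripts, and the URL, element labels and ID value are placeholders.

```goscript
# Added example; syntax other than "wait for:" and the seeding.* names is assumed.
# https://app.example.test, the element labels and the ID 12345 are placeholders.

# First journey: functionality that is only reached after entering a valid ID.
function seeding.workflow1
    goto: https://app.example.test/
    wait for: Home
    click: Search
    type: 12345 into: #record-id
    click: Find
    wait for: Record details
end

# Second journey: functionality that is only reached by clicking elements in order.
function seeding.workflow2
    goto: https://app.example.test/
    wait for: Home
    click: Products
    wait for: OUR SOFTWARE
    click: Download
    wait for: Download centre
end

# The scanner calls seeding.general; list each workflow to run here, in order.
function seeding.general
    seeding.workflow1
    seeding.workflow2
end
```

Each workflow starts with its own goto: so that it does not depend on where the previous workflow left the browser; this matters when the application does not allow the root URL to be reached directly while keeping the authenticated session, a point the page raises below.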
Where should I put my WorkFlow GoScript to use with my scan?
You can find the designated WorkFlow GoScripts box at:
    Web Application Scanner Settings -> Advanced Settings
If I have an authentication GoScript and a WorkFlow GoScript, which one runs first?
The scanner will try to authenticate first if provided with authentication information.
The auth.login, auth.confirm and auth.logout functions used in authentication GoScripts are used by the scanner to analyse the authentication of the application. The analysis identifies a means of obtaining authentication tokens from the application, and a request which can be used to determine if the token is still valid.
Once that analysis is complete, the scanner uses the information to obtain authentication tokens which it can then use within the scan session.
When running WorkFlow GoScripts, a new browser is started within the scan session and the authentication tokens are applied to it, so that all subsequent requests carry the tokens and are therefore part of the authenticated session with the server.
between calls to the functions in WorkFlow scripts. You may need to take this into account when writing your script, particularly if the application does not allow simply navigating to the root URL of the application directly while maintaining the authenticated session.