IBM Application Security Insider

If you have ever worked with an AppScan expert they probably got you to install the AppScan Traffic Viewer. This tool is the Swiss army knife of the AppScan Power user containing a multitude of support features and giving you ultimate visibility on what happens under the covers.

If you didn't use the tool yet you should definitely give it a try. Starting with AppScan 8.6 the tool will be located in the AppScan tools folder ([AppScan Installation Directory]\Tools\Traffic Viewer\TrafficViewerSetup.msi) or can be downloaded from the AppScan Enterprise portal (by going to http://[appscan_server]/appscan_instance/downloads/TrafficViewerSetup.msi).

Built using the model of other HTTP Debuggers such as Fiddler or Paros, it can actually work in both online and offline mode, by loading the AppScan traffic dumps and can give you a post mortem of the security scan without interfering with the scan itself. For example, if your site crashed during the scan and you want to find out which request is responsible for this Denial of Service, Traffic Viewer is ideal to do that.

To obtain the AppScan Standard traffic log you will need to enable it from Tools > Options > Enable Request/Response Logging. In AppScan Enterprise you enable it from the Scan Properties > Log Settings and can download it from the Scan Statistics screen.

I started building this tool when I was part of the AppScan support team and over the years every time when we needed an extra tool or capability in a troubleshooting situation I would add it to Traffic Viewer, so the tool kind of adapted to our support needs. Latest version allows you to text diff HTTP traffic, reproduce HTTP requests, do regex searches, replacements, export traffic to various formats, encode/decode strings and many many other things.

Please watch the video to see a demo of Traffic Viewer and take full advantage of this tool in this release of AppScan Standard and AppScan Enterprise.