...
You will be prompted to enter a starting URL. Enter the URL of your application and then check the box that says "Scan only links in and below this directory." NOTE: This step is very important. If you leave this box unchecked, AppScan will attempt to scan the entire internet instead of only your application and things it links to. This will exponentially increase the amount of time your scan will take to complete. Leaving the box unchecked also violates the Tufts responsible use policy. Please check this box.
Click next. If your application requires a log-in, press "Record." This will open your application's URL and you should then navigate to the log-in screen. AppScan will record how you get there and the credentials that you enter.
NOTE: NEVER give AppScan administrator credentials. AppScan will open EVERY link in your application. For Administrators, this almost always includes a link which will shut down the application. AppScan will not know to differentiate the disable links from other links and it will shut down your application. Please give AppScan a user credential and preferably a demo credential. AppScan will record the credentials that are used for login purposes in plain text which will be readable to anyone who opens the saved scan file. For extra security, if your application is on a virtual machine, take a snapshot of it before running the scan. Also notify any others who might be working on the application that it may be disrupted during the time of the scan.
...