Supported technologies
Some technologies used by your site might affect AppScan’s ability to scan it, while others do not affect the scan at all.
- AppScan is a "Black-Box" (DAST) tool, and scans your site by using the same mechanisms as a browser. Therefore, in general, server-side technologies that are transparent to a browser are also transparent to AppScan, and do not affect the scan.
- Client-side technologies such as JavaScript, and the HTTP protocol itself, do affect AppScan. For successful scanning, AppScan uses an actual browser, embedded in the product, to process web pages just like a commercially available browser. This ensures support for all common technologies. Occasionally, additional configuration might be required to help AppScan understand the context of an element for proper processing beyond simple browsing, usually for the Test stage of the scan.
- WebSocket login recording and login playback are supported.
An AppScan scan consists of two main stages: Explore and Test. For each stage, the following table offers guidelines for understanding which server-side and client-side technologies might affect the scan, and in which cases configuration is needed.
| | Server-side technologies | Client-side technologies |
|---|---|---|
| Explore stage | Any server-side technology that does not affect the client, such as the specific database used, does not affect the scan in any way. Many mechanisms that do affect the client (like session management) will not limit the scan if AppScan is configured correctly. For example, web servers and application servers affect how session IDs are managed, and AppScan must be able to track these IDs. Many common session IDs are predefined or can be automatically detected by AppScan and do not require additional configuration. However, additional configuration might still be required for some custom mechanisms. AppScan specifically supports WebSphere Portal custom URLs. WebSphere Portal encodes the URLs in a way that makes it difficult to track them as they appear. AppScan decodes the URLs so they can be understood and tuned. | AppScan uses a full embedded browser, and all the major technologies are supported automatically (HTML5), including many of the popular JavaScript frameworks such as Angular, React, and jQuery. If the automatic Explore stage misses pages due to a specific technology or implementation that blocks automatic exploring, the pages can be added to the scan by exploring them manually after the automatic Explore stage and before the Test stage. |
| Test stage | AppScan is designed to test the application and not its supporting technologies; therefore, they do not affect testing. To consider databases again: AppScan's suite of SQL Injection tests is independent of the database used. It also offers dedicated tests for third-party components (Common Vulnerabilities testing). | Client-side JavaScript vulnerabilities are tested for using the embedded browser. Testing is also performed using a Black-Box (DAST) approach: the browser environment is manipulated, and JavaScript is executed as-is to expose vulnerabilities. All JavaScript execution mechanisms supported by modern browsers are supported by AppScan. |
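The Explore-stage note above says that a scanner must track session IDs, that common ones are recognised automatically, and that custom mechanisms may need extra configuration. The following is an added illustration (not AppScan code, and not a description of how AppScan detects sessions) of what that tracking involves: a small cookie jar that keeps the latest value of every cookie across responses, plus a classifier that separates predefined session-cookie names from unknown cookies that merely look like random tokens. The list of known names, the entropy threshold, the cookie name `X_APP_TOKEN` and the sample responses are all constructed for the example.

```python
"""Illustration of the session-ID tracking a black-box (DAST) scanner needs.

Added example, not AppScan code: it shows why a scanner must recognise and
re-send session identifiers, and why a custom mechanism may need manual
configuration. The cookie names and the sample responses are constructed.
"""
import math
import re
from collections import Counter
from http.cookies import SimpleCookie

# Common session cookie names a scanner can recognise out of the box
# (constructed list; a real scanner's predefined list is product-specific).
KNOWN_SESSION_NAMES = {
    "JSESSIONID", "PHPSESSID", "ASP.NET_SessionId",
    "CFID", "CFTOKEN", "connect.sid", "session", "sessionid",
}


def shannon_entropy(value: str) -> float:
    """Bits per character; random tokens score high, plain words score low."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_cookie(name: str, value: str) -> str:
    """Return 'known', 'likely' or 'unknown' for a Set-Cookie name/value pair.

    'known'   - name is in the predefined list, tracked automatically
    'likely'  - unknown name, but the value looks like a random token
                (this is the case that may need manual configuration)
    'unknown' - looks like an ordinary preference cookie
    """
    if name in KNOWN_SESSION_NAMES or name.upper().startswith("ASPSESSIONID"):
        return "known"
    token_like = re.fullmatch(r"[A-Za-z0-9_\-+/=.]{16,}", value) is not None
    # 3.5 bits/char is a constructed threshold, not a standard value.
    if token_like and shannon_entropy(value) > 3.5:
        return "likely"
    return "unknown"


class SessionTracker:
    """Minimal cookie jar: keeps the latest value of every cookie seen."""

    def __init__(self):
        self.cookies = {}
        self.findings = []

    def observe_response(self, set_cookie_headers):
        """Record every Set-Cookie header of one response."""
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                self.findings.append((name, classify_cookie(name, morsel.value)))
                # A scanner that does not update a rotated session ID is
                # effectively logged out after the next request, so overwrite.
                self.cookies[name] = morsel.value

    def cookie_header(self) -> str:
        """Cookie header the scanner would send on its next request."""
        return "; ".join(f"{k}={v}" for k, v in self.cookies.items())


# Constructed sample: the second response rotates JSESSIONID (as many servers
# do after login) and also sets a custom token that no predefined list covers.
SAMPLE_RESPONSES = [
    ["JSESSIONID=0000abc; Path=/; HttpOnly", "theme=dark; Path=/"],
    ["JSESSIONID=1111def; Path=/; HttpOnly",
     "X_APP_TOKEN=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA; Path=/; HttpOnly"],
]


def run_sample() -> SessionTracker:
    """Feed the constructed responses through the tracker and return it."""
    tracker = SessionTracker()
    for headers in SAMPLE_RESPONSES:
        tracker.observe_response(headers)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for name, kind in t.findings:
        print(f"{name:12s} {kind}")
    print("next Cookie header:", t.cookie_header())
```

Running it shows `JSESSIONID` classified as `known` both times, `theme` as `unknown`, and `X_APP_TOKEN` as `likely`: the last is the kind of custom session mechanism for which the table says additional configuration might be needed, because nothing but its shape suggests it is a session identifier. The tracker also ends up holding the rotated `JSESSIONID` value, which is what lets the scan stay authenticated after login.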