Supported technologies

It's important to understand which of the technologies that are used by your site might affect AppScan’s ability to scan the site, and which ones do not affect the scan at all.

  • AppScan is a "black box" (DAST) tool, and scans your site by using the same mechanisms as a browser. Therefore, in general, server-side technologies that are transparent to a browser are also transparent to AppScan, and do not affect the scan.
  • Client-side technologies such as JavaScript and the HTTP protocol itself, do affect AppScan. Unlike a browser, AppScan needs to understand these technologies at a level that allows automatic crawling, session maintenance, and testing. In these cases, you need to configure AppScan to scan correctly.

An AppScan scan consists of two main stages: Explore and Test. For each stage, the table offers guidelines for understanding which server-side and client-side technologies might affect the scan, and in which cases configuration is needed.

Table 1. Supported technologies
Server-side technologies Client-side technologies
Explore stage

Any server-side technology that does not affect the client – such as the specific database used - does not affect the scan in any way.

Many mechanisms that do affect the client (like session management) will not limit the scan if AppScan is configured correctly. For example, web servers and application servers affect how session IDs are managed, and AppScan must be able to track these IDs. Many common session IDs are predefined or can be automatically detected by AppScan and do not require extra configuration. However, extra configuration might still be required for some custom mechanisms.

AppScan specifically supports WebSphere Portal custom URLs. WebSphere Portal encodes the URLs in a way that makes it difficult to track them as they appear. AppScan decodes the URLs so they can be understood and tuned.

Glass box scanning is supported for Java and .NET only.

The two main client-side technologies used today are HTML5 and JavaScript, and both affect the Explore stage of the scan:

AppScan supports HTML in the Explore stage. This means links can be extracted, forms can be understood and filled, etc.

AppScan supports (executes) plain JavaScript. Several major frameworks are supported, including JQuery, AngularJS, and PrototypeJS. Many other JS frameworks though not specifically supported, do not limit the scan in any way.

If the automatic Explore stage misses pages due to a specific technology, the pages can be added to the scan by exploring the site manually after the automatic Explore stage, and before the Test stage.

Test stage AppScan is designed to test the application and not its supporting technologies; they do not affect testing. To consider databases again: AppScan’s suite of SQL Injection tests are independent of the database used. It also offers specific tests for third-party testing (Common Vulnerabilities testing).

Client-side testing is performed only on JavaScript code. Currently, only plain JS vulnerabilities are detected.

JS Frameworks are not supported; JS code that uses a framework might not be properly analyzed.

HTML5 is fully supported.