This glossary provides terms and definitions for the [product name] software and products.

The following cross-references are used in this glossary:
  • See refers you from a nonpreferred term to the preferred term or from an abbreviation to the spelled-out form.
  • See also refers you to a related or contrasting term.

For other terms and definitions, see the HCL Terminology website (opens in new window).


abuse of functionality
A technique that uses a website's own features and functionality to consume, defraud, or thwart access control mechanisms.
accepted cookie
A cookie that is accepted by Internet Explorer without restriction.
access control
In computer security, the process of ensuring that users can access only those resources of a computer system for which they are authorized.
A document that contains information and analysis about a threat or vulnerability.
A program that performs a specific task and is typically portable between operating systems. Often written in Java, applets can be downloaded from the Internet and run in a web browser.
One or more computer programs or software components that provide a function in direct support of a specific business process or processes. See also application server.
application server
A server program in a distributed network that provides the execution environment for an application program. See also application.
application tree counter
The series of numbers in parentheses next to each node of the application tree, indicating the number of items in that branch.
Any attempt by an unauthorized person to compromise the operation of a software program or networked system. See also attacker.
A user (human or computer program) that attempts to cause harm to an information system or to access information not intended for general access. See also attack, hacker.
authentication point
A content asset that contains an authenticator (in the case of form-based authentication), or was accessed by means of an authenticator (in the case of HTTP, NT Lan Manager, or certificate-based validation).
In the Kerberos protocol, a string of data that is generated by the client and sent with a ticket that is used by the server to certify the identity of the client.


back door
A hole in the security of a system. It can be used by hackers to access sensitive information, or by programmers for maintenance and testing.
Boolean expression
An expression that evaluates to a Boolean value. See also Boolean value.
Boolean value
A value that can be either true or false, sometimes coded as 1 or 0, respectively. See also Boolean expression.
broken access control
A vulnerability that results from inadequate enforcement of restrictions for authenticated users. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
broken authentication and session management
An issue that occurs when account credentials and session tokens are not properly protected. Attackers can compromise passwords, keys, session cookies, or other tokens, and can assume other users' identities.
brute force attack
An attack that uses a repetitive method of trial and error to obtain the user name and password for a valid account on a web application. If successful, the attacker can then access credit card numbers, cryptographic keys, profile data for confidential documents, and tools that are used to manage the user privileges and content of the web application.
buffer overflow
An exploitation technique that alters the flow of an application by overwriting parts of memory. Buffer overflows are a common cause of malfunctioning software.


See certificate authority.
In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority. See also certificate authority.
certificate authority (CA)
A trusted third-party organization or company that issues the digital certificates. The certificate authority typically verifies the identity of the individuals who are granted the unique certificate. See also certificate, Secure Sockets Layer.
certificate revocation list (CRL)
A list of certificates that have been revoked before their scheduled expiration date. Certificate revocation lists are maintained by the certificate authority and used, during a Secure Sockets Layer (SSL) handshake to ensure that the certificates involved have not been revoked.
A state of being in accordance with established software and security specifications on target computers, or the process of becoming so.
configuration file
A file that specifies the characteristics of a program, system device, system, or network.
content spoofing
An attack technique used to trick a user into believing that certain content appearing on a website is legitimate and not from an external source.
The information about an issue that is captured during a scan.
Information that a server stores on a client machine and accesses during subsequent sessions. Cookies allow servers to retrieve specific information about clients.
cookie ID
See cookie identifier.
cookie identifier (cookie ID)
A unique identifier assigned to a cookie discovered during a scan.
cookie poisoning
A technique used for conducting identity theft or session hijacking. By manipulating the information stored in a browser cookie, hackers assume the user’s identity and have access to that user’s information for malicious purposes.
credential prediction
A method of hijacking or impersonating a website user by guessing the unique value that identifies a particular session or user.
See certificate revocation list.
cross-site scripting (XSS)
An attack technique that forces a website to echo client-supplied data, which execute in a user’s web browser.
custom error page
A feature of most web server software that allows the user to replace default error messages with messages that are custom designed for the application.


An interface that integrates data from a variety of sources and provides a unified display of relevant and in-context information.
Data Encryption Standard (DES)
A cryptographic algorithm designed to encrypt and decrypt data using a private key.
denial-of-service attack (DoS)
In computer security, an assault on a network that brings down one or more hosts on a network such that the host is unable to perform its functions properly. Network service is interrupted for some period.
denied cookie
A cookie whose information will not be available to store and pass back to the specified domain.
The number of clicks required for a user, or an automatic crawler, to get from a source page to a target page.
See Data Encryption Standard.
digital signature
Information that is encrypted with a private key and is appended to a message or object to assure the recipient of the authenticity and integrity of the message or object. The digital signature proves that the message or object was signed by the entity that owns, or has access to, the private key or shared-secret symmetric key.
directory indexing
A web server feature that exposes contents of a directory when no index page is present.
See Domain Name System.
document type declaration
A markup declaration that contains the formal specification of the document type definition.
In the Internet, a part of a naming hierarchy in which the domain name consists of a sequence of names (labels) separated by periods (dots).
domain name
In Internet communications, a name of a host system. A domain name consists of a sequence of subnames that are separated by a delimiter character, for example, See also Domain Name System.
Domain Name System (DNS)
The distributed database system that maps domain names to IP addresses. See also domain name.
See denial-of-service attack.
downgraded cookie
A persistent cookie whose status has been changed to a session cookie.


encoding attack
An exploitation technique that aids an attack by changing the format of user-supplied data to bypass sanity checking filters.
In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.
entity expansion attack
A type of XML-level denial-of-service attack that causes application servers to echo back user data.
To save a copy of the current document, database or image into the file format required by another application.
The degree to which information can be accessed using authorized or unauthorized methods.
external domain
A domain that has a different URL, up to the first backslash, from the starting URL of the site being scanned.


false positive
A test result classed as positive (indicating that the site is vulnerable to attack), that the user decides is in fact negative (not a vulnerability).
A collection of related data that is stored and retrieved by an assigned name.
fix recommendation
The specific and technical details on fixing a web application to secure it against the issue that was discovered.
fixed status
The status that indicates an issue has been addressed.
folder role
A set of permissions that apply to all jobs, report packs and dashboards within the folder. See also user type.
forceful browsing
See Predictable Resource Location.
format string attack
An attack that alters the flow of an application by using string formatting library features to access other memory space. Vulnerabilities occur when user-supplied data is used directly as formatting string input for certain C/C++ functions, such as fprintf, printf, sprintf.


In HTTP, a parameter on the METHOD attribute of the <FORM> tag that specifies that a browser will append form data to the end of a URL when sending the form data to a server.


An unauthorized person who tries to gain access to protected resources on a system. See also attacker.
hazardous character
A character which is used for performing web application attacks, such as XSS or SQL injection.
hidden parameter
An HTML form parameter that is not rendered in the web page.
hidden field
A field in a display file that is passed to and from the program but is not sent to the display.
A computer that is connected to a network and that provides an access point to that network. The host can be a client, a server, or both a client and server simultaneously. See also server.
host name
In Internet communication, the name given to a computer. The host name might be a fully qualified domain name such as, or it might be a specific subname such as mycomputer.


information leakage
The exposure of sensitive data from a website, which may help an attacker exploit the application.
injection flaw
A flaw that allows attackers to relay malicious code through a web application to an external system.
insecure storage
Information and credentials stored on the client's hard drive that have not been protected using cryptographic functions.
in-session detection
The detection of the in-session pattern in the responses AppScan receives, to verify that it is still logged in.
in-session pattern
A pattern identified in the login page, such as a logout link, that AppScan can use to verify that it is still logged in.
insufficient anti-automation
The result when a website permits an attacker to automate a process that should only be performed manually.
insufficient authentication
A vulnerability that occurs when a website allows an attacker to access sensitive content or functionality, such as a web-based administration tool, without properly authenticating the attacker's access permissions.
insufficient authorization
A vulnerability that occurs when a website allows access to sensitive content or functionality that should require access control restrictions.
insufficient process validation
A vulnerability that occurs when a website allows an attacker to bypass the intended step sequence of an application.
insufficient session expiration
A vulnerability that occurs when a website allows an attacker to reuse old session identifiers for authorization.
internal domain
A domain that is included in the content scan and that appears in the list of starting URLs.
invasive test
An optional test which, if run on the application, may cause a denial-of-service situation.
A security risk to which a web application is vulnerable, or possibly sensitive information that is visible to unauthorized users.
issue ID
See issue identifier.
issue identifier (issue ID)
The number assigned to every instance of an issue found during a content scan.


job owner
The person or group that is responsible for the overall completion of a job.


A cryptographic mathematical value that is used to digitally sign, verify, encrypt, or decrypt a message.
key exchange protocol
A protocol governing how two parties exchange keys to use in securing a transaction. Once keys have been exchanged, data can be encrypted at the sender’s end and decrypted at the receiver’s end.
key length
A measure of the size of the data that makes up a key, and determines how robust the key is. Longer keys, such as 128 bit, are considered to be harder to crack than shorter keys (48 bit).


See Lightweight Directory Access Protocol.
LDAP injection
See Lightweight Directory Access Protocol injection.
leashed cookie
A cookie that will be accepted in a first-party context and blocked in a third-party context.
Lightweight Directory Access Protocol (LDAP)
An open protocol that uses TCP/IP to provide access to directories that support an X.500 model and that does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). For example, LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory. See also Lightweight Directory Access Protocol injection.
Lightweight Directory Access Protocol injection (LDAP injection)
An attack technique used to exploit websites that construct LDAP statements from user-supplied input. See also Lightweight Directory Access Protocol.
In hypertext, an author-defined association between two information nodes.
login sequence
An automatically or manually recorded sequence of URLs and user input that allows AppScan to log into a web application.
See long description.
long description (longdesc)
An HTML attribute used within the image element, frame element, or iframe element. It associates an image description with the code that places the image in the web page. See also alternative text.


A modification by an attacker of a data element, group of elements, action, or group of actions based on one or more properties. For example, modification of input by removing a required argument, or performing steps out of order.
manual explore
The process of manually crawling a web application to access and test parts of the site that are dependent on input from a real user.
MIME type
An Internet standard for identifying the type of object being transferred across the Internet.
multiphase scan
A scan that consists of two or more phases. See also phase.


navigation trail
An object that shows the route to the current page.
noise status
The status that indicates an issue is irrelevant and should no longer be considered an issue. Noise status can indicate a false positive.


operating system commanding (OS commanding)
A technique used to exploit websites by executing operating system commands through manipulation of application input.
OS commanding
See operating system commanding.


See Platform for Privacy Preferences.
P3P compact policy
A list of three or four-letter codes that communicate the privacy policy of a web page to the browser. The codes indicate what type of information is collected by a cookie and to whom the information is distributed. See also Platform for Privacy Preferences.
parameter tampering
An attack technique used to change information in a site’s URL parameters. Hackers use parameter tampering to conduct fraud.
To break down a string of information, such as a command or file, into its constituent parts.
The part of the URL which points to the location of an Internet resource.
path filtering
The process of filtering out or including pages according to set criteria.
path traversal
An attack technique that alters a document or resource location requested in a URL and forces access to files, directories, and commands that reside outside the web document root directory.
penetration test
A method of evaluating the security of a web application by simulating an attack by a hacker.
Authorization to perform activities, such as reading and writing local files, creating network connections, and loading native code.
persistent cookie
A cookie that is stored on a user’s computer until it expires or until the user deletes the cookie. Persistent cookies are used to collect identifying information about the user, such as web surfing behavior or user preferences for a specific website.
A process that includes the Explore stage followed by the Test stage of a scan. See also multiphase scan.
phase limit
The maximum number of phases allowed in a scan. The limit is configurable.
See public key infrastructure.
Platform for Privacy Preferences (P3P)
The World Wide Web Consortium (W3C) specification that enables websites to define their privacy practices in a standard format. For more information, see the P3P project website ( See also P3P compact policy.
An end point for communication between applications, generally referring to a logical connection. A port provides queues for sending and receiving data. Each port has a port number for identification.
In HTTP, a parameter on the METHOD attribute of the FORM tag that specifies that a browser will send form data to a server in an HTTP transaction separate from that of the associated URL.
Predictable Resource Location
An attack technique used to uncover hidden website content and functionality. The attack searches for content in standard locations that is not intended for public viewing, such as temporary files, backup files, configuration files or sample files.
privacy seal
A logo indicating that the organization displaying it on their website meets certain industry standards for online privacy practices.
private key
In computer security, the secret half of a cryptographic key pair that is used with a public key algorithm. The private key is known only to its owner. Private keys are typically used to digitally sign data and to decrypt data that has been encrypted with the corresponding public key. See also public key.
public key
The non-secret half of a cryptographic key pair that is used with a public key algorithm. The public key is made available to everyone. Public keys are typically used to verify digital signatures and to encrypt data that can be decrypted only with the corresponding private key. See also private key, public key infrastructure.
public key infrastructure (PKI)
A system of digital certificates, certification authorities, and other registration authorities that verify and authenticate the validity of each party involved in a network transaction. See also public key.


redundant path limit
The maximum number of times identical paths may be scanned in a scan, in order to reduce scan time and eliminate duplicate results.
See regular expression.
regular expression (regex)
A set of characters, meta characters, and operators that define a string or group of strings in a search pattern.
relative path
A path that begins with the current working directory.
A suggestion for how to fix an issue.
risk analysis
An analysis of the security issues found in a web application. See also risk assessment.
risk assessment
An evaluation of the benefits and consequences of an action or scenario. See also risk analysis.
risk management
The optimal allocation of resources to arrive at a cost-effective investment in defensive measures within an organization.
Pertaining to system that handles exceptional conditions, such as abnormalities in input, effectively.
root authority
The end point in the signing path of a certificate.


The process of AppScan exploring and testing an application and providing the results.
An automated security program that searches for software vulnerabilities within web applications.
scan schedule
The time and frequency for scans to be run automatically.
scan template
A scan configuration that can be loaded to use for a scan.
Secure Sockets Layer (SSL)
A security protocol that provides communication privacy. With SSL, client/server applications can communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. See also certificate authority.
security audit
A manual or systematic measurable technical assessment of a system or application.
security risk
The potential success of a threat and the damage that could ensue.
A software program or a computer that provides services to other software programs or other computers. See also host.
server group
A group of items, usually applications, that can be tested as a unit.
server-side application technology
A technology enabled for a web server that produces dynamic Web content.
server-side include (SSI)
A facility for including dynamic information in documents sent to clients, such as current date, the last modification date of a file, and the size or last modification of other files. See also server-side include injection.
server-side include injection (SSI injection)
An attack technique that exploits a web application's failure to sanitize user-supplied data before it is inserted into an HTML file. This could give an attacker the ability to execute arbitrary operating system commands, or include a restricted file's contents the next time the page is served. See also server-side include.
session cookie
A cookie that stores information in the form of session identification that does not personally identify the user. It is stored in temporary memory and is not retained after the browser is closed.
session credential
A string of data provided by the web server, stored within a cookie or URL, which identifies a user and authorizes that user to perform various actions.
session fixation
An attack technique that allows an attacker to fixate a user's session identifier and assume their online identity.
session ID
See session identifier.
session identifier (session ID)
A unique string of data provided by the web server that is used in network communications to identify a session, and is stored within a cookie or URL.
session token
An identifier that is sent by the browser as a parameter or a cookie, in order to correlate between a user and their current session on the web application.
severity rating
The level assigned to an issue by the scan, indicating the security risk it represents.
See Structured Query Language.
SQL injection
See Structured Query Language injection.
See server-side include.
SSI injection
See server-side include injection.
See Secure Sockets Layer.
stealth commanding
An attack technique that conceals dangerous commands through a Trojan horse with the intent to run malicious or unauthorized code that is damaging to the site.
Structured Query Language (SQL)
A standardized language for defining and manipulating data in a relational database. See also Structured Query Language injection.
Structured Query Language injection (SQL injection)
An attack technique used to exploit websites by altering back-end SQL statements through manipulating application input. See also Structured Query Language.
style sheet
See stylesheet.
symmetric key cryptography
A system of cryptography in which the sender and receiver of a message share a single, common, secret key that is used to encrypt and decrypt the message.


test policy
A policy that limits the scan to certain categories and types of tests.
Test stage
The stage of the scan during which the objects and logic of the scanned application are submitted to a comprehensive barrage of typical, erroneous, and simulated-malicious usage techniques, resulting in a complete inventory of security vulnerabilities.
transport layer
In OSI architecture, the layer that provides services for flow control and recovery between open systems with a predictable quality of service.


See Universal Naming Convention.
Uniform Resource Locator (URL)
The unique address of an information resource that is accessible in a network such as the Internet. The URL includes the abbreviated name of the protocol used to access the information resource and the information used by the protocol to locate the information resource.
Universal Naming Convention (UNC)
The server name and network name combined. These names together identify the resource on the domain.
See Uniform Resource Locator.
user type
A description of a particular user’s abilities and the role they assume in a folder. User types include Standard User, Administrator and No Access. See also folder role.


See Wireless Communications Transfer Protocol.
weak password recovery validation
A vulnerability that occurs when a website permits an attacker to illegally acquire or change another user's password. An attacker can thwart a website’s recovery mechanism when the information required to validate a user's identity for recovery is easily guessed or circumvented.
web server
A software program that is capable of servicing Hypertext Transfer Protocol (HTTP) requests.
Wireless Communications Transfer Protocol (WCTP)
A type of service used for passing alphanumeric and binary messages to and from wireline systems and two-way capable wireless devices.


XML Path Language (XPath)
A language that is designed to uniquely identify or address parts of source XML data, for use with XML-related technologies, such as XSLT, XQuery, and XML parsers. XPath is a World Wide Web Consortium standard. See also XML Path Language injection.
XML Path Language injection (XPath injection)
An attack technique used to exploit websites that construct XPath queries from user-supplied input. If an application embeds unsafe user input into the query, it may be possible for the attacker to inject data into the query so that the newly formed query will be parsed differently from the programmer's intention. See also XML Path Language.
XML Rule Language (XRule)
An XML text string that the scan should search for in a website.
See XML Path Language.
XPath injection
See XML Path Language injection.
See XML Rule Language.
See cross-site scripting.