Overview

HCL AppScan Standard is a penetration-testing component of the HCL AppScan application security testing suite, used to test web applications and services. It features cutting-edge methods and techniques for identifying security vulnerabilities, helping to protect applications from the threat of cyber-attacks.

HCL AppScan Standard is a Dynamic Analysis (DAST) tool: it evaluates application security at runtime by attacking the application with techniques analogous to the methodologies used by attackers. The result of the tests is a rich set of data, ranging from an application inventory to detailed attack traffic that can be reproduced to validate and fix findings. This data can be examined and processed in the UI or exported in various formats for sharing with other tools.

Beyond the cutting-edge testing facilities, AppScan includes additional capabilities to help you run your testing program as efficiently as possible. Some of these are:
  • General and regulatory compliance reporting, with over 40 different templates available out-of-the-box
  • Customization and extensibility through the AppScan eXtension Framework, or by direct integration into existing systems using the AppScan SDK
  • Built-in optimization mechanism to help focus the test for the most likely issues in the most likely parts of your application

AppScan Standard helps you decrease the risk of web application attacks and data breaches both before site deployment and for ongoing risk assessment in production.

Supported technologies

Some technologies used by your site might affect AppScan’s ability to scan it, while others do not affect the scan at all.
  • AppScan is a "Black-Box" (DAST) tool, and scans your site using the same mechanisms as a browser. Therefore, in general, server-side technologies that are transparent to a browser are also transparent to AppScan, and do not affect the scan.
  • Client-side technologies, such as JavaScript and the HTTP protocol itself, do affect AppScan. For successful scanning, AppScan uses an actual browser, embedded in the product, to process webpages just like a commercially available browser. This ensures support for all common technologies. Occasionally additional configuration might be required to help AppScan understand the context of an element for proper processing beyond simple browsing, usually for the Test stage of the scan.
  • WebSocket login recording and login playback are supported.

An AppScan scan consists of two main stages: Explore and Test. For each stage, the sections below offer guidelines for understanding which server-side and client-side technologies might affect the scan, and in which cases configuration is needed.

Explore stage

Server-side technologies

Any server-side technology that does not affect the client, such as the specific database used, does not affect the scan in any way.

Many mechanisms that do affect the client (like session management) will not limit the scan as long as AppScan is configured correctly. For example, web servers and application servers affect how session IDs are managed, and AppScan must be able to track these IDs. Many common session IDs are predefined or can be automatically detected by AppScan and do not require additional configuration. However, additional configuration may still be required for some custom mechanisms.
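To illustrate the difference between a predefined session ID and a custom mechanism that needs explicit configuration, here is an added Python example; it is not AppScan code, and the sample login responses, the list of "known" cookie names and the custom-token rule are all constructed for illustration.

```python
import re
from http.cookies import SimpleCookie

# Constructed login responses. The first app uses a standard servlet cookie;
# the second (hypothetical) app returns its token inside a JSON body instead.
COOKIE_APP_LOGIN = {
    "headers": {"Set-Cookie": "JSESSIONID=AB12CD34EF; Path=/; HttpOnly"},
    "body": "<html>welcome</html>",
}
CUSTOM_APP_LOGIN = {
    "headers": {"Content-Type": "application/json"},
    "body": '{"status":"ok","sessToken":"t0k3n-9f8e7d"}',
}

# Session cookie names a scanner would recognise out of the box (constructed list).
KNOWN_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId"}


def detect_session(response, custom_rules=()):
    """Return {name: (where_to_send, value)} for session identifiers found.

    Known cookie names are picked up automatically. Anything else needs a
    caller-supplied rule (name, regex with a named group 'value', header to
    re-send it in), which stands in for the extra configuration the text
    describes for custom session mechanisms.
    """
    found = {}
    set_cookie = response["headers"].get("Set-Cookie")
    if set_cookie:
        jar = SimpleCookie()
        jar.load(set_cookie)
        for name, morsel in jar.items():
            if name in KNOWN_COOKIE_NAMES:
                found[name] = ("Cookie", morsel.value)
    for name, pattern, header in custom_rules:
        match = re.search(pattern, response["body"])
        if match:
            found[name] = (header, match.group("value"))
    return found


def apply_session(request_headers, session):
    """Attach every tracked identifier to a follow-up request's headers."""
    out = dict(request_headers)
    cookies = [f"{n}={v}" for n, (where, v) in session.items() if where == "Cookie"]
    if cookies:
        out["Cookie"] = "; ".join(cookies)
    for name, (where, value) in session.items():
        if where != "Cookie":
            out[where] = value
    return out
```

Without a rule, the JSON-based token is never detected, so every later request would be sent unauthenticated and the scan would silently miss the pages behind the login; with the rule configured, the token is tracked and re-sent.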

AppScan specifically supports WebSphere Portal (WSP) custom URLs. WSP encodes its URLs in a way that makes them difficult to track as they appear; AppScan decodes them so they can be understood and tuned.

Client-side technologies

AppScan uses a full embedded browser, so all the major technologies are supported automatically (HTML5), including many of the popular JavaScript frameworks such as Angular, React, and jQuery.

If the automatic Explore stage misses pages due to a specific technology or implementation that blocks automatic exploring, the pages can be added to the scan by exploring them manually after the automatic Explore stage, and before the Test stage.

Test stage

Server-side technologies

AppScan is designed to test the application rather than its supporting technologies, so those technologies do not affect testing. To take databases again as an example: AppScan's suite of SQL Injection tests is independent of the database used. It also offers specific tests for third-party components (Common Vulnerabilities testing).

Client-side technologies

Client-side JavaScript vulnerabilities are tested for using the embedded browser, again with a Black-Box (DAST) approach: the browser environment is manipulated and the application's JavaScript is executed as-is to expose vulnerabilities. All execution methodologies supported by modern browsers are supported by AppScan.