Glossary

This glossary explains terms and acronyms used in the AppScan® Standard user interface and documentation.

A

access control
In computer security, the process of ensuring that users can access only those resources of a computer system for which they are authorized.
action-based login
This type of login replay reproduces the actions performed when you recorded the login sequence, and is usually the preferred login method.
action-based login player
A browser with two panes in which action-based login is replayed for verification and troubleshooting. The left pane shows the list of actions and highlights which is currently being performed; the right pane shows the result of the current action.
advisory
A document that contains information and analysis about a threat or vulnerability.
application lifecycle
The succession of stages a product goes through, from development to production.
application server
A server program in a distributed network that provides the execution environment for an application program.
application test
A type of test which focuses on application logic and issues resulting from insecure software development.
application tree
A tree-view display of a web application's structure, including directories and files.
attack
Any attempt by an unauthorized person to compromise the operation of a software program or networked system. See also attacker.
attacker
A user (human or computer program), that attempts to cause harm to an information system or to access information not intended for general access. See also hacker, attack.
authentication
The process of validating the identity of a user or server.
Authentication Tester
A brute-force-like testing utility. One of the PowerTools. It detects weak username-password combinations that could be used to gain access to a user's web application.
authorization
The right granted to a user to communicate with or make use of a computer system.

B

back end
The set of support components of a computer system, such as the database management system.
black box
When the output of an application is examined without reference to its internal code, the application can be described as a "black box", and the testing as "black box testing", because it treats the application as a "black box" the contents of which cannot be seen. Compare with "white box".
broken link
A link that returns an invalid response when selected.
brute force
An attack by a program that tries every possible credential to compromise the security of a system.
buffer
A reserved segment of memory used to hold data while it is being processed.
buffer overflow
An exploitation technique that alters the flow of an application by overwriting parts of memory. Buffer overflows are a common cause of malfunctioning software.

C

case-sensitive
Pertaining to the ability to distinguish between uppercase and lowercase letters.
CGI
See Common Gateway Interface.
character encoding
A character set consisting of a code that pairs a sequence of characters from a given set with something else, such as a sequence of natural numbers, octets or electrical pulses. Encoding facilitates the storage and transmission of text through telecommunication networks.
child node
A node within the scope of another node.
client
The user's workstation that is connected to a network. See also host.
client-side
Pertaining to an operation that is performed on the client application and not on the server.
code injection
A technique that introduces new code into an application. Code injection can be used by an attacker to introduce code into a computer program to change the course of execution.
Common Gateway Interface (CGI)
An Internet standard for defining scripts that pass information from a web server to an application program, through an HTTP request, and vice versa.
communication timeout
The intentional ending of an incomplete task after waiting a specified amount of time.
concurrent login
A login that occurs simultaneously with other logins.
condition pattern
In regular expressions, a pattern that the regular expression defines. The regular expression can be used to find items that match the pattern.
cookie
Information that a server stores on a client machine and accesses during subsequent sessions. Cookies allow servers to retrieve specific information about clients.
crawl
To search for information across various web pages on the Internet or on an intranet. During the Explore stage of a scan, AppScan "crawls" your site to map its structure and prepare tests for the Test stage of the scan.
cross-site scripting (XSS)
An attack technique that forces a website to echo client-supplied data, which execute in a user's web browser.
custom error page
A feature of most web server software that allows the user to replace default error messages with messages that are custom designed for the application.
CVE
Common Vulnerabilities and Exposures. An industry standard list that provides common names for publicly known information security vulnerabilities and exposures.
CVSS
Common Vulnerability Scoring System. An open framework for scoring the risk associated with vulnerabilities. AppScan uses CVSS version 3.1.
CWE
Common Weakness Enumeration. An industry standard list that provides common names for publicly known software weaknesses.

D

database management system (DBMS)
A software system that controls the creation, organization, and modification of a database and the access to the data that is stored within it.
database service
A service that provides the storage and retrieval of data in a database.
DBMS
See database management system.
debug command
A feature or command that assists in identifying programming errors during the software development process.
delta
A difference, or an incremental value, between two instances.
denial-of-service attack (DoS)
In computer security, an assault on a network that brings down one or more hosts on a network such that the host is unable to perform its functions properly. Network service is interrupted for some period.
depth
The number of clicks required for a user, or an automatic crawler, to get from a source page to a target page.
directory indexing
A web server feature that exposes contents of a directory when no index page is present.
directory traversal
A technique used to exploit websites by accessing files and commands beyond the document root directory.
domain
A subnetwork of clients and servers under the control of one security database.
DoS
See denial-of-service attack.
dump file
The contents of memory without any report formatting.

E

embedded browser
The web browser that is embedded in AppScan® and opens with a special toolbar for working with scans.
encoding attack
An exploitation technique that aids an attack by changing the format of user-supplied data to bypass sanity checking filters.
encryption
The process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.
exclusion
A parameter or process whose values are excepted during tests.
executable
A program file that is ready to run in a particular environment.
Explore setting
A setting that configures the parameters governing how an application will be explored by AppScan®.
Explore stage
The stage of an AppScan® scan during which the logic and objects of an application are identified, prior to testing.
export
To save a copy of the current document, database or image into the file format required by a different application.
extended support mode
A mode that allows the user to record usage options and behavior, and to save the data in a file to send to technical support.

F

false positive
A test result classed as positive by AppScan (indicating that the site is vulnerable to attack), that the user decides is in fact negative (not a vulnerability).
fix recommendation
The specific and technical details on fixing a web application to secure it against the issue that was discovered.
Flash
A programming technique that enables movies and animation to display seamlessly in a web browser.
form property
A value used when forms are filled out automatically.
full path name
The name of any directory or file expressed as a string of directories and files beginning with the root directory.

G

graphical user interface (GUI)
A type of computer interface that presents a visual metaphor of a real-world scene, often of a desktop, by combining high-resolution graphics, pointing devices, menu bars and other menus, overlapping windows, icons and the object-action relationship.
GUI
See graphical user interface.

H

hard-coding
The software development practice of embedding output or configuration data directly into the source code of a program or other executable object.
hazardous character
A character which is used for performing web application attacks, such as XSS or SQL injection.
hidden parameter
An HTML form parameter that is not rendered in the web page.
host
A computer that is connected to a network and that provides an access point to that network. The host can be a client, a server, or both a client and server simultaneously. See also client
HTML form element
An element that allows the user to enter information, such as text fields, text area fields, drop-down menus, radio buttons, or check boxes, in a form.
HTTP request
A request sent to the site either during the Explore or Test stage of the scan.
HTTP response
A response sent by the server.

I

ID
See identifier.
identifier (ID)
One or more characters used to identify or name a data element and possibly to indicate certain properties of that data element.
import
To read a file in a format that is not native to the application in use.
Industry Standards report
A report of issues found on the user's web application and relevant information according to a selected industry standard. AppScan® Industry Standard reports include SANS Top 20, OWASP Top 10, and WASC Threat Classification.
in-session detection
The detection of the in-session pattern in the responses AppScan® receives, to verify that it is still logged in.
in-session pattern
A pattern identified in the login page, such as a logout link, that AppScan® can use to verify that it is still logged in.
insufficient anti-automation
The result when a website permits an attacker to automate a process that should only be performed manually.
interactive URL
A URL that includes forms to be filled out manually by the user.
invasive test
An optional test which, if run on the application, may cause a denial-of-service situation.
issue
A security risk to which a web application is vulnerable, or possibly sensitive information that is visible to unauthorized users.

J

Java applet
An applet that is written in Java, and that can run in a web browser using a Java virtual machine (JVM).
Java virtual machine (JVM)
A software implementation of a processor that runs compiled Java code (applets and applications).

L

link extraction
The parsing or executing of code for discovery and collection of links from a web application.
login sequence
The sequence of user inputs that enables AppScan® to log into your web application to scan it. It is recommended to record the login manually. AppScan then replays this sequence whenever it needs to log in during the scan. When you record a login sequence, AppScan analyzes both the actions and the requests. When replaying the login it attempts (by default) to reproduce the action-based login; if this is unsuccessful it will revert to the request-based login.

M

manipulation
A modification by an attacker of a data element, group of elements, action, or group of actions based on one or more properties. For example, modification of input by removing a required argument, or performing steps out of order.
manual explore
The process of manually crawling a web application to access and test parts of the site that are dependent on input from a real user.
metacharacter
ASCII character with special meaning during pattern processing. Such characters are used to represent single-byte or multibyte character patterns that can be matched during processing.
multipart request
A request that contains more than one content type. To reduce unnecessary memory consumption, some content types are automatically filtered out of multipart requests during the scan. You can configure which types will not be filtered in Configuration > Advanced Configuration > Multipart Content Type Filter.
multiphase scan
A scan that consists of two or more phases. Each phase includes an Explore stage followed by a Test stage.
multi-step operation | multi-step sequence
A sequence of two or more requests that must be sent in a specific order to access certain parts of the application. (Example: Add item to shopping cart > Enter payment details > Receive order confirmation.) Recording such multi-step operations as part of the scan configuration ensures that these parts of the site are scanned.

N

network service
A service that transmits data or provides conversion of data in a network.
non-vulnerables
Negative tests or false positives that are not susceptible to vulnerabilities or security threats.
NTLM
See Windows NT® LAN Manager.
numeric overflow
The result from an arithmetic calculation that exceeds the space designated to hold it.

P

parent node
The node that contains the current node.
parse
To break down a string of information, such as a command or file, into its constituent parts.
path
The part of the URL which points to the location of an Internet resource.
path filtering
The process of filtering out or including pages according to set criteria.
path traversal
An attack technique that alters a document or resource location requested in a URL and forces access to files, directories, and commands that reside outside the web document root directory.
pattern
A method of describing text to be identified, using one or more regular expressions.
PCI
See Peripheral Component Interconnect.
penetration test
A method of evaluating the security of a web application by simulating an attack by a hacker.
Peripheral Component Interconnect (PCI)
A local bus that provides a high-speed data path between the processor and attached devices.
permission
Authorization to perform activities, such as reading and writing local files, creating network connections, and loading native code.
personal identification number (PIN)
In Cryptographic Support, a unique number assigned by an organization to an individual and used as proof of identity. PINs are commonly assigned by financial institutions to their customers.
phase
A process that includes the Explore stage followed by the Test stage of a scan.
phase limit
The maximum number of phases allowed in a scan. The limit is configurable.
PIN
Personal Identification Number.
platform
The combination of an operating system and hardware that makes up the operating environment in which a program runs.
port
An end point for communication between applications, generally referring to a logical connection. A port provides queues for sending and receiving data. Each port has a port number for identification.
port listener
A mechanism that allows the product to validate certain tests by listening to out-of-bound connections.
Predictable Resource Location
An attack technique used to uncover hidden website content and functionality. The attack searches for content in standard locations that is not intended for public viewing, such as temporary files, backup files, configuration files or sample files.
privilege escalation
The process of referring to scans that were run using different user privileges, in order to test whether privileged resources are accessible to users with insufficient access permissions.
prompt
A message or a displayed symbol that requests information or user action. The user must respond to allow the program to proceed.
proxy
An application gateway from one network to another for a specific network application such as Telnet or FTP, for example, where a firewall's proxy Telnet server performs authentication of the user and then lets the traffic flow through the proxy as if it were not there. Function is performed in the firewall and not in the client workstation, causing more load in the firewall.

R

redundant path limit
The maximum number of times identical paths may be scanned in a scan, in order to reduce scan time and eliminate duplicate results.
regular expression | regexp
A set of characters, meta characters, and operators that define a string or group of strings in a search pattern.
regulatory compliance report
A report of issues found on a web application that do not comply with a selected regulation or legal standard. The regulations include legal Acts, Bills, and Laws of Canada, EU, Japan, UK, USA, and regulations of MasterCard and Visa. Custom regulatory compliance report templates can also be created.
relative path
A path that begins with the current working directory.
remediation
A suggestion for how to fix an issue.
request-based login
This type of login replay reproduces the requests that were sent when you recorded the login sequence.
restriction
A type of filter that limits a scan to listed URLs only.
Result Expert
An optional function that can be run after scanning to add CVSS settings, screen captures, and other information to the Issue Information tab of scan results.
reverse engineer
To analyze a device or system in order to learn details of its design, construction, and operation.
risk analysis
An analysis of the security issues found in a web application.
risk assessment
An evaluation of the benefits and consequences of an action or scenario.
risk management
The optimal allocation of resources to arrive at a cost-effective investment in defensive measures within an organization.
role
A set of permissions.

S

sanitize
In web application security, to clean user input from harmful or hazardous characters, before using it.
scan
The process of AppScan® exploring and testing an application and providing the results.
scan configuration
A collection of AppScan® settings that define the user's application/service, environment, and chosen scan methods.
scan template
A scan configuration that can be loaded to use for a scan.
scheduler
A multithread, multiprocess background server designed to handle the scheduling and launching of jobs, based on a simple timing scheme.
security audit
A manual or systematic measurable technical assessment of a system or application.
security risk
The potential success of a threat and the damage that could ensue.
sequence
A list of recorded URLs.
session
A logical or virtual connection between two stations, software programs, or devices on a network that allows the two elements to communicate and exchange data. See also transaction
session credential
A string of data provided by the web server, stored within a cookie or URL, which identifies a user and authorizes that user to perform various actions.
session fixation
An attack technique that allows an attacker to fixate a user's session identifier and assume their online identity.
session hi-jacking
The compromise of a user's session by an attacker. The attacker could reuse this stolen session to masquerade as the user.
session ID
See session identifier
session identifier (session ID)
The compromise of a user's session by an attacker. The attacker could reuse this stolen session to masquerade as the user.
session token
An identifier that is sent by the browser as a parameter or a cookie, in order to correlate between a user and their current session on the web application. See also session identifier, transient token.
severity rating
The level assigned to an issue by the scan, indicating the security risk it represents.
shell
A software interface between users and an operating system. Shells generally fall into one of two categories: a command line shell, which provides a command line interface to the operating system; and a graphical shell, which provides a graphical user interface (GUI).
source code
A computer program in a format that is readable by people. Source code is converted into binary code that can be used by a computer.
spoofing
The technique of faking the sending address of a transmission in order to gain illegal entry into a secure system.
SQL
See Structured Query Language.
SQL injection
See Structured Query Language injection.
stage
Part of a scan phase in which AppScan® either explores or tests the site.
stateless protocol
A protocol that does not maintain a relationship between commands. HTTP is an example of a stateless protocol.
Structured Query Language (SQL)
A standardized language for defining and manipulating data in a relational database.
Structured Query Language injection (SQL injection)
An attack technique used to exploit websites by altering back-end SQL statements through manipulating application input.
syntax
The rules for the construction of a command or statement.

T

test fix
A temporary fix that is supplied to specific customers for testing in response to a reported problem.
test policy
A policy that limits the scan to certain categories and types of tests.
Test request
A request sent to the application during the Test stage of the scan. Test requests are designed to reveal security vulnerabilities.
Test stage
The stage of the scan during which the objects and logic of the scanned application are submitted to a comprehensive barrage of typical, erroneous, and simulated-malicious usage techniques, resulting in a complete inventory of security vulnerabilities.
thread
A stream of computer instructions that is in control of a process. In some operating systems, a thread is the smallest unit of operation in a process. Several threads can run concurrently, performing different jobs.
threat
A security issue, or a harmful act, such as the deployment of a virus or illegal network penetration.
threat classification
A group of security issues. For each threat class, there are numerous specific tests; and for each test, numerous variants. WASC Threat Classification is a cooperative effort to classify the weaknesses and attacks that can lead to the compromise of a website, its data, or its users. In AppScan Standard not all WASC threat classifications are used, and there are additional classifications (for example Server-Side Request Forgery), that do not have a WASC classification. More details about the WASC Treat Classification can be found at:http://projects.webappsec.org/w/page/13246978/Threat%20Classification
transaction
A request (to an application) and the response (from the application) that it generated.
transient token
A token whose value changes (usually a session token). Sending an expired transient token could result in AppScan® getting logged out of the application it is testing, so it must keep them up to date. See also session token.

U

UI
User interface, see graphical user interface.
Uniform Resource Locator (URL)
The unique address of an information resource that is accessible in a network such as the Internet. The URL includes the abbreviated name of the protocol used to access the information resource and the information used by the protocol to locate the information resource.
UNIX®
A highly portable operating system that features multiprogramming in a multiuser environment. The UNIX® operating system was originally developed for use on minicomputers, but was adapted for mainframes and microcomputers. The AIX® operating system is IBM's implementation of the UNIX® operating system.
URL
See Uniform Resource Locator.
user-defined test
A test that is created by a user in addition to the tests that are automatically created and run.

V

validation
The process of verifying whether a certain test succeeded or failed to achieve its goal.
vulnerability
A security exposure in an operating system, system software, or application software component.

W

web application
An application that is accessible by a web browser and that provides some function beyond static display of information, for instance by allowing the user to query a database. Common components of a web application include HTML pages, JSP pages, and servlets.
web browser
A client program that initiates requests to a web server and displays the information that the server returns.
web content
Files and other resources that compose a website. web content may consist of image files, audio files, HTML files, JSP files, style sheets, database entries, or anything you can see on a website.
web security
The theory and practice of information security relating to the World Wide web, HTTP and web application software.
web server
A software program that is capable of servicing Hypertext Transfer Protocol (HTTP) requests.
web service
An application that performs specific tasks and is accessible through open protocols such as HTTP and SOAP.
Web Services Description Language (WSDL)
An XML-based specification for describing networked services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information.
white box
White box scanning analyzes actual code, such as JavaScript code in the case of Static Analysis. Compare with "black box".
Windows NT® LAN Manager (NTLM)
A protocol used in a variety of Microsoft® network protocols for authentication purposes.
WSDL
See Web Services Description Language.

X

XSS
See cross-site scripting.