Supported technologies

Helps you understand which technologies used by your site might affect AppScan®’s ability to scan it.

Some technologies used by your site might affect AppScan’s ability to scan it, while others do not affect the scan at all.
  • AppScan is a "Black-Box" (DAST) tool, and scans your site using the same mechanisms as a browser. Therefore, in general, server-side technologies that are transparent to a browser are also transparent to AppScan, and do not affect the scan.
  • Client-side technologies, such as JavaScript, and the HTTP protocol itself do affect AppScan. Unlike a browser, AppScan needs to understand these technologies at a level that allows automatic crawling, session maintenance, and testing. In these cases you need to configure AppScan so that it scans correctly.

An AppScan scan consists of two main stages: Explore and Test. For each stage, the sections below offer guidelines for understanding which server-side and client-side technologies might affect the scan, and in which cases configuration is needed.

Explore stage

Server-side technologies

Any server-side technology that does not affect the client, such as the specific database used, does not affect the scan in any way.

Many mechanisms that do affect the client (like session management) will not limit the scan as long as AppScan is configured correctly. For example, web servers and application servers affect how session IDs are managed, and AppScan must be able to track these IDs. Many common session IDs are predefined or can be automatically detected by AppScan and do not require additional configuration. However, additional configuration may still be required for some custom mechanisms.

AppScan specifically supports WebSphere Portal (WSP) custom URLs. WSP encodes URLs in a way that makes them difficult to track as they appear; AppScan decodes them so that they can be understood and tracked.
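The following is an added example, not code from the AppScan documentation, that shows why a custom session mechanism needs explicit scanner configuration. A constructed toy application returns its session token in a JSON login response and expects it back in an X-Session-Token request header rather than in a cookie. A tracker that only follows Set-Cookie (a scanner with no custom rule) is bounced back to the login page on the next request; the same tracker given a rule for the custom token keeps the session. The application, the header name and the regular expression are all assumptions made for the illustration.

```python
"""Added example: tracking a custom session token the way a DAST scanner
must, versus relying only on built-in cookie tracking. Everything here is
constructed for the illustration."""
import json
import re
import secrets


class ToyApp:
    """In-memory stand-in for an application server with a custom session scheme."""

    def __init__(self):
        self.sessions = set()

    def handle(self, method, path, headers, body=None):
        if method == "POST" and path == "/login":
            token = secrets.token_hex(16)
            self.sessions.add(token)
            # The session is conveyed in the JSON body, not in Set-Cookie.
            return 200, {"Content-Type": "application/json"}, json.dumps({"sessionToken": token})
        if headers.get("X-Session-Token") in self.sessions:
            return 200, {}, "<html>account page</html>"
        return 302, {"Location": "/login"}, ""


class SessionTracker:
    """Scanner-side session tracking.

    Set-Cookie is always tracked, mirroring predefined session cookies.
    custom_rules maps a regex (with one capture group) that extracts a token
    from a response body to the request header it must be replayed in.
    """

    def __init__(self, custom_rules=None):
        self.cookies = {}
        self.custom_headers = {}
        self.custom_rules = custom_rules or {}

    def observe(self, resp_headers, resp_body):
        if "Set-Cookie" in resp_headers:
            name, _, value = resp_headers["Set-Cookie"].split(";")[0].partition("=")
            self.cookies[name.strip()] = value.strip()
        for pattern, header in self.custom_rules.items():
            m = re.search(pattern, resp_body)
            if m:
                self.custom_headers[header] = m.group(1)

    def request_headers(self):
        headers = dict(self.custom_headers)
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        return headers


def crawl_account_page(app, tracker):
    """Log in, then request /account as an Explore stage would.
    Returns the status code of the /account request."""
    status, headers, body = app.handle("POST", "/login", {}, body="user=u&pass=p")
    tracker.observe(headers, body)
    status, headers, body = app.handle("GET", "/account", tracker.request_headers())
    return status


def default_scanner_status():
    """No rule for the custom mechanism: the token is never replayed."""
    return crawl_account_page(ToyApp(), SessionTracker())


def configured_scanner_status():
    """Custom rule configured: token extracted from the body and replayed."""
    rule = {r'"sessionToken":\s*"([0-9a-f]+)"': "X-Session-Token"}
    return crawl_account_page(ToyApp(), SessionTracker(custom_rules=rule))


if __name__ == "__main__":
    print("without custom rule:", default_scanner_status())    # 302, sent back to /login
    print("with custom rule:   ", configured_scanner_status())  # 200
```

The practical check is the same one you would run against a real scan: after login, does the scanner's next request carry the identifier the application actually keys the session on? If every in-session request is redirected to the login page, the scan is crawling unauthenticated and a custom session rule is needed.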

Client-side technologies

The two main client-side technologies used today are HTML5 and JavaScript, and both affect the Explore stage of the scan:
  • HTML: AppScan supports HTML in the Explore stage, so links can be extracted, forms can be understood and filled in, and so on.
  • JavaScript: AppScan supports (executes) plain JavaScript. Several major frameworks are specifically supported, including jQuery, AngularJS and PrototypeJS. Many other JavaScript frameworks, though not specifically supported, do not limit the scan in any way.

If the automatic Explore stage misses pages due to a specific technology, the pages can be added to the scan by exploring the site manually after the automatic Explore stage, and before the Test stage.

Test stage

Server-side technologies

AppScan is designed to test the application, not its supporting technologies, so those technologies do not affect testing. To take databases as the example again: AppScan's suite of SQL Injection tests is independent of the database used. AppScan also offers specific tests for third-party components (Common Vulnerabilities testing).
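As an added example (not AppScan's own test logic or payloads), the following shows the idea behind a database-independent SQL Injection test: a boolean-based probe that compares only the application's responses. Two constructed handlers stand in for a `/products?category=` endpoint, one concatenating the parameter into the query text and one binding it as a parameter. SQLite is used only because it ships with Python; the probe relies on nothing but standard SQL string comparisons, so the same check applies unchanged to any engine behind the application.

```python
"""Added example: a black-box boolean-based SQL Injection probe run against a
constructed vulnerable handler and its parameterized fix. The data, the
handlers and the payloads are illustrative, not AppScan's."""
import sqlite3

# Constructed sample data.
PRODUCTS = [("books", "Book A"), ("books", "Book B"), ("toys", "Toy A")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (category TEXT, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def vulnerable_handler(conn):
    """Simulates the endpoint with the parameter concatenated into the SQL.
    The 'response' is the list of product names returned."""
    def send(category):
        sql = "SELECT name FROM products WHERE category = '" + category + "'"
        return [row[0] for row in conn.execute(sql)]
    return send


def fixed_handler(conn):
    """Same endpoint with a bound parameter: the value is never parsed as SQL."""
    def send(category):
        sql = "SELECT name FROM products WHERE category = ?"
        return [row[0] for row in conn.execute(sql, (category,))]
    return send


def boolean_sqli_suspected(send, benign_value):
    """A tautology should leave the response unchanged and a contradiction
    should change it. Only responses are compared: no database-specific
    syntax and no error messages are needed, which is what makes the probe
    independent of the database."""
    baseline = send(benign_value)
    tautology = send(benign_value + "' AND '1'='1")
    contradiction = send(benign_value + "' AND '1'='2")
    return tautology == baseline and contradiction != baseline


def check_both():
    """Return (vulnerable_flagged, fixed_flagged) for the two handlers."""
    conn = make_db()
    return (boolean_sqli_suspected(vulnerable_handler(conn), "books"),
            boolean_sqli_suspected(fixed_handler(conn), "books"))


if __name__ == "__main__":
    vulnerable, fixed = check_both()
    print("concatenated query flagged:", vulnerable)  # True
    print("parameterized query flagged:", fixed)      # False
```

A production scanner sends many more variants (different quoting and comment styles, error-based and time-based probes) and compares responses more robustly than strict equality, but the principle is the one shown: the signal comes from how the application's HTTP responses change, not from knowledge of the database behind it.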

Client-side technologies

Client-side testing is performed only on JavaScript code, and currently only plain JavaScript vulnerabilities are detected. JavaScript frameworks are not supported in the Test stage, so JavaScript code that uses a framework may not be properly analyzed.

HTML5 is fully supported.