About testing AJAX-based web applications

Technote (FAQ)


Question

Can IBM Security AppScan Standard explore a web site using AJAX (Asynchronous JavaScript and XML) and test for vulnerabilities?

Answer

Yes. AppScan Standard can be configured to explore and test an AJAX-based web application.


However, some URLs that are generated by AJAX code may have to be reached with Manual Explore. After those URLs have been recorded, the remaining URLs can be explored with an Automatic Explore.


Since AJAX runs on the client side and the server still receives ordinary HTTP requests, all of the test categories (such as SQL Injection, XSS and Buffer Overflows) remain relevant. During the scan, the following happens in the background:

  1. When the browser reaches JavaScript (including AJAX) code, it executes that code
  2. The AJAX code issues HTTP requests
  3. The requests are sent in the background (asynchronous requests)
  4. AppScan captures these requests
  5. AppScan runs its tests (XSS, SQL Injection, etc.) against the captured requests
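As an added illustration of steps 4 and 5 (example code written for this note, not part of the technote or of AppScan), the script below takes a few constructed background requests, as an AJAX front end might fire them, and lists the endpoint and parameter names each one carries, whether they sit in the query string, a JSON body or an XML body. Each listed parameter is a test point the scanner must reach, so a list like this is a quick way to confirm that Manual Explore plus Automatic Explore actually covered the AJAX endpoints; the host names, paths and payloads are made up.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

def _json_keys(obj, prefix=""):
    # Flatten a JSON body into dotted leaf paths; each leaf is one test point.
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _json_keys(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for v in obj:
            yield from _json_keys(v, prefix)
    else:
        yield prefix.rstrip(".") or "(body)"

def _xml_paths(elem, prefix=""):
    # Slash-separated paths of the leaf elements in an XML body.
    path = f"{prefix}/{elem.tag}" if prefix else elem.tag
    if len(elem) == 0:
        yield path
    for child in elem:
        yield from _xml_paths(child, path)

def parse_request(raw):
    # One captured HTTP request -> (method, path, sorted parameter names).
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in header_lines)}
    url = urlsplit(target)
    params = {k for k, _ in parse_qsl(url.query, keep_blank_values=True)}
    ctype = headers.get("content-type", "").lower()
    if body and "json" in ctype:          # typical XMLHttpRequest/fetch payload today
        params |= set(_json_keys(json.loads(body)))
    elif body and "xml" in ctype:         # the "X" in AJAX
        params |= set(_xml_paths(ET.fromstring(body)))
    elif body:                            # form-encoded fallback
        params |= {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    return method, url.path, sorted(params)

# Constructed sample: three background requests as an AJAX front end might fire them.
CAPTURED = [
    "GET /api/search?q=shoes&page=2 HTTP/1.1\r\nHost: shop.example\r\n"
    "X-Requested-With: XMLHttpRequest\r\n\r\n",
    "POST /api/cart HTTP/1.1\r\nHost: shop.example\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"item": {"sku": "A1", "qty": 2}, "coupon": "SAVE5"}',
    "POST /api/legacy HTTP/1.1\r\nHost: shop.example\r\nContent-Type: text/xml\r\n"
    "\r\n<order><id>7</id><note>gift</note></order>",
]
```

Running `parse_request` over `CAPTURED` yields, for example, `("POST", "/api/cart", ["coupon", "item.qty", "item.sku"])` for the JSON request: three parameters that never appear in any page URL and only exist because the AJAX code sent them.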


Document information


More support for:

IBM Security AppScan Standard
Configuration

Software version:

8.0, 8.5, 8.7, 8.8, 9.0

Operating system(s):

Windows

Software edition:

Express, Standard

Reference #:

1287436

Modified date:

2011-10-05
