About testing AJAX-based web applications

Technote (FAQ)


Can IBM Security AppScan Standard explore a web site using AJAX (Asynchronous JavaScript and XML) and test for vulnerabilities?


Yes. AppScan Standard can be configured to explore and test an AJAX-based web application.

However, you may need to use Manual Explore to explore some URLs that are generated by AJAX. After exploring those URLs, you can continue to explore the rest of the URLs using Automatic Explore.

Because AJAX is a technology that runs on the client side, the requests it sends still reach the server as ordinary HTTP requests, so all of the testing techniques (such as SQL Injection, XSS, Buffer Overflows) are still relevant. The following occurs in the background during the testing phase:

  1. When the browser reaches JavaScript (including AJAX) code, the code is executed.
  2. The AJAX code tries to fire HTTP requests.
  3. The HTTP requests are fired in the background (asynchronous requests).
  4. AppScan fetches the requests.
  5. AppScan runs tests (XSS, SQL Injection, etc.) on the fetched requests.
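
The sketch below walks through steps 1 to 5 in miniature. It is an added illustration, not AppScan code or its implementation: a recorder stands in for the browser's request layer, a constructed page script fires two background calls, and each captured request is broken down into the server-side inputs a scanner would test. The function names, endpoints and the `app.example` host are all hypothetical.

```javascript
// Added illustration; not AppScan code. All names and endpoints are hypothetical.

// Records every request a page script fires through a fetch-like function.
function makeRecorder() {
  const captured = [];
  const fakeFetch = (url, opts = {}) => {
    captured.push({ method: (opts.method || "GET").toUpperCase(), url, body: opts.body || null });
    // Answer with an empty JSON response so the page script keeps running.
    return Promise.resolve({ ok: true, json: async () => ({}) });
  };
  return { captured, fakeFetch };
}

// Lists the inputs of a captured request that would be tested on the server.
function testPoints(req) {
  const u = new URL(req.url, "http://app.example"); // constructed base URL
  const points = [...u.searchParams.keys()].map((k) => `query:${k}`);
  if (req.body) {
    let parsed = null;
    try { parsed = JSON.parse(req.body); } catch (e) { /* not JSON: treat as form data */ }
    if (parsed !== null && typeof parsed === "object") {
      for (const k of Object.keys(parsed)) points.push(`json:${k}`);
    } else {
      for (const k of new URLSearchParams(req.body).keys()) points.push(`form:${k}`);
    }
  }
  return { endpoint: `${req.method} ${u.pathname}`, points };
}

// Constructed page script: two background calls that never appear as links or
// forms in the HTML, so a crawler that only follows links would not see them.
async function pageScript(fetchFn) {
  await fetchFn("/api/search?q=shoes&page=1");
  await fetchFn("/api/cart", { method: "POST", body: JSON.stringify({ itemId: 42, qty: 1 }) });
}

async function explore() {
  const { captured, fakeFetch } = makeRecorder();
  await pageScript(fakeFetch);      // steps 1-3: script executes, requests fire
  return captured.map(testPoints);  // steps 4-5: fetched requests become test targets
}

explore().then((targets) => console.log(JSON.stringify(targets, null, 2)));
```

Requests that fire only after user interaction never reach the recorder in an automatic run, which is the case Manual Explore covers.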

Document information

More support for:

IBM Security AppScan Standard

Software version:

8.0, 8.5, 8.7, 8.8, 9.0

Software edition:

Express, Standard
