Can AppScan test AJAX-based web applications?

Automated crawling

Yes. Because AJAX is a client-side technology, the server-side testing techniques (e.g., SQL Injection, XSS, Buffer Overflows, etc.) remain fully relevant. In addition, when automatically crawling an AJAX-based web application, AppScan executes the application's JavaScript and automatically sends the requests created by XMLHttpRequest and other objects (e.g., ActiveX objects) that are commonly used in AJAX applications. Finally, AppScan users who prefer to traverse the AJAX application manually can do so using AppScan's embedded browser, just as they would with a regular browser.

AJAX based applications

If your AJAX application uses JSON messages, AppScan supports manipulation of JSON protocol parameters, which are widely used in AJAX-based applications (e.g., the ASP.NET AJAX Framework).

In addition to the above, AJAX applications often contain client-side JavaScript vulnerabilities such as DOM-based XSS, where data read from the URL or the DOM reaches an HTML-interpreting sink without sanitisation. AppScan's JavaScript Security Analyzer applies static analysis to the application's client-side code to locate such issues with high accuracy and precision.
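To make the DOM-based XSS point concrete, the following is an added example, not AppScan's code or part of this FAQ. It is a toy source-to-sink scanner that applies, with regular expressions and a per-variable taint set, the idea a real static analyser implements far more thoroughly: a value read from an attacker-influenced source (`location.hash`, `location.search`, `document.referrer`) must not reach an HTML-interpreting sink (`innerHTML`, `document.write`, `eval`) without sanitisation. The three widget snippets it scans are constructed samples, and `escapeHtml` is an assumed helper name, not a library function.

```javascript
// Added example (not AppScan's code): a toy source-to-sink scanner for
// DOM-based XSS in client-side JavaScript. A real analyser works on the
// parsed program; this one works line by line to illustrate the concept.

// Sources: values the page reads from the URL or the referrer.
const SOURCES = [/\blocation\.hash\b/, /\blocation\.search\b/, /\bdocument\.URL\b/, /\bdocument\.referrer\b/];
// Sinks: places where a string is interpreted as HTML or as code.
const SINKS = [/\.innerHTML\s*=/, /\.outerHTML\s*=/, /\bdocument\.write(?:ln)?\s*\(/, /\beval\s*\(/];
// Sanitisers: assumed helper names; recognising them is what keeps precision high.
const SANITIZERS = [/\bescapeHtml\s*\(/, /\bDOMPurify\.sanitize\s*\(/];
// A plain assignment to a local variable: `var x = <rhs>;`
const ASSIGN = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$/;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// True if the text refers to any variable currently in the taint set.
function mentionsTainted(text, tainted) {
  return [...tainted].some(v => new RegExp('\\b' + escapeRegExp(v) + '\\b').test(text));
}

// Returns one finding per sink line that receives untrusted data.
function scanForDomXss(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const lineNo = idx + 1;
    const m = line.match(ASSIGN);
    if (m) {
      const [, name, rhs] = m;
      const fromSource = SOURCES.some(r => r.test(rhs));
      const sanitised = SANITIZERS.some(r => r.test(rhs));
      if (!sanitised && (fromSource || mentionsTainted(rhs, tainted))) {
        tainted.add(name);      // taint propagates through the assignment
      } else {
        tainted.delete(name);   // reassigned from clean or sanitised data
      }
    }
    if (SINKS.some(r => r.test(line))) {
      const direct = SOURCES.some(r => r.test(line));
      if (direct || mentionsTainted(line, tainted)) {
        findings.push({
          line: lineNo,
          code: line.trim(),
          reason: direct ? 'source flows straight into an HTML sink'
                         : 'tainted variable reaches an HTML sink',
        });
      }
    }
  });
  return findings;
}

// Constructed sample 1: the fragment is concatenated into markup and assigned to
// innerHTML, so any HTML in the fragment is rendered rather than displayed.
const VULNERABLE_WIDGET = [
  "// constructed: greeting widget that reads the visitor's name from the URL fragment",
  'var name = decodeURIComponent(location.hash.slice(1));',
  "var greeting = 'Welcome back, ' + name;",
  "document.getElementById('welcome').innerHTML = greeting;",
].join('\n');

// Constructed sample 2: the same widget using textContent, which never parses HTML.
const FIXED_WIDGET = [
  'var name = decodeURIComponent(location.hash.slice(1));',
  "var el = document.getElementById('welcome');",
  "el.textContent = 'Welcome back, ' + name;",
].join('\n');

// Constructed sample 3: the value passes through an (assumed) escaping helper first.
const SANITISED_WIDGET = [
  'var name = decodeURIComponent(location.hash.slice(1));',
  'var safe = escapeHtml(name);',
  "document.getElementById('welcome').innerHTML = 'Welcome back, ' + safe;",
].join('\n');

for (const [label, src] of Object.entries({ VULNERABLE_WIDGET, FIXED_WIDGET, SANITISED_WIDGET })) {
  console.log(label, scanForDomXss(src));
}
```

Only the first widget produces a finding (line 4, the `innerHTML` assignment fed by the tainted `greeting` variable); the `textContent` version and the escaped version are reported clean. The scanner is deliberately line-granular and name-based, so it cannot follow data through function calls, object properties or event handlers; that gap, and the need to model sanitisers precisely rather than by name, is exactly why a product-grade analyser such as the one the FAQ describes works on the parsed program instead.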