IBM Rational AppScan Standard Edition is a Web application security testing tool that automates vulnerability assessments.
Here’s a short list of the interesting new features and capabilities in version 7.8:
- Flash execution & testing: AppScan now automatically crawls Flash applications to reveal web application vulnerabilities, including vulnerabilities unique to Flash such as XSS in Flash, phishing through Flash (redirections), Cross-Site Flashing, Insecure Direct Object Reference, over-permissive Flash sandboxes, and over-permissive crossdomain.xml files.
- AMF parsing & testing: On the same subject of Flash testing, AppScan is now capable of parsing and analyzing AMF communications between Flash applications and their back-end server-side application.
- Content-based application mapping: many modern web applications (especially those designed with the MVC paradigm) make use of a single URL and serve content based on different parameters. In such scenarios, reporting vulnerabilities by URL alone is not meaningful. AppScan 7.8 allows you to create or modify the application tree by defining the criteria by which AppScan assigns content elements to the application tree. This gives a clearer and more realistic view of the results.
- Support for widget-based and mashup sites: The new content-based configuration view (see previous item) lets you define the structure of widget-based and mashup sites and display their structure logically.
- WebSphere Portal support: A dedicated template for WebSphere Portal applications incorporating a WebSphere Portal test policy and other configurations designed to increase performance and accuracy. The same capability can be adjusted for other Java Portlet-based web applications.
- Improved Web services support: The new GSC utility replaces “Web Services Explorer” (a WSDL analyzer that generates SOAP traffic) to provide improved Web services scanning, including support for MIME attachments, WS encryption and WS signatures. This means you can now test SOAP Web services that make use of WS-Security standards.
- IPv6 Support: no need to explain
- CVSS-based severity reporting & configuration: AppScan is now capable of reporting vulnerability severity using CVSS (the Common Vulnerability Scoring System). In addition, users can adjust the CVSS settings as they wish, in order to produce more accurate reports.