When it comes to detecting Cross-Site Scripting (XSS), AppScan is the industry's #1 tool. Today we're making it even better.

AppScan's "XSS Analyzer" is one of the most significant DAST innovations in recent years. It breaks the mold of the standard way of doing black-box testing, which has been essentially unchanged for the last twelve years, and really does something new. Something fresh. Something exciting.

Here's why we believe XSS Analyzer sets itself apart from any other scanner out there: XSS Analyzer works and thinks like a human pentester does. We've packaged the experience and expertise of the best pentesters in the industry, together with the broadest possible knowledge about the different ways to exploit XSS. Essentially, we've created an "expert human pentester in a box".

Let's dive right in and describe how it works.

1. Detecting Reflection Context

XSS Analyzer starts by detecting and accurately classifying reflection context. This means understanding exactly where in the HTML page the reflected payload gets injected, with great attention to detail. This is a crucial step, because different contexts are vulnerable in different ways, and require different payloads in order to be exploitable.

Here is a small list of sample contexts:

<script>XX=[HERE]</script>

<img src="[HERE]">

<div style=[HERE]:bla>

<style>div{'aa:a[HERE]aaa'}</style>

<div onmouseover=`XX(1,'[HERE]')`></div>

<frameset><frame src=http://[HERE]></frame></frameset>

There are plenty of small but important details to each context. For example:

  • The injection could be in one of many tag values or tag attributes
  • A string value may be wrapped in single quotes, double quotes, back-quotes or may appear with no quotes at all
  • There may be adjacent letters, digits or dividers right before or after

An exploit that works in one context may not work in another, so it is very important to get it absolutely right. We've classified about 1000 different unique contexts. Each context requires its own special handling, its own set of rules.
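To make the context-classification step concrete, here is a small added example (not AppScan code, and far simpler than the roughly 1000 contexts mentioned above). It sends a constructed, unlikely-to-collide probe token, locates every reflection in the response, and records the context (text, comment, script, style, or which attribute with which quote style), the adjacent characters, and, from a defender's point of view, the output encoding that would have neutralised the reflection in that context. The `SAFE_ENCODING` table and the `classify_reflection` function are assumptions of this example, not something the post describes.

```python
import re

MARKER = "zq9reflect"  # constructed probe token, chosen so it is unlikely to appear naturally

# Defensive mapping, added for illustration: which output encoding neutralises a
# reflection in each context. The post lists contexts, not encodings.
SAFE_ENCODING = {
    "text": "HTML entity-encode",
    "comment": "do not reflect inside comments; entity-encode and move to text",
    "attribute": "quote the attribute and entity-encode the value",
    "attribute:event": "avoid reflecting into event handlers; JS-string-encode, then entity-encode",
    "attribute:url": "validate the scheme (http/https), then URL-encode",
    "attribute:style": "avoid reflecting into style; CSS-escape otherwise",
    "script": "JSON/JS-string-encode and never close the surrounding quoted context",
    "style": "CSS-escape",
    "tag": "reject; reflection in tag/attribute-name position cannot be safely encoded",
}

# attribute name, '=', optional opening quote (single, double, or back-quote)
_ATTR_RE = re.compile(r"""([\w:.-]+)\s*=\s*(["'`]?)""")


def _inside_unclosed(before: str, open_tag: str, close_tag: str) -> bool:
    """True if the last `open_tag` in `before` has no matching `close_tag` after it."""
    low = before.lower()
    return low.rfind(open_tag) > low.rfind(close_tag)


def classify_one(html: str, pos: int, marker: str) -> dict:
    """Classify the reflection of `marker` found at offset `pos` in `html`."""
    before, after = html[:pos], html[pos + len(marker):]
    ctx = {"pos": pos, "char_before": before[-1:], "char_after": after[:1]}
    if _inside_unclosed(before, "<!--", "-->"):
        ctx["context"] = "comment"
    elif _inside_unclosed(before, "<script", "</script"):
        ctx["context"] = "script"
    elif _inside_unclosed(before, "<style", "</style"):
        ctx["context"] = "style"
    elif before.rfind(">") >= before.rfind("<"):
        ctx["context"] = "text"          # between tags, i.e. ordinary page content
    else:
        tag_text = before[before.rfind("<"):]   # the still-open tag we are inside of
        m = re.match(r"<\s*([\w:-]+)", tag_text)
        ctx["tag"] = m.group(1).lower() if m else ""
        ctx["context"] = "tag"           # default: attribute-name position
        for am in _ATTR_RE.finditer(tag_text):
            rest = tag_text[am.end():]
            quote = am.group(2)
            # a quoted value is closed once its quote reappears; an unquoted one at whitespace
            closed = (quote in rest) if quote else re.search(r"\s", rest) is not None
            if closed:
                continue
            name = am.group(1).lower()
            ctx["attribute"], ctx["quote"] = name, quote or "none"
            if name.startswith("on"):
                ctx["context"] = "attribute:event"
            elif name in {"src", "href", "action", "formaction", "data"}:
                ctx["context"] = "attribute:url"
            elif name == "style":
                ctx["context"] = "attribute:style"
            else:
                ctx["context"] = "attribute"
    ctx["safe_encoding"] = SAFE_ENCODING[ctx["context"]]
    return ctx


def classify_reflection(html: str, marker: str = MARKER) -> list:
    """Return one context record per occurrence of `marker` in `html`."""
    return [classify_one(html, m.start(), marker) for m in re.finditer(re.escape(marker), html)]


if __name__ == "__main__":
    # The post's own sample contexts, with [HERE] replaced by the probe token.
    samples = [
        "<script>XX=zq9reflect</script>",
        '<img src="zq9reflect">',
        "<div style=zq9reflect:bla>",
        "<style>div{'aa:azq9reflectaaa'}</style>",
        "<div onmouseover=`XX(1,'zq9reflect')`></div>",
        "<frameset><frame src=http://zq9reflect></frame></frameset>",
    ]
    for page in samples:
        for record in classify_reflection(page):
            print(f"{page!r:60} -> {record['context']:16} quote={record.get('quote', '-'):5} "
                  f"before={record['char_before']!r} after={record['char_after']!r}")
```

Each of the six sample contexts lands in a different bucket, and the quote style and neighbouring characters are captured separately, which is exactly the detail that decides whether a given reflection is exploitable and which encoding would have prevented it.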

Once reflection context has been established, XSS Analyzer moves on to find an exploit that is uniquely suited to this context.

2. Learning and Defeating Server Defenses

Any pentester knows that very often, finding an XSS exploit that really works involves finding ways to work around input-validation mechanisms implemented by the developer of the web application. Putting in such mechanisms is good practice, but they often end up blocking certain "easy" exploits while allowing other, more "creative" ones. An experienced pentester may sometimes find ways to defeat these defenses.

XSS Analyzer does exactly that. It mimics human pentesters and the iterative learning process that they follow. It learns constraints about which inputs the server allows or disallows. Constraints can include things such as "the tag <script> is not allowed", or "all input goes through HTML encoding", or "the character '(' is stripped out".

The process looks generally like this:

  1. Begin with an empty set of constraints.
  2. Pick from a knowledge base a test that matches all known constraints.
  3. Send the test and find its reflected value in the response.
  4. If the reflected value is identical to the test, report a vulnerability and finish.
  5. Else: split the test into parts and send them one by one to see which one triggers the input-validation mechanism.
  6. Learn a new constraint (based on the results of step 5).
  7. Go to step #2.

The process repeats until a vulnerability is found, or until there is no test left in the knowledge base that matches the known constraints. On average, this requires only 20 requests to the server.
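The seven-step loop above, run end to end as an added example (this is not AppScan's code, and the three-entry `KNOWLEDGE_BASE` is a constructed toy standing in for the real knowledge base). Two simulated applications are included, both invented for the example: `blocklist_server`, which strips `<script` and `(` (the two constraint examples from the post) and reflects the rest unencoded, and `encoding_server`, which HTML-entity-encodes everything. The first shows how the loop learns constraints from part-by-part probing and converges in a handful of requests; the second shows the loop exhausting its knowledge base, which is the outcome a defender wants, because context-correct output encoding leaves no test that matches the learned constraints.

```python
import html

MARK = "zq9"  # constructed marker used to locate the reflected value in the response (step 3)

# Constructed toy knowledge base. Each test is kept as a list of parts so that step 5
# can probe which part trips the server's input validation.
KNOWLEDGE_BASE = [
    ["<script>", "alert", "(1)", "</script>"],
    ["<img src=x ", "onerror=", "alert", "(1)", ">"],
    ["<svg ", "onload=", "alert", "`1`", ">"],
]


def blocklist_server(value: str) -> str:
    """Simulated app that strips '<script' and '(' and reflects the rest unencoded."""
    for bad in ("<script", "("):
        value = value.replace(bad, "")
    return f"<html><body><div>{value}</div></body></html>"


def encoding_server(value: str) -> str:
    """Simulated app that HTML-entity-encodes all reflected input (the correct defence)."""
    return f"<html><body><div>{html.escape(value, quote=True)}</div></body></html>"


def reflected(server, payload: str):
    """Send MARK+payload+MARK and return whatever came back between the markers."""
    body = server(MARK + payload + MARK)
    i, j = body.find(MARK), body.rfind(MARK)
    if i < 0 or j <= i:
        return None
    return body[i + len(MARK):j]


def analyze(server, knowledge_base=KNOWLEDGE_BASE) -> dict:
    """Run the constraint-learning loop against `server`; report outcome and request count."""
    constraints = set()   # step 1: parts (or whole tests) the server is known to alter
    known_good = set()    # parts already seen to survive unchanged; not re-probed
    requests = 0

    def allowed(test):
        return "".join(test) not in constraints and not (set(test) & constraints)

    while True:
        candidates = [t for t in knowledge_base if allowed(t)]          # step 2
        if not candidates:
            return {"found": None, "constraints": sorted(constraints), "requests": requests}
        test = candidates[0]
        payload = "".join(test)
        requests += 1
        if reflected(server, payload) == payload:                       # steps 3-4
            return {"found": payload, "constraints": sorted(constraints), "requests": requests}
        learned = False
        for part in test:                                               # step 5
            if part in known_good or part in constraints:
                continue
            requests += 1
            if reflected(server, part) == part:
                known_good.add(part)
            else:
                constraints.add(part)                                   # step 6
                learned = True
        if not learned:
            # Every part survives alone but the combination does not: the filter is
            # combination-sensitive, so rule out this exact test and keep going.
            constraints.add(payload)
        # step 7: back to step 2


if __name__ == "__main__":
    for name, server in (("blocklist", blocklist_server), ("encoding", encoding_server)):
        print(name, analyze(server))
```

Against the blocklist filter the loop needs six requests: one full test, four single-part probes that teach it the constraints `<script>` and `(1)`, and one more full test that the filter lets through unchanged. Against the encoding server every part containing `<` or `>` becomes a constraint after nine requests, no remaining test matches, and the loop stops without a finding.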

The knowledge base contains more than 700 million XSS exploits, for every conceivable scenario, with every little trick in the book. It is probably the world's largest cheat sheet of XSS exploits. Compare that with the hundred or so exploits that any other scanner has, and you'll begin to grasp the magnitude of the research and engineering effort that went into XSS Analyzer.

We've prepared a little video for you, that we'd love to share with you today:

http://www.youtube.com/embed/MoHzk9l05pk

All this amazing technology works seamlessly in AppScan, with no extra configuration to worry about. XSS Analyzer finds those hard-to-catch XSS vulnerabilities that could not be detected before.

We've worked very hard to bring you this groundbreaking new innovative technology in AppScan. We are very proud of it, and hope it helps make the web safer.

What do you think? Are you excited about XSS Analyzer? Leave us a comment!

Source: http://blog.watchfire.com/wfblog/2012/07/announcing-xss-analyzer.html