When it comes to detecting Cross-Site Scripting (XSS), AppScan is the industry's #1 tool. Today we're making it even better.
AppScan's "XSS Analyzer" is one of the most significant DAST innovations in recent years. It breaks the mold of the standard way of doing black-box testing, which has been essentially unchanged for the last twelve years, and really does something new. Something fresh. Something exciting.
Here's why we believe XSS Analyzer sets itself apart from any other scanner out there: XSS Analyzer works and thinks like a human pentester does. We've packaged the experience and expertise of the best pentesters in the industry, together with the broadest possible knowledge about the different ways to exploit XSS. Essentially, we've created an "expert human pentester in a box".
1. Detecting Reflection Context
XSS Analyzer starts by detecting and accurately classifying reflection context. This means understanding exactly where in the HTML page the reflected payload gets injected, with great attention to detail. This is a crucial step, because different contexts are vulnerable in different ways, and require different payloads in order to be exploitable.
Here is a small list of sample contexts:
<script>XX=[HERE]</script>
<img src="[HERE]">
<div style=[HERE]:bla>
<style>div{'aa:a[HERE]aaa'}</style>
<div onmouseover=`XX(1,'[HERE]')`></div>
<frameset><frame src=http://[HERE]></frame></frameset>
There are plenty of small but important details to each context. For example:
- The injection could be in one of many tag values or tag attributes
- A string value may be wrapped in single quotes, double quotes, back-quotes or may appear with no quotes at all
- There may be adjacent letters, digits or dividers right before or after
An exploit that works in one context may not work in another, so it is very important to get it absolutely right. We've classified about 1000 distinct contexts. Each context requires its own special handling, its own set of rules.
Once reflection context has been established, XSS Analyzer moves on to find an exploit that is uniquely suited to this context.
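As an added illustration (not AppScan's code), here is a deliberately coarse version of the classification step: given a response and the probe token it reflects, it reports which context the token landed in and the characters adjacent to it. The probe token, the context names and the attribute regex are assumptions; a production classifier would distinguish many more cases.

```python
import re

MARKER = "zqx1"  # constructed probe token standing in for the reflected input


def _inside_block(before: str, tag: str) -> bool:
    """True when `before` ends inside an unclosed <tag> element (case-insensitive)."""
    low = before.lower()
    return low.rfind("<" + tag) > low.rfind("</" + tag)


def classify_context(html: str, marker: str = MARKER) -> dict:
    """Coarsely classify where `marker` was reflected into `html`."""
    pos = html.find(marker)
    if pos < 0:
        return {"context": "not_reflected"}
    before, after = html[:pos], html[pos + len(marker):]
    # Adjacent characters matter: they decide whether a payload would first have
    # to close a quote, a bracket or an expression before it could add anything.
    ctx = {"prev": before[-1:], "next": after[:1]}
    if before.rfind("<!--") > before.rfind("-->"):
        ctx["context"] = "comment"
    elif before.rfind("<") > before.rfind(">"):
        # Inside a tag: is the last attribute assignment still open at the marker?
        tag = before[before.rfind("<"):]
        attrs = list(re.finditer(r'([\w:-]+)\s*=\s*(["\'`]?)', tag))
        if attrs:
            name, quote = attrs[-1].group(1).lower(), attrs[-1].group(2)
            rest = tag[attrs[-1].end():]
            # quoted values close at the matching quote, unquoted ones at whitespace
            closed = (quote in rest) if quote else bool(re.search(r"\s", rest))
        else:
            closed = True
        if closed:
            ctx["context"] = "tag_body"  # between attributes, or a bare attribute name
        else:
            ctx.update(context="attribute_value", attribute=name, quote=quote)
    elif _inside_block(before, "script"):
        ctx["context"] = "script"
    elif _inside_block(before, "style"):
        ctx["context"] = "css"
    else:
        ctx["context"] = "html_text"
    return ctx
```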
2. Learning and Defeating Server Defenses
Any pentester knows that very often, finding an XSS exploit that really works involves finding ways to work around input-validation mechanisms implemented by the developer of the web application. Putting in such mechanisms is good practice, but they often end up blocking certain "easy" exploits while allowing other, more "creative" ones. An experienced pentester may sometimes find ways to defeat these defenses.
XSS Analyzer does exactly that. It mimics human pentesters and the iterative learning process that they follow. It learns constraints about which inputs the server allows or disallows. Constraints can include things such as "the tag <script> is not allowed", or "all input goes through HTML encoding", or "the character '(' is stripped out".
The process looks generally like this:
1. Begin with an empty set of constraints
2. Pick from the knowledge base a test that matches all known constraints
3. Send the test, find its reflected value in the response
4. If the reflected value is identical to the test, report a vulnerability and finish
5. Else: split the test into parts, send them one by one to see which one triggers the input-validation mechanism
6. Learn a new constraint (based on the results of step 5)
7. Go to step 2
The process repeats until a vulnerability is found, or until there is no test left in the knowledge base that matches the known constraints. On average, this requires only 20 requests to the server.
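The loop described above, as an added example that is not AppScan's code: a miniature knowledge base of three tests, two constructed stand-in filters, and the learning loop that resends parts, blames the one the filter touched and records it as a constraint. The filter behaviour, the test strings (no-op bodies that only exercise syntax) and the constraint representation (disallowed substrings) are all assumptions.

```python
import html
import re

# Constructed stand-ins for two application filters (not from the page):
# one strips "<script" and "(", the other HTML-encodes everything it reflects.
def strip_filter_app(value: str) -> str:
    cleaned = value.replace("<script", "").replace("(", "")
    return f'<html><body><div id="out">{cleaned}</div></body></html>'

def encoding_app(value: str) -> str:
    return f'<html><body><div id="out">{html.escape(value)}</div></body></html>'

def reflected(response: str) -> str:
    """Locate the reflected value in the response (step 3)."""
    m = re.search(r'<div id="out">(.*?)</div>', response, re.S)
    return m.group(1) if m else ""

# Constructed miniature knowledge base: each test is a tuple of parts so that
# step 5 can resend them one by one. Bodies are no-ops; they only exercise syntax.
KNOWLEDGE_BASE = [
    ("<script>", "x=1", "</script>"),
    ("<img src=x onerror=", "x", "(", "1", ")", ">"),
    ("<img src=x onerror=", "x=1", ">"),
]

def analyze(app, knowledge_base=KNOWLEDGE_BASE):
    """Run the learning loop; return (working test or None, constraints, request count)."""
    constraints = set()  # step 1: start with no constraints
    requests = 0

    def probe(value: str) -> str:
        nonlocal requests
        requests += 1
        return reflected(app(value))

    while True:
        # step 2: a test matches when it contains none of the disallowed substrings
        candidates = [t for t in knowledge_base
                      if not any(c in "".join(t) for c in constraints)]
        if not candidates:
            return None, constraints, requests  # knowledge base exhausted
        test = "".join(candidates[0])
        if probe(test) == test:  # steps 3-4: reflected unmodified
            return test, constraints, requests
        # step 5: resend the parts individually to find what the filter touches
        blamed = {part for part in candidates[0] if probe(part) != part}
        # step 6: learn a constraint; blame the whole test if only the combination
        # is filtered, so the loop always makes progress before step 7 loops back
        constraints |= blamed or {test}
```

Against the stripping filter the loop learns "<script>" and "(" and reaches the third test; against the encoding filter it runs out of matching tests and stops without a finding.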
The knowledge base contains more than 700 million XSS exploits, for every conceivable scenario, with every little trick in the book. It is probably the world's largest cheat sheet of XSS exploits. Compare that with the hundred or so exploits that any other scanner has, and you'll begin to grasp the magnitude of the research and engineering effort that went into XSS Analyzer.
We've prepared a little video for you, that we'd love to share with you today:
All this technology works seamlessly in AppScan, with no extra configuration to worry about. XSS Analyzer finds those hard-to-catch XSS vulnerabilities that could not be detected before.
We've worked very hard to bring you this groundbreaking new innovative technology in AppScan. We are very proud of it, and hope it helps make the web safer.
What do you think? Are you excited about XSS Analyzer? Leave us a comment!
Want to give it a spin? Download a trial of AppScan Standard 8.6 now!
Hi there.
When will it be available and in which version of AppScan can I test it?
Thanks!
Posted by: Diogenes De Jesus | July 05, 2012 at 10:27 AM
XSS Analyzer is available today in AppScan Enterprise 8.6.
Posted by: Omri Weisman | July 12, 2012 at 12:58 AM
I think this is a great advancement and accomplishment, but I have a problem with the way this is positioned and marketed.
Look at your title... 700 million reasons to feel secure. The ability to locate and fix all the xss flaws in your application does not mean that your application is secure. There are many other types of vulnerabilities that an application can be exposed to which could be far more dangerous than XSS. Secondly, calling it an 'expert human pen tester in a box' is insulting to actual expert human pen testers. As I mentioned, xss is just a small fraction of what an expert human pentester will look for in an application.
I do see the value in tools such as Appscan and other scanners. For certain types of vulnerabilities (like xss) a tool can be much better and much more thorough at finding flaws. An expert human pen tester uses these tools as a part of their testing, to complement their manual testing, and provide a more complete assessment of the application. However, the tool on its own does not make your application secure.
Posted by: Trevor Stevado | July 12, 2012 at 08:22 PM
700 million of them? That's way too many!!!
Posted by: dumbz | August 03, 2012 at 02:29 PM
AppScan Standard 8.6 is now available with XSS Analyzer. To get a free trial you can click on the "now" that has been added to the last line of the blog. Or just follow this link www.ibm.com/developerworks/downloads/r/appscan
Posted by: LawrenceDGerard | August 27, 2012 at 07:22 PM
So this seems interesting enough. All the advertisements for this specifically mention reflective XSS. Is the scanner not equipped to find stored or DOM? If so, why not? Stored is definitely the most dangerous of the three even if it is less common.
Posted by: Jonn Callahan | January 15, 2013 at 04:26 PM