In-depth automated testing that allows ad-hoc, scheduled and continuous security testing
Full OWASP vulnerability coverage including injection, XSS, RCE, zero days, plus 100,000+ known security flaws
Deliver automated vulnerability testing through your build servers such as MS Azure DevOps, Jenkins and Team City
Manage and distribute discovered vulnerabilities through your in-house ticketing systems such as JIRA
Automate the discovery of vulnerabilities within complex web applications such as single page applications
Thoroughly scan and test your APIs including WSDL, Swagger and Graph QL endpoints for security flaws
Track vulnerabilities, spot trends and instantly see which areas of your environment are most at risk
AppCheck emulates the process of a manual penetration test to scan your websites and infrastructure for 100,000+ known vulnerabilities as well as OWASP Top 10, SQLi, XSS, RCE, and zero-day vulnerabilities.
Our DAST Tool is built and maintained by leading penetration testing experts, AppCheck has been designed from the ground up to ensure unparalleled accuracy and detection rates.
With just a click you can produce professional penetration testing style reports which include a detailed technical narrative and remediation steps for all findings.
Deploy tests instantly using pre-configured scan templates or schedule scans for out of hours testing. Each scan can be configured on a repeat cycle to ensure they are run continuously to catch new vulnerabilities as soon as they are introduced.
Emulates the process of a manual penetration test to provide full coverage of the OWASP Top 10, zero day vulnerabilities, and 100,000+ known security flaws.
All vulnerabilities are tracked and managed through the vulnerability management platform and includes easy to understand remedial advice.
Signature GoScript allows the scanner to flex key user journeys and complete multi-stage authentication. API, OAuth, scriptable.
Ability to crawl Single Page Applications (SPAs). AppCheck implements a browser-based crawler that combines application modelling techniques and subtle heuristical cues to automatically discover the complete attack surface of any given application and build an event graph in the shortest time possible.
AppCheck offers a specific integration with JetBrains TeamCity build management and continuous integration server, as well as an API that can be used to configure, trigger and query scan results from all other major CI/CD pipeline tools.
Dynamic Application Security Testing (DAST) is a method of security testing in which a running instance of an application is actively tested and probed using real traffic and requests: it contrasts to Static Analysis (SAST) testing, which performs “offline” analysis of the source code. Often referred to as ‘black box testing’ DAST tools do not have direct access to any server-side code, and will attempt to identify potential vulnerabilities within the application using much the same methods and access perspective as a manual, real-world hacker would – via its public interface.
DAST mirrors the way that a penetration tester would approach an attack, in that first it identifies injection points (paths or pages that are designed to receive and process data – such as contact forms) and then sends payloads (crafted sets of data designed to permit malicious behaviour) to an application, before analysing the response.
Dynamic Application Security Testing (DAST) works by acting in the manner of a malicious hacker in order to find any potential vulnerabilities in your applications.
The crawler combines traditional web scraping with a browser-based crawler which implements artificial intelligence to mimic typical application user behaviour. By simulating the processes which hackers use to interfere with your systems and applications, our DAST tool ensures maximum coverage and accuracy.
Common vulnerabilities detected during the web application scan include; Injection flaws such as SQL, NoSQL, XML, Code, and Command injection, Cross-Site Scripting and hundreds of other vulnerability classes arising from insecure code which can cause serious issues for your business.
DAST should be used as an integral part of your security processes to uncover a wide range of web application vulnerabilities and can be used alongside an array of other testing tools and systems in order to maximise your security. By incorporating DAST into your testing processes you can help cover your applications from external attacks by discovering potential vulnerabilities and removing these before they can be exploited.
AppCheck is a comprehensive security scanning platform that is designed to cover and test each layer of an organisations key external IT systems for vulnerabilities, in one seamless and intuitive solution. AppCheck enables users to test across all facets of their web application and network targets, rather than focussing on testing one specific area, offering unparalleled accuracy and detection rates. All the benefits of a DAST tool and so much more.
Using multiple Open-Source Intelligence (OSINT) to gather information that can be seeded into the assessment process.
During the discovery phase, the scanner consults multiple open-source intelligence databases to learn as much about the target
system as possible. For example, host names registered to the target IP address, web components indexed by search engines, and
historical network data. Data that is in scope for the scan is then seeded into the scan configuration.
Scanning systems such as firewalls, remote access, and management solutions to identify security flaws.
AppCheck uses multiple dedicated infrastructure scanners to identify vulnerabilities on each accessible network device. The scan
begins by port scanning each IP address within the scope to identify accessible services. Each identified service is then probed for
vulnerabilities using tens of thousands of checks.
Identifying vulnerabilities within hosting infrastructure used to manage and optimise network traffic to web application servers.
AppCheck combines infrastructure scanning with web application build review check to analyse the flow of data from the scanning
node to the target system. Identified systems are checked for known vulnerabilities using a regularly updated vulnerability database
that combines well know sources such as the National Vulnerability Database (NVD) with our own internally maintained vulnerability
Identifying vulnerabilities within Application Frameworks such as ASP .NET, PHP, NodeJS, Java, Apache Tomcat/Struts, Spring,
WebLogic, Django, Ruby on Rails and many more.
The AppCheck Web Application scanning engine includes dedicated scanners for a wide range of popular CMS systems and
Application Servers and Frameworks. Each scanner is integrated with the Dynamic Security Testing engine so that it can be deployed
in the correct way as applicable systems are identified during web crawling and discovery.
Checks for known vulnerabilities, such as those with a CVE identifier, are deployed in the same way and are regularly updated based
via AppCheck’s own vulnerability database and several community driven vulnerability feeds (updated daily).
By integrating platform checks within the web application scanning engine, components enumerated during this phase can be passed
forward into other scanning layers for further scanning. For example, CMS plugins enumerated during forced browsing checks can
then be passed to the DAST scanning engine to discover previously undisclosed vulnerabilities (0day).
Detecting security flaws within application code through Dynamic Application Security Testing (DAST).
For each URL configured with the scan, AppCheck performs online reconnaissance to gather information pertaining to the site
that is publicly available in search engines and other online indexing services. Next AppCheck will map out the application using
a sophisticated crawling engine. The crawler combines traditional web scraping with a browser-based crawler which implements
artificial intelligence to mimic typical application user behaviour.
The “Mapped Attack Surface” enumerated during the initial phases of the scan is then subject to methodical security testing. Typically,
the assessment process works by taking each user supplied data component, such as a form field of query string parameter, then
modifies it to include a specific test case before submitting it to the server.
Identify third-party components and trust relationships and identify vulnerabilities that arise through the use of vulnerable
components and Cloud Service configuration vulnerabilities.
AppCheck audits all third-party trust relationships for subdomain takeover and related flaws.
AppCheck assesses Amazon Simple Storage Service (S3) buckets for misconfigurations. This includes insecure permissions and bucket
Some vulnerabilities such as Server-Side Request Forgery (SSRF) can have a greater impact when hosted within a cloud environment.
AppCheck includes several cloud specific checks to detect and safely exploit vulnerabilities in cloud systems.
software including domain age, geolocation and susceptibility to domain takeover.