
How It Works

Intelligent Discovery

Accurate and efficient component discovery (crawling) is commonly cited as one of the key challenges when performing an automated web application assessment.

Many existing web application scanners rely on parsing web pages in order to discover application components (e.g. links and forms). This approach is no longer effective when testing modern web 2.0 based applications. Components generated at runtime using JavaScript, Flash or Silverlight components will remain invisible to traditional discovery techniques.

The AppCheck NG scanning engine employs two integrated crawling technologies to overcome this challenge. Our HTTP/HTML based crawler is used to discover components quickly and to identify hidden components through forced browsing. A second integrated crawling engine then executes web pages in the same way a normal browser would. Any embedded scripts or components are then able to run as intended whilst allowing full visibility to the discovery engine. If a modern web browser such as Google Chrome can access the application, AppCheck NG can crawl it.

Sophisticated Assessment Techniques

AppCheck NG has been designed from the ground up to offer the most sophisticated scanning engine available. By working closely with some of the UK’s leading penetration testers, each scanning module has been designed to maximise detection accuracy whilst minimising false positives.

Advanced, platform agnostic fuzzing technology

The AppCheck NG scanner incorporates dynamic fuzzing technology that accurately breaks down arbitrary protocol structures, which other scanners treat blindly as opaque single inputs, into their true and deeper attack surface.

For example, cookie values often encode multiple sub-parameters using bespoke serialisation encodings (e.g. “the_cookie=1234|65[a=b;c=[1,2,3]]”). Traditional fuzzing technology handles such a value as one input, so vulnerable server-side code paths that process the individual sub-parameters are frequently missed.
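The decomposition described above can be sketched for the sample cookie value. This is an added example, not AppCheck NG's code: the grammar (`|` between fields, `[...]` groups, `;` or `,` between members, `key=value` pairs) is an assumption inferred from that one sample, and the names `leaves` and `substitute` are hypothetical. It lists every sub-parameter that server-side validation has to cover and rebuilds the value with one of them replaced.

```python
import re
SCALAR = re.compile(r"[^|\[\];,=]*")  # run of non-delimiter characters
KEY = re.compile(r"[^|\[\];,=]+=")    # "name=" at the start of a group member

def leaves(value):
    """Return (path, text, start, end) for every scalar nested in value."""
    out, pos, n = [], 0, len(value)
    def node(path):
        # A node is an optional scalar followed by an optional [...] group.
        nonlocal pos
        start, pos = pos, SCALAR.match(value, pos).end()
        if pos > start:
            out.append((path, value[start:pos], start, pos))
        if pos < n and value[pos] == "[":
            pos, index = pos + 1, 0
            while pos < n and value[pos] != "]":
                before = pos
                key = KEY.match(value, pos)
                if key:  # key=value member: the key names the path
                    pos = key.end()
                    node(f"{path}.{key.group()[:-1]}")
                else:    # positional list member
                    node(f"{path}[{index}]")
                if pos < n and value[pos] in ";,":
                    pos += 1
                if pos == before:  # no progress: stray delimiter
                    raise ValueError(f"unexpected {value[pos]!r} at offset {pos}")
                index += 1
            if pos >= n:
                raise ValueError("unterminated '['")
            pos += 1
    field = 0
    while True:
        node(f"field{field}")
        if pos == n:
            return out
        if value[pos] != "|":
            raise ValueError(f"unexpected {value[pos]!r} at offset {pos}")
        pos, field = pos + 1, field + 1

def substitute(value, leaf, replacement):
    """Rebuild value with one leaf replaced; every other byte is untouched."""
    return value[:leaf[2]] + replacement + value[leaf[3]:]

# Constructed sample: the value part of the cookie quoted in the text.
SAMPLE = "1234|65[a=b;c=[1,2,3]]"
if __name__ == "__main__":
    for leaf in leaves(SAMPLE):
        print(leaf[0], repr(leaf[1]), substitute(SAMPLE, leaf, "TESTVALUE"))
```

Treated as one opaque string the cookie is a single input; decomposed under this assumed grammar it is six, each of which reaches its own server-side handling.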

Eliminate False Positives through Vulnerability Exploitation

A false positive is where a vulnerability scanner indicates there is a vulnerability when in fact there isn’t one. Sorting through scanner results to determine which reported issues are real and which are false positives is a time-consuming process.

To eliminate false positives, and to provide proof of concept evidence, the AppCheck NG scanner employs safe custom exploit techniques to actively confirm discovered vulnerabilities.

Intelligent Authentication

Complex authentication schemes are supported when AppCheck NG is supplied with minimal information, such as a username and password pair. Optionally, a login URL may be provided to direct the scanner where to use the credentials and for scenarios such as single sign-on.

The scanner may easily be adapted to support bespoke authentication schemes that require non-standard credentials or processes.

Hosting Environment

AppCheck NG can provide comprehensive vulnerability assessment and analysis against remote hosts to determine if a misconfiguration exists that could allow an attack to get behind the application and into sensitive data.
