Dynamic Application Security Testing (DAST) is a black-box testing technique that scans a running web application to identify security vulnerabilities by simulating external attacks. This is done by crawling the site and injecting faulty inputs to observe how the application handles unexpected or erroneous data. These inputs should trigger an error page; when they don’t, the response can signal that a page is revealing sensitive information or point to underlying vulnerabilities caused by improper error handling.
Validation Methods and Edge Cases
HCL AppScan DAST has two primary methods to validate these types of vulnerabilities. In one case the DAST engine has been trained on what to look for and uses heuristics to recognize common patterns in error messages indicative of vulnerabilities. These can include common database error messages (e.g., MySQL or SQL Server errors), or certain keywords or phrases like "null reference," "syntax error," or "exception" that need to be flagged as potential security issues.
Additionally, DAST uses a second method that looks at all faulty inputs without being trained on what to look for. This second process, in particular, relies on Error Page Detection. A faulty input should trigger an error page; and if it doesn’t, the results are considered vulnerabilities. However, there are challenging edge cases where the error message is not very pronounced, or the page with an error looks very similar to a regular page. If the scan misses these signs, the page can be misinterpreted as a non-erroneous response and result in a false positive. In other words, the scan reports a potential vulnerability or mishandling of information when it’s not there.
Introducing GenAI
Beginning with HCL AppScan Version 10.7.0, the DAST technology can leverage Gen AI to reduce the risks inherent in these edge cases. Simply put, a prompt is sent to the AI asking whether a given page displays an error to the user. Based on real-world tests with issues raised by customers, the AI has an excellent record of detecting errors in edge cases and complements the HCL AppScan DAST heuristics.
In order to keep any increase in scan time to a minimum, the AI is only queried when the scan rules require error page detection; and even then, only if HCL AppScan DAST fails to detect the error page using heuristics alone. If HCL AppScan managed to detect a response as erroneous without the help of AI, verification isn’t necessary as false positives in this regard are rare or non-existent.
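The two-stage validation described above (signature heuristics, then error page detection) and the gating rule in the preceding paragraph (consult the AI only when both heuristics fail to recognise an error page) can be sketched as a small classifier. The code below is an added illustration, not HCL AppScan's engine: the error signatures, the Jaccard-similarity error page matcher, the sample responses and the stand-in AI classifier (a keyword check standing in for a real LLM call to the customer's endpoint) are all constructed for this example.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed error signatures in the spirit of the heuristics the post
# describes (database error strings, generic exception keywords).
# Illustrative only; not HCL AppScan's rule set.
ERROR_SIGNATURES = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"you have an error in your sql syntax",         # MySQL
        r"unclosed quotation mark after the character",  # SQL Server
        r"\bnull ?reference\b",
        r"\bsyntax error\b",
        r"\bexception\b",
        r"\bstack ?trace\b",
    )
]

TAG_RE = re.compile(r"<[^>]+>")
WORD_RE = re.compile(r"[a-z0-9]+")


def visible_text(body: str) -> str:
    """Crude tag stripper; sufficient for the constructed samples below."""
    return TAG_RE.sub(" ", body)


def matches_error_signature(body: str) -> bool:
    """Stage 1: pattern-based recognition of known error messages."""
    return any(sig.search(body) for sig in ERROR_SIGNATURES)


def jaccard(a: str, b: str) -> float:
    """Word-set similarity between two texts, in [0, 1]."""
    ta, tb = set(WORD_RE.findall(a.lower())), set(WORD_RE.findall(b.lower()))
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def looks_like_error_page(body: str, error_templates: List[str],
                          threshold: float = 0.5) -> bool:
    """Stage 2: error page detection by similarity to error pages already
    seen during the scan (the templates are an assumed input here)."""
    text = visible_text(body)
    return any(jaccard(text, visible_text(t)) >= threshold for t in error_templates)


class CountingClassifier:
    """Wraps the AI classifier so the demo can show how often it is consulted."""

    def __init__(self, fn: Callable[[str], bool]):
        self.fn, self.calls = fn, 0

    def __call__(self, text: str) -> bool:
        self.calls += 1
        return self.fn(text)


def classify_response(body: str, error_templates: List[str],
                      ai_classifier: Optional[Callable[[str], bool]] = None) -> Dict[str, object]:
    """Decide whether the response to a faulty input is an error page.
    The AI is consulted only when both heuristics fail; a response that is
    not an error page is what the scan would report as a potential finding."""
    if matches_error_signature(body):
        verdict, stage = True, "signature"
    elif looks_like_error_page(body, error_templates):
        verdict, stage = True, "error-page-template"
    elif ai_classifier is not None:
        verdict, stage = bool(ai_classifier(visible_text(body))), "ai"
    else:
        verdict, stage = False, "heuristics-only"
    return {"error_page": verdict, "stage": stage, "report_finding": not verdict}


def stand_in_ai_classifier(text: str) -> bool:
    """Placeholder for the prompt 'does this page display an error to the
    user?'. A real deployment would send the page to the customer's LLM
    endpoint; this keyword check only stands in for that answer."""
    lowered = text.lower()
    return any(p in lowered for p in ("could not", "unable to", "went wrong", "sorry"))


# Constructed sample responses to a faulty input.
RESP_SQL = "<html><body>You have an error in your SQL syntax; check the manual</body></html>"
RESP_ERROR_PAGE = ("<html><head><title>Error</title></head><body><h1>Oops!</h1>"
                   "<p>Something went wrong. Please try again later.</p>"
                   "<p>Request id: 7f3a</p></body></html>")
RESP_SUBTLE = ("<html><head><title>Search</title></head><body><h1>Search results</h1>"
               "<p>We could not complete your request.</p></body></html>")   # the edge case
RESP_NORMAL = ("<html><head><title>Search</title></head><body><h1>Search results</h1>"
               "<p>3 products found for shoes.</p></body></html>")
ERROR_TEMPLATES = ["<h1>Oops!</h1><p>Something went wrong. Please try again later.</p>"]


def run_demo():
    """Classify the four samples and return the verdicts plus the AI call count."""
    ai = CountingClassifier(stand_in_ai_classifier)
    samples = [("sql", RESP_SQL), ("error_page", RESP_ERROR_PAGE),
               ("subtle", RESP_SUBTLE), ("normal", RESP_NORMAL)]
    results = {name: classify_response(body, ERROR_TEMPLATES, ai) for name, body in samples}
    return results, ai.calls


if __name__ == "__main__":
    res, n = run_demo()
    for name, r in res.items():
        print(f"{name:11s} stage={r['stage']:20s} error_page={r['error_page']}")
    print("AI consulted", n, "times out of", len(res))
```

Only the two responses that neither heuristic could classify (the subtle error text and the genuinely normal page) reach the AI stage, which is the scan-time trade-off the paragraph above describes; the subtle one is recognised as an error and dropped from the findings, while the normal page is still reported.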
Screenshot showing the AI configuration in HCL AppScan Standard (DAST tool)
(Note: The customer will need to provide their own LLM endpoint and token.)
HCL AppScan has been incorporating AI into testing tools for years now, primarily to reduce false positives in static application security testing (SAST). This new adoption of Gen AI in the DAST engine, along with its use in a new AutoFix function for faster remediation, both represent cutting-edge innovation that is defining HCL AppScan as a global leader in application security testing.
Learn more here about additional updates in HCL AppScan Version 10.7.0; and contact us today to see how we can help you improve your application security posture and reduce business risk in the Digital+ economy.