What's new

This section describes new product features and enhancements in this fix pack.

A complete list of fixes can be found at: http://www.ibm.com/support/docview.wss?uid=swg27021374

New in IBM Security AppScan® Standard 9.0.3.12

System Requirements
Microsoft .NET Framework 4.7.2 is now required.
Request-Based JavaScript Execution
Due to the efficiency of Action-Based JavaScript Execution, Request-Based JavaScript Execution (Config > Explore Options > Request-Based > Execute JavaScript to discover URLs and dynamic content) is now redundant, and the check box is cleared by default. If you load a scan in which the option was selected, it will remain selected, though we recommend clearing it. See the section below for the reasoning behind this change.
Security Reports
Reports are now sanitized by default (the password defined in Automatic Form Fill is not shown in reports). You can change this setting in Configuration > Advanced Configuration > General: Sanitize Reports.
Scan Configuration Wizard
In the last step of the wizard, the Start Scan Expert check box is now disabled by default.

Understanding the JavaScript Execution change

Over the last few years we have developed a replacement mechanism for "Request-Based Exploring", which imitated and approximated the workings of a browser. The new mechanism, "Action-Based Exploring", utilizes an actual, embedded (Chromium-based) browser. Both mechanisms include JavaScript Execution (JSX), but we are now in the process of retiring the Request-Based JSX mechanism, as the newer technology duplicates and surpasses it.
Action-Based JSX more closely resembles the way a user interacts with the browser. It offers increased coverage and accuracy, and better support for new JavaScript frameworks as they emerge. Request-Based JSX is therefore being phased out in stages:
  • In this fix pack, the JSX check box is cleared by default, but you can still select it if you find that Action-Based Exploring fails for a specific application.
  • In future releases the mechanism will be removed entirely.
Note that when you load a saved scan or template in which the JSX check box was selected (Config > Explore Options > Request-Based > Execute JavaScript to discover URLs and dynamic content) it will remain selected. However, we suggest clearing the check box.

If you see a difference in the results due to this change, we urge you to open a Support Ticket so we can either explain the difference to you, or fix the Action-Based mechanism.