    Discover security holes in even the most complex applications.

    While today's malicious attackers pursue a variety of goals, they share a preferred channel of attack - the millions of custom web, mobile, and cloud applications companies deploy to serve their customers. AppSpider dynamically scans these applications for vulnerabilities across all modern technologies, provides tools that speed remediation, and monitors applications for changes.



    Know Your Weak Points

    Dynamic Application Security Testing

    Close the Coverage Gap with Universal Translator

    You can't find what you can't see. Only AppSpider gives you full automated coverage throughout all corners of your application ecosystem to identify web application vulnerabilities.

    Coverage is the first step to scanner accuracy. Scanners were originally built with a crawl-and-attack architecture, but crawling doesn't work for dynamic rich clients, APIs, and microservices. AppSpider goes beyond testing traditional name=value pair formats in HTML. Its Universal Translator interprets newer technologies used in web and mobile applications, including APIs and microservices (AJAX, GWT, REST, JSON, etc.). AppSpider provides the broad coverage needed for today's wide variety of web applications.

    Intelligent Web Application Testing

    Attack with intelligence

    AppSpider doesn't rely on tests for known application vulnerabilities, because today's applications are custom, with unique site structures, parameter names, and responses. It creates custom attacks based on your architecture to give you the most accurate results. To more accurately simulate real-world attacks, AppSpider conducts positioning and proximity form analysis to intelligently input the data that the form is expecting.

    Continuous Web Application Monitoring

    Continuously monitor your applications

    Don't let unknown risks keep you up at night. AppSpider's continuous site monitoring identifies changes in your application ecosystem that inadvertently inject new vulnerabilities. It then triggers a re-scan according to configurable settings.

    Authenticate Application Security Tools

    Stay authenticated for deep assessment

    Most applications are custom, and each has its own authentication approach. A scanner must be able to recognize the authentication form, know whether the login succeeded, and handle single sign-on. AppSpider can authenticate to even the most complex authentication approaches as well as the following web service solutions: OAuth, HMAC, Integrated NONCE, and user-defined.

    Microsoft trusts Rapid7 AppSpider

    During the proof of concept, we looked at all the industry leaders – AppSpider had the right mix of what we were looking for... The fact that it has a rich API makes our lives a heck of a lot easier.

    How a leading company built a world-class web application security program.

    Prioritize What Matters Most

    Deeper Web Application Testing

    Conduct deeper analysis with interactive reports

    AppSpider includes interactive actionable reports that prioritize the highest risk and streamline remediation efforts by enabling users to quickly get to and analyze the data that matters most. With one click, you can drill deep into a vulnerability to get more information and replay attacks in real-time.

    Sifting through pages and pages of application vulnerabilities in a PDF report takes too much time. AppSpider provides interactive, actionable reports that behave like web pages, with clear organization and links for deeper analysis. Analysis is easy because findings are organized and consolidated by attack type (XSS, SQLi, etc.), and with one click you can drill into a vulnerability to get more information. AppSpider's sophisticated reports reduce remediation time and streamline communication with developers.

    Re-play Web Application Attacks

    Quickly re-play web attacks

    When reviewing a vulnerability report, it helps to be able to reproduce vulnerabilities to confirm that they are exploitable or to demonstrate the vulnerability to others. AppSpider's attack replay feature allows you to reproduce individual attacks in real-time with just one click.

    Organized Web Application Testing

    Categorize applications for easy reporting

    Every organization is different and needs to organize its data and reports in different ways. AppSpider enables this flexibility through user-defined metadata. The metadata facilitates custom reporting and provides a graphical view of your security posture across all enterprise applications. You can define tags to view applications and vulnerabilities from different vantage points, including business unit, business risk/criticality, owner, location, or any other category that helps you organize your applications. In addition, you can define trending data to show vulnerability trends over time.

    Web application attacks are the most common attack pattern, representing 40% of all breaches.

    - 2016 Verizon Data Breach Investigations Report

    Improve Your Position

    Controlled Application Security Scanner

    Manage and control application security programs

    Attackers don't wait until you remediate your vulnerabilities. AppSpider helps speed remediation efforts by enabling meaningful, automated collaboration between developers and security experts. And, while you are working to fix vulnerabilities at the source, AppSpider enables you to quickly patch your WAF or IPS.

    In order to improve your overall security posture, you need a high-level view of your application security program that lets you see where things stand and whether they are improving. AppSpider provides centralized control and reporting over all aspects of your program, including scan configuration, scheduling, and monitoring. Through the easy-to-use list of scans configured in the system, you can see and manage the entire list of completed scans and search by scan configuration, start time, finish time, or configuration name.

    Automate virtual patching

    Using innovative automated rule generation, AppSpider Defend helps security professionals patch web application vulnerabilities in a matter of minutes instead of days or weeks. Unlike broad-facing rules, AppSpider's unique virtual patching capabilities allow you to automatically create targeted patches that address web application vulnerabilities without negatively impacting your business-critical application. By eliminating the need to build a custom rule for a web application firewall (WAF) or intrusion prevention system (IPS), AppSpider frees you to identify the root cause of the problem and fix it in the code quickly.

    Meet Web Application Scanning Compliance Requirements

    Meet compliance requirements

    Keeping up with industry best practices and legal and regulatory compliance requirements is no easy task. AppSpider helps your team quickly see gaps in compliance and well-known best practices, including PCI, FISMA, SOX, HIPAA, GLBA, OWASP, and more.

    Setting up the web application scanner

    Integrate SDLC into your workflow

    Your development team is already using build, QA, and ticketing systems. AppSpider integrates easily with these tools to improve productivity and address web application security issues before they reach your production environment. You'll be able to find security issues earlier in the development lifecycle by incorporating it into your Continuous Integration (Jenkins) process and by testing through QA test automation tools and scripts (Selenium). AppSpider can also create tickets in the most popular bug tracking systems (RSA Archer, HP Quality Center, and Atlassian's JIRA).

    [AppSpider] should be considered by enterprises seeking an easy-to-use, full-featured DAST that is competitively priced as an alternative to the larger players' DAST technologies.

    - Critical Capabilities Report, 22 September 2014, Neil MacDonald and Joseph Feiman

    AppSpider Attack Types

    Our research and product teams keep up with the latest application security attacks and best practices, so that you can rely on us. AppSpider goes well beyond the OWASP Top 10 to test for the following 83 attack types and best practices. Users can also create custom checks to address additional issues and risks specific to their environment.

    • Apache Struts 2 Framework Checks
    • Apache Struts Detection
    • Arbitrary File Upload
    • ASP.NET Misconfiguration
    • Autocomplete attribute
    • Browser Cache directive (web application performance)
    • Browser Cache directive (leaking sensitive information)
    • Brute Force (HTTP Auth)
    • Brute Force (Form Auth)
    • Blind SQL
    • HTTP Authentication over insecure channel
    • HTTPS Downgrade
    • HTTP Headers
    • HTTP Response Splitting
    • Information Disclosure in response
    • Information Leakage in responses
    • Integer overflow
    • Java Grinder
    • LDAP Injection
    • Local File Include (LFI)
    • Local Storage Usage
    • Secure and non-secure content mix
    • Sensitive data over an insecure channel
    • Server Configuration
    • Server Side Include (SSI) Injection
    • Session Fixation
    • Session Strength
    • Shellshock check
    • Source Code Disclosure
    • SQL Information Leakage
    • SQL Injection
    • SQL injection Auth Bypass


    AppSpider Product Sheet

    Application Assessment for the Modern World

    Rapid7 AppSpider Achieves Highest Score from Gartner for Web Application Security Testing