OP 29 June, 2026 - 01:20 PM
HCLAppScan Standard is a Dynamic Analysis tool, evaluating application security at runtime by attacking the application using techniques analogous to methodologies used by hackers. The result of the tests includes a rich set of data ranging from application inventory to detailed attack traffic which can be reproduced for validation and fix. This data can be examined and processed in the UI or exported in various formats for sharing in other tools.
HCL AppScan Standard employs the latest algorithms and techniques with its dynamic application security testing tool to ensure the most accurate crawl coverage and testing.
HCL AppScan Standard simulate real-world attack patterns to uncover issues that malicious users could exploit. Common vulnerabilities detected include: SQL Injection (SQLi) – unauthorized database access, Cross-Site Scripting (XSS) – execution of malicious scripts in user browsers, Command Injection – execution of system-level commands, Authentication and Session Management Flaws – insecure login, token reuse, session fixation, Cross-Site Request Forgery (CSRF) – unauthorized actions triggered from a user’s browser, Unvalidated Redirects and Forwards – attackers redirecting users to malicious sites, API Vulnerabilities – improperly secured endpoints, excessive data exposure, outdated third party components, business logic vulnerabilities and many more.
New in HCL AppScan Standard 10.10.0
November, 2025
• DAST for LLM-augmented applications: Exposes LLM weaknesses before attackers do! Protect your Large Language Models (LLMs) with AppScan Dynamic Application Security (DAST), specifically engineered to identify critical vulnerabilities like Sensitive Information Disclosure, Prompt Injection, Misinformation, and more.
• Custom scripts: The editor enhancements include improved autocomplete features. These enhancements provide additional JavaScript methods and types, as well as more activation triggers, such as starting a new word or typing a period ('.').
• Multi-step enhancements: The user-interface is revamped for an enhanced user experience. Troubleshooting options added to view replayed requests (raw data and browser) and compare recorded vs. replayed requests, available only after sequence validation.
• Compliance reports
o New reports:
OWASP Top 10 for LLM Applications 2025
[Canada]- ITSG-33 industry standard report
o Updated reports:
International Standard - ISO 27001:2022
International Standard - ISO 27002:2022
The Payment Card Industry Data Security Standard (PCI DSS) - V4.0.1
NIST Special Publication 800-53 - 5.2.0
[EU] Regulation 2016/679 Of The European Parliament And Of The Council (GDPR)
[US] Healthcare Services (HIPAA)
o Compliance reports now include Fix recommendation details.
• Masking improvements: Enhanced masking across AppScan for more consistent protection of sensitive information.
• Automatic login improvements: AppScan now crawls Angular applications more reliably, fixes rare login recording failures, and adds a delay between actions on the second attempt after a playback failure, improving overall success rates.
• Improved support for Single Page Applications (SPA) scans that use AngularJS framework.
Fixes and security updates
New security rules in this release include:
• COOP - Missing or insecure Cross-Origin-Opener-Policy (COOP) header
• CORP - Missing or insecure Cross-Origin-Resource-Policy (CORP) header
• COEP - Missing or insecure Cross-Origin-Embedder-Policy (COEP) header
• attCSPAPI - Missing or insecure "frame-ancestors" directive in CSP (for API endpoints)
• attApacheOFBizRCECVE202445195 - Apache OFBiz RCE for CVE-2024-45195
• attApacheOFBizRCECVE202445507 - Apache OFBiz RCE for CVE-2024-45507
• attSpringFrameworkPathTraversalCVE202438816 - Spring Framework Path Traversal CVE-2024-38816 and CVE-2024-38819
• attWordpressPiePluginAuthenticationBypassCVE202534077 - Wordpress Pie Register Insufficient Authentication CVE-2025-34077
• attWordPressKubioPathTraversalCVE20252294 - Wordpress Kubio AI Page Builder plugin Path Traversal CVE-2025-2294
• Vulnerable component database updated to version 1.8
For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.
Changed in this release
• AI configuration moved from Test Options to Tools > Options > AI settings.
• To improve security, the following configurations are removed:
o Advanced scan configuration
Sanitize logs
Sanitize reports
Encrypt sensitive data
o Tools options
EncryptPdfReportData
• Recording login and multi-step actions with an external browser now supports action-based recording.
• AppScan connect: ASoC users can now publish issues along with the scan file to ASoC which helps to rescan instead of creating a new scan thus saving time and resources.
• URL limit changed to 4096 from 1024 characters.
• Web API Wizard (OpenAPI) extension was removed.
• AppScan Standard versions 10.6.0 and earlier reached End of Support (EOS) on June 30, 2025. The documentation for these versions is no longer available on the public documentation site.
• Support for Microsoft® Windows® 10 was removed.
• Windows 2025 support.
• Option to capture human-readable license lease ID for server based licenses. For more information, see How to capture license lease ID in human-readable format for server based licenses.
Upcoming change
• The report component will only be available through the product level (UI/AppScanCMD) and not at the SDK level.
Download
https://1drv.ms/u/c/dfa08dfa1b37689d/IQD...Y?e=bsozbl
https://mega.nz/file/ehpD2ALR#yHocsUB8pE...hRFPFfyiuA
Archive Password:
https://mega.nz/file/ehpD2ALR#yHocsUB8pE...hRFPFfyiuA
Archive Password:
HCL AppScan Standard employs the latest algorithms and techniques with its dynamic application security testing tool to ensure the most accurate crawl coverage and testing.
HCL AppScan Standard simulate real-world attack patterns to uncover issues that malicious users could exploit. Common vulnerabilities detected include: SQL Injection (SQLi) – unauthorized database access, Cross-Site Scripting (XSS) – execution of malicious scripts in user browsers, Command Injection – execution of system-level commands, Authentication and Session Management Flaws – insecure login, token reuse, session fixation, Cross-Site Request Forgery (CSRF) – unauthorized actions triggered from a user’s browser, Unvalidated Redirects and Forwards – attackers redirecting users to malicious sites, API Vulnerabilities – improperly secured endpoints, excessive data exposure, outdated third party components, business logic vulnerabilities and many more.
New in HCL AppScan Standard 10.10.0
November, 2025
• DAST for LLM-augmented applications: Exposes LLM weaknesses before attackers do! Protect your Large Language Models (LLMs) with AppScan Dynamic Application Security (DAST), specifically engineered to identify critical vulnerabilities like Sensitive Information Disclosure, Prompt Injection, Misinformation, and more.
• Custom scripts: The editor enhancements include improved autocomplete features. These enhancements provide additional JavaScript methods and types, as well as more activation triggers, such as starting a new word or typing a period ('.').
• Multi-step enhancements: The user-interface is revamped for an enhanced user experience. Troubleshooting options added to view replayed requests (raw data and browser) and compare recorded vs. replayed requests, available only after sequence validation.
• Compliance reports
o New reports:
OWASP Top 10 for LLM Applications 2025
[Canada]- ITSG-33 industry standard report
o Updated reports:
International Standard - ISO 27001:2022
International Standard - ISO 27002:2022
The Payment Card Industry Data Security Standard (PCI DSS) - V4.0.1
NIST Special Publication 800-53 - 5.2.0
[EU] Regulation 2016/679 Of The European Parliament And Of The Council (GDPR)
[US] Healthcare Services (HIPAA)
o Compliance reports now include Fix recommendation details.
• Masking improvements: Enhanced masking across AppScan for more consistent protection of sensitive information.
• Automatic login improvements: AppScan now crawls Angular applications more reliably, fixes rare login recording failures, and adds a delay between actions on the second attempt after a playback failure, improving overall success rates.
• Improved support for Single Page Applications (SPA) scans that use AngularJS framework.
Fixes and security updates
New security rules in this release include:
• COOP - Missing or insecure Cross-Origin-Opener-Policy (COOP) header
• CORP - Missing or insecure Cross-Origin-Resource-Policy (CORP) header
• COEP - Missing or insecure Cross-Origin-Embedder-Policy (COEP) header
• attCSPAPI - Missing or insecure "frame-ancestors" directive in CSP (for API endpoints)
• attApacheOFBizRCECVE202445195 - Apache OFBiz RCE for CVE-2024-45195
• attApacheOFBizRCECVE202445507 - Apache OFBiz RCE for CVE-2024-45507
• attSpringFrameworkPathTraversalCVE202438816 - Spring Framework Path Traversal CVE-2024-38816 and CVE-2024-38819
• attWordpressPiePluginAuthenticationBypassCVE202534077 - Wordpress Pie Register Insufficient Authentication CVE-2025-34077
• attWordPressKubioPathTraversalCVE20252294 - Wordpress Kubio AI Page Builder plugin Path Traversal CVE-2025-2294
• Vulnerable component database updated to version 1.8
For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.
Changed in this release
• AI configuration moved from Test Options to Tools > Options > AI settings.
• To improve security, the following configurations are removed:
o Advanced scan configuration
Sanitize logs
Sanitize reports
Encrypt sensitive data
o Tools options
EncryptPdfReportData
• Recording login and multi-step actions with an external browser now supports action-based recording.
• AppScan connect: ASoC users can now publish issues along with the scan file to ASoC which helps to rescan instead of creating a new scan thus saving time and resources.
• URL limit changed to 4096 from 1024 characters.
• Web API Wizard (OpenAPI) extension was removed.
• AppScan Standard versions 10.6.0 and earlier reached End of Support (EOS) on June 30, 2025. The documentation for these versions is no longer available on the public documentation site.
• Support for Microsoft® Windows® 10 was removed.
• Windows 2025 support.
• Option to capture human-readable license lease ID for server based licenses. For more information, see How to capture license lease ID in human-readable format for server based licenses.
Upcoming change
• The report component will only be available through the product level (UI/AppScanCMD) and not at the SDK level.
Virustotal link https://www.virustotal.com/gui/file/e1ad0c5eaa08def07efbd06da1680f4d5e464c84930b823a8a36af345a8c584e