Production-Safe Testing of Web Applications

Publication: Dynamic Analysis
Edition date: 2023-02-17
Publication date: 2023-02-17T22:47:01.020158

The Veracode Dynamic Analysis scan engine is designed to test production web applications or API specifications with minimal impact. It uses testing approaches that do not harm or accidentally delete any data on the target website or API server. For example, the Veracode SQL injection test patterns use timing-based methods that append to the existing query without altering its logic. In addition, the XSS test strings inject JavaScript that is benign and does not execute outside the embedded browser used by the Dynamic Analysis scan engine.

A small number of applications may experience issues during Dynamic Analysis scanning. This typically happens when a legacy application cannot support a moderate amount of traffic, or when an application contains user input forms with CAPTCHA controls. Forms that lack input validation may be associated with business logic that generates email notifications or tickets. In these cases, the activity generated by the Dynamic Analysis scan engine can reduce the availability of the application or generate redundant test data. For these reasons, Veracode recommends notifying the owners responsible for managing the application before performing scans.
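One way an application owner can limit the redundant tickets and notifications described above is to recognise scanner-originated form submissions and skip the side effects while still running the normal code path, so the scan observes real behaviour and the test records can be cleaned up afterwards. The following is an added example, not code from the Veracode documentation or scan engine; it assumes the scanner's egress address ranges are agreed with the application owner and configured in the application, and the CIDR ranges, form fields and record tag below are constructed placeholders.

```python
"""Suppress email/ticket side effects for form submissions that come from a
declared scanner source, and tag the stored records for later cleanup.

Added example. Assumption (not from the Veracode documentation): the scan
engine's egress addresses are known to the application owner and listed in
SCANNER_SOURCE_RANGES. The ranges below are RFC 5737 documentation networks
used as constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed placeholder values; replace with the agreed scanner egress ranges.
SCANNER_SOURCE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Hypothetical tag written onto records created by scanner traffic.
SCAN_ORIGIN_TAG = "dynamic-analysis-scan"


@dataclass
class Submission:
    source_ip: str
    fields: Dict[str, str]


@dataclass
class Outcome:
    stored: bool
    notified: bool
    tagged_as_scan: bool


@dataclass
class TicketStore:
    """In-memory stand-in for the application's ticket database and mailer."""
    records: List[Dict[str, str]] = field(default_factory=list)
    sent_mail: List[str] = field(default_factory=list)


def is_scanner_source(ip: str) -> bool:
    """True when the client address falls inside a configured scanner range.
    Unparseable addresses are treated as ordinary users (fail closed on the
    suppression, never on the application's own handling)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # IPv4Network/IPv6Network membership returns False for a mismatched version.
    return any(addr in net for net in SCANNER_SOURCE_RANGES)


def handle_submission(sub: Submission, store: TicketStore) -> Outcome:
    """Process a contact/ticket form.

    Real users: store the record and send the notification.
    Scanner traffic: run the same validation and storage path so the scanner
    sees the real response, but tag the record and skip the notification.
    """
    from_scanner = is_scanner_source(sub.source_ip)
    record = dict(sub.fields)
    if from_scanner:
        record["origin"] = SCAN_ORIGIN_TAG
    store.records.append(record)
    if not from_scanner:
        store.sent_mail.append(
            f"New ticket from {sub.fields.get('email', 'unknown')}"
        )
    return Outcome(stored=True, notified=not from_scanner,
                   tagged_as_scan=from_scanner)


def purge_scan_records(store: TicketStore) -> int:
    """Remove records tagged as scan-generated; returns how many were removed."""
    before = len(store.records)
    store.records = [r for r in store.records if r.get("origin") != SCAN_ORIGIN_TAG]
    return before - len(store.records)


if __name__ == "__main__":
    db = TicketStore()
    # Constructed sample traffic: one scanner request, one ordinary user.
    handle_submission(Submission("192.0.2.17", {"email": "scan@example.test",
                                                "message": "probe"}), db)
    handle_submission(Submission("203.0.113.9", {"email": "user@example.test",
                                                 "message": "help"}), db)
    print(f"records={len(db.records)} mails={len(db.sent_mail)}")
    print(f"purged={purge_scan_records(db)} remaining={len(db.records)}")
```

The decision is made on the source address rather than on request content, so it does not depend on any particular test string and cannot be triggered by a user-supplied field; the tag lets the owner remove scan-generated records in one pass after the scan window.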