WebApp Sec mailing list archives
RE: AJAX and Web application scanners
From: "Tate Hansen" <tate () clearnetsec com>
Date: Tue, 28 Mar 2006 01:29:20 -0700
One of the keywords there to watch is 'parsers'. This chart by Secure Enterprise a few months ago reports all scanners 'parse' JavaScript: http://i.cmpnet.com/secureenterprisemag/0209/graphics/0209f1a.gif My experience is the same; these scanners fail to fully crawl an application which "builds" URLs dynamically.
From my understanding (I may be wrong) what most of these products do is
search for static URL paths like http://www.mysite.com. In order to automate crawling, execution is required, not just parsing. For example, if JavaScript is used to generate a URL like: window.location = "http://www.mysite.com?tracking=" + getelementbyname(element_name).value;, then these scanners will miss it. Obviously you can miss a lot depending on what is dynamic and how you can interact with those views. The work-around is you must manually crawl the web application in order to seed the scanners with the dynamic views (I've also heard this confirmed by engineers whom work for these vendors). A month or so ago I viewed a README note for the latest WebInspect version which reports: Support for Advanced Asynchronous JavaScript and XML (AJAX) Applications / Improvements to the JavaScript and Audit engines now allow WebInspect to crawl and audit AJAX-based applications. I'm not sure what that exactly means, but I think all the major players are adding some type of execution capabilities. Tate Hansen ClearNet Security -----Original Message----- From: rajeshdilli () yahoo com [mailto:rajeshdilli () yahoo com] Sent: Monday, March 27, 2006 1:12 PM To: webappsec () securityfocus com Subject: AJAX and Web application scanners Hi, I've been recently going around the web for a couple of challenges that AJAX faces. One thing that struck me was the web application scanners. I've seen a few vendors (i don't to mention any vendor or product name here) products that claim that they have javascript parsers and support for AJAX driven applications. My personal experience with these tools is that they could not spare well against apps that are heavily JavaScript driven and with the introduction of AJAX based apps it's a case of uncertainity in choosing the right product (if at all there can be one which can progress in auditing AJAX applications). Do any of you have any insights or experinces on these tools against AJAX based apps. Thanks Rajesh ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl -------------------------------------------------------------------------- ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- AJAX and Web application scanners rajeshdilli (Mar 27)
- RE: AJAX and Web application scanners Tate Hansen (Mar 28)
- Re: AJAX and Web application scanners Rogan Dawes (Mar 28)
- <Possible follow-ups>
- RE: AJAX and Web application scanners thomas.jones (Mar 28)
- RE: AJAX and Web application scanners Evans, Arian (Mar 28)
- Re: RE: AJAX and Web application scanners rajeshdilli (Mar 28)
- RE: AJAX and Web application scanners Jeff Robertson (Mar 29)
- Re: AJAX and Web application scanners Andrew van der Stock (Mar 29)