WebApp Sec mailing list archives
RE: AJAX and Web application scanners
From: "Jeff Robertson" <jeff.robertson () digitalinsight com>
Date: Wed, 29 Mar 2006 08:04:54 -0500
Side question: If you find yourself in the position to influence the design of a new application, would you encourage the people coding it to optimize it for "scannability" so as to make your own job easier?
-----Original Message-----
From: Evans, Arian [mailto:Arian.Evans () fishnetsecurity com]
Sent: Tuesday, March 28, 2006 15:46
To: Tate Hansen; rajeshdilli () yahoo com; webappsec () securityfocus com
Subject: RE: AJAX and Web application scanners

So two things here... it is not uncommon with AJAX to have the URL seeded with something unique like a time/date stamp to prevent caching issues, and then obviously if that is part of the path almost any scanner will go into an infinite loop (or simply choke), if they get that far at all.

SPI's 5.5 release changed their parsing ability significantly; we had a client with AJAX and *heavy* client-side JavaScript that *no* tool could parse, until WI 5.5, which managed to crawl all (most? memory isn't great, heh) the dynamic links etc., but still didn't find anything. WI 5.8 has gotten better. Watchfire isn't bad either.

I just tested about 15 tools on a number of different apps and was surprised at how many tools still made basic mistakes in "automated" mode (parse 302 DOM body for one example) or had pretty limited crawling abilities, and rely heavily on static URL 'guessing'. In these cases most tools allow you to manually crawl through and then they run their *tests*. I've had varying results with the different vendors' 'manual' modes; try for yourself, YMMV.

Like any new market, these tools are improving, and several vendors appear to be going in the right direction, but they are far from mature or complete solutions, and the complexity of apps in the wild seems to scale just ahead of the pace the scanners can keep up with. Take all the new rich-client/RCP over HTTP stuff, like FLEX and Eclipse-based clients; we're starting to see a lot of that but I don't see anything in the automated scanner realm that can do much here (yet, today).

-ae

-----Original Message-----
From: Tate Hansen [mailto:tate () clearnetsec com]
Sent: Tuesday, March 28, 2006 2:29 AM
To: rajeshdilli () yahoo com
Cc: webappsec () securityfocus com
Subject: RE: AJAX and Web application scanners

One of the keywords there to watch is 'parsers'. This chart by SecureEnterprise a few months ago reports all scanners 'parse' JavaScript: http://i.cmpnet.com/secureenterprisemag/0209/graphics/0209f1a.gif

My experience is the same; these scanners fail to fully crawl an application which "builds" URLs dynamically. From my understanding (I may be wrong) what most of these products do is search for static URL paths like http://www.mysite.com. In order to automate crawling, execution is required, not just parsing. For example, if JavaScript is used to generate a URL like:

window.location = "http://www.mysite.com?tracking=" + getelementbyname(element_name).value;

then these scanners will miss it. Obviously you can miss a lot depending on what is dynamic and how you can interact with those views. The work-around is you must manually crawl the web application in order to seed the scanners with the dynamic views (I've also heard this confirmed by engineers who work for these vendors).

A month or so ago I viewed a README note for the latest WebInspect version which reports: "Support for Advanced Asynchronous JavaScript and XML (AJAX) Applications / Improvements to the JavaScript and Audit engines now allow WebInspect to crawl and audit AJAX-based applications." I'm not sure what that exactly means, but I think all the major players are adding some type of execution capabilities.

Tate Hansen
ClearNet Security

-----Original Message-----
From: rajeshdilli () yahoo com [mailto:rajeshdilli () yahoo com]
Sent: Monday, March 27, 2006 1:12 PM
To: webappsec () securityfocus com
Subject: AJAX and Web application scanners

Hi,

I've been recently going around the web for a couple of challenges that AJAX faces. One thing that struck me was the web application scanners.

I've seen a few vendors' (I don't want to mention any vendor or product name here) products that claim that they have JavaScript parsers and support for AJAX-driven applications. My personal experience with these tools is that they could not fare well against apps that are heavily JavaScript driven, and with the introduction of AJAX-based apps it's a case of uncertainty in choosing the right product (if at all there can be one which can progress in auditing AJAX applications). Do any of you have any insights or experiences on these tools against AJAX-based apps?

Thanks
Rajesh

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
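As an added example that is not part of the thread: a sketch of the two crawler problems raised above (literal-string URL extraction missing JavaScript-built URLs, and timestamp-seeded URLs inflating the crawl frontier), using a constructed page script modelled on Tate Hansen's window.location line and an assumed list of cache-buster parameter names.

```javascript
// Added example, not code from the thread: a parse-only URL extractor of the
// kind the posters describe, plus a crawl-frontier key that strips cache-buster
// parameters so timestamp-seeded AJAX URLs cannot send a crawler into a loop.

// Constructed page script, modelled on the window.location example above.
const SAMPLE_SCRIPT = `
  var base = "http://www.mysite.com/search";
  window.location = "http://www.mysite.com?tracking=" + document.getElementById("track").value;
  xhr.open("GET", base + "?q=" + encodeURIComponent(q) + "&_=" + new Date().getTime());
  var help = "http://www.mysite.com/help.html";
`;

// What a parse-only scanner sees: string literals that look like URLs. The
// concatenated search URL never appears; the tracking URL is only a prefix.
function extractStaticUrls(source) {
  return source.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Assumed list of names used purely to defeat caching, plus any value that
// looks like an epoch timestamp in seconds (10 digits) or milliseconds (13).
const CACHE_BUSTER_NAMES = new Set(["_", "t", "ts", "timestamp", "nocache", "rnd", "cb"]);
const TIMESTAMP_VALUE = /^\d{10}(\d{3})?$/;

// Canonical key for "have we crawled this view already?": drops the fragment
// and cache-buster parameters, then sorts what remains.
function crawlKey(urlString) {
  const url = new URL(urlString);
  const kept = [];
  for (const [name, value] of url.searchParams) {
    if (CACHE_BUSTER_NAMES.has(name) || TIMESTAMP_VALUE.test(value)) continue;
    kept.push(`${name}=${value}`);
  }
  kept.sort();
  return url.origin + url.pathname + (kept.length ? "?" + kept.join("&") : "");
}

// Minimal crawl frontier: add() returns true only for a not-yet-seen view.
class Frontier {
  constructor() { this.seen = new Set(); this.queue = []; }
  add(urlString) {
    const key = crawlKey(urlString);
    if (this.seen.has(key)) return false;
    this.seen.add(key);
    this.queue.push(urlString);
    return true;
  }
}

// Stand-alone demo: three literal URLs are found; two timestamp variants of
// the same search view collapse into one queued request.
const frontier = new Frontier();
["http://www.mysite.com/search?q=ajax&_=1143551160000",
 "http://www.mysite.com/search?_=1143551170000&q=ajax"].forEach(u => frontier.add(u));
console.log(extractStaticUrls(SAMPLE_SCRIPT).length, frontier.queue.length);
```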
Current thread:
- AJAX and Web application scanners rajeshdilli (Mar 27)
- RE: AJAX and Web application scanners Tate Hansen (Mar 28)
- Re: AJAX and Web application scanners Rogan Dawes (Mar 28)
- <Possible follow-ups>
- RE: AJAX and Web application scanners thomas.jones (Mar 28)
- RE: AJAX and Web application scanners Evans, Arian (Mar 28)
- Re: RE: AJAX and Web application scanners rajeshdilli (Mar 28)
- RE: AJAX and Web application scanners Jeff Robertson (Mar 29)
- Re: AJAX and Web application scanners Andrew van der Stock (Mar 29)