WebApp Sec mailing list archives

Re: AJAX and Web application scanners


From: Andrew van der Stock <vanderaj () greebo net>
Date: Thu, 30 Mar 2006 00:26:13 +1100

Yes, but this is actually really hard; most scanners are completely unaware of the security aspects of JavaScript:

* Client side validation
* DOM injection
* XSS etc

Until scanners become more competent, a well-written Manual of Style which encourages / mandates how validation works and variables are named is more desirable. Look at Chris Shiflett's approach for PHP:

$clean = array();
// only validated values ever land in $clean; the rest of the code reads from $clean, never from $_POST
$clean['foo'] = someValidation($_POST['foo']);

That sort of naming scheme can truncate audits by literally days and days on bigger apps. There's no reason not to encourage it in JS as well.

thanks,
Andrew


On 30/03/2006, at 12:04 AM, Jeff Robertson wrote:

Side question:

If you find yourself in the position to influence the design of a new
application, would you encourage the people coding it to optimize it for
"scannability" so as to make your own job easier?
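The $clean naming scheme from the PHP snippet carried over to client-side JavaScript, as an added example that is not part of this thread or of Chris Shiflett's code. The field rules, the `validateField`/`buildClean` names and the sample submission are assumptions; the point is that only validators write into `clean`, so an auditor can grep for any code that reads raw input directly.

```javascript
// Added example (not from the original thread): the "$clean" convention in JS.
// Validators are the only code allowed to write into `clean`; everything else
// reads from `clean` and never touches the raw form/DOM values.
// The rules below are assumed for illustration, not taken from the thread.
const rules = {
  username: { pattern: /^[a-z0-9_]{3,16}$/i, required: true },
  age:      { pattern: /^\d{1,3}$/, coerce: Number },
  note:     { pattern: /^[\w .,!?-]{0,200}$/ },
};

// Validates one raw field against its rule. Unknown fields are rejected,
// so a key that is not in `rules` can never reach `clean`.
function validateField(name, raw) {
  const rule = rules[name];
  if (!rule) return { ok: false, error: 'unknown field' };
  const value = typeof raw === 'string' ? raw.trim() : '';
  if (value === '') {
    return rule.required ? { ok: false, error: 'required' }
                         : { ok: true, value: undefined };
  }
  if (!rule.pattern.test(value)) return { ok: false, error: 'invalid format' };
  return { ok: true, value: rule.coerce ? rule.coerce(value) : value };
}

// Builds the `clean` object from a raw submission. It iterates over the
// schema, not over the input, so extra keys in `raw` are silently dropped.
// The result is frozen so later code cannot smuggle unvalidated values in.
function buildClean(raw) {
  const clean = {};
  const errors = {};
  for (const name of Object.keys(rules)) {
    const r = validateField(name, raw[name]);
    if (r.ok) {
      if (r.value !== undefined) clean[name] = r.value;
    } else {
      errors[name] = r.error;
    }
  }
  return { clean: Object.freeze(clean), errors };
}

// Constructed sample submission: one good field, one coerced field,
// one field that fails validation, and one key the schema does not know.
const sample = { username: 'alice_01', age: '42', note: '<img src=x>', evil: 'x' };
const result = buildClean(sample);
console.log(result.clean, result.errors);
```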
