WebApp Sec mailing list archives
Re: AJAX and Web application scanners
From: Andrew van der Stock <vanderaj () greebo net>
Date: Thu, 30 Mar 2006 00:26:13 +1100
Yes, but this is actually really hard; most scanners are completely unaware of the security aspects of JavaScript:

* Client side validation
* DOM injection
* XSS etc

Until scanners become more competent, a well written Manual of Style which encourages / mandates how validation works and variables are named is more desirable. Look at Chris Shiflett's approach for PHP:

    $clean = array();
    $clean['foo'] = someValidation($_POST['foo']);

That sort of naming scheme can truncate audits by literally days and days on bigger apps. There's no reason not to encourage it in JS as well.
thanks, Andrew On 30/03/2006, at 12:04 AM, Jeff Robertson wrote:
> Side question: If you find yourself in the position to influence the design of a new application, would you encourage the people coding it to optimize it for "scannability" so as to make your own job easier?
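The `$clean` convention carried over to JavaScript, as an added example that is not part of the original thread: raw request data is read only by named validators, and application code reads only the `clean` object, so an auditor can grep for direct uses of the raw input. The field names, validators and the sample request body are constructed for illustration.

```javascript
// Added example (not from the original post): the $clean naming convention
// applied in JavaScript. Raw input is only ever touched by validators;
// everything the application uses comes out of `clean`.

const validators = {
  // username: 3-20 characters, letters, digits and underscore only
  username: (v) =>
    typeof v === "string" && /^[A-Za-z0-9_]{3,20}$/.test(v) ? v : undefined,
  // quantity: integer 1..99; form fields arrive as strings, so parse them
  quantity: (v) => {
    if (!/^\d{1,2}$/.test(String(v))) return undefined;
    const n = Number(v);
    return n >= 1 && n <= 99 ? n : undefined;
  },
};

// Build the clean object. Every key in `clean` passed its validator; a key
// that is missing or rejected is reported in `rejected` instead of being
// copied through. Raw keys with no validator never reach the application.
function buildClean(raw, spec) {
  const clean = Object.create(null);
  const rejected = [];
  for (const [name, validate] of Object.entries(spec)) {
    const value = validate(raw[name]);
    if (value === undefined) rejected.push(name);
    else clean[name] = value;
  }
  return { clean: Object.freeze(clean), rejected };
}

// Constructed sample request body, as an AJAX handler might receive it.
const rawInput = {
  username: "alice_01",
  quantity: "7",
  comment: "<script>alert(1)</script>", // no validator, so never enters clean
};

const { clean, rejected } = buildClean(rawInput, validators);
// From here on, code uses clean.username / clean.quantity, never rawInput.
```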