WebApp Sec: RE: AJAX and Web application scanners

From: Evans, Arian <Arian.Evans_at_fishnetsecurity.com>
Date: Tue, 28 Mar 2006 14:46:23 -0600

So two things here... it is not uncommon with AJAX to have
the URL seeded with something unique like a time/date stamp
to prevent caching issues, and then obviously if that is
part of the path almost any scanner will go into an infinite
loop (or simply choke), if they get that far at all.

SPI's 5.5 release changed their parsing ability significantly;
we had a client with AJAX and *heavy* client side javascript
that *no* tool could parse, until WI 5.5, which managed to
crawl all (most? memory isn't great, heh) the dynamic links
etc, but still didn't find anything.

WI 5.8 has gotten better. Watchfire isn't bad either. I just
tested about 15 tools on a number of different apps and was
surprised at how many tools still made basic mistakes in "automated"
mode (parse 302 DOM body for one example) or had pretty limited
crawling abilities, and rely heavily on static URL 'guessing'.

In these cases most tools allow you to manually crawl through
and then they run their *tests*. I've had varying results with
the different vendors' 'manual' modes; try for yourself, YMMV.

Like any new market, these tools are improving, and several vendors
appear to be going in the right direction, but they are far from
mature or complete solutions and the complexity of apps in the
wild seems to scale just ahead of the pace the scanners can keep
up. Take all the new rich-client/RCP over HTTP stuff, like FLEX
and Eclipse-based clients, and we're starting to see a lot of
that but I don't see anything in the automated scanner realm
that can do much here (yet, today).

-ae

> -----Original Message-----
> From: Tate Hansen [mailto:tate_at_clearnetsec.com]
> Sent: Tuesday, March 28, 2006 2:29 AM
> To: rajeshdilli_at_yahoo.com
> Cc: webappsec_at_securityfocus.com
> Subject: RE: AJAX and Web application scanners
>
>
> One of the keywords there to watch is 'parsers'. This chart by Secure
> Enterprise a few months ago reports all scanners 'parse' JavaScript:
> http://i.cmpnet.com/secureenterprisemag/0209/graphics/0209f1a.gif
>
> My experience is the same; these scanners fail to fully crawl an
> application which "builds" URLs dynamically.
>
> From my understanding (I may be wrong) what most of these products do is
> search for static URL paths like http://www.mysite.com. In order to
> automate crawling, execution is required, not just parsing. For example,
> if JavaScript is used to generate a URL like:
>
>     window.location = "http://www.mysite.com?tracking=" +
>         getelementbyname(element_name).value;
>
> then these scanners will miss it. Obviously you can miss a lot depending
> on what is dynamic and how you can interact with those views.
>
> The work-around is you must manually crawl the web application in order
> to seed the scanners with the dynamic views (I've also heard this
> confirmed by engineers who work for these vendors).
>
> A month or so ago I viewed a README note for the latest WebInspect
> version which reports: "Support for Advanced Asynchronous JavaScript and
> XML (AJAX) Applications / Improvements to the JavaScript and Audit
> engines now allow WebInspect to crawl and audit AJAX-based applications."
> I'm not sure what that exactly means, but I think all the major players
> are adding some type of execution capabilities.
>
> Tate Hansen
> ClearNet Security
>
> -----Original Message-----
> From: rajeshdilli_at_yahoo.com [mailto:rajeshdilli_at_yahoo.com]
> Sent: Monday, March 27, 2006 1:12 PM
> To: webappsec_at_securityfocus.com
> Subject: AJAX and Web application scanners
>
> Hi,
>
> I've been recently going around the web for a couple of challenges that
> AJAX faces. One thing that struck me was the web application scanners.
> I've seen a few vendors' (I don't want to mention any vendor or product
> name here) products that claim that they have JavaScript parsers and
> support for AJAX-driven applications. My personal experience with these
> tools is that they could not spar well against apps that are heavily
> JavaScript driven, and with the introduction of AJAX-based apps it's a
> case of uncertainty in choosing the right product (if at all there can be
> one which can progress in auditing AJAX applications). Do any of you have
> any insights or experiences on these tools against AJAX-based apps?
>
> Thanks
> Rajesh
>
> -------------------------------------------------------------------------
> This List Sponsored by: SpiDynamics
>
> ALERT: "How A Hacker Launches A Web Application Attack!"
> Step-by-Step - SPI Dynamics White Paper
> Learn how to defend against Web Application Attacks with real-world
> examples of recent hacking methods such as: SQL Injection, Cross Site
> Scripting and Parameter Manipulation
>
> https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
> -------------------------------------------------------------------------

Received on Mar 28 2006
