WebApp Sec: RE: AJAX and Web application scanners

From: Jeff Robertson <jeff.robertson_at_digitalinsight.com>
Date: Wed, 29 Mar 2006 08:04:54 -0500

Side question:

If you find yourself in the position to influence the design of a new
application, would you encourage the people coding it to optimize it for
"scannability" so as to make your own job easier?

> -----Original Message-----
> From: Evans, Arian [mailto:Arian.Evans_at_fishnetsecurity.com]
> Sent: Tuesday, March 28, 2006 15:46
> To: Tate Hansen; rajeshdilli_at_yahoo.com; webappsec_at_securityfocus.com
> Subject: RE: AJAX and Web application scanners
>
> So two things here... it is not uncommon with AJAX to have
> the URL seeded with something unique like a time/date stamp
> to prevent caching issues, and then obviously if that is part
> of the path almost any scanner will go into an infinite loop (or
> simply choke), if they get that far at all.
>
> SPI's 5.5 release changed their parsing ability
> significantly; we had a client with AJAX and *heavy* client
> side javascript that *no* tool could parse, until WI 5.5,
> which managed to crawl all (most? memory isn't great, heh)
> the dynamic links etc, but still didn't find anything.
>
> WI 5.8 has gotten better. Watchfire isn't bad either. I just
> tested about 15 tools on a number of different apps and was
> surprised at how many tools still made basic mistakes in "automated"
> mode (parse 302 DOM body for one example) or had pretty
> limited crawling abilities, and rely heavily on static URL 'guessing'.
>
> In these cases most tools allow you to manually crawl through
> and then they run their *tests*. I've had varying results
> with the different vendors 'manual' modes, try for yourself, YMMV.
>
> Like any new market, these tools are improving, and several
> vendors appear to be going in the right direction, but they
> are far from mature or complete solutions and the complexity
> of apps in the wild seems to scale just ahead of the pace the
> scanners can keep up. Take all the new rich-client/RCP over
> HTTP stuff, like FLEX and Eclipse-based clients, and we're
> starting to see a lot of that but I don't see anything in the
> automated scanner realm that can do much here (yet, today).
>
> -ae
>
> > -----Original Message-----
> > From: Tate Hansen [mailto:tate_at_clearnetsec.com]
> > Sent: Tuesday, March 28, 2006 2:29 AM
> > To: rajeshdilli_at_yahoo.com
> > Cc: webappsec_at_securityfocus.com
> > Subject: RE: AJAX and Web application scanners
> >
> >
> > One of the keywords there to watch is 'parsers'. This chart by Secure
> > Enterprise a few months ago reports all scanners 'parse' JavaScript:
> > http://i.cmpnet.com/secureenterprisemag/0209/graphics/0209f1a.gif
> >
> > My experience is the same; these scanners fail to fully crawl an
> > application which "builds" URLs dynamically.
> >
> > From my understanding (I may be wrong) what most of these products do
> > is search for static URL paths like http://www.mysite.com. In order
> > to automate crawling, execution is required, not just parsing.
> > For example, if JavaScript is used to generate a URL like:
> > window.location = "http://www.mysite.com?tracking=" +
> > getelementbyname(element_name).value;
> > then these scanners will miss it. Obviously you can miss a lot
> > depending on what is dynamic and how you can interact with those
> > views.
> >
> > The work-around is you must manually crawl the web application in
> > order to seed the scanners with the dynamic views (I've also heard
> > this confirmed by engineers whom work for these vendors).
> >
> > A month or so ago I viewed a README note for the latest WebInspect
> > version which reports: Support for Advanced Asynchronous JavaScript
> > and XML (AJAX) Applications / Improvements to the JavaScript and Audit
> > engines now allow WebInspect to crawl and audit AJAX-based
> > applications. I'm not sure what that exactly means, but I think all
> > the major players are adding some type of execution capabilities.
> >
> > Tate Hansen
> > ClearNet Security
> >
> > -----Original Message-----
> > From: rajeshdilli_at_yahoo.com [mailto:rajeshdilli_at_yahoo.com]
> > Sent: Monday, March 27, 2006 1:12 PM
> > To: webappsec_at_securityfocus.com
> > Subject: AJAX and Web application scanners
> >
> > Hi,
> >
> > I've been recently going around the web for a couple of
> > challenges that AJAX faces. One thing that struck me was the web
> > application scanners.
> > I've seen a few vendors' (I don't want to mention any vendor or product
> > name here) products that claim that they have JavaScript parsers and
> > support for AJAX driven applications. My personal experience with
> > these tools is that they could not fare well against apps that are
> > heavily JavaScript driven, and with the introduction of AJAX based apps
> > it's a case of uncertainty in choosing the right product (if at all
> > there can be one which can progress in auditing AJAX applications). Do
> > any of you have any insights or experiences on these tools against AJAX
> > based apps?
> >
> > Thanks
> > Rajesh
> >

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Received on Mar 29 2006
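The mechanism the thread turns on (a parser-only crawler seeing a string literal while the page's script assembles the real URL at runtime, and a cache-busting timestamp in the URL defeating the crawler's duplicate detection), as an added example that is not code from the thread or from any scanner vendor. The sample page, the /track endpoint, the tid field, the fixed timestamp and the list of "volatile" parameter names are constructed for illustration; the stubbed window/document is a deliberately minimal stand-in for what an execution-based crawler gets from a real browser engine.

```javascript
// Added example, not code from the thread. Shows why a parse-only crawler
// misses script-built URLs, how executing the script against stub objects
// recovers them, and how to canonicalize cache-busted URLs so a crawl
// queue does not grow without bound.

// Constructed sample page: one static link, one URL built by script.
const SAMPLE_PAGE = `
<a href="/help">Help</a>
<input name="tid" value="">
<button onclick="go()">Go</button>
<script>
  function go() {
    window.location = "http://www.mysite.com/track?tracking=" +
      document.getElementsByName("tid")[0].value + "&_=" + Date.now();
  }
</script>
`;

// Parser-only discovery: href attributes plus absolute-URL string literals.
// This is the "static URL guessing" the thread describes; it returns the
// dangling literal, never the URL the user actually reaches.
function staticUrls(html) {
  const found = new Set();
  for (const m of html.matchAll(/href=["']([^"']+)["']/g)) found.add(m[1]);
  for (const m of html.matchAll(/https?:\/\/[^\s"'<>]+/g)) found.add(m[0]);
  return [...found];
}

// Execution-based discovery: run every <script> body together with each
// inline event handler against stub window/document objects, recording
// every value assigned to window.location. `formValues` seeds the inputs
// the handler reads (what a manual crawl supplies); `fixedNow` pins Date.now.
function executedUrls(html, formValues, fixedNow) {
  const captured = [];
  const windowStub = { set location(v) { captured.push(String(v)); } };
  const documentStub = {
    getElementsByName: (name) => [{ value: formValues[name] ?? "" }],
  };
  const dateStub = { now: () => fixedNow };
  const scripts = [...html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]);
  const handlers = [...html.matchAll(/\bon\w+=["']([^"']+)["']/gi)].map(m => m[1]);
  for (const handler of handlers) {
    const body = scripts.join("\n") + "\n" + handler + ";";
    try {
      // Parameter names shadow the real globals, so the page script's
      // window/document/Date references hit the stubs.
      new Function("window", "document", "Date", body)(windowStub, documentStub, dateStub);
    } catch (e) {
      // A handler needing DOM APIs we did not stub is a crawl gap, not a crash.
      captured.push("ERROR: " + e.message);
    }
  }
  return captured;
}

// Cache-buster normalisation. Assumed list of nonce-style parameter names;
// additionally drop any parameter whose value looks like an epoch timestamp,
// and replace path segments that are pure 10-13 digit numbers (the "in the
// path" case from the thread) with a placeholder. URLs differing only by
// timestamp then dedup to one crawl key.
const VOLATILE_PARAMS = new Set(["_", "t", "ts", "timestamp", "nocache", "rand", "r"]);
const EPOCH_RE = /^\d{10,13}$/;

function canonicalize(rawUrl) {
  const u = new URL(rawUrl);
  u.pathname = u.pathname.split("/").map(seg => (EPOCH_RE.test(seg) ? "__ts__" : seg)).join("/");
  const kept = [];
  for (const [k, v] of u.searchParams) {
    if (VOLATILE_PARAMS.has(k.toLowerCase()) || EPOCH_RE.test(v)) continue;
    kept.push([k, v]);
  }
  kept.sort((a, b) => a[0].localeCompare(b[0]) || a[1].localeCompare(b[1]));
  u.search = new URLSearchParams(kept).toString();
  return u.toString();
}

// Crawl-queue dedup: number of distinct targets among observed URLs.
function distinctTargets(urls) {
  return new Set(urls.map(canonicalize)).size;
}

console.log(staticUrls(SAMPLE_PAGE));
console.log(executedUrls(SAMPLE_PAGE, { tid: "abc" }, 1143613494000));
console.log(distinctTargets([
  "http://www.mysite.com/track?tracking=abc&_=1143613494000",
  "http://www.mysite.com/track?_=1143613494001&tracking=abc",
  "http://www.mysite.com/track?tracking=xyz&_=1143613494002",
]));
```

On the sample page the static pass yields "/help" and the truncated literal "http://www.mysite.com/track?tracking=", while the execution pass yields the complete URL with the seeded field value and timestamp; the three observed URLs collapse to two crawl targets after canonicalization. The volatile-parameter list has to be tuned per application: an app that uses a 13-digit value as a real record identifier would be under-crawled by this rule, so treat it as a starting point to be confirmed against the target, not a universal filter.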
