RE: AJAX and Web application scanners

["Jeff Robertson" <jeff.robertson () digitalinsight com>]

Side question:

If you find yourself in the position to influence the design of a new
application, would you encourage the people coding it to optimize it for
"scannability" so as to make your own job easier? 

> -----Original Message-----
> From: Evans, Arian [mailto:Arian.Evans () fishnetsecurity com] 
> Sent: Tuesday, March 28, 2006 15:46
> To: Tate Hansen; rajeshdilli () yahoo com; webappsec () securityfocus com
> Subject: RE: AJAX and Web application scanners
>
> So two things here... it is not uncommon with AJAX to have 
> the URL seeded with a something unique like a time/date stamp 
> to prevent caching issues, and then obviously if that is part 
> of the path almost any scanner will go into infinite loop (or 
> simply choke), if they get that far at all.
>
> SPI's 5.5 release changed their parsing ability 
> significantly; we had a client with AJAX and *heavy* client 
> side javascript that *no* tool could parse, until WI 5.5, 
> which managed to crawl all (most? memory isn't great, heh) 
> the dynamic links etc, but still didn't find anything.
>
> WI 5.8 has gotten better. Watchfire isn't bad either. I just 
> tested about 15 tools on a number of different apps and was 
> surprised at how many tools still made basic mistakes in "automated"
> mode (parse 302 DOM body for one example) or had pretty 
> limited crawling abilities, and rely heavily on static URL 'guessing'.
>
> In these cases most tools allow you to manually crawl through 
> and then they run their *tests*. I've had varying results 
> with the different vendors 'manual' modes, try for yourself, YMMV.
>
> Like any new market, these tools are improving, and several 
> vendors appear to be going in the right direction, but they 
> are far from mature or complete solutions and the complexity 
> of apps in the wild seems to scale just ahead of the pace the 
> scanners can keep up. Take all the new rich-client/RCP over 
> HTTP stuff, like FLEX and Eclipse-based clients, and we're 
> starting to see a lot of that but I don't see anything in the 
> automated scanner realm that can do much here (yet, today).
>
> -ae
>
> > -----Original Message-----
> > From: Tate Hansen [mailto:tate () clearnetsec com]
> > Sent: Tuesday, March 28, 2006 2:29 AM
> > To: rajeshdilli () yahoo com
> > Cc: webappsec () securityfocus com
> > Subject: RE: AJAX and Web application scanners
> >
> >
> > One of the keywords there to watch is 'parsers'.  This 
> chart by Secure 
> > Enterprise a few months ago reports all scanners 'parse' JavaScript:
> > http://i.cmpnet.com/secureenterprisemag/0209/graphics/0209f1a.gif
> >
> > My experience is the same; these scanners fail to fully crawl an 
> > application which "builds" URLs dynamically.
> >
> > From my understanding (I may be wrong) what most of these 
> products do 
> > is search for static URL paths like http://www.mysite.com.  
> In order 
> > to automate crawling, execution is required, not just parsing.
> > For example, if
> > JavaScript is used to generate a URL like: window.location = 
> > "http://www.mysite.com?tracking="; + 
> > getelementbyname(element_name).value;,
> > then these scanners will miss it.  Obviously you can miss a lot 
> > depending on what is dynamic and how you can interact with those 
> > views.
> >
> > The work-around is you must manually crawl the web application in 
> > order to seed the scanners with the dynamic views (I've also heard 
> > this confirmed by engineers whom work for these vendors).
> >
> > A month or so ago I viewed a README note for the latest WebInspect 
> > version which reports: Support for Advanced Asynchronous JavaScript 
> > and XML (AJAX) Applications / Improvements to the 
> JavaScript and Audit 
> > engines now allow WebInspect to crawl and audit AJAX-based 
> > applications.  I'm not sure what that exactly means, but I 
> think all 
> > the major players are adding some type of execution capabilities.
> >
> > Tate Hansen
> > ClearNet Security
> >
> > -----Original Message-----
> > From: rajeshdilli () yahoo com [mailto:rajeshdilli () yahoo com]
> > Sent: Monday, March 27, 2006 1:12 PM
> > To: webappsec () securityfocus com
> > Subject: AJAX and Web application scanners
> >
> > Hi,
> >
> >           I've been recently going around the web for a couple of 
> > challenges that AJAX faces. One thing that struck me was the web 
> > application scanners.
> > I've seen a few vendors (i don't to mention any vendor or 
> product name 
> > here) products that claim that they have javascript parsers and 
> > support for AJAX driven applications. My personal experience with 
> > these tools is that they could not spare well against apps that are 
> > heavily JavaScript driven and with the introduction of AJAX 
> based apps 
> > it's a case of uncertainity in choosing the right product 
> (if at all 
> > there can be one which can progress in auditing AJAX 
> applications). Do 
> > any of you have any insights or experinces on these tools 
> against AJAX 
> > based apps.
> >
> > Thanks
> > Rajesh
> >
> > --------------------------------------------------------------
> > -----------
> > This List Sponsored by: SpiDynamics
> >
> > ALERT: "How A Hacker Launches A Web Application Attack!" 
> > Step-by-Step - SPI Dynamics White Paper Learn how to defend against 
> > Web Application Attacks with real-world examples of recent hacking 
> > methods such as: SQL Injection, Cross Site Scripting and Parameter 
> > Manipulation
> >
> > https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=7013
> 00000003gRl
> --------------------------------------------------------------
> ------------
>
>
> --------------------------------------------------------------
> -----------
> This List Sponsored by: SpiDynamics
>
> ALERT: "How A Hacker Launches A Web Application Attack!" 
> Step-by-Step - SPI Dynamics White Paper
> Learn how to defend against Web Application Attacks with 
> real-world examples of recent hacking methods such as: SQL 
> Injection, Cross Site Scripting and Parameter Manipulation
>
> https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=7013
00000003gRl
> --------------------------------------------------------------
> ------------
>
>
> --------------------------------------------------------------
> -----------
> This List Sponsored by: SpiDynamics
>
> ALERT: "How A Hacker Launches A Web Application Attack!" 
> Step-by-Step - SPI Dynamics White Paper
> Learn how to defend against Web Application Attacks with 
> real-world examples of recent hacking methods such as: SQL 
> Injection, Cross Site Scripting and Parameter Manipulation
>
> https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=7013
00000003gRl
> --------------------------------------------------------------
> ------------

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------