WebApp Sec mailing list archives
Static vs Dynamic Analysis (was RE: AJAX and Web application scanners)
From: "James Walden" <waldenj1 () nku edu>
Date: Wed, 29 Mar 2006 16:02:59 -0500
There are two types of program analysis: static and dynamic. It's important to know the difference so you can understand the capabilities of different security analysis tools. In the past, most web and network application security scanners used dynamic analysis, while general purpose tools used static analysis. However, both forms of analysis have their advantages and disadvantages, so an increasing number of tools use static and dynamic techniques. Static analysis tools parse and analyze the source code without running it. Type checking is a familiar form of static analysis. Static analysis tools typically perform a conservative and sound analysis, that is, since the tools don't run the program, their results need to be generalizable across any executions. This limits what static analysis tools can tell you and means that they will produce false positives. Static analysis tools take a long time to run, so they typically approximate program behavior to run faster, which introduces the possibilty of false negatives. Dynamic analysis tools execute the program and observe its behavior over a number of runs. The advantage is that you don't have to abstract or approximate as static analysis tools do; you know exactly which control paths the program followed and what data was used. Dynamic tools are as fast as your program execution. However, the disadvantage of dynamic analysis is the problem of determining whether the input you used and the executions you observed are generalizable to all possible inputs and executions. Both forms of analysis are useful. Each form of analysis observes a different set of program executions, limited by approximations (static analysis) or by the input set (dynamic analysis.) Dynamic analysis tools have to worry more about false negatives, while static analysis tools have to worry more about false positives. Dynamic analysis is fast, while static analysis is slow (and more accurate if it runs longer.) However, it's often easier to introduce static analysis early in the development cycle. Some organizations introduce a fast static analysis as an automatic step in compilation or source code checkin, while using a longer, more in depth static analysis for security reviews. Dr. James Walden Dept. of Computer Science Northern Kentucky University http://www.nku.edu/~waldenj1 -----Original Message----- From: Tate Hansen [mailto:tate () clearnetsec com] Sent: Tuesday, March 28, 2006 3:29 AM To: rajeshdilli () yahoo com Cc: webappsec () securityfocus com Subject: RE: AJAX and Web application scanners One of the keywords there to watch is 'parsers'. This chart by Secure Enterprise a few months ago reports all scanners 'parse' JavaScript: http://i.cmpnet.com/secureenterprisemag/0209/graphics/0209f1a.gif My experience is the same; these scanners fail to fully crawl an application which "builds" URLs dynamically.
From my understanding (I may be wrong) what most of these products do is
search for static URL paths like http://www.mysite.com. In order to automate crawling, execution is required, not just parsing. For example, if JavaScript is used to generate a URL like: window.location = "http://www.mysite.com?tracking=" + getelementbyname(element_name).value;, then these scanners will miss it. Obviously you can miss a lot depending on what is dynamic and how you can interact with those views. The work-around is you must manually crawl the web application in order to seed the scanners with the dynamic views (I've also heard this confirmed by engineers whom work for these vendors). A month or so ago I viewed a README note for the latest WebInspect version which reports: Support for Advanced Asynchronous JavaScript and XML (AJAX) Applications / Improvements to the JavaScript and Audit engines now allow WebInspect to crawl and audit AJAX-based applications. I'm not sure what that exactly means, but I think all the major players are adding some type of execution capabilities. Tate Hansen ClearNet Security -----Original Message----- From: rajeshdilli () yahoo com [mailto:rajeshdilli () yahoo com] Sent: Monday, March 27, 2006 1:12 PM To: webappsec () securityfocus com Subject: AJAX and Web application scanners Hi, I've been recently going around the web for a couple of challenges that AJAX faces. One thing that struck me was the web application scanners. I've seen a few vendors (i don't to mention any vendor or product name here) products that claim that they have javascript parsers and support for AJAX driven applications. My personal experience with these tools is that they could not spare well against apps that are heavily JavaScript driven and with the introduction of AJAX based apps it's a case of uncertainity in choosing the right product (if at all there can be one which can progress in auditing AJAX applications). Do any of you have any insights or experinces on these tools against AJAX based apps. Thanks Rajesh ------------------------------------------------------------------------ - This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR l ------------------------------------------------------------------------ -- ------------------------------------------------------------------------ - This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR l ------------------------------------------------------------------------ -- ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- Static vs Dynamic Analysis (was RE: AJAX and Web application scanners) James Walden (Mar 29)