WebApp Sec mailing list archives

Static vs Dynamic Analysis (was RE: AJAX and Web application scanners)


From: "James Walden" <waldenj1 () nku edu>
Date: Wed, 29 Mar 2006 16:02:59 -0500

There are two types of program analysis: static and dynamic.  It's
important to know the difference so you can understand the capabilities
of different security analysis tools.  In the past, most web and network
application security scanners used dynamic analysis, while general
purpose tools used static analysis.  However, both forms of analysis
have their advantages and disadvantages, so an increasing number of
tools use static and dynamic techniques.

Static analysis tools parse and analyze the source code without running
it.  Type checking is a familiar form of static analysis.  Static
analysis tools typically perform a conservative and sound analysis, that
is, since the tools don't run the program, their results need to be
generalizable across any executions.  This limits what static analysis
tools can tell you and means that they will produce false positives.
Static analysis tools take a long time to run, so they typically
approximate program behavior to run faster, which introduces the
possibility of false negatives.

Dynamic analysis tools execute the program and observe its behavior over
a number of runs.  The advantage is that you don't have to abstract or
approximate as static analysis tools do; you know exactly which control
paths the program followed and what data was used.  Dynamic tools are as
fast as your program execution.  However, the disadvantage of dynamic
analysis is the problem of determining whether the input you used and
the executions you observed are generalizable to all possible inputs and
executions.

Both forms of analysis are useful.  Each form of analysis observes a
different set of program executions, limited by approximations (static
analysis) or by the input set (dynamic analysis).  Dynamic analysis
tools have to worry more about false negatives, while static analysis
tools have to worry more about false positives.  Dynamic analysis is
fast, while static analysis is slow (and more accurate if it runs
longer).  However, it's often easier to introduce static analysis early
in the development cycle.  Some organizations introduce a fast static
analysis as an automatic step in compilation or source code checkin,
while using a longer, more in-depth static analysis for security
reviews.

Dr. James Walden
Dept. of Computer Science
Northern Kentucky University
http://www.nku.edu/~waldenj1

-----Original Message-----
From: Tate Hansen [mailto:tate () clearnetsec com]
Sent: Tuesday, March 28, 2006 3:29 AM
To: rajeshdilli () yahoo com
Cc: webappsec () securityfocus com
Subject: RE: AJAX and Web application scanners

One of the keywords there to watch is 'parsers'.  This chart by Secure
Enterprise a few months ago reports all scanners 'parse' JavaScript:
http://i.cmpnet.com/secureenterprisemag/0209/graphics/0209f1a.gif

My experience is the same; these scanners fail to fully crawl an
application which "builds" URLs dynamically.

From my understanding (I may be wrong) what most of these products do is
search for static URL paths like http://www.mysite.com.  In order to
automate crawling, execution is required, not just parsing.  For
example, if JavaScript is used to generate a URL like:
window.location = "http://www.mysite.com?tracking=" + getelementbyname(element_name).value;
then these scanners will miss it.  Obviously you can miss a lot
depending on what is dynamic and how you can interact with those views.

The work-around is you must manually crawl the web application in order
to seed the scanners with the dynamic views (I've also heard this
confirmed by engineers who work for these vendors).

A month or so ago I viewed a README note for the latest WebInspect
version which reports: Support for Advanced Asynchronous JavaScript and
XML (AJAX) Applications / Improvements to the JavaScript and Audit
engines now allow WebInspect to crawl and audit AJAX-based applications.
I'm not sure what that exactly means, but I think all the major players
are adding some type of execution capabilities.

Tate Hansen
ClearNet Security
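To make Tate's parsing-versus-execution point concrete, and Walden's point that execution only tells you about the inputs you actually tried, here is an added JavaScript example; it is not code from the thread or from any scanner vendor, and SAMPLE_JS, the getelementbyname stub and the seed values are all constructed for illustration.

```javascript
// Added example, not code from the thread or from any scanner vendor.
// SAMPLE_JS is a constructed snippet of the kind Tate describes: the URL
// only exists once the script runs and reads a field value.
const SAMPLE_JS = `
  var element_name = "tracking_input";
  window.location = "http://www.mysite.com?tracking=" +
    getelementbyname(element_name).value;
`;

// "Parsing" approach: scan the source text for URL-looking string literals.
// It runs nothing, so it can only ever report what is spelled out literally.
function parseStaticUrls(source) {
  const found = new Set();
  for (const m of source.matchAll(/"(https?:\/\/[^"]*)"/g)) found.add(m[1]);
  return [...found];
}

// "Execution" approach: run the snippet against a stub DOM, once per seed
// input. Only URLs reachable with the seeds you supply are observed, which
// is why Tate's work-around is to crawl manually and seed the scanner.
// (A real crawler would run this inside an isolated JS engine, not new Function.)
function crawlByExecution(source, seedInputs) {
  const observed = [];
  for (const values of seedInputs) {
    const window = { location: null };
    // Stub for the helper the snippet calls: hands back the seeded field value.
    const getelementbyname = (name) => ({ value: values[name] ?? "" });
    new Function("window", "getelementbyname", source)(window, getelementbyname);
    if (window.location) observed.push(window.location);
  }
  return observed;
}

// URLs the executing crawler reached that the text parser never reported:
// these are the parser's false negatives for this seed set.
function missedByParser(source, seedInputs) {
  const parsed = new Set(parseStaticUrls(source));
  return crawlByExecution(source, seedInputs).filter((u) => !parsed.has(u));
}

// Quick demonstration when run directly.
const seeds = [{ tracking_input: "abc123" }, { tracking_input: "xyz789" }];
console.log("parser sees:   ", parseStaticUrls(SAMPLE_JS));
console.log("execution sees:", crawlByExecution(SAMPLE_JS, seeds));
```

With no seeds at all the execution approach reports nothing, which is the dynamic-analysis false-negative problem Walden describes in the same terms.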

-----Original Message-----
From: rajeshdilli () yahoo com [mailto:rajeshdilli () yahoo com]
Sent: Monday, March 27, 2006 1:12 PM
To: webappsec () securityfocus com
Subject: AJAX and Web application scanners

Hi,

I've been recently going around the web for a couple of
challenges that AJAX faces. One thing that struck me was the web
application scanners.
I've seen a few vendors' (I don't want to mention any vendor or product name
here) products that claim that they have JavaScript parsers and support
for AJAX driven applications. My personal experience with these tools is
that they could not fare well against apps that are heavily JavaScript
driven, and with the introduction of AJAX based apps it's a case of
uncertainty in choosing the right product (if at all there can be one
which can progress in auditing AJAX applications). Do any of you have
any insights or experiences on these tools against AJAX based apps?

Thanks
Rajesh

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------