As I have discussed in previous posts and at conferences, like OWASP AppSecUSA, while the number of attacks continue to increase, the attack techniques aren’t new at all. They are actually the same old attacks like SQL Injection showing up in new places including mobile application services and AJAX applications. Because these newer technologies have exploded in popularity and become more mainstream, we keep seeing these same old vulnerabilities popping up in new places. I always say its like Where’s Waldo, and we simply need to understand the new landscape and start looking for Waldo again.
Over the last several years, there has been a major evolution in how applications are being built with new underlying technologies, application architectures and data formats, but have application scanners evolved with them? These new technologies have grown at such a fast rate, we haven’t been able to keep up at either end. On one end, developers aren’t able to build these new applications securely because they are up against deadlines from the business and delivering on new technologies. And on the other end, web application scanners were architected in the golden days of web application security when almost all web applications were static and relatively simple HTML pages. While scanners have never and will never cover all types of every web application, our belief is that they can and should cover as much as possible. Unfortunately, most application security scanners haven’t kept pace with the changing applications.
Over the next few weeks, I’ll be posting a series on these technologies and how developers, security professionals and application scanning vendors can help to close the coverage gap detailed above to improve both the efficiency (reduce manual efforts) and effectiveness (find more vulnerabilities) of security efforts.
By the way, a new beta version of our NTOSpider product is currently available. We believe its the only scanner that truly begins to address these newer technologies and formats like AMF, JSON and REST. But feel free to check it out for yourself. We welcome input and feedback.
In this series of posts, I’ll detail the technologies used in modern applications and demonstrate why they create challenges for modern web scanners. In addition, I’ll give you pointers on how you can determine if your application security scanners are effectively scanning and attacking these newer technologies.
We will discuss the following kinds of applications and technologies:
1. RIA & HTML5
- AJAX applications: JSON (JQuery), REST, GWT (Google WebToolkit) ∙ Flash remoting: AMF
- HTML5 applications (addressed in subsequent paper)
- Backends powered by JSON, REST and other custom formats
3. Web services
- JSON, REST
- XML-RPC, SOAP (addressed in subsequent paper)
4. Challenging application workflows
- Sequences: Shopping Cart and other strict processes ∙ XSRF/CSRF Tokens
If you would like to read the full whitepaper on this topic, you can download it here.