
RE: AJAX and Web application scanners

Subject: RE: AJAX and Web application scanners
Date: Tue, 28 Mar 2006 01:29:20 -0700
One of the keywords there to watch is 'parsers'.  This chart by Secure
Enterprise a few months ago reports all scanners 'parse' JavaScript:
http://i.cmpnet.com/secureenterprisemag/0209/graphics/0209f1a.gif

My experience is the same; these scanners fail to fully crawl an application
which "builds" URLs dynamically.  

From my understanding (I may be wrong) what most of these products do is
search for static URL paths like http://www.mysite.com.  In order to
automate crawling, execution is required, not just parsing.  For example, if
JavaScript is used to generate a URL like: window.location =
"http://www.mysite.com?tracking=" + getelementbyname(element_name).value;,
then these scanners will miss it.  Obviously you can miss a lot depending on
what is dynamic and how you can interact with those views.

The work-around is you must manually crawl the web application in order to
seed the scanners with the dynamic views (I've also heard this confirmed by
engineers who work for these vendors).  

A month or so ago I viewed a README note for the latest WebInspect version
which reports: Support for Advanced Asynchronous JavaScript and XML (AJAX)
Applications / Improvements to the JavaScript and Audit engines now allow
WebInspect to crawl and audit AJAX-based applications.  I'm not sure what
that exactly means, but I think all the major players are adding some type
of execution capabilities.

Tate Hansen
ClearNet Security
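As an added illustration (not code from the mail or from any scanner vendor), a small JavaScript comparison of the two approaches described above: grepping the script text for URL literals versus executing it against a stub DOM and recording where it navigates. The page script, the form values and the helper names are constructed for this example.

```javascript
// Constructed page script: the navigation target only exists at run time,
// built from a base string and a form field value (as in the mail).
const pageScript = `
  var base = "http://www.mysite.com/report";
  var id = document.getElementsByName("tracking")[0].value;
  window.location = base + "?tracking=" + id;
`;

// Approach 1 (what the mail says most scanners do): static parsing.
// Grep the source for anything that looks like an absolute URL literal.
function staticUrls(src) {
  const re = /https?:\/\/[^\s"'<>]+/g;
  return src.match(re) || [];
}

// Approach 2: execution. Run the script with a minimal fake window/document
// and capture every assignment to window.location (or location.href).
function executedUrls(src, formValues) {
  const visited = [];
  const locationStub = {
    set href(v) { visited.push(String(v)); },
  };
  const window = {
    get location() { return locationStub; },
    set location(v) { visited.push(String(v)); },
  };
  const document = {
    // Only the DOM method the sample script needs; values come from formValues.
    getElementsByName: (name) => [{ value: formValues[name] }],
  };
  // Parameters named window/document shadow any real globals for the script.
  new Function("window", "document", src)(window, document);
  return visited;
}

// Views the static parser never sees: found by execution, absent from grep.
function missedByStaticParse(src, formValues) {
  const seen = new Set(staticUrls(src));
  return executedUrls(src, formValues).filter((u) => !seen.has(u));
}

console.log("static  :", staticUrls(pageScript));
console.log("executed:", executedUrls(pageScript, { tracking: "42" }));
console.log("missed  :", missedByStaticParse(pageScript, { tracking: "42" }));
```

The static pass finds only the literal prefix, while execution yields the real crawl target; the difference is exactly the set of views a parse-only crawler needs to be seeded with by hand.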

-----Original Message-----
From: rajeshdilli@yahoo.com [mailto:rajeshdilli@yahoo.com] 
Sent: Monday, March 27, 2006 1:12 PM
To: webappsec@securityfocus.com
Subject: AJAX and Web application scanners

Hi,

I've been recently going around the web for a couple of challenges
that AJAX faces. One thing that struck me was the web application scanners.
I've seen a few vendors' (I don't want to mention any vendor or product name here)
products that claim that they have JavaScript parsers and support for AJAX
driven applications. My personal experience with these tools is that they
could not fare well against apps that are heavily JavaScript driven and
with the introduction of AJAX based apps it's a case of uncertainty in
choosing the right product (if at all there can be one which can progress in
auditing AJAX applications). Do any of you have any insights or experiences
on these tools against AJAX based apps?

Thanks
Rajesh

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
