updated 10:27, Tue October 09, 2007

Rolling Review: Web App Scanners Still Have Trouble With Ajax


Companies that make heavy use of Ajax and don't want to expose themselves to attack should have some protection, whether a skilled in-house security tester, Ajax-capable software as a service, or the most expensive option, a consultant. With the exception of IBM's Watchfire AppScan, automated Web application scanners are simply not yet up to the task of finding security flaws in Ajax code. And it's not like we made it hard on them: The Ajax applications we used in testing were relatively simple. None of the vulnerabilities we expected our scanners to find was advanced or required complex analysis of client-side code. Rather, they were traditional Web application security vulnerabilities, just exposed through an updated Ajax interface. As long as the scanners being tested could navigate the application, identifying the vulnerabilities should have been a walk in the park.

Instead, most ended up unable to automatically crawl the applications, requiring a human to surf through the site to teach the scanner where to prod and poke.

As we wrap up our four-month Rolling Review series, we want to award some partial credit. While only IBM's Watchfire AppScan automatically handled our Ajax applications, Acunetix Web Vulnerability Scanner, Cenzic Hailstorm, and Hewlett-Packard WebInspect (after an update) were capable of analyzing and detecting vulnerabilities in the Ajax application, albeit only when we manually walked them through the relevant bits.

Unfortunately, that's just not good enough. Much of the value of a scanner is that it's a repeatable, exhaustive crawler. Requiring a human to replace the automated spider reduces the code coverage, and thus the effectiveness, of the scanner. So while we don't give those products a complete failing grade, they have a ways to go before they can claim to be truly Ajax-capable. Until then, expect to dig into code manually.
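The coverage point above can be shown concretely. The following is an added example, not code from the review or from any of the scanners tested: a constructed three-page site whose only reference to the `/api/items` endpoint lives inside an XMLHttpRequest call, crawled once by a spider that follows only markup links and once by one that also harvests URL strings from inline scripts. The site, parser and regex are all assumptions for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample site (not a real application): the endpoint /api/items
# is reachable only through the XMLHttpRequest call in the inline script.
SITE = {
    "/": """<html><body><a href="/search">Search</a>
      <script>
        function load() {
          var xhr = new XMLHttpRequest();
          xhr.open("GET", "/api/items?cat=1", true);
          xhr.send();
        }
      </script></body></html>""",
    "/search": '<html><body><form action="/search" method="get">'
               '<input name="q"></form></body></html>',
    "/api/items": '{"items": []}',
}

class LinkParser(HTMLParser):
    """Collect hrefs/form actions, and keep the text of inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "form" and a.get("action"):
            self.links.append(a["action"])
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

# Naive heuristic: any quoted string starting with "/" inside a script is a candidate path.
URL_IN_JS = re.compile(r'["\'](/[^"\'?\s]*)')

def crawl(site, follow_scripts):
    """Return the set of site paths a spider reaches from '/'."""
    seen, queue = set(), ["/"]
    while queue:
        path = queue.pop()
        if path in seen or path not in site:
            continue
        seen.add(path)
        p = LinkParser()
        p.feed(site[path])
        found = list(p.links)
        if follow_scripts:
            for js in p.scripts:
                found += URL_IN_JS.findall(js)
        queue += [u.split("?")[0] for u in found]  # drop query strings
    return seen

def coverage(site, follow_scripts):
    """Fraction of the site's pages the spider reached."""
    return len(crawl(site, follow_scripts)) / len(site)
```

A link-only spider reaches two of the three pages, so any flaw behind `/api/items` is never tested; a spider that also reads the script text reaches all three.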
