The Emperor’s New Clothes: Why Vulnerabilities in RIA, Mobile and Web Services are Invisible to Most Web Application Scanners

New Research from NT OBJECTives Identifies Nine Application Technologies Overlooked by Most Web Scanners; Company Releases a Re-architected NTOSpider 6 to Close the Gap

APPSEC USA – AUSTIN, TX and IRVINE, CA – October 25, 2012 – In recent years, a new generation of web applications leveraging technologies such as Mobile, JSON, REST, HTML5 and AJAX has emerged to deliver highly complex and dynamic web experiences, but the web application scanner industry has not kept pace in detecting vulnerabilities in these new formats. With a widening scanner coverage gap, security teams have had to turn to manual testing practices to discover vulnerabilities associated with these new formats. Today, NT OBJECTives has released “The Widening Web Application Security Scanner Coverage Gap in RIA, Mobile and Web Services: Is Your Scanner like the Emperor’s New Clothes?”, a research report that identifies nine common underlying web application technologies in mobile applications, Rich Internet Applications (RIA) and web services that are being overlooked by today’s scanners, with practical guidance on how to improve security efficiency and effectiveness for each.

“The spread of mobile applications, web services and complex Rich Internet Applications (RIA) has made a bad situation worse for security professionals, who are constantly playing catch-up to stay ahead of vulnerabilities and frantically defending against persistent hackers. Security teams have been forced to test new applications manually, which has become time consuming, a drain on resources and insufficient for understanding risk,” says Kuykendall.

Today, many web scanners can effectively scan classic HTML and JavaScript sites, but are unable to translate and assess the modern technologies that have become increasingly prevalent and necessary to deliver the rich experience users demand from RIA, mobile and web services applications. In the report, NT OBJECTives (NTO) offers an explanation of each technology, demonstrates why and how each creates challenges for web scanners, and provides step-by-step instructions for how security professionals can determine whether their scanners are effectively scanning and attacking these newer technologies.

The report is being issued today in conjunction with the company’s beta release of NTOSpider 6, a new dynamic application security testing (DAST) solution that includes a proprietary Universal Translator technology that can automatically crawl, detect and attack vulnerabilities that exist in these modern applications.

Application Technologies Invisible to Most Web Scanners

The technologies most commonly overlooked by most web scanners include:

RIA and HTML5

a.  AJAX applications: JSON (jQuery), REST, GWT (Google Web Toolkit)
b.  Flash remoting: AMF
c.  HTML5 applications

Mobile

d.  Backends powered by JSON, REST and other custom formats

Web services

e.  JSON, REST
f.  XML-RPC, SOAP

Complex application workflows

Sequences: Shopping Cart and other strict processes
XSRF/CSRF Tokens

About NTOSpider 6

Available in beta today, NTOSpider 6 provides comprehensive, automated coverage of Mobile, AJAX, SOAP, JSON and other modern application technologies that were previously only discoverable manually. NTOSpider 6 provides security professionals with the following major benefits:

  • Broader coverage: NTO’s new Universal Translator provides rapid, broad coverage of complex, modern applications with an automated tool requiring minimal per-scan manpower.
    • Mobile and Web Services – Enables simulated attacks of web and mobile back-end services by detecting rich client traffic, to decode and attack popular formats including JSON, REST, Flash Remoting (AMF), SOAP, and XML.
    • RIA – Dynamically crawls and attacks rich client traffic including AJAX, jQuery and GWT.
    • Complex workflows – Enables proper testing of features such as shopping cart and business workflows. Includes true sequence crawling and attacking to enable proper testing of sites with XSRF protection. NTOSpider performs XSRF token detection to enable collection and use of valid tokens during each attack.
  • Increased level of automation: Executes repeatable, rapid and comprehensive automated application security testing.
  • Reduces risk: Systematically reduces risk more effectively than ever before by leveraging a more automated process.
  • Frees pen testers: Frees up expert pen testers to test the parts of the application that must be tested manually like business logic.

NTO invites security researchers and security professionals who want to keep pace with modern applications to participate in the NTOSpider 6 beta program. For more information or to register for beta program participation, visit http://www.ntobjectives.com/security-software/ntospider-trial-download-request/

The full research report can be accessed at www.ntobjectives.com/go/widening-web-application-security-scanner-coverage-gap-in-ria-mobile-and-web-services/
