Cenzic's Hailstorm: Augment Your Web Security Toolbox
The updated vulnerability assessment tool can scan Ajax-enabled sites and applications for a wide range of security weaknesses.
Cenzic's Hailstorm detects vulnerabilities in both Web and AJAX-enabled sites, using differencing techniques rather than signatures. Hailstorm's AJAX-specific features are aimed at catching authorization and authentication holes and ensuring that dynamic AJAX links are examined for potential vulnerabilities, especially ones that could allow SQL injection and cross-site scripting.
The rapid growth of AJAX-enabled sites and applications on the Web and in the enterprise has raised the hackles of security administrators who are rightfully concerned about securing this popular Web 2.0 technology. In general, most AJAX-based sites are vulnerable to Web attacks, as many developers still fail to implement proper security. Furthermore, the technology is open to a wide range of XML attacks, which standard vulnerability-assessment tools haven't addressed.
While Cenzic's Hailstorm uncovers conventional Web-based vulnerabilities applicable to AJAX, it can't find those that could lead to more sinister XML-based attacks, such as XML bombs and entity expansion attacks. Rival Parasoft's SOAPtest has a firmer XML base on which to build its vulnerability-testing software. Hailstorm can root out vulnerabilities to SQL injection and session tampering in AJAX applications as well as validate authentication mechanisms. The product's thorough scanning of Web sites makes it a good companion for products that spot XML vulnerabilities.
Cenzic, a long-time player in the application security field, has updated its Hailstorm vulnerability-assessment tool to include the ability to scan AJAX-enabled applications for a wide range of security weaknesses. Though Hailstorm remains Web-focused and does not include many of the top 10 XML/SOA-specific vulnerabilities, the tool is able to discover vulnerabilities that even its SOA security-focused counterparts may not be able to root out. This is largely due to AJAX's reliance on the browser's scripting capabilities. Security enforcement products such as Forum Systems' XWall and Sentry, Reactivity's XML Security Gateway and Layer 7 Technologies' Secure- Span XML Gateway don't account for such factors as session management and security, because they don't interact with the browser. A pairing of Hailstorm with any of these XML/SOA-specific security tools would constitute a complete Web 2.0 and SOA security strategy.
No Single Solution
No vulnerability assessment product finds all the holes in AJAX, SOAP and conventional Web apps. But Hailstorm competitors such as SPI Dynamics' WebInspect and Watchfire AppScan Audit have long been able to scan for Web application vulnerabilities to SQL injection attacks and buffer overflows in Web services and XML, and they're ahead of Cenzic in their ability to seek out SOA vulnerabilities. However, the rivals - with the exception of SPI Dynamics - don't address AJAX issues, such as authentication and authorization of dynamic links to scripts on the server; nor do they handle session-based vulnerabilities as well as Hailstorm.
Hailstorm's AJAX-specific security assessment capabilities are available as an update to the latest version. There's not much outward indication of the product's AJAX support other than the ability to edit AJAX request formats in the same way it offers editing of SQL injection strings. Hailstorm scans for AJAX vulnerabilities whenever it encounters an AJAX-enabled site. The product must be configured to test for security holes relevant to the technology, such as SQL injection, authentication and authorization, and a limited number of XML structural vulnerabilities.
Hailstorm does not perform signature-based scans. Instead, the program uses its internal Firefox browser to detect errors based on actual responses received. With AJAX-enabled sites, Hailstorm performs a complete XML structural analysis of the pages. First, the product retrieves pages with appropriate data, then it purposefully injects errors into the requests and evaluates the response based on the original correct response. This technique lets Hailstorm detect vulnerabilities that allow attacks such as privilege escalation, which generally appear on a page as additional options that are structurally correct.
The use of an internal browser lets Hailstorm perform session-based assessments of vulnerabilities such as session hijacking, which cannot be discovered using signature-based scans. There are drawbacks, however, to using its Firefox browser as the medium for vulnerability assessment, as it is unable to detect security holes in VBScript or Microsoft-specific technologies like ActiveX. As a workaround, Hailstorm provides a proxy-based scan that employs Internet Explorer for these technologies.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 7, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program!