Clean Up Ajax Security Problems: A Comparative Review - InformationWeek

The CRN Test Center compares Cenzic, SPI, Finjan, and Apache products that help developers mitigate the vulnerabilities posed by Ajax-based Web applications.

Examples of internal end users are those who evaluate forms for banks and other financial firms. To determine what a given Ajax request actually did, Hailstorm includes a browser on the server side that follows the event-driven responses produced by internal users' actions and traces each request back to the page load in the client browser that issued it.

For instance, after injecting attack strings into form data sent over Ajax, Hailstorm users can compare the sizes of the responses; a response that grows or shrinks relative to the baseline is a sign that the injected input changed the underlying query. If an internal user then clicks through a JavaScript pop-up produced by such an Ajax-based SQL injection, the data the Web app returns can leak, giving attackers table dumps of financial data. Because Hailstorm tags each transaction with a watermark ID, its output can pinpoint the exact request within a page load that exposed the flaw. The same tagging supports stateful assessments: the tool maintains the Web app's session state across requests, as a real attacker would.
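The response-size comparison described above, as an added example that is not Cenzic's code: a toy Ajax lookup endpoint that pastes the caller's value into SQL text, a parameterized counterpart, and a scanner that sends a benign value, a true tautology and a false tautology and compares the body sizes. The ACCOUNTS table, the tiny WHERE evaluator standing in for a real database, and all function names are assumptions.

```javascript
// Added example, not Cenzic's code. The in-memory "database" and its tiny
// WHERE evaluator are assumptions standing in for a real DBMS.
'use strict';

// Constructed sample data.
const ACCOUNTS = [
  { owner: 'alice', balance: 1200 },
  { owner: 'bob',   balance: 340 },
  { owner: 'carol', balance: 9800 },
];

// Tokenizer for the WHERE clause: identifiers, 'string' literals, =, AND, OR.
// Throws on malformed SQL, as a real database would.
function tokenize(clause) {
  const tokens = [];
  let i = 0;
  while (i < clause.length) {
    const c = clause[i];
    if (/\s/.test(c)) { i++; continue; }
    if (c === '=') { tokens.push({ t: 'EQ' }); i++; continue; }
    if (c === "'") {
      const end = clause.indexOf("'", i + 1);
      if (end < 0) throw new Error('unterminated string literal');
      tokens.push({ t: 'STR', v: clause.slice(i + 1, end) });
      i = end + 1;
      continue;
    }
    const m = /^[A-Za-z_]\w*/.exec(clause.slice(i));
    if (!m) throw new Error(`syntax error near ${JSON.stringify(c)}`);
    const kw = m[0].toUpperCase();
    tokens.push(kw === 'AND' || kw === 'OR' ? { t: kw } : { t: 'ID', v: m[0] });
    i += m[0].length;
  }
  return tokens;
}

// expr := term (OR term)* ; term := cmp (AND cmp)* ; cmp := operand = operand
// Every operand is consumed even when the result is already decided.
function evalWhere(tokens, row) {
  let p = 0;
  const operand = () => {
    const k = tokens[p++];
    if (!k) throw new Error('unexpected end of clause');
    if (k.t === 'STR') return k.v;
    if (k.t === 'ID') return String(row[k.v]);
    throw new Error('expected operand');
  };
  const cmp = () => {
    const left = operand();
    if (!tokens[p] || tokens[p].t !== 'EQ') throw new Error('expected =');
    p++;
    return left === operand();
  };
  const term = () => { let r = cmp(); while (tokens[p] && tokens[p].t === 'AND') { p++; r = cmp() && r; } return r; };
  const expr = () => { let r = term(); while (tokens[p] && tokens[p].t === 'OR') { p++; r = term() || r; } return r; };
  const result = expr();
  if (p !== tokens.length) throw new Error('trailing tokens');
  return result;
}

// Vulnerable endpoint: the caller-supplied owner is pasted into the SQL text.
function vulnerableLookup(owner) {
  const where = `owner = '${owner}'`; // injection point
  try {
    const tokens = tokenize(where);
    return { status: 200, body: JSON.stringify(ACCOUNTS.filter(r => evalWhere(tokens, r))) };
  } catch (e) {
    return { status: 500, body: 'SQL error: ' + e.message };
  }
}

// Hardened endpoint: the value is bound as data and never parsed as SQL.
function parameterizedLookup(owner) {
  return { status: 200, body: JSON.stringify(ACCOUNTS.filter(r => r.owner === owner)) };
}

// Scanner: if the body grows under the true tautology and shrinks under the
// false one, the endpoint is evaluating the attacker's SQL. A 500 on a lone
// quote is the classic error-based signal and is reported separately.
function probeSqlInjection(handler, benign) {
  const base = handler(benign).body.length;
  const yes  = handler(`${benign}' OR '1'='1`).body.length;
  const no   = handler(`${benign}' AND '1'='2`).body.length;
  return {
    sizes: { baseline: base, trueCase: yes, falseCase: no },
    sqlError: handler(`${benign}'`).status === 500,
    injectable: yes > base && no < base,
  };
}

console.log(probeSqlInjection(vulnerableLookup, 'alice'));     // injectable: true
console.log(probeSqlInjection(parameterizedLookup, 'alice'));  // injectable: false
```

Run with node. The oracle is the one Hailstorm users apply by hand: a true tautology that widens the result set and a false one that empties it means the server evaluated the attacker's SQL. Against the parameterized endpoint both payloads are treated as literal owner names and return the same empty result, so nothing is flagged. Real pages vary in size for unrelated reasons (timestamps, session tokens), so a production scanner repeats the baseline and compares against a tolerance rather than exact lengths.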

SPI Dynamics also offers a comprehensive app security testing solution. The SPI Dynamics suite provides tools for every stage of a software development life cycle, covering black box assessments, code inspection, testing and unified viewing of all results.

For black box testing, the WebInspect tool provides highly interactive UIs for the suite's scanning and test results features. WebInspect shows vulnerability results and sports a dashboard for tracking the scanning process. Users can edit vulnerability sessions to get results from individual scans and produce custom reports.

The Policy Manager tool lets end users configure multiple scanning engines to run on a job and specify which tests each scan can execute. Users also can generate custom agents to trace test code.

According to SPI Dynamics, Ajax apps are flawed whenever developers fail to identify cross-site scripting and Web services vulnerabilities. For cross-site scripting, WebInspect reports every manipulated parameter and the individual characters used to achieve penetration.

To get there, WebInspect's engine sends many combinations of characters through the Ajax-based JavaScript code paths to learn which ones the app lets through unfiltered. From those results, WebInspect works out how to craft a cross-site scripting attack, and it reports the page on which the flaw was found.

Another tool, DevInspect, enables developers to correlate the vulnerabilities found on pages with specific code. DevInspect performs source code analysis and black box testing within an IDE such as Visual Studio 2005, and Eclipse support is due at the year's end. Such hybrid analysis is unique to SPI Dynamics.

DevInspect, too, can show the raw HTTP requests behind injection results. SPI Dynamics also offers an HTTP editor that sends edited requests back to the Web server, helping developers track what happens on the server side. Both tools let developers retest fixed vulnerabilities: they can pull the recorded attack requests and resend them to the Web server.

Even against strong data filtering and server-side validation code, DevInspect tries to get in by generating inputs crafted to bypass those routines. Developers can modify an attack in midstream to flag flaws in the Ajax responses returned through XMLHttpRequest. DevInspect checks for Web services vulnerabilities by applying SQL injections and identifying input validation threats. The tool also can fix vulnerabilities automatically, modifying code to address input validation problems and repairing configuration problems.
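The character-probing and retest workflow described in the WebInspect and DevInspect passages above, as an added example that is not SPI Dynamics' code: an Ajax search handler with a naive filter, its HTML-encoding fix, a probe that records which metacharacters come back unencoded, a payload picker that confirms reflection by resending, and a retest that replays the recorded attack against the fixed build. The handler names, the filter, the marker string and the candidate payload list are assumptions.

```javascript
// Added example, not SPI Dynamics' code. Both handlers, the naive filter,
// the marker and the candidate list are assumptions.
'use strict';

// Characters a payload may need, each probed between unique markers so the
// reflection can be located in the response body.
const PROBE_CHARS = ['<', '>', '"', "'", '/', '(', ')', ';', '='];
const MARKER = 'zq9x';

// Candidate payloads, tried in order; each uses only characters from PROBE_CHARS.
const CANDIDATES = [
  '<script>alert(1)</script>',   // beaten by the naive filter below
  '<svg onload=alert(1)>',       // contains no "<script", so it gets through
  '"onmouseover="alert(1)"',     // attribute-context variant
];

// Vulnerable handler: strips "<script" and reflects the term into an HTML fragment.
function vulnerableSearch(q) {
  const filtered = q.replace(/<script/gi, '');
  return `<div class="results">No results for <b>${filtered}</b></div>`;
}

// Fixed handler: HTML-encodes the term before it reaches the fragment.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function fixedSearch(q) {
  return `<div class="results">No results for <b>${escapeHtml(q)}</b></div>`;
}

// Step 1: which metacharacters does the app let through unchanged?
function findSurvivingChars(handler) {
  return PROBE_CHARS.filter(c => {
    const probe = MARKER + c + MARKER;
    return handler(probe).includes(probe);
  });
}

// Step 2: pick the first candidate whose characters all survive, then confirm
// by resending it and checking for verbatim reflection. Surviving characters
// alone are not proof: the first candidate passes the character test and
// still fails, because the filter matches a multi-character pattern.
function findReflectedPayload(handler) {
  const survivors = findSurvivingChars(handler);
  for (const payload of CANDIDATES) {
    const needed = [...payload].filter(c => PROBE_CHARS.includes(c));
    if (!needed.every(c => survivors.includes(c))) continue;
    if (handler(payload).includes(payload)) return { payload, survivors };
  }
  return { payload: null, survivors };
}

// Step 3: retest after the fix by replaying the recorded attack request.
// Returns true when the payload no longer reflects verbatim.
function retest(recordedPayload, handler) {
  return !handler(recordedPayload).includes(recordedPayload);
}

const finding = findReflectedPayload(vulnerableSearch);
console.log('found:', finding.payload);                        // <svg onload=alert(1)>
console.log('fixed:', retest(finding.payload, fixedSearch));   // true
```

The oracle here is verbatim reflection into the HTML body, which is sufficient for a body context; attribute and JavaScript contexts need context-aware checks, and DOM-based XSS never reaches the server, so a reflection probe of this kind cannot see it.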

By the first quarter of 2007, SPI Dynamics plans to integrate WebInspect and DevInspect through its Assessment Management Platform (AMP) product to cover the entire application development life cycle. Ideally, AMP will analyze and correlate data from WebInspect and DevInspect users so that different groups can share results.

NEXT: Finjan Vital Security Appliance and Apache's XAP.

2 of 3