Web scanners not keeping up with HTML5, web services

NT OBJECTives reports that most web application scanners can effectively crawl and test classic HTML and JavaScript sites, but cannot parse and assess the newer technologies that have become prevalent in (and necessary for) the rich experience users now expect. According to the report, manual testing has so far been the only way to find vulnerabilities behind formats such as JSON, REST, HTML5 and AJAX, which is a time-consuming drain on resources.

“The spread of mobile applications, web services and complex RIA has made a bad situation worse for security professionals, who are constantly playing catch up to stay ahead of vulnerabilities and frantically defending against persistent hackers,” said Dan Kuykendall, co-CEO and CTO of NT OBJECTives, which issued its paper on the subject at this week’s AppSec USA conference. “Security teams have been forced to test new applications manually, which has become time-consuming, a drain on resources and insufficient for understanding risk.”

The report lists AJAX applications built on JSON (jQuery), REST and Google Web Toolkit, Flash remoting via AMF, and HTML5 applications as technologies that fly under most scanners’ radar. On the mobile side, back-ends driven by JSON, REST and other custom formats are often “invisible” to a scanner, as are web services that use JSON, REST, XML-RPC and SOAP. Complex application workflows are also commonly missed: multi-step sequences such as a shopping cart checkout or other strictly ordered processes, and requests protected by XSRF/CSRF tokens that must be harvested from one response and replayed in the next.
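Why a form-only scanner finds nothing to attack in a JSON request, as an added example that is not code from the report or from NTOSpider. The two request bodies below are constructed for illustration; the classic parser is Python’s `urllib.parse.parse_qsl` (what a form-aware crawler effectively does), and the JSON walker enumerates every leaf value as a separate injection point, using a simplified JSON-Pointer style path (keys containing `/` are not escaped here) and mutates one leaf at a time while leaving the rest of the document intact:

```python
import json
from urllib.parse import parse_qsl

# Constructed sample request bodies (not captured from any real application).
FORM_BODY = "user=alice&item=42"
JSON_BODY = ('{"user": "alice", "cart": {"items": [{"id": 42, "qty": 1}],'
             ' "coupon": null}}')

# Marker payload a scanner would substitute to look for reflection/errors.
PAYLOAD = "'\"<inj>"


def form_injection_points(body):
    """Parameter names a classic form-encoded scanner would attack.

    A JSON body has no '=' separators, so parse_qsl yields nothing: the
    scanner sees zero parameters and tests zero injection points.
    """
    return [name for name, _ in parse_qsl(body)]


def json_injection_points(body):
    """Path to every leaf value in a JSON body, e.g. '/cart/items/0/id'.

    Objects and arrays are descended recursively; each scalar (string,
    number, bool, null) is a distinct place a payload can be inserted.
    """
    doc = json.loads(body)
    paths = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [index])
        else:
            paths.append("/" + "/".join(str(p) for p in path))

    walk(doc, [])
    return paths


def _navigate(doc, path):
    """Return (parent container, final key) for a simplified pointer path."""
    parts = path.strip("/").split("/")
    node = doc
    for part in parts[:-1]:
        node = node[int(part)] if isinstance(node, list) else node[part]
    last = parts[-1]
    return node, (int(last) if isinstance(node, list) else last)


def mutate_json(body, path, payload):
    """Copy of body with the leaf at `path` replaced by `payload`.

    Types and structure elsewhere are preserved, so the server still
    parses the request and the payload reaches the intended parameter.
    """
    doc = json.loads(body)
    parent, key = _navigate(doc, path)
    parent[key] = payload
    return json.dumps(doc, separators=(",", ":"))


def leaf_at(body, path):
    """Read back the value at `path`, used to verify a mutation."""
    parent, key = _navigate(json.loads(body), path)
    return parent[key]


def inject_all(body, payload=PAYLOAD):
    """One mutated request per injection point: what a JSON-aware scanner sends."""
    return [(path, mutate_json(body, path, payload))
            for path in json_injection_points(body)]


if __name__ == "__main__":
    print("form parser on form body :", form_injection_points(FORM_BODY))
    print("form parser on JSON body :", form_injection_points(JSON_BODY))
    print("JSON walker on JSON body :", json_injection_points(JSON_BODY))
    for path, mutated in inject_all(JSON_BODY):
        print(path, "->", mutated)
```

Running it shows the form parser finding two parameters in the form body and none in the JSON body, while the JSON walker finds four leaves, including the `id` and `qty` nested inside the cart array. A real DAST engine has to do this per format (REST path segments, AMF, XML-RPC, SOAP) and, for the workflow cases mentioned above, replay the sequence with a fresh CSRF token each time, which is the gap the report describes.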

The report is being issued alongside the beta release of NTOSpider 6, the company’s new dynamic application security testing (DAST) product, which includes a proprietary “Universal Translator” that is intended to automatically crawl these modern application formats and detect and attack the vulnerabilities in them.
