Darren,

On Wed, Sep 8, 2010 at 2:47 PM, Darren Hartford <[email protected]> wrote:
> With regards to AJAX support, that is a very weak area in security scanners 
> at the moment, and a real opportunity for someone like W3AF to get the jump 
> on the problem and get ahead of
> the curve (and, therefore, increase adoption). My personal bias is the 
> extensive adoption of GWT ajax technology and lack of supporting security 
> scanning.
>
> From a user point of view, there are two different points of interest:
>
> -comprehensive scanning (i.e. wivet/etc to create the crawl list, which 
> doesn't identify ajax calls that well).
>
> -specific/user-driven scanning (usually accomplished by a user interacting with a 
> recording proxy, which captures the HTTP ajax requests/responses. Think JMeter 
> recording proxies).
>
> However, with AJAX there is a single problem to work with -- a single action 
> (button or hyperlink click) will make 0-N ajax requests (or normal non-ajax 
> requests).  It isn't a one-to-one, nor is it a 'page' from normal security 
> scanning (i.e. the crawler problem). Also, there are poll/push ajax requests, 
> but that is for another time.

    And the problem is even bigger, 0..N action(s) can create 0..N request(s).

> Probably the best approach is combining a crawler (that follows 
> buttons/clickable divs/etc) with a proxy recorder for the time being just to 
> re-use what already exists and (mostly) works to
> get the items that need an actual security scan from a comprehensive point of 
> view, and just re-use the proxy recorder for the specific user driven scans.

    We kind-of already do this. If you want to scan a website that
uses ajax/flex/java applets you can use the discovery.spiderMan plugin
that will record user traffic with a proxy and then use that knowledge
to scan. That's easy. The difficult part is to "understand" javascript
and work with that in an automated way.

> The actual security review of the requests/responses once you have the list, 
> well, I'll leave that to the more knowledgeable folks...which coincides with 
> previous discussions about
> authenticated sessions over the span of the scan/security review, which is 
> also relevant to ajax :-)
>
> my two coppers from an outside point of view,

    Thanks! :)

> -D
>
> =============
>    1. Re: [W3af-develop] W3AF for enterprise? (Andres Riancho)
>>> For the future - we really need more powerful AJAX support:
>>>  - FF plugin
>>>  - own parsing engine (webkit+v8)?
>>>  - selenium
>>> What do you guys think about these things?
>>>
>>
>> All these are on the roadmap. I suggest you check it out ;-)
>> I think Andres has made a good plan.  Just waits to be seen:
>> 1) How the funding works out/ how long it lasts
>> 2) if lazy lurkers like me get off their butt and contribute more ;-)
>>
>> Hitting the 1.0 milestone should make w3af much more useful for me, and
>> hence easier to justify spending time on.  Digging in enough to fix a
>> few of the major 1.0 bugs seems tough even for the author of the code,
>> so it's hard for anyone else to want to touch them.
>>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
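As an added example (not w3af's spiderMan code, and not from either poster), here is one way the "proxy recorder" step above can turn captured traffic into a deduplicated scan list while keeping the 0..N action-to-requests mapping; the capture records, hostnames and the is_ajax heuristic are constructed assumptions.

```python
# Added example: derive scan targets from a proxy-recorded session.
# Each record is (action_id, method, url, headers, body); the action_id
# tags which user click produced the request. All data is constructed.
from urllib.parse import urlsplit, parse_qsl

XHR = {"X-Requested-With": "XMLHttpRequest"}
CAPTURE = [
    (1, "GET",  "http://app.example/index.html", {}, ""),
    (2, "POST", "http://app.example/gwt/search",
        {"Content-Type": "text/x-gwt-rpc; charset=utf-8"}, "7|0|4|..."),
    (2, "GET",  "http://app.example/api/items?page=1", XHR, ""),
    (2, "GET",  "http://app.example/api/items?page=2", XHR, ""),
    (3, "POST", "http://app.example/login", {}, "user=alice&pass=secret"),
    (3, "GET",  "http://app.example/api/items?page=1", XHR, ""),
]

def is_ajax(headers):
    """Heuristic (assumption): XHR marker, JSON or GWT-RPC content type."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    return (h.get("x-requested-with") == "xmlhttprequest"
            or "json" in h.get("content-type", "")
            or "json" in h.get("accept", "")
            or "x-gwt-rpc" in h.get("content-type", ""))

def target_key(method, url, body):
    """Identity of a scan target: method, path and parameter *names* only,
    so /api/items?page=1 and ?page=2 collapse into one target."""
    parts = urlsplit(url)
    names = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    if "=" in body:  # form-encoded body: add its parameter names too
        names += sorted(k for k, _ in parse_qsl(body, keep_blank_values=True))
    base = parts.scheme + "://" + parts.netloc + parts.path
    return (method.upper(), base, tuple(names))

def build_scan_list(capture):
    """Return (targets, per_action): targets maps key -> {"ajax", "actions"},
    per_action maps action_id -> set of target keys it triggered."""
    targets, per_action = {}, {}
    for action, method, url, headers, body in capture:
        key = target_key(method, url, body)
        entry = targets.setdefault(key, {"ajax": False, "actions": set()})
        entry["ajax"] = entry["ajax"] or is_ajax(headers)
        entry["actions"].add(action)
        per_action.setdefault(action, set()).add(key)
    return targets, per_action

if __name__ == "__main__":
    targets, per_action = build_scan_list(CAPTURE)
    for key, info in targets.items():
        print(key, "ajax" if info["ajax"] else "plain", sorted(info["actions"]))
```

The six recorded requests collapse into four targets, and action 2 is seen to fan out into two distinct endpoints, which is the non-one-to-one relationship discussed above.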

------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:

Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
