The IBM Application Security Insider is a blog devoted to dissecting today’s latest industry trends, observations and evolving threats in the growing web application security industry.
The IBM AppScan portfolio provides web application security and compliance solutions that pinpoint vulnerabilities and helps manage the process of fixing them.
Looking to do dynamic security testing of your mobile apps? Look no further!
In this hands-on article, learn how to use IBM Security AppScan Standard with mobile user agents, as well as emulators and actual devices for Android and iOS.
2012 IBM CAS Project of the Year: Efficient and Scalable Mapping of Mobile and Complex Rich Internet Applications for Automated Security Testing
The ability to "crawl" Web sites and Web applications is at the core of the Internet. Crawling is necessary to indexing, searching and security testing operations. With the rise of "Rich Internet Applications" (RIA) there is a tremendous gain in end-user experience, but it is becoming harder to automatically crawl these Web sites. Another recent evolution in computing is the move to everything mobile. Mobile applications are bound to replace desktop applications in the coming years. It is therefore critical to develop crawling tools adapted to this new paradigm.
The objective of this research is to provide efficient and scalable crawling techniques that work on real-life RIAs and mobile applications, and do so entirely automatically. It builds on the results of our previous research, but tackles the open problem that some RIAs are simply too large to be crawled exhaustively.
The project was awarded by IBM with the "Project of the Year 2012" distinction based on the following criteria:
Excel as a research center for the advancement of applied science in research areas strategic to IBM
Harvest and transfer results from advanced research to strategic products and initiatives
Build and foster relationships among researchers, IBM and customers
Expose IBM developers to current research directions, and identify new and emerging technology issues for academic research.
Mobile security can be tested in a variety of ways. You can apply black box testing to test the server-side logic that your mobile app is working with, as we've recently blogged about.
You can also apply static analysis to test the client side. The following short video shows exactly how that's done using IBM Security AppScan Source Edition:
For a more complete overview of mobile security, check out the webcast we've recently published.
IBM Security AppScan provides automated security scanning of web applications.
Did you know that you can apply test policies within IBM Security AppScan to cover particular aspects of the scan? Using the right policy produces optimal scanning results and reduces false positives.
In this great article, you can get an overview of IBM Security AppScan test policies, and learn which policy is optimal based on the type of application and its stage of development. The article also provides a side-by-side policy comparison that details each scan policy that is offered by the IBM Security AppScan tool.
In today's world any self-respecting web site must provide access to its services through a desktop browser as well as a mobile device. This basically means that there are two versions of every site, one for desktop users and one for mobile users. Are both secure? How do we know for sure?
First, let's take a quick look at some of the reasons why companies would prefer to have mobile users visit a mobile-based site instead of directing them to the original desktop site.
Technologies - There are certain technologies that are not supported on a mobile device (e.g. Flash on iOS) that would have to be redesigned to meet smartphone requirements.
User experience - The user experience is completely different. Take the hover action, for example: a desktop user can hover over a certain area and have menus sliding this way and that, but on a mobile device hovering does not exist.
Like the web itself, security scanners are advancing at a fast pace. Here are the top 5 technologies that leading security professionals are applying to stay ahead of the curve:
5. XSS Analyzer
The "classic" black box approach for detecting XSS relies on sending a batch of tests based on a "cheat sheet" of around a hundred different payloads. This is a reasonable approach for an automated tool, but it isn't very sophisticated.
Mimicking a human attacker, XSS Analyzer is a learning system that follows a disciplined step-by-step approach. XSS Analyzer learns the defense patterns of an application, and finds ways to defeat those defenses. This allows XSS Analyzer to find vulnerabilities that could never be found automatically before, with higher accuracy and in less time.
var str = document.URL;                       // current page URL; query string is attacker-influenced
var search_term = 'login.html';               // the filename being swapped for its JSP equivalent
var url_check = str.indexOf(search_term);
if (url_check > -1) {
    var result = str.substring(0, url_check); // scheme, host and path up to the filename
    result = result + 'login.jsp' + str.substring(url_check + search_term.length, str.length);
    document.URL = result;                    // navigate to the rewritten URL
}
Any standard taint analysis would argue that this code is vulnerable to Open Redirect, since the value of the untrusted variable "str" flows into the assignment "document.URL = result"; this presumably allows an attacker to control the target URL of a redirect operation, which means that phishing is possible.
However, closer inspection reveals there is no vulnerability here: while part of the target URL can indeed be controlled by an attacker (the request parameters), the target hostname of the redirection is beyond the attacker's control.
The best technologies are often the ones that you, as a user, never have to worry about. They work automatically, behind the scenes, making a product or service work better. With nothing to configure, nothing new to learn. They just work.
String Analysis is such a technology. If you think about it, it's a thing of beauty, because String Analysis is actually one of the most complicated analysis technologies that IBM (or anyone) has ever developed in the world of static analysis.
Exploiting this vulnerability, an attacker could steal arbitrary files from a Dropbox / Google Drive user by tricking them into viewing a malicious HTML file inside the mobile app. By abusing the way in which these apps render HTML files, an attacker could bypass Same Origin Policy restrictions and read files that are accessible to the app itself, including sensitive user content and application configuration.
Cross-Zone Scripting was once quite common in desktop environments until it was mitigated by browser vendors. Unfortunately, this vulnerability type has been carried over to the mobile world, where it is still a threat. As always, it is interesting to see how old vulnerabilities sneak up on new products.
If you have ever worked with an AppScan expert they probably got you to install the AppScan Traffic Viewer. This tool is the Swiss army knife of the AppScan power user, containing a multitude of support features and giving you full visibility into what happens under the covers.
If you haven't used the tool yet you should definitely give it a try. Starting with AppScan 8.6 the tool is located in the AppScan tools folder ([AppScan Installation Directory]\Tools\Traffic Viewer\TrafficViewerSetup.msi) or can be downloaded from the AppScan Enterprise portal (by going to http://[appscan_server]/appscan_instance/downloads/TrafficViewerSetup.msi).
Built on the model of other HTTP debuggers such as Fiddler or Paros, it works in both online and offline mode: by loading the AppScan traffic dumps it can give you a post mortem of the security scan without interfering with the scan itself. For example, if your site crashed during the scan and you want to find out which request is responsible for this Denial of Service, Traffic Viewer is the ideal tool for that.
To obtain the AppScan Standard traffic log you will need to enable it from Tools > Options > Enable Request/Response Logging. In AppScan Enterprise you enable it from Scan Properties > Log Settings and can download it from the Scan Statistics screen.
I started building this tool when I was part of the AppScan support team, and over the years, every time we needed an extra tool or capability in a troubleshooting situation, I would add it to Traffic Viewer, so the tool kind of adapted to our support needs. The latest version allows you to text-diff HTTP traffic, reproduce HTTP requests, do regex searches and replacements, export traffic to various formats, encode/decode strings and many, many other things.
Please watch the video to see a demo of Traffic Viewer and take full advantage of this tool in this release of AppScan Standard and AppScan Enterprise.