« October 2012 | Main | December 2012 »

November 2012

November 26, 2012

Have you scanned your mobile site for vulnerabilities yet?

Mobile sites - Resurrecting security risks

In today's world any self respecting web site must provide access to its services through a desktop browser as well as a mobile device. This basically means that there are two versions to every site, one for desktop users and one for mobile users. Are both secure? How do we know for sure?

First, let's take a quick look at some of the reasons why companies would prefer to have mobile users visit a mobile-based site instead of directing them to the original desktop site.

  • Technologies - There are certain technologies that are not supported on a mobile device (e.g. Flash on iOS) that would have to be re-designed to meet smartphone requirements.
  • User experience - The user experience is completely different. For example, take the hover action, a desktop user can hover over a certain area and have menus sliding this way and that. But on a mobile device hovering does not exist.

Continue reading "Have you scanned your mobile site for vulnerabilities yet?" »

Posted by on November 26, 2012 in Mobile, Research, Web Application Scanners, Web Application Security, Web Application Threat Classification | | Comments (0) | TrackBack (0)

| |

November 19, 2012

Top 5 Innovations Transforming Security Scanners

Like the web itself, security scanners are advancing at a fast pace. Here are the top 5 technologies that leading security professionals are applying to stay ahead of the curve:


5. XSS Analyzer

The "classic" black box approach for detecting XSS relies on sending a bulk of tests based on a “cheat sheet” of around a hundred different payloads. This is a reasonable approach for an automated tool, but it isn’t very sophisticated.

Mimicking a human attacker, XSS Analyzer is a learning system that follows a disciplined step-by-step approach. XSS Analyzer learns the defense patterns of an application, and finds ways to defeat those defenses. This allows XSS Analyzer to find vulnerabilities that could never be found automatically before, with higher accuracy and less time.

 

Continue reading "Top 5 Innovations Transforming Security Scanners" »

Posted by on November 19, 2012 | | Comments (0) | TrackBack (0)

| |

November 13, 2012

String Analysis in AppScan/JSA

Let's see how String Analysis is used to improve the accuracy of JSA

Consider the following real-world example:

var str = document.URL;
var url_check = str.indexOf('login.html');
if (url_check > -1) {
   result = str.substring(0,url_check);
   result = result + 'login.jsp' + str.substring((url_check+search_term.length), str.length);
   document.URL = result;
}

Any standard taint analysis would argue that this code is vulnerable to Open Redirect, since the value of the untrusted variable "str" flows into the assignment "document.URL = result"; this presumably allows an attacker to control the URL target of a redirect operation, which means that phishing is possible.

However, closer inspection reveals there is no vulnerability here: while part of the target URL can indeed be controlled by an attacker (the request parameters), the target hostname of the redirection is beyond the attacker's control.

So what could we do? 

Continue reading "String Analysis in AppScan/JSA" »

Posted by on November 13, 2012 | | Comments (0) | TrackBack (0)

| |

November 08, 2012

What is String Analysis? A look at one of AppScan's breakthrough technologies

The best technologies are often the ones that you, as a user, never have to worry about. They work automatically, behind the scenes, making a product or service work better. With nothing to configure, nothing new to learn. They just work.

String Analysis is such a technology. If you think of it, it's a thing of beauty. Because String Analysis is actually one of the most complicated analysis technologies that IBM (or anyone) has ever developed in the world of static analysis.

Continue reading "What is String Analysis? A look at one of AppScan's breakthrough technologies" »

Posted by on November 08, 2012 | | Comments (0) | TrackBack (0)

| |

Follow us on Twitter

IBM Application Security Insider
IBM Application Security Insider

AppScan Free Trial


Try IBM Security AppScan software at no charge.

Search

Recent Posts

Archives

Categories

Pages

Become a Fan