The IBM Application Security Insider is a blog devoted to dissecting today’s latest industry trends, observations and evolving threats in the growing web application security industry.
The IBM AppScan portfolio provides web application security and compliance solutions that pinpoint vulnerabilities and helps manage the process of fixing them.
In today's world, any self-respecting web site must provide access to its services through a desktop browser as well as a mobile device. This effectively means there are two versions of every site, one for desktop users and one for mobile users. Are both secure? How do we know for sure?
First, let's take a quick look at some of the reasons why companies would prefer to have mobile users visit a mobile-based site instead of directing them to the original desktop site.
Technologies - Certain technologies are not supported on mobile devices (e.g. Flash on iOS) and would have to be re-designed to meet smartphone requirements.
User experience - The user experience is completely different. Take the hover action, for example: a desktop user can hover over a certain area and have menus sliding this way and that, but on a mobile device hovering does not exist.
Like the web itself, security scanners are advancing at a fast pace. Here are the top 5 technologies that leading security professionals are applying to stay ahead of the curve:
5. XSS Analyzer
The "classic" black box approach for detecting XSS relies on sending a batch of tests based on a "cheat sheet" of around a hundred different payloads. This is a reasonable approach for an automated tool, but it isn't very sophisticated.
Mimicking a human attacker, XSS Analyzer is a learning system that follows a disciplined step-by-step approach: it learns the defense patterns of an application and finds ways to defeat those defenses. This allows XSS Analyzer to find vulnerabilities that could never be found automatically before, with higher accuracy and in less time.
    var str = document.URL;
    var search_term = 'login.html';   // used below; the original fragment left it undefined
    var url_check = str.indexOf(search_term);
    var result;
    if (url_check > -1) {
        // keep everything before 'login.html' (scheme, host and path prefix),
        // swap in 'login.jsp', then append whatever followed (query string, fragment)
        result = str.substring(0, url_check);
        result = result + 'login.jsp' + str.substring(url_check + search_term.length, str.length);
        document.URL = result;
    }
Any standard taint analysis would argue that this code is vulnerable to Open Redirect, since the value of the untrusted variable "str" flows into the assignment "document.URL = result"; this presumably allows an attacker to control the URL target of a redirect operation, which means that phishing is possible.
However, closer inspection reveals there is no vulnerability here: while part of the target URL can indeed be controlled by an attacker (the request parameters), the target hostname of the redirection is beyond the attacker's control.
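To make that reasoning concrete, here is an added example (not IBM's code, and not the static String Analysis described below): a character-level taint model of the snippet above, run on constructed sample URLs under an assumed www.example.com host. It relies on the standard URL API available in Node and browsers, and it flags each character by whether an attacker could have chosen it.

```javascript
// Added example, not IBM's code nor its (static) String Analysis: a character-level
// taint model of the snippet above, run on constructed inputs. Every character
// carries a flag saying whether an attacker could have chosen it. The scheme,
// host and port of document.URL are fixed by where the page was served from, so
// those characters start untainted; everything after the origin starts tainted.
function fromDocumentUrl(href) {
  const originLen = new URL(href).origin.length;
  return { s: href, taint: Array.from({ length: href.length }, (_, i) => i >= originLen) };
}
// A value the attacker controls entirely, e.g. read from a query parameter.
function fromUntrusted(text) {
  return { s: text, taint: new Array(text.length).fill(true) };
}
// String literals in the program are fully trusted.
function literal(text) {
  return { s: text, taint: new Array(text.length).fill(false) };
}
// substring and concatenation carry each character's flag along with it.
function substring(v, start, end) {
  return { s: v.s.substring(start, end), taint: v.taint.slice(start, end) };
}
function concat(a, b) {
  return { s: a.s + b.s, taint: a.taint.concat(b.taint) };
}
// The page's rewrite, operation by operation, over a flagged value.
function rewriteLogin(v) {
  const searchTerm = 'login.html';
  const urlCheck = v.s.indexOf(searchTerm);
  if (urlCheck === -1) return v;
  let result = substring(v, 0, urlCheck);
  result = concat(result, literal('login.jsp'));
  return concat(result, substring(v, urlCheck + searchTerm.length, v.s.length));
}
// Open redirect needs attacker influence over the target's origin: is any
// character that makes up the resulting URL's origin flagged?
function originIsTainted(v) {
  return v.taint.slice(0, new URL(v.s).origin.length).some(Boolean);
}
// Constructed document.URL samples; the attacker may shape anything after the origin.
function checkSamples() {
  return [
    'https://www.example.com/login.html',
    'https://www.example.com/login.html?next=//evil.example/',
    'https://www.example.com/app/login.html#@evil.example',
    'https://www.example.com:8443/login.html?x=https://evil.example',
  ].map((href) => {
    const out = rewriteLogin(fromDocumentUrl(href));
    return { target: out.s, originTainted: originIsTainted(out) };
  });
}
```

checkSamples() reports originTainted false for every sample, while the same rewrite applied to fromUntrusted('https://evil.example/login.html') reports true; that distinction between "some characters are tainted" and "the origin is tainted" is exactly what a plain taint flow misses.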
The best technologies are often the ones that you, as a user, never have to worry about. They work automatically, behind the scenes, making a product or service work better, with nothing to configure and nothing new to learn. They just work.
String Analysis is such a technology. If you think about it, it's a thing of beauty, because String Analysis is actually one of the most complicated analysis technologies that IBM (or anyone) has ever developed in the world of static analysis.