Rich Internet applications security testing checklist


Kevin Beaver, CISSP
10.01.2009


With Web 2.0 technologies like Ajax, Flash and Web services all the rage, rich Internet applications (RIAs) are popping up everywhere. More developers are creating rich apps in-house and integrating third-party RIA code into existing environments. However you slice it, RIAs and Web 2.0 technologies cannot be ignored.

Likewise, we can't ignore the slew of security flaws RIAs tend to introduce. Rich Internet applications not only place more control in the user's hands, and therefore in the attacker's, since client-side code and data can be inspected and altered at will; they also broaden the attack surface and open entry points into networks that did not exist before.

The big thing with rich Internet applications is that you can't just scan 'em and forget 'em. Current scanning technologies for penetration testing and code analysis are still pretty limited relative to the complexity of these applications. But don't worry! You can still check for the security holes that matter, and a few more to boot, if you approach your Web 2.0 code and technologies from all the right angles.

In this checklist, you can find out what you can do to find and eliminate security flaws from your rich Internet applications.


  1. Understand the scope of the vulnerabilities rich Internet applications present. They're similar to common Web vulnerabilities but often have their own twist. Common RIA flaws include XSS, SQL injection, passwords embedded in media files, easily manipulated client-side variables and business logic exposed in code the user can read.

  2. Gather good tools. There are numerous free and commercial options. Among my favorite freebies are the following:

    • The Firefox Web Developer extension, for manual inspection and manipulation of client-side code, forms and cookies.
    • SWFScan, for decompiling and analyzing Shockwave Flash (.swf) files.
    • WSFuzzer, for fuzzing SOAP Web services.

    My favorite commercial tools are HP's WebInspect and Acunetix Web Vulnerability Scanner. These are all-in-one Web vulnerability scanners that include specific tools for further manual analysis. Plus they're well maintained, so you know you're scanning for the latest Web 2.0 flaws.

  3. Scan your systems as an untrusted outsider as well as a trusted user. That said, you have to understand that your scans may not find each and every flaw when you set them on auto-pilot. If possible, set your scanner to "manual crawl" mode and step through the application yourself, clicking on every link and submitting every form. This lets the scanner reach parts of the application (for example, content that only appears after a particular sequence of Ajax requests) that it would never find on its own. The manual crawl process can take a while in complicated applications, but it's the only reasonable way to get your Web vulnerability scanner(s) to find what matters.

  4. Use multiple Web vulnerability scanners if you can. I often find vulnerabilities with a second scanner that the first one completely missed, and that's especially true for rich Internet applications. I've also found that a general network vulnerability scanner such as QualysGuard or Nessus can turn up server and application weaknesses that dedicated Web scanners don't know about.

  5. Scan your Web services. They're easy to configure and forget, but XML-based Web services can be one of your greatest Web security weaknesses. There's something for everyone, ranging from XPath injection to SQL injection to command execution to password cracking, since every SOAP parameter is attacker-controlled input that never passes through the browser front end's validation. Tools such as WebInspect, Acunetix and others can scan for specific Web services flaws, and I highly encourage you to run those scans.

  6. Scan your Flash files with SWFScan, and other media files with Web and general network vulnerability scanners. Even local antivirus software can flag malicious content in these files when you download or run them. I've seen and heard about all sorts of security flaws related to rich media. Everything from embedded encryption keys to business logic to malware can turn up in these files, so be sure to include them in the scope of your testing.

  7. Check for the common flaws that affect all Web applications regardless of technology: weak passwords; lack of intruder lockout, which makes password cracking easy; weak authentication mechanisms, especially home-grown multi-factor systems; form manipulation; URL tampering; and sensitive files stored unprotected on the server.
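As an added example for step 5 (not code from the original article or from any of the tools it names), here is the SQL injection flaw as it typically sits behind a SOAP Web service, beside its fix, plus the crude differential check a scanner performs to spot it. The service namespace, the accounts table and the payload list are assumptions made for the example; the SQL runs against an in-memory SQLite database so the whole thing works offline.

```python
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:accounts"   # assumed namespace of the hypothetical service

# Payloads of the kind a Web services fuzzer sends for the SQL injection class.
INJECTION_PAYLOADS = ["' OR '1'='1", "'", "' OR 1=1--"]


def build_request(username: str) -> bytes:
    """Build a SOAP 1.1 GetAccount request. ElementTree escapes the value,
    so the XML stays well-formed whatever the payload contains."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}GetAccount")
    ET.SubElement(op, f"{{{SVC_NS}}}username").text = username
    return ET.tostring(env)


def extract_username(soap_request: bytes) -> str:
    """Server side: pull the parameter out of the envelope."""
    root = ET.fromstring(soap_request)
    node = root.find(f".//{{{SVC_NS}}}username")
    if node is None or node.text is None:
        raise ValueError("username parameter missing")
    return node.text


def make_db() -> sqlite3.Connection:
    """Constructed sample data behind the service."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250), ("carol", 75)])
    return db


def get_account_vulnerable(db, soap_request: bytes) -> list:
    """The flaw: the SOAP parameter is concatenated straight into SQL."""
    username = extract_username(soap_request)
    sql = ("SELECT username, balance FROM accounts WHERE username = '"
           + username + "'")
    return db.execute(sql).fetchall()


def get_account_hardened(db, soap_request: bytes) -> list:
    """The fix: a bound parameter is data, never SQL."""
    username = extract_username(soap_request)
    return db.execute(
        "SELECT username, balance FROM accounts WHERE username = ?",
        (username,)).fetchall()


def probe_for_injection(handler, db) -> list:
    """Crude differential check like a scanner's: a payload is flagged if the
    service errors out or returns more rows than a nonexistent user does."""
    baseline = len(handler(db, build_request("no-such-user")))
    findings = []
    for payload in INJECTION_PAYLOADS:
        try:
            rows = handler(db, build_request(payload))
        except sqlite3.Error:
            findings.append(payload)      # raw database error provoked by the payload
            continue
        if len(rows) > baseline:
            findings.append(payload)
    return findings


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler flagged:", probe_for_injection(get_account_vulnerable, db))
    print("hardened handler flagged:  ", probe_for_injection(get_account_hardened, db))
```

Against the vulnerable handler all three payloads are flagged: two return every account and the lone quote produces a database error, which is the same signal a real scanner keys on when a service leaks its back-end exception. Against the hardened handler none are flagged, because the driver binds the value instead of splicing it into the statement.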
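Steps 1 and 6 both warn about passwords and encryption keys embedded in Flash and other media files. The following script, added here and not part of the original article or of SWFScan, shows the first thing a manual check does before any decompilation: unwrap the SWF container and pull out printable strings that look like credentials, keys or hard-coded back-end URLs. The SWF header layout (FWS stored raw, CWS zlib-compressed after the 8-byte header) is the published format; the keyword patterns and the sample file are constructed for illustration and are assumptions, not a complete secret-hunting ruleset.

```python
import re
import struct
import sys
import zlib

# Illustrative patterns for strings worth a second look. Assumption: this
# keyword list is a starting set, not an exhaustive one.
SECRET_PATTERNS = [
    re.compile(rb"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*\S+"),
    re.compile(rb"(?i)(aes|des|rc4|hmac)[_-]?key\s*[=:]\s*\S+"),
    re.compile(rb"https?://[^\s'\"<>]+"),      # hard-coded back-end endpoints
]


def decompress_swf(data: bytes) -> bytes:
    """Return the SWF with its body uncompressed.

    SWF header: 3-byte signature, 1-byte version, uint32 little-endian
    uncompressed file length. FWS stores the body raw; CWS zlib-compresses
    everything after the 8-byte header, so naive string searching of a CWS
    file on disk finds nothing. ZWS (LZMA) is not handled in this example.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    signature = data[:3]
    (declared_len,) = struct.unpack("<I", data[4:8])
    if signature == b"FWS":
        return data
    if signature == b"CWS":
        body = zlib.decompress(data[8:])
        if 8 + len(body) != declared_len:     # truncated or tampered file; scan anyway
            print(f"warning: header says {declared_len} bytes, got {8 + len(body)}",
                  file=sys.stderr)
        return data[:8] + body
    if signature == b"ZWS":
        raise ValueError("LZMA-compressed SWF not supported here")
    raise ValueError("not a SWF file")


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs, the same idea as the Unix strings(1) tool."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def find_secrets(swf: bytes) -> list:
    """Strings in the (decompressed) SWF that match a secret pattern."""
    hits = []
    for s in extract_strings(decompress_swf(swf)):
        for pattern in SECRET_PATTERNS:
            m = pattern.search(s)
            if m:
                hits.append(m.group(0).decode("ascii"))
                break
    return hits


def make_sample_cws(payload: bytes) -> bytes:
    """Constructed test file: a valid CWS header around a zlib-compressed body.
    Real tag structure is omitted; only the embedded strings matter here."""
    body = b"\x00" * 5 + payload        # stand-in for the frame size/rate fields
    header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + zlib.compress(body)


def make_sample_fws(payload: bytes) -> bytes:
    """Uncompressed variant of the same constructed sample file."""
    body = b"\x00" * 5 + payload
    return b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body


# Constructed payload imitating what a decompiler surfaces from ActionScript.
SAMPLE_PAYLOAD = (b"\x00ActionScript\x00"
                  b"serviceUrl=http://api.example.internal/accounts\x00"
                  b"adminPassword=Summer2009!\x00"
                  b"aes_key=0123456789abcdef\x00")


if __name__ == "__main__":
    files = sys.argv[1:]
    if not files:                        # no arguments: scan the constructed sample
        for hit in find_secrets(make_sample_cws(SAMPLE_PAYLOAD)):
            print("sample.swf:", hit)
    for path in files:
        with open(path, "rb") as f:
            for hit in find_secrets(f.read()):
                print(f"{path}: {hit}")
```

Run it with one or more .swf paths, or with no arguments to see it recover the planted URL, password and key from the compressed sample. A hit here means a decompiler and a code review follow; whatever the Flash file can read, every user who downloads it can read too.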

Working through each of these steps, and making sure the issues you find are remediated, will bring you that much closer to reasonable security in your rich Internet applications. Perhaps most importantly, never let your guard down. The security issues surrounding rich Internet applications are only going to become more complex. Getting your arms around the issues that matter now will allow you to scale your efforts as your applications continue to grow.


About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security including the ethical hacking books, Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). He's also the creator of the Security On Wheels IT security audio books.
