With Web 2.0 technologies like Ajax, Flash and Web services being all the rage, rich Internet applications (RIAs) are popping up everywhere. More developers are creating rich apps in-house and integrating such third-party code into existing environments. However you slice it, RIAs and Web 2.0 technologies cannot be ignored.
Likewise, we can't ignore the slew of security flaws RIAs tend to introduce. Rich Internet applications not only place more control into the user's hands, they also broaden the attack surface and open previously non-existent entry points into networks.
The big thing with rich Internet applications is that you can't just scan 'em and forget 'em. Current scanning technologies for penetration testing and code analysis are still pretty limited relative to the complexity of these applications. But don't worry! You can still check for the security holes that matter, and a few more to boot, if you approach your Web 2.0 code and technologies from all the right angles.
In this checklist, you can find out what you can do to find and eliminate security flaws from your rich Internet applications.
- Understand the scope of the vulnerabilities rich Internet applications present. They're similar to common Web vulnerabilities but often have their own twist. Common rich Internet application flaws include XSS, SQL injection, embedded passwords in media files, as well as easily manipulated client-side variables and exposed business logic.
- Gather good tools. There are numerous free and commercial options. Among my favorite freebies are the following:
  - Firefox WebDeveloper is a Firefox plugin for manual manipulation of client-side code.
  - SWFScan is a tool for decompiling/analyzing Shockwave Flash (.swf) files.
  - WSFuzzer is a tool for performing fuzzing of SOAP Web services.
  My favorite commercial tools are HP's Acunetix Web Vulnerability Scanner. These are all-in-one Web vulnerability scanners that include specific tools for further manual analysis. Plus they're well-maintained, so you know you're going to be scanning for the latest and greatest Web 2.0 flaws.
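To make the "easily manipulated client-side variables and exposed business logic" item concrete, here is an added example (not from the original article) of an Ajax checkout handler that trusts what the browser posted, beside one that derives price, discount and role on the server and logs client-supplied pricing fields as a tampering signal. The catalog, session store and request shapes are constructed assumptions.

```javascript
// Constructed server-side data: prices in cents, sessions keyed by cookie id.
const CATALOG = { "sku-100": { unitPrice: 4999 }, "sku-200": { unitPrice: 1500 } };
const SESSIONS = { "sess-abc": { userId: 42, role: "customer" } };

// Naive handler: mirrors the RIA's own calculation and trusts every field the
// browser posted, including unit price, discount percentage and role.
function naiveCheckout(req) {
  const total = Math.round(req.unitPrice * req.qty * (1 - req.discountPct / 100));
  return { ok: true, total, appliedRole: req.role };
}

// Hardened handler: the client may only say WHAT it wants (sku, qty). Price,
// discount and role are derived from server-side state. Pricing fields sent
// by the client are rejected rather than silently overwritten, and each one
// is recorded in `log` so the event shows up in monitoring.
function hardenedCheckout(req, sessionId, log = []) {
  const session = SESSIONS[sessionId];
  if (!session) return { ok: false, error: "unauthenticated" };
  const item = CATALOG[req.sku];
  if (!item) return { ok: false, error: "unknown sku" };
  if (!Number.isInteger(req.qty) || req.qty < 1 || req.qty > 100) {
    return { ok: false, error: "invalid qty" };
  }
  // Business logic lives here, not in the .swf or the JavaScript bundle.
  const discountPct = session.role === "staff" ? 20 : 0;
  let tampered = 0;
  for (const field of ["unitPrice", "discountPct", "role", "total"]) {
    if (field in req) {
      tampered++;
      log.push(`tamper-signal user=${session.userId} field=${field} value=${req[field]}`);
    }
  }
  if (tampered > 0) return { ok: false, error: "unexpected pricing fields" };
  const total = Math.round(item.unitPrice * req.qty * (1 - discountPct / 100));
  return { ok: true, total };
}

// Constructed request as a tampered Ajax client would send it.
const tamperedReq = { sku: "sku-100", qty: 2, unitPrice: 1, discountPct: 99, role: "staff" };
const auditLog = [];
console.log("naive:", naiveCheckout(tamperedReq));                    // total 0, role staff
console.log("hardened:", hardenedCheckout(tamperedReq, "sess-abc", auditLog));
console.log(auditLog.join("\n"));
console.log("clean:", hardenedCheckout({ sku: "sku-100", qty: 2 }, "sess-abc"));
```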
Working through each of these steps, and ensuring the issues are remediated, will bring you that much closer to reasonable security in your rich Internet applications. Perhaps most importantly, never let your guard down. The security issues surrounding rich Internet applications are only going to become more complex. Getting your arms around the issues that matter now will allow you to scale your efforts as your applications continue to grow.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years' experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security, including the ethical hacking books Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). He's also the creator of the Security On Wheels IT security audio books.
This was first published in October 2009