First off, we've been hearing a lot about Ajax vulnerabilities. Be it vendor marketing hype or the Facebook, Twitter, and similar exploits around the world I do see client-side attacks as an evolving problem. There are also Web services concerns. I'm finally starting to see developers, QA analysts, and security managers question how safe their Web services really are and rightly so.
Before I go any further, I want to be clear that finding vulnerabilities in Web 2.0 apps is as much -- often more -- of a manual analysis task. This is due in part to the complexity of these applications as well as the relative immaturity of the testing tools available.
Here are some free tools to help you in your work with RIAs:
HTTrack is not a RIA-specific tool, but you can use it for general site perusal as well as local application logic analysis. A tool like this is great for analyzing sites and code locally without having to be connected to the application in real time.
Ratproxy is Google's answer to security scanning that uncovers scripting problems that can lead to XSS and XSRF. In practicaly every security testing situation, you need to use multiple tools. A tool like Ratproxy provides a good way to get yet another security perspective of your Internet presence.
SWFScanM is a tool with its roots in HP's WebInspect that decompiles Shockwave Flash (.swf) files to find vulnerabilities within the source code. This type of tool allows you to view Flash like never before. Many people don't consider the issues that a Flash-based applicaiton can pose. A quick search of the National Vulnerability Database shows dozens over the past few years alone.
Sandboxie is free for personal use only. Still, this tool can be handy when used to isolate the Web browser and everything that's going on within it. That process allows you to probe and analyze rich Internet application behavior on a clean-browser install in a sandboxed environment without any other plug-ins or applications getting in the way.
WSDigger is a Web services scanning/analysis framework for exploiting XSS, SQL injection and more. This class of tool allows you to uncover and exploit XSS, SQL injection and more security issues associated with often-overlooked Web services.
WSFuzzer is a SOAP Web services penetration testing tool for creating fuzz attack strings and more. It can give you yet another perspective of your Web services.
Web 2.0 and rich Internet applications are a broadly defined group, and the security tools are still relatively sparse. In my article on techniques for testing RIAs, you'll find more information. Again, don't overlook the manual analysis component of these Web technologies when seeking out security weaknesses.
The reality is that rich Internet applications and their associated attack vectors aren't going away. Familiarizing yourself with this set of tools now will get you off to a solid start in the right direction towards enhanced Web application security overall.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security including the ethical hacking books, Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). He's also the creator of the Security On Wheels IT security audio books.
This was first published in May 2009