Rich Internet applications security testing checklist

Fix common RIA and Web 2.0 application problems typically caused by Ajax, Flash and other technologies with these tips. Software expert Kevin Beaver explains why add-ons, plug-ins and multimedia features are causing more security flaws.

Kevin Beaver

With Web 2.0 technologies like Ajax, Flash and Web services being all the rage, rich Internet applications (RIAs) are popping up everywhere. More developers are creating rich apps in-house and integrating such third-party code into existing environments. However you slice it, RIAs and Web 2.0 technologies cannot be ignored.

Likewise, we can't ignore the slew of security flaws RIAs tend to introduce. Rich Internet applications not only place more control into the user's hands, they also broaden the attack surface and open previously non-existent entry points into networks.


The big thing with rich Internet applications is that you can't just scan 'em and forget 'em. Current scanning technologies for penetration testing and code analysis are still pretty limited relative to the complexity of these applications. But don't worry! You can still check for the security holes that matter, and a few more to boot, if you approach your Web 2.0 code and technologies from all the right angles.

In this checklist, you can find out what you can do to find and eliminate security flaws from your rich Internet applications.

  1. Understand the scope of the vulnerabilities rich Internet applications present. They're similar to common Web vulnerabilities but often have their own twist. Common rich Internet application flaws include XSS, SQL injection, embedded passwords in media files, as well as easily manipulated client-side variables and exposed business logic that was never meant to run, or be trusted, on the client.

  2. Gather good tools. There are numerous free and commercial options. Among my favorite freebies are the following:

    • Firefox Web Developer is a Firefox extension for manual manipulation of client-side code, forms and cookies.
    • SWFScan is a tool for decompiling and analyzing Shockwave Flash (.swf) files.
    • WSFuzzer is a tool for fuzzing SOAP Web services.
    • My favorite commercial tools are HP's WebInspect and Acunetix Web Vulnerability Scanner. These are all-in-one Web vulnerability scanners that include specific tools for further manual analysis. Plus they're well-maintained, so you know you're going to be scanning for the latest and greatest Web 2.0 flaws.

  3. Scan your systems as an untrusted outsider as well as a trusted user. That said, you have to understand that your scans may not find each and every flaw when you set them on auto-pilot. If possible, set your scanner to "manual crawl" mode and step through the application yourself, clicking on every link and submitting every form. This will allow your scanner to find parts of the application it'd never be able to find otherwise, such as Ajax requests that are only issued after a particular user action. The manual crawl process can take a while in complicated applications, but it's the only reasonable way to get your Web vulnerability scanner(s) to find what matters.

  4. Use multiple Web vulnerability scanners if you can. I often find vulnerabilities using a second scanner that the first one completely missed. This is especially true for rich Internet applications. I've also found that using a general network vulnerability scanner such as QualysGuard or Nessus can often find server and application weaknesses that dedicated Web scanners don't know about.

  5. Scan your Web services. They're easy to configure and forget, but XML-based Web services can be one of your greatest Web security weaknesses. There's something for everyone, ranging from XPath injection to SQL injection to command execution to password cracking. Tools such as WebInspect, Acunetix and others can scan for specific Web services flaws, and I highly encourage you to do those scans.

  6. Scan your Flash, using SWFScan, and other media files, using Web and general network vulnerability scanners. Even your local antivirus software can flag malicious content in these files when you download or run them. I've seen and heard about all sorts of security flaws related to rich media. Everything from embedded encryption keys to business logic to malware can turn up in these files, so be sure to include them in the scope of your testing.

  7. Check for other common flaws that affect all Web applications regardless of the technologies being used. This includes weak passwords, lack of intruder lockout (which facilitates password cracking), weak authentication mechanisms -- especially home-grown multi-factor systems -- form manipulation, URL tampering and sensitive files stored on the server unprotected.
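To make steps 2 and 5 concrete, here is an added example of the kind of WSFuzzer-style check the author is describing, written for this page and not taken from the article or from any of the tools it names. It simulates a SOAP "lookupUser" operation backed by an in-memory SQLite table in two forms: a vulnerable handler that splices the `<username>` element into a SQL string, and a hardened handler that validates the value and uses a parameterized query. The service namespace `urn:example:users`, the operation name, the table contents and the payload list are all constructed for the example. Note that the client XML-escapes the value, exactly as a well-behaved Ajax client would, and that this does nothing to stop the injection: escaping for the transport is not the same as escaping for the database.

```python
"""Toy SOAP Web service injection harness (added example, stdlib only)."""
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:users"  # assumed namespace of the toy service


def make_db():
    """Fresh in-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def envelope(username):
    """Build the request an Ajax/SOAP client would send; XML-escaped, as it should be."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<lookupUser xmlns="{APP_NS}"><username>{escape(username)}</username>'
            '</lookupUser></soap:Body></soap:Envelope>')


def extract_username(soap_xml):
    """Server side: parse the envelope and pull out the username text."""
    root = ET.fromstring(soap_xml)
    node = root.find(f".//{{{APP_NS}}}username")
    return (node.text or "") if node is not None else ""


def lookup_vulnerable(db, soap_xml):
    """Vulnerable: the parsed value goes straight into the SQL string."""
    name = extract_username(soap_xml)
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def lookup_hardened(db, soap_xml):
    """Hardened: allow-list the value, then bind it as a parameter."""
    name = extract_username(soap_xml)
    if not name.isalnum() or len(name) > 32:
        raise ValueError("rejected username")  # would become a SOAP fault
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Constructed payload list: a benign value, a bare quote probe, a tautology
# and a UNION. A fuzzer like WSFuzzer carries far more; these suffice here.
PAYLOADS = [
    "alice",
    "'",
    "' OR '1'='1",
    "x' UNION SELECT name, email FROM users --",
]


def fuzz(handler):
    """Run every payload through a handler and classify what comes back.

    Returns {payload: row_count | 'sql-error: <class>' | 'rejected'}.
    A row count above the expected 1, or a leaked SQL error, is an
    injection signal a tester would chase down.
    """
    db = make_db()
    findings = {}
    for payload in PAYLOADS:
        try:
            findings[payload] = len(handler(db, envelope(payload)))
        except sqlite3.Error as exc:
            findings[payload] = f"sql-error: {type(exc).__name__}"
        except ValueError:
            findings[payload] = "rejected"
    return findings


if __name__ == "__main__":
    for label, handler in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(f"== {label} ==")
        for payload, result in fuzz(handler).items():
            print(f"  {payload!r:45} -> {result}")
```

Running it shows the vulnerable handler returning both users for the tautology and UNION payloads and leaking an `OperationalError` for the bare quote, while the hardened handler returns one row for `alice` and rejects everything else. Against a real service you would send the same envelopes over HTTP and compare row counts and fault messages between an unauthenticated and an authenticated session, as step 3 recommends.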

Working through each of these steps, and ensuring the issues are remediated, will bring you that much closer to reasonable security in your rich Internet applications. Perhaps most importantly, never let your guard down. The security issues surrounding rich Internet applications are only going to become more complex. Getting your arms around the issues that matter now will allow you to scale your efforts as your applications continue to grow.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security including the ethical hacking books, Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). He's also the creator of the Security On Wheels IT security audio books.
