Dan Kuÿkendall

Mobile App & API Security – Application Security’s “Where’s Waldo”

Blog Post created by Dan Kuÿkendall on Jul 6, 2015

[A version of this blog was originally posted on February, 1 2013]

 

As I have discussed in previous posts and at conferences like OWASP AppSecUSA, while the number of attacks continues to increase, the attack techniques aren't new at all. They are the same old attacks, like SQL Injection, showing up in new places: APIs, mobile application back-ends and AJAX applications. Because these newer technologies have exploded in popularity and become mainstream, we keep seeing the same old vulnerabilities popping up in new places. I always say it's like Where's Waldo: we simply need to understand the new landscape and start looking for Waldo again.
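To make the "same old attack, new place" point concrete, here is an added example (my own illustration, not code from the original post or from AppSpider): a hypothetical JSON API handler that builds its SQL from a field in the request body, the same handler with a bound parameter, and a small scanner-style probe. The probe has to parse the JSON body to find the string leaves it can attack; a scanner that only knows form fields and query strings never sees the `name` parameter at all. The users table, the request body and the handler names are all constructed for this example.

```python
import copy
import json
import sqlite3


# Constructed sample database (not from the original post): an in-memory
# SQLite table standing in for a mobile app's user directory.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "alice@example.com", 1), (2, "bob", "bob@example.com", 0)],
    )
    return conn


def lookup_vulnerable(conn, body):
    """Hypothetical JSON API handler: the 'name' field from the request body is
    pasted straight into the SQL string. Classic SQL injection, new transport."""
    name = json.loads(body)["user"]["name"]
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, body):
    """Same handler with a bound parameter; the value never becomes SQL."""
    name = json.loads(body)["user"]["name"]
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def injection_points(obj, path=()):
    """Yield (path, value) for every string leaf in a parsed JSON document.
    A scanner that treats the body as an opaque blob finds none of these."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from injection_points(val, path + (key,))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from injection_points(val, path + (idx,))
    elif isinstance(obj, str):
        yield path, obj


def mutate(obj, path, payload):
    """Deep-copy obj and replace the leaf at path with payload."""
    new = copy.deepcopy(obj)
    cur = new
    for key in path[:-1]:
        cur = cur[key]
    cur[path[-1]] = payload
    return new


def probe(handler, conn, body):
    """Differential SQL injection check over every string leaf of the JSON body:
    append a tautology to the original value, resend, and flag the parameter if
    the response grows (boolean-based) or the database errors (error-based)."""
    base = json.loads(body)
    baseline = handler(conn, body)
    findings = []
    for path, value in injection_points(base):
        attack = json.dumps(mutate(base, path, value + "' OR '1'='1"))
        try:
            rows = handler(conn, attack)
        except sqlite3.Error:
            findings.append(path)
            continue
        if len(rows) > len(baseline):
            findings.append(path)
    return findings


if __name__ == "__main__":
    db = make_db()
    request = json.dumps({"user": {"name": "bob"}, "fields": ["email"]})
    print("vulnerable:", probe(lookup_vulnerable, db, request))
    print("parameterized:", probe(lookup_parameterized, db, request))
```

Run against the vulnerable handler the probe reports the nested `user.name` path (the tautology widens the result set from one row to two); against the parameterized handler it reports nothing, because the payload is compared as a literal string and matches no user. The `fields[0]` leaf is attacked too but is harmless here, since the handler never uses it.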

 

Over the last several years there has been a major evolution in how applications are built, with new underlying technologies, application architectures and data formats. Have application scanners evolved with them? These technologies have grown so fast that neither end has kept up. On one end, developers aren't able to build these new applications securely because they are up against business deadlines while delivering on unfamiliar technologies. On the other end, web application scanners were architected in the early days of web application security, when almost all web applications were static, relatively simple HTML pages. Scanners have never covered 100% of a web application and never will, but our belief is that they can and should cover as much as possible. Unfortunately, most application security scanners haven't kept pace with the changing applications.

[Figure: Coverage Gap]

 

Security professionals and application scanning vendors should be actively working to close the coverage gap shown above, to improve both the efficiency (reduce manual effort) and the effectiveness (find more vulnerabilities) of security efforts. The AppSpider team at Rapid7 continues to be committed to closing this gap. Our customers tell us that AppSpider automatically tests their AJAX applications and APIs much more thoroughly than other options.

 

We believe AppSpider is the only scanner that truly begins to address these newer technologies and formats, such as AMF, JSON and REST. But feel free to check it out for yourself; we welcome input and feedback.

 

In my blogs, I'll detail the technologies used in modern applications and demonstrate why they create challenges for today's web scanners. In addition, I'll give you pointers on how to determine whether your application security scanners are effectively crawling and attacking these newer technologies.

 

We will discuss the following kinds of applications and technologies:

 

1. RIA & HTML5

    • AJAX Applications: JSON (jQuery), REST, GWT (Google Web Toolkit)
    • Flash Remoting (AMF)
    • HTML5 Applications (addressed in subsequent paper)

 

2. Mobile

    • Backends powered by JSON, REST and other custom formats

3. Web Services

    • JSON, REST
    • XML-RPC, SOAP (addressed in subsequent paper)

 

4. Challenging Application Workflows

    • Sequences: Shopping Cart and other strict processes
    • XSRF/CSRF Tokens

 

If you would like to read the full whitepaper on this topic, you can download it here.

 

[Note: This blog has been transferred from Dan Kuykendall’s blog, manvswebapp.com, as part of Rapid7’s acquisition of NT OBJECTives. For more information on the acquisition, click here.]
