Monday, October 8th, 2007

Automated security scanners choke on Ajax

Category: Ajax, Security

It looks like some of the most expensive security scanners can’t handle Ajax code. Information Week reviewed and tested five pricey application scanners, including products from IBM and HP, and all of them except IBM’s failed to find vulnerabilities in Ajax code:

With the exception of IBM(IBM)’s Watchfire AppScan, automated Web application scanners are simply not yet up to the task of finding security flaws in Ajax code. And it’s not like we made it hard on them: The Ajax applications we used in testing were relatively simple. None of the vulnerabilities we expected our scanners to find was advanced or required complex analysis of client-side code. Rather, they were traditional Web application security vulnerabilities, just exposed through an updated Ajax interface. As long as the scanners being tested could navigate the application, identifying the vulnerabilities should have been a walk in the park.

This doesn’t bode well for companies that rely on some form of automated testing to provide the baseline for their application security assessments: if the scanner can’t reach the Ajax endpoints, it never gets the chance to test them.
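To make the failure mode concrete, here is an added example (not from the Information Week review or any of the scanners it tested). A constructed page exposes a search parameter twice: once through a normal HTML form and once through an XMLHttpRequest call to a JSON endpoint that nothing in the markup links to. A crawler that only follows href and action attributes never requests /api/search, so it never gets to inject into its q parameter; a crawler that also mines the script bodies does. The hostname app.example and the page itself are hypothetical.

```python
"""Why a link-following crawler misses Ajax endpoints (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

# Constructed sample page (hypothetical, not from the review): a classic
# search form plus an Ajax "live search" that hits a JSON endpoint via XHR.
SAMPLE_PAGE = """
<html><body>
<a href="/products?id=7">Product 7</a>
<form action="/search" method="get"><input name="q"></form>
<input id="live" onkeyup="liveSearch(this.value)">
<script>
function liveSearch(term) {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/api/search?q=" + encodeURIComponent(term) + "&page=1", true);
  xhr.onreadystatechange = function () {
    if (xhr.readyState == 4) document.getElementById("results").innerHTML = xhr.responseText;
  };
  xhr.send(null);
}
</script>
<div id="results"></div>
</body></html>
"""

BASE = "http://app.example/"  # hypothetical target site


class _LinkParser(HTMLParser):
    """Collects href/action attributes and the raw text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.links, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.links.append(a["action"])  # form fields are not enumerated here
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _parse(html):
    p = _LinkParser()
    p.feed(html)
    return p


def crawl_html_only(html, base=BASE):
    """Legacy scanner model: only follow markup-level links and form actions."""
    return sorted({urljoin(base, u) for u in _parse(html).links})


# String literals inside script text that look like same-site paths, e.g.
# "/api/search?q=". A cheap static stand-in for what a JS-aware crawler
# (or a real DOM executor) would discover.
_JS_PATH = re.compile(r'["\'](/[A-Za-z0-9_./-]*(?:\?[^"\']*)?)["\']')


def crawl_with_js(html, base=BASE):
    """Also mine <script> bodies for the endpoints the XHR code targets."""
    urls = set(crawl_html_only(html, base))
    for path in _JS_PATH.findall("".join(_parse(html).scripts)):
        urls.add(urljoin(base, path))
    return sorted(urls)


def injectable_params(urls):
    """Map each URL path to its query parameters: the injection points a scanner tests."""
    return {
        urlparse(u).path: sorted(parse_qs(urlparse(u).query, keep_blank_values=True))
        for u in urls
    }


if __name__ == "__main__":
    print("html-only :", injectable_params(crawl_html_only(SAMPLE_PAGE)))
    print("js-aware  :", injectable_params(crawl_with_js(SAMPLE_PAGE)))
```

The html-only crawl yields /products?id=7 and the /search form; only the JS-aware crawl surfaces /api/search with its q parameter. Regex mining of string literals is a crude approximation: endpoints assembled at runtime, fetched from configuration, or reached only after a sequence of user events need a crawler that actually executes the page, which is exactly the capability the review found missing.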

The full 5-page review can be found on Information Week’s site.

Posted by Rey Bango at 8:30 am

3 Comments »


Security is not necessarily an inherent AJAX problem. For specified environments the problem simply does not exist. See this framework paradigm. One should be aware that I am not, and do not pretend to be, objective; nevertheless I believe that one can judge for himself. Visual WebGui is an AJAX framework that doesn’t expose logic, data or open services on client requests and therefore is not as vulnerable as common AJAX solutions. Worth a look at http://www.visualwebgui.com.

Comment by navot — October 9, 2007

What? IBM being more up-to-date and quicker to react than its competitors? Are they turning over a new leaf?

Comment by mdmadph — October 9, 2007

thanks

Comment by resim — October 23, 2007
