Rapid7 Updates Vulnerability Scanner

Rapid7 analyzes Web application and Web 2.0 vulnerabilities in JavaScript and AJAX

The number of vulnerabilities, and of exploits for them, will keep growing as more organizations develop Web and Web 2.0 applications. Web application scanners can reduce the risk, but they often cannot recognize or uncover vulnerabilities in newer client-side technologies such as JavaScript, AJAX, Flash, Flex, ActionScript, ASP.NET 2.0 (Atlas) and .NET 3.0. According to Gartner in Web 2.0 Needs Security by John Pescatore, “The dynamic and distributed nature of Web 2.0 applications means that some new approaches will be required to maintain the necessary level of business strength security. Vulnerability assessment techniques will need to be extended to deal with client-side executables and service-oriented architectures.”

In 2006, Rapid7 released Browser Emulation Scanning Technology (BEST) for scanning Web and Web 2.0 applications for vulnerabilities in JavaScript code. The latest release improves the product’s automatic Web spidering and analysis capabilities and provides a vulnerability scanner that analyzes JavaScript, Ajax and Flash applications in testing, quality assurance, deployment, and ongoing management.

Rapid7 says it developed BEST in response “to the increased use of Asynchronous JavaScript and XML (AJAX) for dynamic Web programming, which makes Web sites and applications vulnerable to Document Object Model or DOM-based cross-site scripting (XSS) and other risks.” In DOM-based XSS the injection happens entirely in the browser: client-side script takes attacker-controlled input (the URL fragment, for example) and writes it into the page as HTML through a sink such as innerHTML or document.write, so the attacker’s JavaScript runs with the application’s own origin, as if it came from the application. Because the payload may never be sent to the server, a scanner that only inspects server responses will not see it; the page’s scripts have to be executed to find it, which is the case for browser emulation.
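The following is an added example, not code from the original article or from Rapid7: a page handler that reflects the URL fragment into the DOM through innerHTML (the DOM-based XSS pattern described above), a hardened version that uses textContent, and a minimal browser-emulation harness that feeds a canary payload into each handler and checks whether it reaches the sink as live markup. The window/document stand-in, the element id "greeting", and the canary string are all hypothetical, written so the example runs in Node without a real browser.

```javascript
// Added example (not Rapid7's code). All names below are hypothetical.

// Vulnerable handler: the fragment is attacker-controlled and is written
// into the page as HTML. Nothing here ever touches the server.
function renderGreetingVulnerable(win) {
  const name = decodeURIComponent(win.location.hash.slice(1));
  win.document.getElementById('greeting').innerHTML = 'Welcome, ' + name;
}

// Hardened handler: the same input is written as text, so any markup in it
// is displayed literally instead of being parsed.
function renderGreetingSafe(win) {
  const name = decodeURIComponent(win.location.hash.slice(1));
  win.document.getElementById('greeting').textContent = 'Welcome, ' + name;
}

// How a real DOM serialises a text node when innerHTML is read back:
// only &, < and > are escaped.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Minimal stand-in for window/document (constructed for this example).
// The single element records what reaches its innerHTML sink, and setting
// textContent stores the escaped form, mirroring browser behaviour.
function makeFakeWindow(hash) {
  const el = { _html: '' };
  Object.defineProperty(el, 'innerHTML', {
    get() { return el._html; },
    set(v) { el._html = String(v); },
  });
  Object.defineProperty(el, 'textContent', {
    get() { return el._html; },
    set(v) { el._html = escapeHtml(String(v)); },
  });
  return {
    location: { hash },
    document: { getElementById: () => el },
  };
}

// Browser-emulation style probe: run the page's handler with a tainted
// fragment and report whether the canary survives as an unescaped tag.
function probeDomXss(handler, payload = '<canary onerror=1>') {
  const win = makeFakeWindow('#' + encodeURIComponent(payload));
  handler(win);
  const sinkContent = win.document.getElementById('greeting').innerHTML;
  return { vulnerable: sinkContent.includes('<canary'), sinkContent };
}

console.log('vulnerable handler:', probeDomXss(renderGreetingVulnerable));
console.log('hardened handler:  ', probeDomXss(renderGreetingSafe));
```

The probe only exercises one source (location.hash) and one sink (innerHTML); a scanner has to repeat the same idea for every source it can influence (query string, fragment, postMessage data, XHR responses) and every sink that turns strings into code or markup (document.write, eval, setTimeout with a string, attribute assignments such as href and src).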

“With version 4.6, NeXpose allows organizations to leverage their investment in Web applications and secure their entire network,” according to Alan Matthews, president of Rapid7 LLC, in a statement issued by the company. “Web applications, including Web 2.0, consist of many moving parts such as databases, operating systems and third-party applications. At Rapid7, we understand that customers require a solution like NeXpose that provides optimal web scanning and is completely integrated with network vulnerability management.”

NeXpose 4.6 includes the following new and enhanced features: client-side scanning of Web applications written in JavaScript, AJAX, Flash, Flex, ActionScript, ASP.NET 2.0 (Atlas) and .NET 3.0; Web application pass-through scanning, which follows an initial vulnerability to scan for deeper ones behind it; improved spidering performance and scalability; and batched scanning to reduce scan times.

More information is available at http://www.rapid7.com

About the Author

James E. Powell is the former editorial director of Enterprise Strategies (esj.com).