This week I got a chance to ask a couple of questions about Syhunt SandCat and the future of web application security. Here is the exchange with some great insights into where the web and attackers are heading!
Quick Interview with Felipe Aragon, CEO of Syhunt.
Q: The 3.8 release represents a significant step forward in application security scanning, especially around Javascript. What are the key features that application testers should know about in the 3.8 product?
R: Browsers and the web evolved significantly over the past years. Sandcat has evolved together with the new advancements and now has a lot in common with modern web browsers. This is essential because if you want to seriously hunt security breaches in web 2.0 applications you have to emulate modern Web technologies. So, naturally Sandcat evolved to understand JavaScript, AJAX and PHP and is now what is known as a hybrid web application security scanner. We also implemented multi-thread sessions, making each host scan a different process (Google Chrome, for example, employ a similar technique, making each tab a different process). Other important features we got working in Sandcat is the ability to simulate user interaction and multi-layer defense evasion. Sometimes, after evading a WAF (web application firewall), the last layer of defense against exploitation is a regular expression filter, which can also be bypassed by using many different techniques, so we got this working in Sandcat. Unfortunately weak filters were popularized and today many websites are vulnerable to this attack.
Q: How are Javascript threats influencing the state of application security today?
R: Thanks to JavaScript, Web applications are becoming increasingly more sophisticated, so next-generation web applications must be handled like desktop applications. Browsers like Opera, Firefox, Safari, Chrome are now adding faster JavaScript VMs each release because this is where the Web is going. Increased usage of JavaScript changes everything. It changes the way web developers build web sites, and the way hackers search for vulnerabilities or take advantage of weak spots in web applications. It makes more difficult for web developers to build secure web applications and, of course, for pen-testers that are unskilled web programmers to fit in in this new world. JavaScript can be used to steal cookies, spread worms, launch XSRF attacks and many other malicious purposes. The attacks are limited only by the attacker’s imagination.
Q: Where do you see application security heading in the next 12 months? What types of attacks should we be paying attention to that are slipping below our radar right now?
R: Right now we are monitoring the emergence of new web platforms (such as the recently announced Google Wave) that will make the 3.0 version of the Web possible. I believe we are heading towards the end of an era for the Web, a Web OS is materializing. These web 3.0 platforms and extensions built for these platforms will be a major target for cybercriminals. We have a set of new vulnerability classes and combined attacks (using both old and new classes) on the horizon. It will take a lot of time for web developers to understand how certain lines of code, client-side or server-side, translate to some serious security issues and how to avoid them. It might actually never happen because the Web and attack methods will continue to evolve faster. Without innovation, there is no future for the web, but I hope organizations will do whatever they can to understand and minimize security risks within their Web systems and not allow the cyberspace to become more insecure than it is today.
Check out SandCat’s new release at http://www.syhunt.com.
PS – In fair disclosure, MSI has a business relationship with Syhunt.