Earlier this week IBM announced a new methodology for automated XSS vulnerability assessment. The new methodology more accurately detects XSS vulnerabilities with less interaction with the application. In fact, it detects more vulnerabilities other automated utilities with roughly 20 requests. These 20 requests will actually evaluate millions of potential XSS tests. Here’s how it works:
1. An area where user input is allowed is detected
First, like always an area where input can be submitted is detected. In other words, an area that will be tested is determined.
2. An a request is submitted where the application will accept input
Next a piece of code is submitted to make a few determinations.
3. The response is analyzed to determine information
The applications response is analyzed for several pieces of information. Specifically, where the submitted code ends up in the application e.g. is it in a div or part of the CSS? In addition, how the code is represented is also analyzed e.g. was the data escaped or encoded in a certain way.
4. AppScan makes a decision on what next step to take based on gained knowledge.
Once information is determined about how the application is handling input, AppScan determines what to submit to the application next. The process then repeats from step two until the number of possible tests are depleted.
This methodology is beneficial as it more closely mimics the intelligence of a targeted manual scan conducted by a penetration test. What that means is that there are more XSS vulnerabilities detected with less arbitrary checks attempted. The key here is the development of a comprehensive decision tree. This is no simple task as it essentially requires analyzation of all possible avenues for testing vulnerabilities. Regardless, anyone using this technology will benefit from less application interaction and therefore less potential for interruption of production applications. This of course is key in black box application assessment. One can expect other competitive black box application scanning products to follow suit within the next few years.