SecurityFocus BUGTRAQ Mailing List: BugTraq

To: BugTraq
Subject: Sanctum AppScan 4 misses potential vulnerabilities in wrapped links
Date: Sep 24 2003 9:10PM
Author: RAFAEL SAN MIGUEL CARRASCO
Message-ID: <272f2826c257.26c257272f28@tid.es>

"AppScan 4.0 Audit Edition, the market leading application vulnerability assessment tool, accurately detects security vulnerabilities automatically as an integrated component of an enterprise security process review."

AppScan 4 has a flaw regarding the way the "Explore stage" is implemented when the "Automatic Scan" is selected. When a reference to a URL in an "a href" tag is made using a wrapper function instead of directly calling the "window.open" or "document.location" JavaScript functions, AppScan will not detect the link and the URL will not be tested against any attack.

As this is a common way to reference URLs (it enables the coder to do some stuff before the window is actually opened), many pages of a website may not be analyzed by AppScan, hiding potential vulnerabilities from the user. An attacker with this knowledge would scan first the pages referenced in the way explained above, speeding up the vulnerability discovery process.
Here is an example of a link that will be ignored by AppScan:

I contacted Sanctum Inc, and this was the solution proposed:

"We are aware of this limitation and in case of extensive usage of Java Script we recommend the user to choose "Interactive" Scan Type and explore the site manually. If you do so, just like a normal user will explore your site, AppScan will test the encapsulated links."

More information about this product: www.sanctuminc.com

Rafael San Miguel Carrasco
División de Infraestructura y Seguridad en Redes IP
Telefónica I+D
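The following is an added example, not part of the original post or of Sanctum's product: a small heuristic that scans a page's HTML for functions wrapping window.open or document.location and lists the URLs passed to them from href/onclick attributes, so a site owner can hand those URLs to the scanner's interactive explore stage and check that coverage is complete. The HTML, function names and URLs are constructed for illustration.

```javascript
// Constructed sample page: one plain link, two links reached only through
// JavaScript wrappers (goTo, nav), and one call to a non-navigating function.
const sampleHtml = `
<script>
function goTo(url) { /* e.g. record the click, then open */ window.open(url); }
function nav(page) { document.location = page; }
function noop(x) { return x; }
</script>
<a href="/about.html">About</a>
<a href="javascript:goTo('/accounts/list.jsp?id=1')">Accounts</a>
<a href="#" onclick="nav('/admin/report.jsp'); return false;">Report</a>
<a href="#" onclick="noop('/not-a-link')">Nothing</a>
`;

// Heuristic (regex, not a real JS parser): a one-parameter function whose body
// hands that parameter to window.open(...) or assigns it to document.location
// is treated as a navigation wrapper. Bodies with nested braces are not handled.
function findWrapperFunctions(html) {
  const wrappers = new Set();
  const fnRe = /function\s+(\w+)\s*\(\s*(\w+)\s*\)\s*\{([\s\S]*?)\}/g;
  let m;
  while ((m = fnRe.exec(html)) !== null) {
    const [, name, param, body] = m;
    const usesParam = new RegExp(
      `(window\\.open\\s*\\(\\s*${param}\\b|document\\.location\\s*=\\s*${param}\\b)`
    );
    if (usesParam.test(body)) wrappers.add(name);
  }
  return wrappers;
}

// Collect string-literal arguments passed to a known wrapper from inside
// href="..." or onclick="..." attributes; these are the crawl targets a
// crawler that only follows plain hrefs would miss.
function extractWrappedLinks(html) {
  const wrappers = findWrapperFunctions(html);
  const urls = [];
  const attrRe = /\b(?:href|onclick)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    const callRe = /(\w+)\s*\(\s*'([^']*)'\s*\)/g;
    let c;
    while ((c = callRe.exec(m[1])) !== null) {
      if (wrappers.has(c[1])) urls.push(c[2]);
    }
  }
  return urls;
}
```

Running extractWrappedLinks(sampleHtml) yields the two wrapped URLs and ignores both the plain href and the noop call.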