How Modern Single Page Web Applications Break Traditional Application Vulnerability Scanning

Webinar Registration

Modern web applications completely change how we approach security assessments. To understand why, we need to understand how different modern web applications are from traditional ones.

Web application security has always been complicated because of all the tiers involved. You’ve got code running in the untrusted client’s browser, code in the web server platform, code running in the database server and other third-tier services.

That complexity is growing as we implement modern web applications. What is a modern web app? Let’s start with traditional web applications. You browse to a page, it displays, you interact with some controls in a form and click Submit. The browser sends that information to the server, which processes the form data and composes a new page that the browser displays back on the client. That display page, submit, display page, submit cycle first started to blur with the advent of Ajax programming techniques 10 years ago. An example of Ajax is where you select a customer name from a list on a web page and the browser, via JavaScript, sends that selection to the web server, gets back the detail information for that customer and displays it in the existing web page without doing a whole page refresh. But modern web apps go way beyond that.

The traditional page – submit – page – submit cycle was really a step back in terms of user interface. In fact, it was a lot like the old mainframe user interface style, with web pages taking the place of “screens”. That’s very different from the desktop GUI applications we are accustomed to, which were so much more interactive and dynamic.

Traditional web applications have a very tight coupling between the HTTP protocol and the way the user interacts with the application. Each click of Submit has a one-to-one correspondence to an HTTP GET or POST request followed by a new page being rendered from the server’s response. The web browser was largely a dumb terminal, with JavaScript mostly limited to immediate data validation and, later, with the rise of Ajax, some dynamic updates to the page’s content. But the user was very aware of each time they submitted information to the server and got back a result.

In addition, the rise of mobile devices demanded a change in web applications because the screen size and proportions were so different – not to mention the touch factor. Some organizations rushed to redesign their web sites and applications to embrace a mobile-first priority to the chagrin of users still working from their desktops using big screens, keyboard and mouse. 

So, there are multiple forces exerting pressure to make applications far more flexible and dynamic.

Modern web applications seek to completely erase that coupling so that the user is really interacting with the browser and the JavaScript running there. And that client-side code communicates with the server as necessary in order to get data and/or new client-side JavaScript to interact with the user as the context of the application and session state changes.

The epitome of a modern web application is a so-called single page app. MSDN defines SPAs as:

Single-Page Applications (SPAs) are Web apps that load a single HTML page and dynamically update that page as the user interacts with the app. SPAs use AJAX and HTML5 to create fluid and responsive Web apps, without constant page reloads. However, this means much of the work happens on the client side, in JavaScript.

That last sentence really gets at the heart of what makes security assessments of SPA/modern web applications different and more difficult than with traditional web apps. 

A web application security scanner used to be able to use a sitemap of a website or web application to fully exercise the app and test it for vulnerabilities. It could either utilize a provided set of URLs or build its own sitemap by spidering the application/site itself. The concept of a sitemap as a comprehensive path to all of the application’s functionality really just goes away with modern web applications.
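To make the coverage gap concrete, here is an added illustration (not code from the webinar or from Rapid7): a minimal link-following spider is run over a constructed traditional page and over a constructed SPA shell, and the SPA’s real functionality is then recovered from its JavaScript bundle instead. The bundle’s `path: '/...'` route-table syntax is an assumption modelled on common client-side routers, not any specific framework’s format.

```python
import re
from html.parser import HTMLParser

class LinkSpider(HTMLParser):
    """Collects what a sitemap spider can see: anchor hrefs and form actions."""
    def __init__(self):
        super().__init__()
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.urls.add(a["href"])
        elif tag == "form" and a.get("action"):
            self.urls.add(a["action"])

def spider(html):
    """Return the set of URLs a crawler discovers from one HTML document."""
    p = LinkSpider()
    p.feed(html)
    return p.urls

# Assumed router syntax: path: '/x' or path: "/x" inside the client bundle.
ROUTE_RE = re.compile(r"""path\s*:\s*['"]([^'"]+)['"]""")

def routes_from_bundle(js):
    """Defender-side check: enumerate client routes from the bundle so they can
    be fed to the scanner as a seed list instead of relying on the spider."""
    return set(ROUTE_RE.findall(js))

def coverage(seen, actual):
    """Fraction of the application's functions the spider actually reached."""
    return len(seen & actual) / len(actual) if actual else 1.0

# Constructed traditional app: every function is a link or a form.
TRADITIONAL = """<html><body>
<a href="/customers">Customers</a> <a href="/orders">Orders</a>
<form action="/search" method="post"><input name="q"></form>
</body></html>"""
TRADITIONAL_FUNCTIONS = {"/customers", "/orders", "/search"}

# Constructed SPA shell: one div and one script; the real app lives in app.js.
SPA_SHELL = """<html><body><div id="root"></div>
<script src="/static/app.js"></script></body></html>"""
SPA_BUNDLE = """const routes=[{path:'/customers',c:CustList},{path:'/customers/:id',c:CustDetail},
{path:"/orders",c:Orders},{path:"/admin/export",c:Export}];"""

if __name__ == "__main__":
    print("traditional coverage:", coverage(spider(TRADITIONAL), TRADITIONAL_FUNCTIONS))
    print("SPA coverage:", coverage(spider(SPA_SHELL), routes_from_bundle(SPA_BUNDLE)))
```

The spider reaches 100% of the traditional app but 0% of the SPA, because the SPA shell contains no links at all; the routes only exist inside the JavaScript.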

In this real training for free event, we will explore:

  • Examples of traditional and modern web applications
  • A demonstration of how traditional web application vulnerability scanning “can’t see”, and thus never tests, more than a fraction of a modern web application’s functionality
  • How new types of vulnerabilities arise with modern web applications

In today's world of modern web applications, we have to deal with an all new set of issues and complexities. Understanding these complexities, how they hide data and interactions with the web application, and what they are really doing behind the scenes is key to understanding how secure your application is and how best to address these issues. Understanding how client-side frameworks use JavaScript to hide your interactions with, and the availability of, the data and parameters your application exposes also helps you understand why it's important to bring security into your application earlier. Server-side programming techniques and performance enhancements also play a role in this game. Without the ability to look into the virtual DOM, you will always be missing key and/or large parts of your application which cannot be found using traditional methods. Additionally, to make these types of techniques easier and your applications faster and more responsive, organizations have begun using routes to communicate with their APIs behind the scenes, which further obscures the data.

Here are some of the questions we’ll answer:

  • What are Web 2.0 applications, how are they different from legacy web applications and why does it matter?
  • What kinds of modern frameworks are there and how do they differ?
  • Does this introduce additional complexities to how we do unit and security testing?
  • How do I make sure that I'm taking these things into consideration as I grow my security/DevOps maturity?
  • Why does this create problems for automatic tools such as DAST/IAST Tools?

I’m joined by David Howe from our sponsor Rapid7. David is a subject matter expert in vulnerability scanning of web applications and brings a lot of substance to this conversation. He will also briefly show how Rapid7 and their cloud-powered dynamic application security testing solution, InsightAppSec, address these issues.

Please join us for this real training for free session.
