Rapid7 Introduces Browser Emulation Scanning Technology (BEST) for Detecting JavaScript Code Vulnerabilities in Web Applications.


Rapid7 is First to Deliver a Vulnerability Scanning Solution That Analyzes Code in Deployed Web Applications

BOSTON -- Rapid7, provider of the award-winning NeXpose enterprise vulnerability management solution, today introduces Browser Emulation Scanning Technology (BEST) for scanning Web applications for vulnerabilities in JavaScript code. With BEST, Rapid7 takes NeXpose's robust, automatic Web spidering and analysis capabilities to the next level, and is the first to provide a vulnerability scanning solution that analyzes JavaScript code in deployed, running Web applications.

Rapid7 developed BEST in response to the increased use of Asynchronous JavaScript and XML (AJAX) for dynamic Web programming, which makes Web sites and applications vulnerable to Document Object Model or DOM-based cross-site scripting (XSS) and other risks. DOM-based XSS allows an attacker to trick a Web application into emitting malicious JavaScript or HTML code that appears to come from the application when it runs in the browser of an unsuspecting user.

NeXpose thinks like the browser and performs static analyses of the JavaScript code embedded in Web applications. As a result, NeXpose uncovers exposures not found by other vulnerability assessment solutions, which only scan for vulnerabilities at the server and application levels.
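The DOM-based XSS pattern described above and the source-to-sink static analysis the release attributes to NeXpose, as an added example that is not Rapid7's code: a deliberately small, line-based checker that flags attacker-influenced DOM sources (URL fragment, query, referrer) reaching HTML or code sinks in a constructed sample of embedded page script. The sanitiser name escapeHtml is an assumption, and the textual matching stands in for the parser-driven analysis a real tool would use.

```javascript
// Added example, not Rapid7/NeXpose code: a toy static source-to-sink check
// for DOM-based XSS in embedded JavaScript. Line-based and textual, so it
// illustrates the idea rather than replacing a parser-driven analysis.

// Sources: DOM properties an attacker can influence via the URL or referrer.
const SOURCES = ["location.hash", "location.search", "document.URL",
                 "document.referrer", "window.name"];
// Sinks: APIs that interpret a string as HTML or executable code.
const SINKS = ["innerHTML", "outerHTML", "insertAdjacentHTML",
               "document.write", "eval("];
// Hypothetical sanitiser name assumed for this example; a real tool needs a
// configurable list of known-safe encoders for each output context.
const SANITIZERS = ["escapeHtml("];

// Returns one {line, source, sink} finding per line where a source, or a
// variable declared from one, reaches a sink without passing a sanitiser.
function findDomXss(js) {
  const tainted = new Set();   // variable names holding attacker-influenced data
  const findings = [];
  js.split("\n").forEach((text, i) => {
    const line = i + 1;
    const src = SOURCES.find(s => text.includes(s));
    const viaVar = [...tainted].find(v => new RegExp("\\b" + v + "\\b").test(text));
    const sanitised = SANITIZERS.some(f => text.includes(f));
    // Propagate taint through simple declarations: var x = <source or tainted var>
    const decl = text.match(/^\s*(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=(.*)$/);
    if (decl && !sanitised && (src || viaVar)) tainted.add(decl[1]);
    const sink = SINKS.find(k => text.includes(k));
    if (sink && !sanitised && (src || viaVar)) {
      findings.push({ line, source: src || viaVar, sink });
    }
  });
  return findings;
}

// Constructed sample of embedded page script (not taken from any real site).
const SAMPLE = [
  "var q = decodeURIComponent(location.hash.slice(1));",   // tainted source
  "var safe = escapeHtml(q);",                              // sanitised copy
  "document.getElementById('out').innerHTML = q;",          // DOM-based XSS
  "document.getElementById('ok').innerHTML = safe;",        // safe: encoded
  "document.getElementById('txt').textContent = q;",        // safe: text, not HTML
  "document.write(document.referrer);",                     // DOM-based XSS
].join("\n");

console.log(findDomXss(SAMPLE));
```

Running it reports lines 3 and 6 as findings and leaves the encoded and textContent assignments alone.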

"With the explosion of AJAX for developing interactive Web applications, there is more complex, rich-client functionality via JavaScript, which creates further opportunities for exposures that can put organizations at risk," said Alan Matthews, president of Rapid7 LLC. "Web 2.0 contains numerous threats, such as DOM-based cross-site scripting, race conditions, cross-site request forgery (XSRF) and data manipulation. NeXpose eliminates these threats by taking a multi-pronged approach that includes front and back-end scanning of the Web server, Web applications and the embedded JavaScript code."

"Because Web applications are frequently modified, they are more susceptible to vulnerabilities, particularly within their source code," stated Neil MacDonald, VP and Distinguished Analyst, Gartner. "The increasing use of rich user interface designs in AJAX-based Web applications means that JavaScript source code scanning must become a standard part of Web application security scanning."

Rapid7's BEST is available in the current release of NeXpose, Version 4.1. Future NeXpose releases will extend BEST coverage to Adobe/Macromedia Flash and ActionScript.

About NeXpose

The award-winning NeXpose enterprise vulnerability management solution scans Web server applications, databases, operating systems, and network devices to locate threats, assess their risk to the environment, devise a remediation plan and implement the ticketing process. NeXpose incorporates an expert system to build a knowledge base of facts on the environment it's exploring and model potential targeted attacks to expose all existing threats. NeXpose provides reporting capabilities that ensure compliance with governmental regulations and corporate security configuration policies. NeXpose PCI Compliance services meet the security scanning requirements of the MasterCard Site Data Protection (SDP) Program.

About Rapid7

Rapid7 was founded in 1999 by a team of software industry veterans who were major contributors to product development and subsequent growth and success at Percussion Software, Bond Technologies and Stride & Associates. Rapid7 launched NeXpose, its award-winning enterprise vulnerability management solution, in 2001. Since introduced, NeXpose has been sold to over 130 organizations in the U.S. and abroad. Rapid7 sells NeXpose to corporate enterprises, Global 2000 companies, and government entities, and serves the full range of vertical markets.

Rapid7 is headquartered in Boston, MA, with offices in California and the United Kingdom. For more information on the company and its product, NeXpose, visit http://www.rapid7.com.
COPYRIGHT 2006 Business Wire

Publication: Business Wire
Date: Nov 15, 2006