Vulnerability Scanning Technique in AJAX Application
| Field | Value |
|---|---|
| Main Author | |
| Format | Final Project |
| Language | Indonesia |
| Online Access | https://digilib.itb.ac.id/gdl/view/39150 |
| Institution | Institut Teknologi Bandung |
Summary:

The development of internet technology and the needs of web-based applications gave birth to a new technology called AJAX, which allows a web application to update its content without reloading the entire page. Like other web applications, an AJAX application also has vulnerabilities. To detect vulnerabilities, web developers use a tool called a vulnerability scanner, to prevent vulnerabilities after application deployment. Generally, there are three processes in a vulnerability scanner: crawling, payload generation, and response analysis. However, AJAX introduces new challenges, one of which is the dynamic DOM. A crawling process will, generally, read only the HTML. In an AJAX application, however, the DOM may be changed by JavaScript execution. Because of this, the current crawling method is not effective in extracting URLs from an AJAX application, and so makes vulnerability scanning incomplete. One way to solve this problem is by using an AJAX crawler. An AJAX crawler extracts URLs by running JavaScript events, recording state changes, and extracting URLs from all the states generated. With this approach, a dynamic DOM can be converted into a set of static DOM instances and crawling can be done. Experiment results show that the AJAX crawler can extract a more complete result than the current crawling method. This result leads to a wider detection area for the vulnerability scanner, and the chance of detecting vulnerabilities increases. This is proved by the second experiment, where the vulnerability scanner W3AF with the AJAX crawler installed is able to detect new vulnerabilities in AJAX-called URLs. From this result, we can conclude that installing an AJAX crawler in a vulnerability scanner, without changing the payload generation and response analysis processes, can be used to detect vulnerabilities in AJAX applications.