A question we are getting recently is:
How can eValid be used to support cybersecurity work?
In other words, given the very specialized needs of searching
for and pinpointing cybersecurity vulnerabilities,
what resources can eValid bring to the table?
For one thing, cybersecurity is a big area,
involving a wide range of techniques
-- static analysis, dynamic analysis, inspection, and a variety of other options.
Because
eValid's view is 100% client-side, its technology is only able to provide insight
on how things operate from the browser, that is, at the client-side.
But that is in some ways one of the most potentially fruitful areas for
which cyber vulnerability analysis can be performed.
As OWASP's section on
Testing for AJAX Vulnerabilities points out,
the advent of AJAX accounts for an "...Increased Attack Surface..."
because AJAX
"...throws in additional ways to potentially inject malicious content."
In other words, AJAX is an untapped issue in the security world.
eValid can easily handle AJAX applications, and resources inside
eValid can then be used to extract the information needed to expose
problems due specifically to AJAX applications' asynchronous,
client-server cooperative nature.
So eValid seems to be a good fit for this kind of work,
in an area in which it is already strong.
The capabilities eValid can supply to a cyberthreat analysis effort
are summarized in this
CyberSecurity Resource Summary.
Wednesday, June 19, 2013
Saturday, June 15, 2013
Selected Recent Forum Posts
- Which browser is eValid imitating? -- Details of eValid's neat trick to emulate ANY device!
- Can I use eValid to find out why my pages are loading slowly? -- The general method eValid uses to measure detailed timing is revealed.
- A way of capturing the value into a variable in memory -- Tricky manipulations with DOM values have big payoffs.
- Can you do a search from the Address field? -- Guidelines for getting good simple searches done.
- eValid synchronize playback -- The big issue: synchronization of AJAX! Here's the scoop.
Monday, June 10, 2013
How to get a good playback on an AJAX site?
Question:
Do you have any special recommendations for me on how to get a good playback on an AJAX site?
Answer:
Fair question, but also a very broad question.
Web applications that employ AJAX can range from very simple (for example, a simple autocomplete activity), to the very, very complex (for example, the recently introduced http://www.outlook.com email system from Microsoft which they are pitching as better than Gmail).
At a very high level we have found this method of using eValid to test and measure AJAX applications to be the most effective:
(1) Make a recording from life first. "From life" means, using the out-of-the-box settings, make a recording from the starting URL to the point where you are going to be validating a result. The Wait times that eValid puts into your script will, at playback time, provide a crude level of synchronization.
(2) Play the recording back...it ought to work the first time assuming you have not edited the script and are not multiplying the Wait times by the Wait Time Multiplier to make things "go faster."
(3) Now, play back the script increasing the speed -- and increasing the chances for a script de-sync due to AJAX. When the script de-syncs, mark that spot in the playback, go back to that point, and record some kind of synchronization step. Repeat this until you can run your script with the Wait Time Multiplier = 0 -- that is, with NO wait times, but only synchronizations.
To a first level, this will get you a good script. Of course it can become more complex if you want to do structural testing on the page or if you want to replace some parts of your script with fancy DOM manipulations.
_________________
eValid Support
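The three-step method above, replacing recorded Wait times with synchronization steps, modelled as an added example in plain JavaScript (not eValid script syntax, and not code from eValid Support). The AJAX page, its latency, the virtual clock and the "Order #1234 confirmed" result text are all constructed here to keep it deterministic and offline.

```javascript
// Simulated AJAX page: the validated DOM element only appears once the
// asynchronous reply has "arrived", latencyTicks after the page loads.
// Time is a virtual counter so the example runs instantly and repeatably.
function makePage(latencyTicks) {
  let now = 0;
  return {
    advance(ticks) { now += ticks; },
    now() { return now; },
    // null until the AJAX response has updated the DOM (constructed text)
    resultText() { return now >= latencyTicks ? "Order #1234 confirmed" : null; },
  };
}

// Steps (1)/(2): the recorded script relies on a fixed Wait, scaled by
// the Wait Time Multiplier. This is only a crude synchronization: if the
// server is slower than the recorded Wait, validation reads an empty DOM.
function playWithWait(page, recordedWait, multiplier) {
  page.advance(recordedWait * multiplier);
  const text = page.resultText();
  return { ok: text !== null, text, elapsed: page.now() };
}

// Step (3): a synchronization step polls the DOM for the expected state
// instead of sleeping, so Wait Time Multiplier = 0 still plays correctly.
// A timeout keeps a broken page from hanging the run (reported as ok=false).
function playWithSync(page, pollTicks, timeoutTicks) {
  while (page.now() < timeoutTicks) {
    const text = page.resultText();
    if (text !== null) return { ok: true, text, elapsed: page.now() };
    page.advance(pollTicks);
  }
  return { ok: false, text: null, elapsed: page.now() };
}

// Compare both styles against a fast and a slow server with a recorded Wait of 5.
function demo() {
  return {
    fastWait:   playWithWait(makePage(3), 5, 1),   // ok: reply beat the Wait
    slowWait:   playWithWait(makePage(8), 5, 1),   // de-sync: Wait too short
    noWait:     playWithWait(makePage(3), 5, 0),   // multiplier 0: always de-syncs
    slowSync:   playWithSync(makePage(8), 1, 30),  // ok, finishes at tick 8
    deadSync:   playWithSync(makePage(100), 1, 30) // times out instead of hanging
  };
}
```

Every de-sync shows up as ok=false rather than a false "pass", which is the point of step (3): a script that validates on a fixed Wait can silently report a result the page never rendered.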