Wednesday, June 19, 2013

CyberSecurity Resources

A question we are getting recently is: How can eValid be used to support cybersecurity work? In other words, given the very specialized needs of searching for and pinpointing cybersecurity vulnerabilities, what resources can eValid bring to the table?

For one thing, cybersecurity is a big area, involving a wide range of techniques -- static analysis, dynamic analysis, inspection, and a variety of other options. Because eValid's view is 100% client-side, its technology is only able to provide insight on how things operate from the browser, that is, at the client-side.

But the client side is, in some ways, one of the most potentially fruitful areas in which cyber vulnerability analysis can be performed.

As OWASP's section on Testing for AJAX Vulnerabilities points out, the advent of AJAX accounts for an "...Increased Attack Surface..." because AJAX "...throws in additional ways to potentially inject malicious content." In other words, AJAX is a largely untapped issue in the security world.
eValid can easily handle AJAX applications, and resources inside eValid can then be used to extract the information needed to expose problems due specifically to AJAX applications' asynchronous, client-server cooperative nature. So eValid seems to be a good fit for this kind of work, in an area in which it is already strong. The capabilities eValid can supply to a cyberthreat analysis effort are summarized in this CyberSecurity Resource Summary.

Saturday, June 15, 2013

Selected Recent Forum Posts

Here is a selection of some of the posts that we think would be of general interest.

Monday, June 10, 2013

How to get a good playback on an AJAX site?

Question:
Do you have any special recommendations for me on how to get a good playback on an AJAX site?

Answer:
Fair question, but also a very broad question.

Web applications that employ AJAX can range from the very simple (for example, a simple autocomplete activity) to the very, very complex (for example, the recently introduced http://www.outlook.com email system from Microsoft, which they are pitching as better than Gmail).

At a very high level we have found this method of using eValid to test and measure AJAX applications to be the most effective:

(1) Make a recording from life first. "From life" means, using the out-of-the-box settings, make a recording from the starting URL to the point where you are going to be validating a result. The Wait times that eValid puts into your script will, at playback time, provide a crude level of synchronization.

(2) Play the recording back. It ought to work the first time, assuming you have not edited the script and are not multiplying the Wait times by the Wait Time Multiplier to make things "go faster."

(3) Now, play back the script increasing the speed -- and increasing the chances of a script de-sync due to AJAX. When the script de-syncs, mark that spot in the playback, go back to that point, and record some kind of synchronization step. Repeat this until you can run your script with the Wait Time Multiplier = 0 -- that is, with NO wait times, but only synchronizations.

To a first level, this will get you a good script. Of course it can become more complex if you want to do structural testing on the page or if you want to replace some parts of your script with fancy DOM manipulations.

_________________
eValid Support