TUCoPS :: Web :: General :: bt1213.txt

Sanctum AppScan 4 misses potential vulnerabilities in wrapped links

"AppScan 4.0 Audit Edition, the market leading application vulnerability
assessment tool, accurately detects security vulnerabilities
automatically as an integrated component of an enterprise security
process review."

AppScan 4 have a flaw regarding the way the "Explore stage" is
implemented when the "Automatic Scan" is selected. When a reference to a
URL in a "a href" tag is made using a wrapper function instead of
directly calling "window.open" or "document.location" javascript
functions, AppScan will not detect the link and the URL will not be
tested against any attack.

As this is a common way to reference URLs (it enables the coder to do
some stuff before the window is actually opened), many pages of a
website may not be analyzed by AppScan, hiding potential vulnerabilities
to the user. An attacker with this knowledge would scan first pages
referenced in the way explained above, speeding up the vulnerability
discovery process.

Here is an example of a link that will be ignored by AppScan:

function openBrWindow(theURL,winName,features)
{ window.open(theURL,winName,features); }

<a href="#" onClick="openWindow('bla.html','','');">
<img src="bla.jpg"></a>

I contacted SanctumInc, and this was the solution proposed:

"We are aware of this limitation and in case of extensive usage of Java
Script we recommend the user to choose "Interactive" Scan Type and
explore the site manually. If you do so, just like a normal user will
explore your site, AppScan will test the encapsulated links."

More information about this product: www.sanctuminc.com

Rafael San Miguel Carrasco
Division de Infraestructura y Seguridad en Redes IP
Telefonica I+D

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH