Network Computing is part of the Informa Tech Division of Informa PLC


Cenzic's Hailstorm

The Upshot

Cenzic's Hailstorm detects vulnerabilities in both Web and AJAX-enabled sites, using differencing techniques rather than signatures. Hailstorm's AJAX-specific features are aimed at catching authorization and authentication holes and ensuring that dynamic AJAX links are examined for potential vulnerabilities, especially ones that could allow SQL injection and cross-site scripting.

The rapid growth of AJAX-enabled sites and applications on the Web and in the enterprise has raised the hackles of security administrators who are rightfully concerned about securing this popular Web 2.0 technology. In general, most AJAX-based sites are vulnerable to Web attacks, as many developers still fail to implement proper security. Furthermore, the technology is open to a wide range of XML attacks, which standard vulnerability-assessment tools haven't addressed.

While Cenzic's Hailstorm uncovers conventional Web-based vulnerabilities applicable to AJAX, it can't find those that could lead to more sinister XML-based attacks, such as XML bombs and entity expansion attacks. Rival Parasoft's SOAPtest has a firmer XML base on which to build its vulnerability-testing software. Hailstorm can root out vulnerabilities to SQL injection and session tampering in AJAX applications as well as validate authentication mechanisms. The product's thorough scanning of Web sites makes it a good companion for products that spot XML vulnerabilities.
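The XML bomb and entity expansion class mentioned above is one that a browser-driven scanner such as Hailstorm does not cover, so the application itself has to gate untrusted XML. Added example (not Cenzic's or the article's code): a pre-parse guard that estimates, in linear time, how large a document would grow once its internal entities are expanded, and refuses external DTD references outright; the sample document is constructed.

```python
import re

# Constructed sample: a cut-down "billion laughs" document. Each level references
# the previous one ten times; real attacks nest about ten levels deep.
BOMB = """<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

_DOCTYPE = re.compile(r"<!DOCTYPE\b(?:[^\[>]*\[.*?\])?[^>]*>", re.S)
_DECL = re.compile(r"""<!ENTITY\s+(\w+)\s+(["'])(.*?)\2""", re.S)  # internal general entities
_REF = re.compile(r"&(\w+);")

def _expanded_len(text, entities, memo, stack):
    # Length of `text` once every entity reference in it is expanded, recursively.
    total, pos = 0, 0
    for ref in _REF.finditer(text):
        total += ref.start() - pos + _entity_len(ref.group(1), entities, memo, stack)
        pos = ref.end()
    return total + len(text) - pos

def _entity_len(name, entities, memo, stack):
    if name in memo:  # memoised, so a ten-level bomb costs ten evaluations, not 10**10
        return memo[name]
    if name in stack:  # self-referencing entity: ill-formed XML and an endless expansion
        return float("inf")
    if name not in entities:  # predefined or undeclared: count the reference as written
        return len(name) + 2
    stack.add(name)
    memo[name] = _expanded_len(entities[name], entities, memo, stack)
    stack.discard(name)
    return memo[name]

def entity_expansion_cost(xml_text):
    """Characters the document body would occupy after full entity expansion."""
    m = _DOCTYPE.search(xml_text)
    dtd, body = (m.group(0), xml_text[m.end():]) if m else ("", xml_text)
    entities = {d.group(1): d.group(3) for d in _DECL.finditer(dtd)}
    return _expanded_len(body, entities, {}, set())

def check_xml(xml_text, max_expanded=100_000):
    """Gate for untrusted XML, run before a real parser sees it: (accepted, reason)."""
    m = _DOCTYPE.search(xml_text)
    if m and re.search(r"\b(SYSTEM|PUBLIC)\b", m.group(0)):  # fails closed on any match
        return False, "external DTD or external entity reference"
    size = entity_expansion_cost(xml_text)
    if size > max_expanded:
        return False, f"expands to {size} characters, limit is {max_expanded}"
    return True, "ok"
```

The guard is an estimate that only overstates: undeclared names are counted as written, and a single-quoted or parameter entity the regexes do not understand is still subject to the parser's own limits afterwards.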

Cenzic Hailstorm 3.1

starts at $10,000 per application

The explosion of AJAX-enabled Web sites and applications has raised security concerns about this dynamic, XML-based technology. Most scripting technologies run on either the server or the client, not both, as Asynchronous JavaScript and XML does. Combining scripting on both the client and server would be problematic enough with the introduction of dynamic URLs and data in both environments, but when these elements join with XML and a SOA-like execution paradigm, the security concerns become serious. XML security vendor Forum Systems, for example, issued an AJAX security alert earlier this year, and version 2.1 of the Open Web Application Security Project Guide will include a chapter on AJAX.

Cenzic, a long-time player in the application security field, has updated its Hailstorm vulnerability-assessment tool to include the ability to scan AJAX-enabled applications for a wide range of security weaknesses. Though Hailstorm remains Web-focused and does not cover many of the top 10 XML/SOA-specific vulnerabilities, the tool is able to discover vulnerabilities that even its SOA security-focused counterparts may not be able to root out. This is largely due to AJAX's reliance on the browser's scripting capabilities. Security enforcement products such as Forum Systems' XWall and Sentry, Reactivity's XML Security Gateway and Layer 7 Technologies' SecureSpan XML Gateway don't account for such factors as session management and security, because they don't interact with the browser. Pairing Hailstorm with any of these XML/SOA-specific security tools would constitute a complete Web 2.0 and SOA security strategy.

No Single Solution
