>I'm getting crazy to find a vulnerability scanner that evaluates the
security of a website done with Ajax. I need it to have a API or a
console mode so I would be able to integrate it into a cron.
> Any ideas?
Only ideas
Why do you want to cron it? I would run the tests whenever there is a new test or a change to the application.
Divide and conquer. You have something like a rich client and a API, right?
First the api: make your tests with your favorite language/technology (I like wget/curl with some grep magic and shunit), first the positive cases then the negative ones: try to trespass the workflow of calls, bypass the authentication and authorization scheme, inject html, javascript or sql, overflows
For the "rich client" perhaps you will have to repeat, reuse or extend some tests, like the xss.
Use the owasp top ten for both.
I know that I am not answering your question, but hope it help you
Carlos Pantelides
-----------------
http://seguridad-agile.blogspot.com/
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
Joel:
>I'm getting crazy to find a vulnerability scanner that evaluates the
security of a website done with Ajax. I need it to have a API or a
console mode so I would be able to integrate it into a cron.
> Any ideas?
Only ideas
Why do you want to cron it? I would run the tests whenever there is a new test or a change to the application.
Divide and conquer. You have something like a rich client and a API, right?
First the api: make your tests with your favorite language/technology (I like wget/curl with some grep magic and shunit), first the positive cases then the negative ones: try to trespass the workflow of calls, bypass the authentication and authorization scheme, inject html, javascript or sql, overflows
For the "rich client" perhaps you will have to repeat, reuse or extend some tests, like the xss.
Use the owasp top ten for both.
I know that I am not answering your question, but hope it help you
Carlos Pantelides
-----------------
http://seguridad-agile.blogspot.com/
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
[ reply ]