Our core security researcher, Benjamin Daniel Mussler, has been invited to Paul’s Security Weekly podcast to participate in a discussion about new web technologies and their impact on automated security testing.
Benjamin's main point was that web browsers have come a long way since they served only static pages: web applications are becoming more and more like desktop applications, which means the web browser is taking on the role of an operating system.
The biggest challenges related to this are:
- Browsers will gain more and more access to the underlying operating system without user confirmation (for example, direct file system access). As a result, web vulnerabilities may have even more serious consequences on the client side, and security professionals must find ways to secure such functionality.
- Web application security scanners can only protect you well if they keep up with these web developments. To do so, they must use a modern headless browser that supports all of those capabilities. Acunetix uses Chromium for that purpose.
- The more complex web applications become, the more difficult it is to exercise their business logic automatically. That is why solutions that let you record an interaction and then replay it are needed for full coverage (in the case of Acunetix: the Login Sequence Recorder and the Business Logic Recorder).
If you want to follow the development of web browser and web application capabilities, Benjamin recommended the Fugu project. Just as the Japanese fugu fish is highly poisonous when prepared improperly, new web capabilities may pose a great danger if used without security in mind.