What web security scanner supports JSON & JavaScript?

dae mongmong asked on September 16, 2014 - 11:15am | Replies (1).

I am working in a software company. I am testing a web application for security issues.

The web application contains the following characteristics:
1. The web application does not use <FORM> for user authentication and form filling. JavaScript is used to send the HTTP POST instead.
2. JSON is used for most HTTP requests and responses. Even when viewing the page source in a web browser, the source does not include dynamic data. Dynamic data is fetched and displayed by JavaScript.
3. After user authentication, dynamic links are shown on the web pages. These links contain parameters and are generated by JavaScript when a page loads.
4. Anti-CSRF token checking is implemented in GET/POST requests to prevent CSRF. These anti-CSRF tokens are included in parameters of GET/POST requests.

I am looking for a web security scanner. The scanner should handle the following:
1. The scanner supports <FORM> and non-<FORM> authentication for scanning web pages requiring user authentication.
2. The scanner can scan the whole web application in a few steps (specifying the URL of the login page of the web application, user authentication information, the URL of the user logout link for exclusion).
3. Dynamic data is stored in JSON, and the HTML pages read JSON responses to display it. If a data field contains injected JavaScript code, the scanner can detect the XSS automatically.
4. The web crawler can find links generated by JavaScript.
5. The scanner can check each GET/POST request to find missing anti-CSRF tokens.

What tools would you suggest I use? Thanks.


1 Answer


Have you tried the OWASP ZAP tool? https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

This will help you decode/debug and exploit an application. Note: you should watch the videos found on the wiki to get a handle on how to use the tool.

The tool won't do the testing, but it will make it easier to execute any tests you are trying to do.

StickyMinds is a TechWell community.
