New MIT Scanner Finds Web App Flaws in a Minute

A Berkeley postdoctoral researcher and former MIT student will soon unveil Space, a static-analysis web-application security tool that can find vulnerabilities in a minute.

A new web application security scanner, developed by a former MIT student now Berkeley postdoctoral researcher, could be a real find for developers wishing to lock down bugs that live outside the OWASP top 10.

The static-analysis tool is called Space and will be unveiled at the upcoming International Conference on Software Engineering (ICSE). Space, used in conjunction with two other MIT-built web application security tools called Alloy (a language that describes programming structures) and Derailer (a tool that enumerates how app data might be exposed), can make bug-hunting in web apps more efficient.

Its developer Joseph P. Near, under the supervision of MIT Computer Science and Artificial Intelligence Laboratory professor Daniel Jackson, ran the scanner against 50 open source Ruby on Rails applications that were favorited on Github for one reason or another. The scans turned up 23 new vulnerabilities that were reported to the respective developers; the maximum time per scan, MIT said, was 64 seconds.

“The classic flaws we detect are basically inadequate mechanisms to protect read-write access to critical resources,” Jackson told Threatpost.

“We were very interested from the beginning in application-specific bugs,” Jackson said. “We saw so much progress on generic anomalies such as SQL injection and cross-site scripting, things that blacklisting, whitelisting and sanitization could take care of, that we saw a need to address application-specific errors.”

Jackson said that web application developers make assumptions about context when it comes to securing applications and therefore certain behaviors are allowed. Without checking whether those assumptions about context are correct, vulnerabilities could arise that could enable unwanted read-write access, Jackson said. Space, Jackson said, brings a catalog of known common patterns to scans. It checks code independent of context and extracts the conditions used to determine whether access should be allowed, he said.

Space was part of Near’s PhD work, MIT said. In building Space, he identified seven ways Web applications control access to data such as the public availability of data, or administrative access, for example. For each access pattern, MIT said, Near built a model that describes the level of access users should be granted. Space then evaluates whether the application conforms to policy, and if not, flags behavior as potentially malicious.
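As an added illustration, not Space's own code and not from MIT, the following Ruby sketch shows the kind of conformance check the article describes: one policy model per access pattern, a guard condition standing in for what was extracted from a Rails action, and a bounded search (in the spirit of Alloy's small-scope checking) for cases the code allows but the policy forbids. The patterns, users, resources and guard conditions are all constructed for this example.

```ruby
# Constructed illustration of the policy-conformance check; not Space's code.
User     = Struct.new(:id, :admin)
Resource = Struct.new(:id, :owner_id, :public)

# Policy models: what level of access each access pattern SHOULD grant.
# The article names public availability and administrative access; these
# three patterns are constructed stand-ins, not Space's catalog.
POLICIES = {
  public:     ->(_u, r, op)  { op == :read && r.public },
  owner_only: ->(u, r, _op)  { u.id == r.owner_id },
  admin_only: ->(u, _r, _op) { u.admin },
}

# Small bounded universe: two ordinary users, one admin, two records.
USERS     = [User.new(1, false), User.new(2, false), User.new(3, true)]
RESOURCES = [Resource.new(10, 1, true), Resource.new(11, 2, false)]
OPS       = [:read, :write]

# Compare a guard condition against the policy for its access pattern.
# Returns every (user_id, resource_id, op) the guard allows but the policy
# does not: the over-permissive cases a checker would flag.
def violations(guard, pattern)
  policy = POLICIES.fetch(pattern)
  USERS.product(RESOURCES, OPS).select do |u, r, op|
    guard.call(u, r, op) && !policy.call(u, r, op)
  end.map { |u, r, op| [u.id, r.id, op] }
end

# Constructed guards standing in for conditions extracted from actions.
# A typical application-specific flaw: the action checks only that the
# caller is logged in, never that the caller owns the record.
LOGGED_IN_ONLY = ->(u, _r, _op) { !u.nil? }
OWNER_CHECK    = ->(u, r, _op)  { u.id == r.owner_id }
# A guard that exposes public records for writing, not just reading.
PUBLIC_ANY_OP  = ->(_u, r, _op) { r.public }

if __FILE__ == $PROGRAM_NAME
  puts "owner_only vs logged-in guard: #{violations(LOGGED_IN_ONLY, :owner_only).size} flagged"
  puts "owner_only vs owner guard:     #{violations(OWNER_CHECK, :owner_only).size} flagged"
  puts "public vs any-op guard:        #{violations(PUBLIC_ANY_OP, :public).size} flagged"
end
```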

Space is still a prototype, and Jackson said developers can run it free-standing, or it could someday be packaged as part of a bigger scanner.

“It has great promise,” Jackson said. “It’s exciting for the potential it has and the paths it could open for better application security.”

Discussion

  • reza on

    How can it be possible when you have to test every entry point? I think this is not correct and it is just a show-off.
    • Rob Shein on

      Note that it's a static analysis tool; it runs through the code and models behavior, rather than scanning the web application as though it were coming across the network. I don't see how it would have to take all that long, given the lack of latency for request/response events or the need to fuzz every entry point. What it's doing is looking for ways in which the code has the ability to do more than it should. There's a certain brilliance to the approach, because ultimately excessive access at that granular level is the core of a real vulnerability.