The Emperor's New Clothes: Why Vulnerabilities in RIA, Mobile and Web Services are Invisible to Most Web Application Scanners

New Research from NT OBJECTives Identifies Nine Application Technologies Overlooked by Most Web Scanners; Company Releases a Re-architected NTOSpider 6 to Close the Gap

Oct 25, 2012, 07:00 ET from NT OBJECTives

AUSTIN, Texas and IRVINE, Calif., Oct. 25, 2012 /PRNewswire/ -- APPSEC USA -- In recent years, a new generation of web applications leveraging technologies such as Mobile, JSON, REST, HTML5 and AJAX has emerged to deliver highly complex and dynamic web experiences, but the web application scanner industry has not kept pace in detecting vulnerabilities in these new formats. With a widening scanner coverage gap, security teams have had to turn to manual testing practices to discover vulnerabilities associated with these new formats. Today, NT OBJECTives has released "The Widening Web Application Security Scanner Coverage Gap in RIA, Mobile and Web Services: Is Your Scanner like the Emperor's New Clothes?", a research report that identifies nine common underlying web application technologies in mobile applications, Rich Internet Applications (RIA) and web services that are being overlooked by today's scanners, with practical guidance on how to improve security efficiency and effectiveness with each.


"The spread of mobile applications, web services and complex Rich Internet Applications (RIA) has made a bad situation worse for security professionals, who are constantly playing catch-up to stay ahead of vulnerabilities and frantically defending against persistent hackers. Security teams have been forced to test new applications manually, which has become time consuming, a drain on resources and insufficient for understanding risk," says Dan Kuykendall, co-CEO and CTO of NT OBJECTives.

Today, many web scanners can effectively scan classic HTML and JavaScript sites, but are unable to translate and assess the modern technologies that have become increasingly prevalent and necessary to deliver the rich experience users demand from RIA, mobile and web services applications. In the report, NT OBJECTives (NTO) explains each technology, demonstrates why and how each creates challenges for web scanners, and provides step-by-step instructions for how security professionals can determine whether their scanners are effectively scanning and attacking these newer technologies.

The report is being issued today in conjunction with the company's beta release of NTOSpider 6, a new dynamic application security testing (DAST) solution that includes a proprietary Universal Translator technology that can automatically crawl, detect and attack vulnerabilities in these modern applications.

Application Technologies Invisible to Most Web Scanners

The technologies most commonly overlooked by web scanners include:

  • AJAX applications: JSON (jQuery), REST, GWT (Google Web Toolkit)
  • Flash remoting: AMF
  • HTML5 applications
  • Backends powered by JSON, REST and other custom formats
  • Web services
    • JSON, REST
    • XML-RPC, SOAP
  • Complex application workflows
    • Sequences: shopping cart and other strict processes
    • XSRF/CSRF tokens

About NTOSpider 6
Available in beta today, NTOSpider 6 provides comprehensive, automated coverage of Mobile, AJAX, SOAP, JSON and other modern application technologies that were previously only discoverable manually. NTOSpider 6 provides security professionals with the following major benefits:

  • Broader coverage: NTO's new Universal Translator provides rapid, broad coverage of complex, modern applications with an automated tool that requires minimal manpower per scan.
    • Mobile and web services: enables simulated attacks on web and mobile back-end services by detecting rich client traffic and decoding and attacking popular formats including JSON, REST, Flash Remoting (AMF), SOAP and XML.
    • RIA: dynamically crawls and attacks rich client traffic including AJAX, jQuery and GWT.
    • Complex workflows: enables proper testing of features such as shopping carts and business workflows. Includes true sequence crawling and attacking to enable proper testing of sites with XSRF protection. NTOSpider performs XSRF token detection so that valid tokens are collected and used during each attack.
  • Increased automation: executes repeatable, rapid and comprehensive automated application security testing.
  • Reduced risk: systematically reduces risk more effectively than before by leveraging a more automated process.
  • Frees pen testers: frees up expert pen testers to test the parts of the application that must be tested manually, such as business logic.

NTO invites security researchers and security professionals who want to stay current against modern applications to participate in the NTOSpider 6 beta program. For more information or to register for beta program participation visit

The full research report can be accessed at

About NT OBJECTives

NT OBJECTives (NTO) is a provider of the most automated, comprehensive and accurate web application security software, services and SaaS. NTO has been dedicated to solving the most difficult application security challenges for over 10 years. NTO's software, SaaS and services solutions are designed to help organizations build the most comprehensive, efficient and accurate web application security program. NT OBJECTives is privately held with headquarters in Irvine, CA. For more information visit or follow us on Twitter @ntobjectives or @dan_kuykendall.