Effectiveness of Web Application Security Scanners at Detecting Vulnerabilities behind AJAX/JSON

Faustin Kagorora, Junyi Li, Damien Hanyurwimfura, Lancine Camara

Semantic Scholar (2015)

Abstract
Web applications are used by almost all organizations in all sectors and are accessed by a large number of anonymous users, including malicious ones. This wide exposure makes them susceptible to a variety of attacks, such as SQL injection (SQLi). Web application vulnerability scanners (WAVSs) are automated black-box testing tools that examine web applications for security vulnerabilities. Previous evaluations of WAVSs have shown that executing client-side code is a major challenge for many scanners. However, despite the popularity of AJAX (Asynchronous JavaScript and XML) and JSON (JavaScript Object Notation) in modern web applications, no evaluation had implemented test cases covering support for both AJAX and JSON. This paper presents a test application and an assessment of the capability of five state-of-the-art black-box scanners to detect vulnerabilities hidden behind AJAX requests and JSON data. The test suite contains many vulnerability instances with different levels of exploitation difficulty. Our experimental results show that executing AJAX code and analyzing JSON parameters are still challenges for many tools. Because earlier evaluations did not cover all of the main features of a scanner, we also provide recommendations for assessing the complete capability of WAVSs.
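The gap the abstract describes can be made concrete with a small simulation. The following Node.js program is an added example and is not the paper's test application or any of the evaluated scanners: it models a page whose only HTML form is safe, while the page's own script POSTs a JSON body to an endpoint (hypothetical `/api/users`) that concatenates a nested JSON value into SQL. A form-only crawler never reaches that parameter; a scanner that works from a captured AJAX request and injects into every JSON leaf does. The SQL engine, the error signature, the page HTML and the captured request are all constructed for the demo.

```javascript
// Added example, not from the paper: why a form-only scanner misses an SQL
// injection that is reachable only through a JSON-bodied AJAX request.

// --- Simulated target ------------------------------------------------------
// Constructed page: a safe GET form plus a script that sends JSON to /api/users.
const PAGE_HTML = `<form action="/search" method="get"><input name="q"></form>
<script>fetch('/api/users',{method:'POST',headers:{'Content-Type':'application/json'},
body:JSON.stringify({filter:{user:'alice',active:true}})})</script>`;

// Toy SQL "engine": like a real database, an unbalanced quote is a syntax error.
function executeSql(sql) {
  const literal = sql.slice(sql.indexOf("'"));
  const quotes = (literal.match(/'/g) || []).length;
  if (quotes % 2 !== 0) {
    return { status: 500, body: "SQL syntax error near " + literal };
  }
  return { status: 200, body: 'ok' };
}

// Request shape used throughout: { method, path, query, body }.
function handleRequest(req) {
  if (req.method === 'GET' && req.path === '/search') {
    // Safe handler: the value is never spliced into SQL (stands in for a
    // parameterised query).
    return { status: 200, body: 'results for ' + JSON.stringify(req.query.q) };
  }
  if (req.method === 'POST' && req.path === '/api/users') {
    let data;
    try { data = JSON.parse(req.body); } catch (e) { return { status: 400, body: 'bad json' }; }
    const user = data.filter && data.filter.user;
    // Deliberately vulnerable: nested JSON value concatenated into SQL.
    const sql = "SELECT * FROM users WHERE name = '" + user + "'";
    return executeSql(sql);
  }
  return { status: 404, body: '' };
}

// --- Scanner logic ---------------------------------------------------------
const PROBE = "'";                      // single quote: breaks the string literal
const SQL_ERROR = /SQL syntax error/i;  // error-based detection signature

// Scanner 1: crawls HTML forms only and injects into each named input.
function scanForms(html, send) {
  const findings = [];
  const formRe = /<form[^>]*action="([^"]*)"[^>]*method="([^"]*)"[^>]*>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, action, method, inner] = m;
    const names = [...inner.matchAll(/<input[^>]*name="([^"]*)"/gi)].map(x => x[1]);
    for (const name of names) {
      const resp = send({ method: method.toUpperCase(), path: action, query: { [name]: PROBE }, body: '' });
      if (SQL_ERROR.test(resp.body)) findings.push(`${method.toUpperCase()} ${action} param ${name}`);
    }
  }
  return findings;
}

// Scanner 2: starts from a captured AJAX request (e.g. from an instrumented
// browser or proxy) and injects into every leaf of the JSON body.
function jsonLeafPaths(obj, prefix = []) {
  if (obj !== null && typeof obj === 'object') {
    return Object.keys(obj).flatMap(k => jsonLeafPaths(obj[k], [...prefix, k]));
  }
  return [prefix];
}

function setPath(obj, path, value) {
  const copy = JSON.parse(JSON.stringify(obj));
  let cur = copy;
  for (let i = 0; i < path.length - 1; i++) cur = cur[path[i]];
  cur[path[path.length - 1]] = value;
  return copy;
}

function scanJsonRequest(captured, send) {
  const findings = [];
  const template = JSON.parse(captured.body);
  for (const path of jsonLeafPaths(template)) {
    const mutated = setPath(template, path, PROBE);
    const resp = send({ ...captured, body: JSON.stringify(mutated) });
    if (SQL_ERROR.test(resp.body)) findings.push(`${captured.method} ${captured.path} json ${path.join('.')}`);
  }
  return findings;
}

// Constructed capture of the request the page's script issues.
const CAPTURED_AJAX = {
  method: 'POST', path: '/api/users', query: {},
  body: JSON.stringify({ filter: { user: 'alice', active: true } }),
};

console.log('form-only scanner :', scanForms(PAGE_HTML, handleRequest));
console.log('JSON-aware scanner:', scanJsonRequest(CAPTURED_AJAX, handleRequest));
```

The form-only scanner reports nothing, because the vulnerable parameter never appears in a form; the JSON-aware scanner reports `filter.user`. In practice the hard part is the first half of the problem the abstract names: obtaining `CAPTURED_AJAX` at all requires executing the page's JavaScript, which is exactly what many black-box scanners do not do.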