A few odd ones lurking around …
This is at least partially an appeal for information – if anyone knows of a web application scanner that does what I describe here, please let me know!
All the web application scanners I have come across so far seem to only try “online” scanning where the work is done by connecting to a web server using the same method as someone with a web browser would use. Or in other words the scanning tools replicate what an attacker might do. Hardly the wrong thing to do – it is probably the best method given that so much can only be determined by going through the web server.
In addition, there are also tools to scan the source code of web applications that you have written yourself. These pick out bits of the application that could do with looking at. Fair enough for a web developer, but I’m after something a bit different.
What I want is a tool that, when given the directory containing the website, will go through it looking for weaknesses like the following :-
- Look for problems with the permissions – such as directories and files writeable by the web server owner.
- Look for common applications and components – such as WordPress – and identify them, and indicate whether they’re out of date or not.
- Look for signs of exploits – PHP ‘shells’ and the like.
- Look for content that isn’t linked to as an indication that it shouldn’t be present.
Of course most people could think of a few more things to add to that list! It would be a handy additional source of information when it comes to securing a website.
According to an article on The Register, our friends at Adobe are somewhat irritated by Apple’s insistence on not allowing Flash to run on the iPhone and now the iPad. Because Apple’s platform for both products is closed, Adobe has to live with Apple’s decision on whether to allow it or not. Complaining about it amuses me, because Adobe is effectively guilty of the same kind of actions.
Almost all desktop web browsers have had the Flash plugin installed to “enhance the web browsing experience”. The fact is that we do not have much choice in the matter – many web developers insist on putting Flash elements onto web pages; sometimes the lack of Flash is merely irritating, but in many cases the whole purpose of the web service is lost without Flash. For instance a Flash-less YouTube would be somewhat short on video (there is an experimental HTML5 video interface for YouTube which looks interesting but I am overlooking that for now).
Mind you, that Flash plugin is also responsible for most of the occasions when your web browser crashes, and it also has a tendency to “spin the wheel” and consume huge quantities of CPU time to no purpose. Admittedly it may be that the Flash experience on more conservative platforms (such as Windows) is less unpleasant, but from what I have heard, Flash doesn’t much like Windows either.
Perhaps Apple does not want their products to get the reputation of being unreliable and unresponsive ? Of course the reason that Apple gives is that the Flash plugin is an interpreter and that they do not allow such software onto the iPhone/iPad platform for security reasons. Now on a phone, the lack of Flash can be overcome by producing specialist applications such as the YouTube app, or by accepting that a phone just is not as effective at browsing the web. Of course on something like the iPad, it is going to be a little harder to accept when web sites appear broken.
Which is of course Adobe’s point. And to some extent they are right. But you do suspect that Adobe are actually more worried about their own business than the interests of consumers.
If the iPad takes off, those web sites that use Flash extensively are going to have a big incentive to produce alternate versions of their sites. Some may well opt to “wrap” their site into an iPhone/iPad app; others may simply opt to switch to HTML5 and its support for video (which is not quite ready for prime time just yet). The modern standard of HTML provides many more options for generating dynamic content.
Of course this hypothetical shift away from Flash content would be bad for Adobe, because people will be less interested in paying for Adobe’s content production software. Perhaps Adobe should admit defeat and modify their software to generate standards-based web pages rather than closed binary “blobs”. It will certainly be easier to do that than to persuade Apple to unlock their platform!
According to an article from The Register, there has been a study showing that people in Britain rarely use their smartphones to “connect to the Internet”, and in the very next sentence the article mentions “surfing the web”. Well, which one do they mean ?
Yes there is a difference, and that difference is important as we’ll go on to find out …
The exception to the trend is iPhone users, who do use their smartphones to connect to the Internet more than other smartphone users. As an iPhone user myself, I can point out two things that, to anyone who thinks “accessing the Internet” and “surfing the web” are the same thing, appear contradictory :-
- I very rarely browse the web on the iPhone.
- I frequently connect to the Internet using different applications on the iPhone – in particular instant messaging, email, and various reference tools (such as Wikipanion).
Now that’s got most of the dumb IT industry analysts going “Uh?”.
The reason that nobody browses the web on a smartphone is that the screen is just too small. Ok, the iPhone screen is pretty nice, but it is still too small for browsing the web – all that pinching in and out so you can see the web page as a whole and then read the content is just a little tedious. And why not wait a few minutes until you have access to a better screen ?
Where the Internet usage comes from are the little applications that effectively present the Internet in an appropriate way for such a small screen – the map that shows the nearest bars, the search tool that looks up what you enter in a dictionary, in Wikipedia, etc. And of course instant messaging and VoIP.
So a few days ago I was idly looking at the “StatPress” page on my site to see how few people were visiting, and saw something rather surprising :-
What was happening here ? Have I been slashdotted ? Is my income from those silly ads down the side going to shoot through the roof to a level worth letting a certain company send me the payments ?
No. Nothing so exciting. All (well, the overwhelming majority) were from an MSN robot – presumably indexing this site. Well fair enough, but why so many accesses ? It is not as if my site has much on it – nowhere near the nearly 100,000 pages they tried to fetch. A closer look at the Apache logs shows that the msn robot repeatedly fetched many pages, including one page 1,300 times!
Sounds like Microsoft has a bug somewhere.
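The log check described above, done by eye on the Apache logs, as an added example of my own (not the StatPress plugin and nothing from Microsoft): group combined-format log lines by crawler family and flag the paths a crawler fetched repeatedly. The crawler list is a small assumed set, and the log lines the script ships with are constructed to resemble the behaviour described, not taken from a real log.

```python
import re
from collections import Counter

# Apache "combined" log format (assumption: the site logs in the stock combined format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Crawler families to group on; the User-Agent is self-declared, so it is a claim, not proof
CRAWLER_RE = re.compile(r"msnbot|bingbot|googlebot|yahoo! slurp|baiduspider", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def crawler_report(lines, repeat_threshold=3):
    """Per crawler family: total requests and the paths fetched at least repeat_threshold times."""
    totals, paths = Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # rotated-log headers, truncated lines and the like
        m = CRAWLER_RE.search(rec["agent"])
        family = m.group(0).lower() if m else "other"
        totals[family] += 1
        paths.setdefault(family, Counter())[rec["path"]] += 1
    return {
        fam: {
            "total": totals[fam],
            "repeated_paths": {p: c for p, c in paths[fam].most_common() if c >= repeat_threshold},
        }
        for fam in totals
    }


def constructed_sample():
    """Constructed log lines (not real traffic) shaped like the crawler behaviour described in the post."""
    bot = "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
    stamp = "01/Feb/2010:10:{:02d}:00 +0000"
    lines = [f'65.55.0.{i} - - [{stamp.format(i)}] "GET /2010/02/flash/ HTTP/1.1" 200 9123 "-" "{bot}"'
             for i in range(6)]
    lines += [f'65.55.0.9 - - [{stamp.format(10 + i)}] "GET /about/ HTTP/1.1" 200 3011 "-" "{bot}"'
              for i in range(2)]
    lines.append(f'192.0.2.7 - - [{stamp.format(20)}] "GET / HTTP/1.1" 200 5000 "-" "{browser}"')
    lines.append(f'192.0.2.7 - - [{stamp.format(21)}] "GET /2010/02/flash/ HTTP/1.1" 200 9123 '
                 f'"http://example.invalid/" "{browser}"')
    lines.append("this line is not in combined format and is skipped")
    return lines


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else constructed_sample()
    for family, info in crawler_report(lines).items():
        print(f"{family:10s} {info['total']:6d} requests; repeated: {info['repeated_paths']}")
```

Run it as `python crawlers.py /var/log/apache2/access.log` to see the same picture StatPress gave, broken down by path. One caveat worth keeping in mind: the User-Agent string is whatever the client chooses to send, so before concluding that a search engine has a bug it is worth reverse-resolving the source addresses and checking that the forward lookup of the resulting name agrees; a flood of "msnbot" requests from an unrelated network is a different problem.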
It just occurred to me that there’s a somewhat different way of finding the latest and hottest new websites out there – just take a look in CPAN (Perl’s third-party library repository) or the equivalent for other languages for modules that match “WebService”.
If someone has gone to the trouble of writing a module for communicating with a site, it probably is at least worth looking at.