Some Modeling Challenges When Testing Rich Internet Applications for Security

Abstract

Web-based applications are becoming more ubiquitous day by day, and among these applications, a new trend is emerging: rich Internet applications (RIAs), using technologies such as Ajax, Flex, or Silverlight, break away from the traditional approach of Web applications having server-side computation and synchronous communications between the web client and servers. RIAs introduce new challenges, new security vulnerabilities, and their behavior makes it difficult or impossible to test with current web-application security scanners. A new model is required to enable automated scanning of RIAs for security. In this paper, we evaluate the shortcomings of current approaches, we elaborate a framework that would permit automated scanning of RIAs, and we provide some directions to address the open problems.