
Rapid7 Announces Flash Support For Web App Scanning

NeXpose is offering full Adobe Flash decompilation and analysis support
San Francisco, CA @ RSA Conference, February 14, 2011. Rapid7, the leading provider of unified vulnerability management and penetration testing solutions, today announced that its flagship product, NeXpose, is offering full Adobe Flash decompilation and analysis support. With this feature, Rapid7's Web application scanning, already ranked top in the industry by a leading analyst firm, goes above and beyond basic Flash support with the ability to discover more vulnerabilities and improve intelligence in Flash analysis.

Today, Adobe estimates that 98 percent of Web users and 99.3 percent of Internet desktop users have installed the Flash player. Its wide adoption has made it an increasingly attractive target for malicious hackers, but the security industry has been slow to react. Although many vulnerability scanners check Flash player security, most are blind to the Flash applications that run in Adobe's Flash player, leaving both clients and servers unprotected from many dangerous security issues, including remote hijacking, SQL injections and malicious SWF files.

Rapid7's support for Web application Flash content enables NeXpose 4.10.4 users to conduct vulnerability scans that provide a deeper level of analysis on all websites and discover more vulnerabilities. This protects both the consumers of a website against XSS attacks and the hosts of the website against other vulnerabilities. Unlike alternative solutions, this new capability enables Rapid7 users to analyze Flash forms, which can uncover more potential injection points in the application, information disclosures and coding mistakes. Specifically, users can now find pages only linked from Flash menus, discover hard-coded credentials in Flash elements and analyze HTTP POST requests in Flash forms for injection vulnerabilities.

"With this new level of support, Rapid7 has taken another step in providing comprehensive Web application scanning and support," said Andrés Riancho, Rapid7 director of Web security and founder of w3af, the open source Web application attack and audit framework sponsored by Rapid7. "While other vendors play catch-up with Web application support features, Rapid7 now verifies the safety of both the Flash player as well as the Flash applications. Rapid7 and w3af have responded with an effective Flash scanning solution that enables rapid protection from these critical exposures."

This latest feature bolsters Rapid7's industry-leading Web application scanning capabilities and continued Web application security momentum. Rapid7 began its Web application dominance in 2001, when it was the first vulnerability management vendor to launch a unified vulnerability management solution that included Web application scanning, as well as source disclosure and directory traversal checks, and allowed organizations to chain multiple vulnerabilities across multiple IT tiers, including Web applications. The following year, Rapid7 expanded its scanner with the ability to provide checks for unencrypted sensitive form data, backup scripts and more.

In 2006, Rapid7 was the first to market client-side browser emulation security technology that allows static JavaScript analysis, AJAX analysis and DOM-based XSS detection. Today, no other vendor in the vulnerability management space has been able to introduce this full capability, and competitive solutions simply provide checks against legacy Web technologies without providing complete XSS coverage. In 2007 and 2009, third- and fourth-generation scanners provided industry-first complex website decomposition to bypass application logic, support for header injections, scanning for sensitive content in Web pages, PDF scanning, complex Web authentication and all forms of XSS, including DOM-based, reflected and persistent. In addition, Rapid7 was the first vulnerability management vendor to introduce blind SQL injection testing in 2010.

That same year (July 2010), Rapid7 announced a sponsorship and partnership with w3af, leveraging the added intelligence to launch Rapid7's Worldwide Center of Excellence (COE) for Web security. Already recognized by Forrester Research analyst Chenxi Wang in the 2010 Forrester Wave Vulnerability Management Report, which stated "Rapid7 leads on its strong application scanning capability; it's the only vendor in this evaluation whose scanning capabilities can handle Ajax and Web 2.0 technologies," this collaboration provided further enhancements in Rapid7's scan accuracy, the detection of a broader scope of vulnerabilities and superior support for widely used client-side technologies. This year, Rapid7 added support for LDAP injection and OS command injection.

In addition, as Rapid7 continues its industry-leading response to customers' demand for vulnerability management and penetration testing convergence, the company has expanded Web security capabilities for Java and PHP within its open source and commercial Metasploit solutions.

"Rapid7 has always been committed to driving change in the security industry, and our collaborative research and development around Web application security with w3af is no different," said Mike Tuchen, president and CEO, Rapid7. "As companies face increasing Web application attacks today, especially with Adobe Flash and its excessive risks, it has remained our goal to stay ahead and proactively offer a broad range of Web security best practices, including solutions for NeXpose and Metasploit."

About Rapid7

Rapid7 is the leading provider of unified vulnerability management and penetration testing solutions, delivering actionable intelligence about an organization's entire IT environment. Rapid7 offers the only integrated threat management solution that enables organizations to implement and maintain best practices and optimize their network security, Web application security and database security strategies.
