Security Basics mailing list archives
Re: how to discover vulnerability?
From: "dwarkeeper" <dwarkeeper () hotmail com>
Date: Thu, 24 Apr 2003 14:53:15 -0400
Download spike fuzzer from immunitysec that is one of the few automated ways to search for overflows, use tools like RATS, FLAWFINDER, formatstring.pl to search through source code for use of possibly vulnerable code and last but not lease reading source code helps as well. /DK ----- Original Message ----- From: "Ali Saifullah Khan" <ali_saifullah () hotmail com> To: <security-basics () securityfocus com> Sent: Friday, April 18, 2003 12:48 AM Subject: Re: how to discover vulnerability?
Well, there has been debate for some time now over this issue. most ways of writing stack/heap/buffer overflows deal with searching for places in the code where there are either in-efficient or non-existent boundary checking conditions. using snprintf() instead of printf() is an example subject which has undergone considerable debate for a long time. But there are several other theologies you may consider when attempting to exploit a loophole in an application. it can be the way it takes input, not necessarily how it
takes
input. if one can structure ways to force input to the application while
not
necessarily attempting buffer overflows, but just by the way the
programmer
has designed the application to deal with input data, you have every
chance
of exploiting a new loophole, the programmer may have never even thought about, or written code to avoid. Regards, Ali Saifullah Khan----- Original Message ----- From: "Quynh Nguyen Anh" <quynh () sfc keio ac jp> To: <security-basics () securityfocus com> Sent: Thursday, April 17, 2003 2:39 AM Subject: how to discover vulnerability?hello, i have a question: almost every day, there are many security holes are discovered. i wonder how they can find these holes? 1. for open source softwares, they must read every source line ? 2. for closed source softwares, they must reverse engineering binarycode ?anway, i dont know exactly how they can discover holes! your ideas on this matter? many thanks. nguyen---------------------------------------------------------------------------Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam,theworld's premier event for IT and network security experts. The
two-day
Training features 6 hand-on courses on May 12-13 taught byprofessionals.The two-day Briefings on May 14-15 features 24 top speakers with novendorsales pitches. Deadline for the best rates is April 25. Register
today
toensure your place.http://www.securityfocus.com/BlackHat-security-basics-------------------------------------------------------------------------------------------------------------------------------------------------------Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no
vendor
sales pitches. Deadline for the best rates is April 25. Register today
to
ensure your place. http://www.securityfocus.com/BlackHat-security-basics---------------------------------------------------------------------------
-
_________________________________________________________________ MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*. http://join.msn.com/?page=features/virus --------------------------------------------------------------------------
-
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today
to
ensure your place. http://www.securityfocus.com/BlackHat-security-basics --------------------------------------------------------------------------
--
--------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-security-basics ----------------------------------------------------------------------------
Current thread:
- how to discover vulnerability? Quynh Nguyen Anh (Apr 17)
- RE: how to discover vulnerability? David Gillett (Apr 17)
- Re: how to discover vulnerability? Andy Cuff [talisker] (Apr 17)
- Re: how to discover vulnerability? K. K. Mookhey (Apr 21)
- <Possible follow-ups>
- Re: how to discover vulnerability? Ali Saifullah Khan (Apr 21)
- Re: how to discover vulnerability? dwarkeeper (Apr 25)