Dailydave mailing list archives

Re: [Fwd: Why I love Spike..]


From: Matt Hargett <matt () use net>
Date: Fri, 17 Sep 2004 13:28:52 +0000

Dave Aitel wrote:
Hmm. I think maybe Cenzic has the right idea. Drop the whole arbitrary protocol, and focus on the HTTP thing. Maybe even drop a shim into a win32 process if you feel like it to detect CreateProcessA and fopen() style bugs. Simple stuff. But a lot of QA depts I work with are still cutting and pasting long strings into explorer windows to test for overflows. And they use all sorts of tools for automation of functionality testing, but if you priced it right, they'd use another tool for overflows and SQL injection. I think the problem is selling it sometimes - you really do want to have a large consulting arm that sells it, rather than a sales force. It would have done well at @stake. :>

HTTP is harder than it sounds. Besides having to do full-on javascript, DOM, cookies, etc., that won't get you anywhere with flash UIs or captchas.

Believe me, I copied and pasted long strings quite a bit, which is why I thought Hailstorm was so useful at first. I wrote about it in a blog entry about my stumbling into security QA a few weeks ago:
http://wiki.yak.net/538

Hailstorm and tools like it are almost passable for simple web apps and simple protocols, if it weren't for the fault detection problem. API shims aren't really going to help you for SQL Injection and buffer overflows, which is what most people are testing for. You are right that it would work for detecting command injection, but then you're modifying the environment for the testing, which is a QA no-no (generally).

I'll avoid commenting about the quality levels necessary to deliver a real product that QA people themselves will use every day, never mind take seriously in the first place. If the product crashes during your own rigged demo, chances are you aren't cutting the mustard.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave