Dailydave mailing list archives
Re: bugs are bad.
From: "Matthew Franz" <mdfranz () gmail com>
Date: Mon, 31 Jul 2006 22:45:10 -0500
I don't know about the SPI tool; my limited experience with AppScan left a lot to be desired, and the open source tools aren't much better. I think Dave may be on to something here.

The whole GUI spider/proxy/interceptor/manual-request-builder paradigm used by Paros/WebScarab/Odysseus & friends leaves a lot to be desired IMO and is damn awkward except for demos to management. No decent export feature of data into something parseable. Automation over various data captures (URI, forms, parameters, etc.) is fairly difficult. Or is it just me? And it isn't *just* their clunky Swing interfaces. Even if in Windows Forms, entering a bunch of values into a table to do fuzzing?! Yeah, you are supposedly able to script WebScarab, but BeanShell is sort of pointless as a scripting language.

I'm thinking a set of console/command-line tools operating on a common lightweight "target database" (not based on pages), or perhaps breaking up some of the functionality from these Java tools, then scripting them with Jython/JRuby or building something on top of Jakarta HttpClient or even the nasty urllib2. Or, God forbid, some sort of IOS-like shell; now that would be interesting.

- mdf
> One thing I've been thinking about lately is that the common thing to do with any security technology is turn it into a scanner. Scanners make lots of money. But writing and selling a scanner typically means you solve the boring parts of the problem.
>
> For example, recently I've been doing a lot of web application assessment work. I don't need to scan them for bugs a scanner is likely to be able to find. I need to browse them, and then store and manipulate different data in a lot of different ways. I want to draw a circle around some blocks that represent queries and say "This is the login sequence - go do this a thousand times and tell me what the cookies are like, and while you're at it try every other query in this other group afterwards". Then I want to draw a circle around the "order a widget" sequence and say "try this in every possible order after logging in and let me know if anything weird happens".
>
> Essentially I think the whole idea of storing a site based on its "pages" is broken. GET /bob.php?method=login is very different from method=logout. Same "page", different code paths. But today's scanners can't help me. And I think this is because they're making tons of money rather than being useful to people who know what they're doing.
>
> -dave
--
Matthew Franz
http://www.threatmind.net

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
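The request-keyed "target database" and sequence replay that both posts sketch, as an added example written for this page (it is not code from either writer and not any of the tools named above). It keys captured requests on method, path, parameter names and the values of assumed dispatch parameters (`method`, `action`, `cmd`), so `GET /bob.php?method=login` and `method=logout` become separate entries under one page; named groups of requests can then be replayed N times to look at the cookies handed back, or run in every order after a login group. `Request`, `TargetDB`, `FakeSite`, `sequential_values` and the dispatch-parameter list are all assumptions, and `FakeSite` is a constructed stand-in for a server so the block runs offline; against a real target, `send` would wrap urllib or a similar HTTP client.

```python
from collections import defaultdict, namedtuple
from itertools import permutations
from urllib.parse import parse_qsl, urlsplit

DISPATCH_PARAMS = ("method", "action", "cmd")  # assumed names of code-path selectors

# method, path+query string, optional dict of POST form fields
Request = namedtuple("Request", "method url body", defaults=(None,))

def params_of(req):
    p = dict(parse_qsl(urlsplit(req.url).query, keep_blank_values=True))
    p.update(req.body or {})
    return p

def code_path_key(req):
    """Method, path, param names, dispatch values: method=login != method=logout."""
    p = params_of(req)
    dispatch = tuple((n, p[n]) for n in DISPATCH_PARAMS if n in p)
    return (req.method, urlsplit(req.url).path, tuple(sorted(p)), dispatch)

class TargetDB:
    """Captured requests keyed by code path, plus named ordered groups."""
    def __init__(self):
        self.requests = defaultdict(list)  # key -> observed Requests
        self.groups = {}                   # group name -> ordered keys

    def record(self, req):
        self.requests[code_path_key(req)].append(req)

    def define_group(self, name, reqs):
        for r in reqs:
            if r not in self.requests[code_path_key(r)]:
                self.record(r)
        self.groups[name] = [code_path_key(r) for r in reqs]

    def _run(self, keys, send):
        """Send keys in order sharing one cookie jar; stop at first non-200."""
        jar = {}
        for key in keys:
            status, cookies = send(self.requests[key][0], jar)
            jar.update(cookies)
            if status != 200:
                return jar, (key[3], status)
        return jar, None

    def replay(self, name, send, times=1):
        """Run a group `times` times; return the cookie jar after each run."""
        return [self._run(self.groups[name], send)[0] for _ in range(times)]

    def try_orders(self, prefix, name, send):
        """Run `prefix` then every ordering of `name`; report non-200 orderings."""
        odd = []
        for order in permutations(self.groups[name]):
            _, failure = self._run(self.groups[prefix] + list(order), send)
            if failure:
                odd.append(([k[3] for k in order], failure))
        return odd

def sequential_values(values):
    """True when numeric cookie values across runs step by a constant."""
    nums = [int(v) for v in values]
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) > 2 and len(diffs) == 1 and diffs != {0}

class FakeSite:
    """Constructed stand-in for a server (replace with real HTTP): sequential
    session ids, and checkout only succeeds after an add."""
    def __init__(self):
        self.next_sid, self.carts = 1000, {}

    def send(self, req, jar):
        p, sid = params_of(req), jar.get("sid")
        if p.get("method") == "login":
            self.next_sid += 1
            self.carts[str(self.next_sid)] = []
            return 200, {"sid": str(self.next_sid)}
        if sid not in self.carts:
            return 403, {}
        if p.get("action") == "add":
            self.carts[sid].append(p.get("item"))
            return 200, {}
        if p.get("action") == "checkout":
            return (200 if self.carts[sid] else 400), {}
        return 404, {}

def demo(site=None):
    site, db = site or FakeSite(), TargetDB()
    login = Request("POST", "/bob.php?method=login", {"user": "bob", "pw": "x"})
    add = Request("GET", "/cart.php?action=add&item=widget")
    checkout = Request("POST", "/cart.php?action=checkout")
    db.record(Request("GET", "/bob.php?method=logout"))
    db.define_group("login", [login])
    db.define_group("order a widget", [add, checkout])
    sids = [jar["sid"] for jar in db.replay("login", site.send, times=5)]
    return {
        "code_paths": len(db.requests),              # 4 keys for 2 "pages"
        "sequential_sids": sequential_values(sids),  # True: predictable ids
        "odd_orders": db.try_orders("login", "order a widget", site.send),
    }
```

`demo()` ends up with four code paths for two "pages", flags the fake site's session ids as a constant-step sequence, and reports the one ordering (checkout before add) that the site refuses with a 400. The sequential check is deliberately crude: a real look at "what the cookies are like" needs many more samples and an entropy estimate, not just a difference test, and a real `send` would also have to carry the returned cookies into the next request exactly as a browser would.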
Current thread:
- bugs are bad. Dave Aitel (Jul 31)
- Re: bugs are bad. Jared DeMott (Jul 31)
- Re: bugs are bad. Matthew Franz (Aug 01)
- Message not available
- Re: bugs are bad. Matthew Franz (Aug 01)
- Re: bugs are bad. John Lampe (Aug 01)
- Re: bugs are bad. foofus (Aug 01)
- Re: bugs are bad. John Lampe (Aug 01)
- Re: bugs are bad. Matthew Franz (Aug 01)
- Re: bugs are bad. Jared DeMott (Jul 31)
- Re: bugs are bad. John Lampe (Aug 01)