Dailydave mailing list archives

Retests


From: Dave Aitel <dave () immunityinc com>
Date: Thu, 21 Sep 2006 14:15:27 -0700

Today I ran a retest on an app that had a couple of cross site
scriptings, directory traversals, and one response splitting thing. I
did it manually, but here's what I want for next time:

def login():
   ret=spkproxy.runLoginSequence(username,password)
   if not ret:
      bail()

AllSeqs=XSSSeqs+ResponseSplittingSeqs+DirectoryListingSeqs
for seq in AllSeqs:
   login()
   ret=spkproxy.testXSSsequence(seq)
   if ret.failed():
      report.output("Found a bug that was not fixed %s"%seq.name)
   else:
      report.output("Bug fixed %s"%seq.name)
   report.output("Request: %s \n Response %s\n"%(ret.request,ret.response))

Ah, and I notice that Outlook is vulnerable to the VML bug. How cool is
that? One thing we talked about a bit in China at Xcon was the
difference between an attack framework and an exploit framework. In my
mind, an attack framework brings you from the tactical world to the
operational world - you're taking on an organization, finding centers of
gravity in the processes of your targets. Essentially, a Customer
Relations Management tool + Exploits + process management + some other
magic sauce. I think people focus too much on spamming. Spamming is very
much a pre-mobile warfare kind of way to think about information
operations.

I.e., if a hacker wants to own you, he's likely to think about the
organizations and services you use. Your ISP, your bank, your myspace
account, your gmail, your lawyer, your accountant, your computer supply
store, your apartment building, etc. A true attack framework takes this,
wraps it up, and gives you the path of success custom to that target.
This may include attacking web applications in a real way, rather than
scanning them. This may include spamming people with email, and if so,
which people did you spam, and why. If you got caught or discovered,
which people in that organization would be informed? Can we build a
model of the information my adversary has about my operations?

The other thing we talked about in China at Xcon was:
1. There's no good book like Shellcoders for running real attacks.
Hacking is still a mystery beyond "Hacking Exposed" to most people.
2. Drugs are bad opsec. At best they give law enforcement something to
key in on and at worst something for someone to blackmail you with and
something to dull your edge. Most of the hacker community does a lot of
drugs, and people who don't have a slight edge, I think. Of course
they're more boring too, so there's that.

-dave
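A fleshed-out version of the retest loop sketched above, added here as an example and not code from the post or from SPIKE Proxy: recorded sequences are replayed after a fresh login and each is classified as fixed or not fixed by a check that says whether the original bug still reproduces. The application under test is a constructed stand-in (`make_app`, `CHECKS`, `FILES` and the sequence entries are all hypothetical) that is run once before and once after a simulated fix.

```python
import html

CHECKS = {  # True when the original bug still reproduces in (status, headers, body)
    "reflected": lambda s, h, b: "<xss-marker>" in b,     # marker tag came back unescaped
    "split": lambda s, h, b: "X-Injected" in h,            # CRLF in a value forged a header
    "traversed": lambda s, h, b: "OUTSIDE-WEBROOT" in b,   # content from outside the web root
}

# Constructed recorded sequences: (name, path, params, check); not real findings
XSSSeqs = [("xss-search", "/search", {"q": "<xss-marker>"}, CHECKS["reflected"])]
ResponseSplittingSeqs = [("split-redirect", "/redirect", {"to": "/home\r\nX-Injected: 1"}, CHECKS["split"])]
DirectoryListingSeqs = [("traverse-download", "/download", {"f": "../secret.txt"}, CHECKS["traversed"])]
AllSeqs = XSSSeqs + ResponseSplittingSeqs + DirectoryListingSeqs

def retest(app, seqs, login):
    # Log in before every sequence, replay it, and classify the finding.
    results = {}
    for name, path, params, still_vulnerable in seqs:
        session = login()
        if session is None:
            raise RuntimeError("login failed, aborting retest")  # the post's bail()
        status, headers, body = app(session, path, params)
        results[name] = "not fixed" if still_vulnerable(status, headers, body) else "fixed"
    return results

# Constructed stand-in for the application under retest; fixed=True models the patch.
FILES = {"index.html": "hello", "../secret.txt": "OUTSIDE-WEBROOT"}
def make_app(fixed):
    def app(session, path, params):
        headers = {"Content-Type": "text/html"}
        if path == "/search":
            q = params["q"]
            return 200, headers, "results for " + (html.escape(q) if fixed else q)
        if path == "/redirect":
            to = params["to"]
            if fixed and ("\r" in to or "\n" in to):
                return 400, headers, "bad redirect target"
            for line in ("Location: " + to).split("\r\n"):  # unfixed: CRLF reaches the headers
                k, _, v = line.partition(": ")
                headers[k] = v
            return 302, headers, ""
        if path == "/download":
            if fixed and ".." in params["f"]:
                return 403, headers, "forbidden"
            return 200, headers, FILES.get(params["f"], "")
        return 404, headers, "not found"
    return app

if __name__ == "__main__":
    login = lambda: "session-cookie"  # constructed; a real run replays the login sequence
    print(retest(make_app(fixed=False), AllSeqs, login), retest(make_app(fixed=True), AllSeqs, login))
```

Running it prints every sequence as "not fixed" against the unpatched stand-in and "fixed" against the patched one, which is the before/after report the post asks for.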

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave