Dailydave mailing list archives

Re: From blackbox to grey-box during Web App tests


From: "Andre Gironda" <andreg () gmail com>
Date: Tue, 9 Oct 2007 19:13:44 -0400

On 10/9/07, Dave Aitel <dave () immunityinc com> wrote:
> So Fortify has this out - it's interesting, but I think it's not what
> I want. Has anyone used it?
> http://www.fortifysoftware.com/products/tracer/

I know one person outside of Fortify who gave me feedback on Tracer.
Did you see the Iron Chef at BH-US-07?

Ouncelabs has a bounty out to OWASP on a similar tool they call Blacktop.

> I dunno why everyone gets so hung up on metrics when they should be
> going for the jugular.

You are right.  The problem Tracer is trying to solve is simply
knowledge of code coverage on inputs.  The real problem we ideally
want to see solved is the ability to use this coverage to create a
fuzzer tracker - which would use the coverage results to improve time
between findings by predicting which inputs/outputs can be exploited.

> What I want is to use SPIKE Proxy and while I'm testing the web app
> have every CreateProcess and SQL Statement fed to me and then have a
> filter so I can look only at what I care about (and avoid spamming
> their network too much - especially on busy sites).

It sounds like you want a web file and SQL aware proxy fuzzer.  The
one that comes with taof is suitable, as is the internal DVLabs proxy
fuzzer.

> Theoretically you could then write something that autodetected and
> bypassed filters and automated getting you your SQL injection in the
> first place. And you would have at least one eye in the land of the
> blind SQL Injection.

There are a few open-source tools such as JDBC Spy or possibly FileMon
which contain code or examples useful in this effort.

> It's probably more work to write this email than write up the code
> using Immunity Debugger and SPIKE Proxy, so maybe I'll just go off and
> do that.

beSTORM is also working on something similar that could be complete at
this point.  They wanted it to be a DirBuster type proxy tool in
addition to SQL.

Cheers,
Andre
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
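The grey-box setup the thread is circling (a JDBC Spy style tap that feeds every SQL statement back to the tester while a proxy fuzzer replays tainted requests, plus a filter so only the statements the fuzzed input actually touched are shown) can be sketched in a few dozen lines. The following is an added example written for this archive page; it is not code from the thread, from SPIKE Proxy, taof, or JDBC Spy. The two request handlers, the users table, the payload list and the `MARKER` canary are constructed stand-ins for a real application and a real fuzz corpus.

```python
"""Grey-box SQL tap for web-app fuzzing.

Wrap the app's DB connection so every statement it executes is logged, replay
tainted inputs through the app, then keep only the statements the current
input reached.  Because the tap sees the statement and any DB error directly,
a payload that corrupts the query is visible even when the HTTP response gives
nothing away (the "blind" case).  Handlers, table and payloads are constructed
stand-ins for this example; MARKER is an assumed canary, not a tool default.
"""
import sqlite3
from dataclasses import dataclass, field

MARKER = "zqx9"  # canary embedded in every payload so it can be found in SQL


@dataclass
class SpyConnection:
    """DB-API wrapper that records (sql, params) before each execute (JDBC Spy style)."""
    conn: sqlite3.Connection
    log: list = field(default_factory=list)

    def execute(self, sql, params=()):
        self.log.append((sql, tuple(params)))  # log first so failing statements are kept
        return self.conn.execute(sql, params)


def build_db():
    """Constructed in-memory schema standing in for the target's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


# Constructed request handlers: one splices the input into SQL, one binds it.
def lookup_vulnerable(db, name):
    return db.execute("SELECT id, role FROM users WHERE name = '%s'" % name).fetchall()


def lookup_safe(db, name):
    return db.execute("SELECT id, role FROM users WHERE name = ?", (name,)).fetchall()


def fuzz(handler, payloads):
    """Replay each payload, then classify only the statements it reached.

    Returns a list of (payload, verdict, sql, db_error) where verdict is
    'bound' (payload arrived as a bind parameter) or 'injected' (payload text
    was spliced into the statement).  Statements the payload never touched are
    filtered out, which is the noise reduction the thread asks for.
    """
    db = SpyConnection(build_db())
    findings = []
    for payload in payloads:
        start = len(db.log)          # only look at statements caused by this request
        try:
            handler(db, payload)
            err = None
        except sqlite3.Error as e:   # the client would never see this; the tap does
            err = str(e)
        for sql, params in db.log[start:]:
            if payload in params:
                verdict = "bound"
            elif MARKER in sql:
                verdict = "injected"
            else:
                continue             # unrelated statement: drop it
            findings.append((payload, verdict, sql, err))
    return findings


# Constructed payloads: a plain canary, a tautology, and a quote that breaks syntax.
PAYLOADS = [f"bob{MARKER}", f"x{MARKER}' OR '1'='1", f"x{MARKER}'"]

if __name__ == "__main__":
    for handler in (lookup_vulnerable, lookup_safe):
        print(handler.__name__)
        for payload, verdict, sql, err in fuzz(handler, PAYLOADS):
            print(f"  {verdict:8} {payload!r:24} {sql}  err={err}")
```

The third payload is the interesting one: against `lookup_vulnerable` the application swallows a syntax error and the HTTP layer shows nothing, but the tap records both the mangled statement and the SQLite error, which is exactly the "one eye in the land of the blind" the thread wants. Against `lookup_safe` every payload shows up as a bind parameter and no statement ever contains the canary, so the filter reports nothing worth chasing.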

