Full Disclosure mailing list archives
Re: Vulnerability Disclosure Technics
From: "Oliver () greyhat de" <Oliver () greyhat de>
Date: Mon, 21 Jun 2004 20:13:29 +0200
There are several ways to search for vulnerabilities in applications.

If you have the source code, you can do a code review. There are many tools (like flawfinder etc.) which will support you in finding "static" vulnerabilities like buffer overflows due to incorrect usage of commands like "strcpy" and family.

If you don't have the source code, you can do reverse engineering with debuggers, disassemblers and other tools, to search for common coding mistakes.

You also can do black-box testing, whereby you can use fuzzy technology to generate random parameters and requests, sending them to the application. The last one is the one I often use, because in most cases you don't have the source code, and reverse engineering is not that easy :)
bye, Oliver

Mr. John wrote:

Hi

A question is in my mind every time I see a vulnerability disclosure. I want to know how a person finds a security vulnerability in a software. Is there a regular way? Suppose that I am technical chair of a software group and we have a software for which security consideration is important for us. How can I test our software to ensure that no security vulnerabilities (like buffer overflow vulns) exist in our software product? Or it is a question for me how, for example, eEye finds many vulnerabilities in software products. Is there a regular and formal way? Are there some tools, techniques, methods, ... for this purpose, for finding a vulnerability in a software?

Thanks
John
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
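The reply above mentions two of the three approaches in concrete terms: a static scan for the unbounded `strcpy` pattern, and black-box fuzzing with random inputs. The following C program is an added example, not code from the post or from any of the tools it names. It shows what a defender does with both ideas at once: `set_name` is the bounded replacement for the `strcpy`-into-fixed-buffer shape that flawfinder flags, and `fuzz_set_name` is a minimal in-process fuzz harness that feeds it random-length, random-content inputs and checks a canary word placed right after the buffer, so any write past the end is detected immediately. All names (`struct record`, `set_name`, `fuzz_set_name`, `xorshift32`) and the canary fixture are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16
#define CANARY 0xDEADBEEFu

/* Fixed-size record with a canary word directly after the name buffer.
 * The canary is a constructed test fixture: if any copy runs past
 * name[], the canary value changes and the harness notices. */
struct record {
    char name[NAME_LEN];
    uint32_t canary;
};

/* Bounded replacement for the unbounded strcpy pattern flawfinder flags.
 * Copies src into r->name only if it fits together with its terminator.
 * Returns 0 on success, -1 if the input is too long. */
int set_name(struct record *r, const char *src, size_t src_len)
{
    if (src_len >= NAME_LEN)
        return -1;
    memcpy(r->name, src, src_len);
    r->name[src_len] = '\0';
    return 0;
}

/* Small deterministic PRNG (xorshift32) so a failing fuzz run can be
 * replayed exactly from its seed. */
static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    *state = x;
    return x;
}

/* Fuzz loop in the black-box spirit of the post: generate random-length,
 * random-content inputs (up to twice the buffer size), feed each one to
 * set_name, and check the canary after every call.
 * Returns the number of inputs rejected as too long; *corruptions counts
 * canary overwrites, which must be 0 for a correctly bounded copy. */
int fuzz_set_name(uint32_t seed, int iterations, int *corruptions)
{
    uint32_t rng = seed ? seed : 1u;  /* xorshift must not start at 0 */
    char input[2 * NAME_LEN];
    int rejected = 0;

    *corruptions = 0;
    for (int i = 0; i < iterations; i++) {
        struct record r;
        size_t len = xorshift32(&rng) % sizeof(input);
        for (size_t j = 0; j < len; j++)
            input[j] = (char)(xorshift32(&rng) & 0xFFu);

        memset(r.name, 0, sizeof(r.name));
        r.canary = CANARY;
        if (set_name(&r, input, len) != 0)
            rejected++;
        if (r.canary != CANARY)
            (*corruptions)++;
    }
    return rejected;
}

int main(void)
{
    int corruptions;
    int rejected = fuzz_set_name(12345u, 10000, &corruptions);
    printf("rejected %d oversized inputs, %d canary corruptions\n",
           rejected, corruptions);
    return corruptions == 0 ? 0 : 1;
}
```

The harness only ever calls the bounded copy, so it reports zero corruptions; swapping in a `strcpy`-style body would make the canary check fire on the first oversized input. In real testing the same loop is run under a memory checker such as AddressSanitizer instead of relying on a hand-placed canary, but the structure (seeded generator, random lengths past the expected maximum, an invariant checked after every call) is what a fuzz harness boils down to.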
Current thread:
- Vulnerability Disclosure Technics Mr. John (Jun 19)
- Re: Vulnerability Disclosure Technics Oliver () greyhat de (Jun 21)
- Re: Vulnerability Disclosure Technics Mr. John (Jun 22)
- Re: Vulnerability Disclosure Technics Valdis . Kletnieks (Jun 21)
- Re: Vulnerability Disclosure Technics Oliver () greyhat de (Jun 21)