WebApp Sec mailing list archives
RE: Spi's products worth a try? Or any suggestions for developers' tool?
From: "Peine,Holger" <Holger.Peine () iese fraunhofer de>
Date: Tue, 8 Nov 2005 09:51:17 +0100
-----Original Message-----
From: App Master [mailto:appmasterzero () hotmail com]
Sent: Monday, 7 November 2005 22:05
To: araheja () techquotes com
Cc: webappsec () securityfocus com
Subject: Re: Spi's products worth a try? Or any suggestions for developers' tool?

[...]

You see, a lot of security products are just like machine guns that fire strings at an application and then grep the HTML for another response string. This is the reason that after you run them it takes so long to verify if the results are correct or not, because it's mostly pure signature matching -- stateless -- of raw HTML and server response codes, without any visibility as to what is occurring in the browser (at the application level), or if the application is causally or statefully affected by injected values.

Hailstorm does it differently, using what you might think of as active payloads. It monitors what each injected payload does and then monitors browser memory (it uses a baked-in version of Mozilla) to trap when code or events execute in the application space as a result of its actions. This is a world of difference between other black-box tools.
I'm not really convinced (yet) by this argument. While I generally agree that there should be room for improvement in security analysis by paying more attention to the application state, I don't see how the above statements support this. I see only a weak connection between the general statement about observing state and the second statement about observing browser behavior instead of HTTP traffic, and I don't see which observations could be derived from browser behavior that could not equally be derived from the HTTP data (after all, a browser's behavior is determined by its input data, leaving aside some vendor-specific idiosyncrasies which are on topic here).

For example, I can decide from parsing the HTML whether a certain XSS-Javascript would be executed or not; what's the added value of monitoring the Javascript interpreter in the browser?

So, while I have a gut feeling that there is an interesting point hidden in your argument, could you please elaborate a bit (including an example) to bring out that point?

Regards,
Holger Peine

--
Dr. Holger Peine, Security and Safety
Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
Phone +49-631-6800-2134, Fax -1299 (shared)
www.iese.fraunhofer.de/Staff/peine -- PGP key on request or via http://pgp.mit.edu
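The two positions in this exchange can be made concrete. The following Python example is added here to illustrate the thread and is not code from either poster, from Hailstorm, or from any scanner: it contrasts the stateless "grep the raw HTML for the injected string" check the quoted message criticises with the parse-the-response check the reply proposes. The probe string `zx9canary` and the five sample responses are constructed for the example; the probe is a harmless marker, not a script. Parsing the response with the standard-library `HTMLParser` is enough to tell an HTML-escaped echo (text node) from an echo that became a tag, an `on*` attribute value, or script data, which is exactly the triage work the quoted message says takes so long after a signature-matching run.

```python
from html.parser import HTMLParser

# Constructed probe string (a marker, not a script): the scanner sends it in a
# parameter and then looks for it in the response body.
CANARY = "zx9canary"


def naive_signature_match(response_html: str, canary: str = CANARY) -> bool:
    """The stateless 'fire strings, grep the HTML' check: any echo counts as a hit."""
    return canary in response_html


class ReflectionContextParser(HTMLParser):
    """Records the markup context of every place the canary is echoed."""

    def __init__(self, canary: str):
        # convert_charrefs=True (the default) turns &lt;zx9canary&gt; back into
        # '<zx9canary>' but delivers it via handle_data, i.e. as text, so an
        # escaped echo and a raw echo are told apart by which callback fires.
        super().__init__()
        self.canary = canary
        self.in_script = False
        self.contexts: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        if self.canary in tag:
            self.contexts.append("tag-name")  # the echo became a new element
        for name, value in attrs:
            if value is not None and self.canary in value:
                # on* attributes hold script; other attribute values are inert text
                self.contexts.append("event-handler" if name.startswith("on") else "attribute")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.canary in data:
            # inside <script> the data is JavaScript source, where HTML entity
            # encoding offers no protection; elsewhere it is displayed text
            self.contexts.append("script" if self.in_script else "text")


# Contexts in which an echoed value is interpreted by the browser rather than displayed.
EXECUTABLE_CONTEXTS = frozenset({"tag-name", "event-handler", "script"})


def reflection_contexts(response_html: str, canary: str = CANARY) -> list[str]:
    """Parse the response and list every context in which the canary appears."""
    parser = ReflectionContextParser(canary)
    parser.feed(response_html)
    parser.close()
    return parser.contexts


def context_aware_match(response_html: str, canary: str = CANARY) -> bool:
    """Flag only echoes that land where the browser would interpret them."""
    return any(c in EXECUTABLE_CONTEXTS for c in reflection_contexts(response_html, canary))


# Constructed sample responses, each echoing the probe in a different place.
SAMPLE_RESPONSES = {
    "escaped-text": "<p>You searched for: &lt;zx9canary&gt;</p>",
    "raw-tag": "<p>You searched for: <zx9canary></p>",
    "event-handler": '<img src="x" onerror="zx9canary">',
    "script-block": '<script>var q = "zx9canary";</script>',
    "quoted-attribute": '<input name="q" value="zx9canary">',
}


def compare_checks(responses=SAMPLE_RESPONSES):
    """Return {name: (naive_hit, context_aware_hit, contexts)} for each sample."""
    return {
        name: (naive_signature_match(html), context_aware_match(html), reflection_contexts(html))
        for name, html in responses.items()
    }


if __name__ == "__main__":
    for name, (naive, aware, ctx) in compare_checks().items():
        print(f"{name:18} naive={naive!s:5} context_aware={aware!s:5} contexts={ctx}")
```

The naive check reports all five samples as hits, while the parsing check keeps only the three where the echo reaches an interpreted context; the escaped text node and the quoted, non-handler attribute are the verification noise the quoted message complains about. What this parser cannot see is what the reply asks about: anything decided later by the page's own scripts or by server-side state, which is the only part of the argument that a live browser would add.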
Current thread:
- Re: Spi's products worth a try? Or any suggestions for developers' tool? App Master (Nov 07)
- <Possible follow-ups>
- RE: Spi's products worth a try? Or any suggestions for developers' tool? Peine,Holger (Nov 08)
- RE: Spi's products worth a try? Or any suggestions for developers' tool? Ory Segal (Nov 08)