Re: bugs are bad.

[Jared DeMott <demottja () msu edu>]

SPI Fuzzer can help you automate some of those more complex tasks -- but
you'll have to create the tests you're thinking of manually.  Also their
web crawl/audit software is decent for the basic stuff.

Dave Aitel wrote:
> I was reading a couple of articles lately.
>
> http://www.darkreading.com/document.asp?doc_id=100156&WT.svl=news1_2
> "Client side bugs are bad. You can still get owned. Buy a HIPS!"
>
> http://www.zdnet.com.au/news/security/soa/JavaScript_opens_doors_to_browser_based_attacks/0,2000061744,39265130,00.htm
>
> "Javascript inside your browser is bad. You can still get owned! Buy a
> web scanner!"
>
> Or, as slacey said on http://technocrat.net/d/2006/7/28/6124:
> Is it me, or does this sound like it boils down to the javascript
> version of:
>
>  for i = 1 to 255: wget http://192.168.1.$i/ post results to tracker site.
>
>
> Either way, there should be some sort of filter you can apply in
> Firefox so that people who sell the "solution" to a problem shouldn't
> be able to comment on it. Not that bugs in non-MS apps are
> uninteresting, or Javascript things are lame - as CANVAS moves more
> and more into web application hacking we find ourselves doing more and
> more things like that. But if it's new and interesting, the people to
> quote will be the CTO's and CSO's of companies who are actually
> worried about such things.
>
> One thing I've been thinking about lately is that the common thing to
> do with any security technology is turn it into a scanner. Scanners
> make lots of money. But writing and selling a scanner typically means
> you solve the boring parts of the problem. For example, recently I've
> been doing a lot of web application assessment work. I don't need to
> scan them for bugs a scanner is likely to be able to find. I need to
> browse them, and then store and manipulate different data in a lot of
> different ways. I want to draw a circle around some blocks that
> represent queries and say "This is the login sequence - go do this a
> thousand times and tell me what the cookies are like, and while you're
> at it try every other query in this other group afterwards". Then I
> want to draw a circle around the "order a widget" sequence and say
> "try this in every possible order after logging in and let me know if
> anything weird happens". Essentially I think the whole idea of storing
> a site based on it's "pages" is broken. GET /bob.php?method=login is
> very different from method=logout. Same "page", different code paths.
> But today's scanners can't help me. And I think this is because
> they're making tons of money rather than being useful to people who
> know what they're doing.
>
> -dave
>
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave