Dailydave mailing list archives

Re: bugs are bad.


From: "Matthew Franz" <mdfranz () gmail com>
Date: Mon, 31 Jul 2006 22:45:10 -0500

I don't know about the SPI tool; my limited experience with AppScan
left a lot to be desired, and the open source tools aren't much better.
I think Dave may be on to something here. The whole GUI
spider/proxy/interceptor/manual-request-builder paradigm used by
Paros/WebScarab/Odysseus & friends leaves a lot to be desired IMO and
is damn awkward except for demos to management.

No decent export feature for data into something parseable. Automation
over various data captures (URIs, forms, parameters, etc.) is fairly
difficult. Or is it just me? And it isn't *just* their clunky Swing
interfaces. Even if they were in Windows Forms, entering a bunch of values into a
table to do fuzzing?! Yeah, you are supposedly able to script
WebScarab, but BeanShell is sort of pointless as a scripting language.

I'm thinking of a set of console/command-line tools operating on a common
lightweight "target database" (not based on pages), or perhaps
breaking up some of the functionality from these Java tools, then
scripting them with Jython/JRuby or building something on top of
Jakarta HTTPClient or even the nasty urllib2. Or, God forbid, some sort
of IOS-like shell; now that would be interesting.

- mdf


One thing I've been thinking about lately is that the common thing to
do with any security technology is turn it into a scanner. Scanners
make lots of money. But writing and selling a scanner typically means
you solve the boring parts of the problem. For example, recently I've
been doing a lot of web application assessment work. I don't need to
scan them for bugs a scanner is likely to be able to find. I need to
browse them, and then store and manipulate different data in a lot of
different ways. I want to draw a circle around some blocks that
represent queries and say "This is the login sequence - go do this a
thousand times and tell me what the cookies are like, and while you're
at it try every other query in this other group afterwards". Then I
want to draw a circle around the "order a widget" sequence and say
"try this in every possible order after logging in and let me know if
anything weird happens". Essentially I think the whole idea of storing
a site based on its "pages" is broken. GET /bob.php?method=login is
very different from method=logout. Same "page", different code paths.
But today's scanners can't help me. And I think this is because
they're making tons of money rather than being useful to people who
know what they're doing.

-dave


-- 
Matthew Franz
http://www.threatmind.net
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
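As an added illustration of the two ideas in this thread (Matthew's "lightweight target database not based on pages" driven from scripts, and Dave's "draw a circle around the login sequence, run it a thousand times and tell me what the cookies are like / try the order-a-widget sequence in every order"), here is a small Python sketch. It is example code written for this archive page, not code from either poster or from any of the tools named above. Everything in it is an assumption for illustration: the choice to key targets by method, path and the values of "dispatch" parameters such as `method` (so `/bob.php?method=login` and `/bob.php?method=logout` are separate targets while two `add` requests differing only in `sku` collapse into one), the `TargetDB`, `cookie_report` and `try_every_order` names, and the `FakeSite` stand-in, which is a constructed in-process web app (with sequential session ids and a 500 on pay-before-add) so the script runs offline.

```python
import itertools
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Parameters whose *values* pick a different server-side code path.  Requests
# that differ in these are different targets, not the same "page".  Assumed
# list for this example; a real tool would let the user mark them.
DISPATCH_PARAMS = {"method", "action", "op"}


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    params: Tuple[Tuple[str, str], ...] = ()  # query/form params in order

    def param(self, name: str):
        return dict(self.params).get(name)


@dataclass
class Response:
    status: int
    cookies: Dict[str, str] = field(default_factory=dict)


def target_key(req: Request) -> Tuple:
    """Key by code path: dispatch params by (name, value), others by name only."""
    dispatch = tuple(sorted((k, v) for k, v in req.params if k in DISPATCH_PARAMS))
    others = tuple(sorted(k for k, _ in req.params if k not in DISPATCH_PARAMS))
    return (req.method, req.path, dispatch, others)


class TargetDB:
    """Targets keyed by code path plus hand-drawn named sequences over them."""
    def __init__(self):
        self.targets: Dict[Tuple, Request] = {}
        self.sequences: Dict[str, List[Tuple]] = {}

    def add(self, req: Request) -> Tuple:
        key = target_key(req)
        self.targets.setdefault(key, req)  # keep the first exemplar per code path
        return key

    def define_sequence(self, name: str, keys: List[Tuple]) -> None:
        self.sequences[name] = list(keys)

    def replay(self, name: str, send: Callable[[Request], Response], times: int = 1):
        return [send(self.targets[k]) for _ in range(times) for k in self.sequences[name]]


def cookie_report(responses: List[Response], name: str) -> Dict:
    """Collect every value issued for one cookie; flag reuse and sequential ids."""
    values = [r.cookies[name] for r in responses if name in r.cookies]
    reused = sum(1 for n in Counter(values).values() if n > 1)
    nums = [int(v) for v in values if v.isdigit()]
    sequential = len(nums) > 2 and all(b - a == 1 for a, b in zip(nums, nums[1:]))
    return {"issued": len(values), "distinct": len(set(values)),
            "reused": reused, "sequential": sequential}


def try_every_order(db: TargetDB, name: str, send, setup: str = None,
                    weird=lambda r: r.status >= 500) -> List[Tuple]:
    """Replay 'setup' (e.g. login) then the sequence in each possible order;
    report (order, target, status) for the first weird response per order."""
    findings = []
    for order in itertools.permutations(db.sequences[name]):
        if setup:
            db.replay(setup, send)
        for key in order:
            resp = send(db.targets[key])
            if weird(resp):
                findings.append((order, key, resp.status))
                break
    return findings


class FakeSite:
    """Constructed stand-in for the app under test so the example runs offline.
    Hands out sequential PHPSESSID values and 500s when 'pay' sees an empty cart."""
    def __init__(self):
        self.next_sid, self.cart = 1000, None

    def send(self, req: Request) -> Response:
        m = req.param("method")
        if req.path == "/bob.php" and m == "login":
            self.next_sid += 1
            self.cart = []
            return Response(200, {"PHPSESSID": str(self.next_sid)})
        if req.path == "/bob.php" and m == "logout":
            self.cart = None
            return Response(200)
        if req.path == "/order.php" and m == "add":
            if self.cart is None:
                return Response(500)  # not logged in
            self.cart.append(req.param("sku"))
            return Response(200)
        if req.path == "/order.php" and m == "pay":
            if not self.cart:
                return Response(500)  # unhandled empty cart: the "weird" case
            self.cart = None
            return Response(200)
        return Response(404)


def demo() -> Dict:
    db, site = TargetDB(), FakeSite()
    login = db.add(Request("GET", "/bob.php", (("method", "login"), ("user", "bob"), ("pw", "x"))))
    logout = db.add(Request("GET", "/bob.php", (("method", "logout"),)))
    add1 = db.add(Request("POST", "/order.php", (("method", "add"), ("sku", "widget-1"))))
    add2 = db.add(Request("POST", "/order.php", (("method", "add"), ("sku", "widget-2"))))
    pay = db.add(Request("POST", "/order.php", (("method", "pay"),)))
    db.define_sequence("login", [login])
    db.define_sequence("order a widget", [add1, pay])
    return {"login_key": login, "logout_key": logout, "add_keys_collapse": add1 == add2,
            "cookies": cookie_report(db.replay("login", site.send, times=5), "PHPSESSID"),
            "order_findings": try_every_order(db, "order a widget", site.send, setup="login")}


if __name__ == "__main__":
    print(demo())
```

Swapping `FakeSite.send` for a function that issues real HTTP requests (urllib2-style, or whatever client you prefer) keeps the rest unchanged; the point is that the store and the sequence/permutation drivers never look at "pages", only at code-path keys and the responses each replay produced.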
