Dailydave mailing list archives
Win32 feedback during web app tests
From: "Dave Aitel" <dave.aitel () gmail com>
Date: Fri, 30 Mar 2007 08:48:58 -0400
One thing that always is funny is when Solaris developers get told by their management to port their applications to Windows. For some reason, the Windows file API is immeasurably complex, so invariably they screw it up and you can own them through some sort of file upload vulnerability. J2EE developers, I'm looking at you. :> It's not like I've released a ton of J2EE bugs lately, so you'll just have to buy this on faith.

On the other hand, Sinan and I were talking a few months back on how to advance the art here a bit and here are some of our thoughts...

Modern web application scanners don't find the cool bugs. But it's expensive to do a web application assessment right with people because they never know how close they are to a bug. Furthermore, web applications are built on thousands of different platforms, each slightly different as people connect various forms of middleware up and proprietary protocols and ERB and who the heck knows what else.

What I'd like to do is push Immunity Debugger across to all the machines in the Web and Application tiers and use that to monitor various APIs and have the results back in my SPIKE Proxy window as I'm testing. The GUI matters, of course. You need to be able to instrument, but filter out for tags and APIs that are you, and not the 10000 other testers hitting the box. Just having a peek at CreateFileA is a big help when trying to avoid filters. If nothing else, it saves a ton of time following false leads.

Likewise, watching the SQL queries on the other end of an application as you trigger various things saves time you could spend doing hard work.

A Win32 debugger may not be the best way to instrument a web application for logic flaws and so on. But being at the Win32 layer is great for finding bugs that are where the application interacts with the operating system, and there's a side benefit of being able to look at network traffic and SQL queries.

I think there's a talk at BlackHat EU today about injecting a web application with instrumenting code as well, but I couldn't tell from the abstract what it was really about. The drawback to injecting code into a web application is you never know where to do it (perhaps the bug is in some binary component in the middleware?), and there are tons of major flavors of bytecode to inject. It's not a small effort. But to find complex logic bugs faster, it's probably something we'll all have to do. :<

-dave

P.S. I'm just posting this SILICA review to annoy that one guy who always replies with "Shut up already about SILICA!" :>
http://www.informit.com/guides/content.asp?g=security&seqNum=247&f1=rss&rl=1