Dailydave mailing list archives

Win32 feedback during web app tests


From: "Dave Aitel" <dave.aitel () gmail com>
Date: Fri, 30 Mar 2007 08:48:58 -0400

One thing that always is funny is when Solaris developers get told by their
management to port their applications to Windows. For some reason, the
Windows file API is immeasurably complex, so invariably they screw it up and
you can own them through some sort of file upload vulnerability. J2EE
developers, I'm looking at you. :> It's not like I've released a ton of J2EE
bugs lately, so you'll just have to buy this on faith. On the other hand,
Sinan and I were talking a few months back on how to advance the art here a
bit and here are some of our thoughts...

Modern web application scanners don't find the cool bugs. But it's expensive
to do a web application assessment right with people because they never know
how close they are to a bug. Furthermore, web applications are built on
thousands of different platforms, each slightly different as people connect
various forms of middleware up and proprietary protocols and ERB and who the
heck knows what else.

What I'd like to do is push Immunity Debugger across to all the machines in
the Web and Application tiers and use that to monitor various APIs and have
the results back in my SPIKE Proxy window as I'm testing. The GUI matters,
of course. You need to be able to instrument, but filter out for tags and
APIs that are you, and not the 10000 other testers hitting the box. Just
having a peek at CreateFileA is a big help when trying to avoid filters. If
nothing else, it saves a ton of time following false leads. Likewise,
watching the SQL queries on the other end of an application as you trigger
various things saves time you could spend doing hard work. A Win32 debugger
may not be the best way to instrument a web application for logic flaws and
so on. But being at the Win32 layer is great for finding bugs that are where
the application interacts with the operating system, and there's a side
benefit of being able to look at network traffic and SQL queries.

I think there's a talk at BlackHat EU today about injecting a web
application with instrumenting code as well, but I couldn't tell from the
abstract what it was really about. The drawback to injecting code into a web
application is you never know where to do it (perhaps the bug is in some
binary component in the middleware?), and there are tons of major flavors of
bytecode to inject. It's not a small effort. But to find complex logic bugs
faster, it's probably something we'll all have to do. :<

-dave

P.S. I'm just posting this SILICA review to annoy that one guy who always
replies with "Shut up already about SILICA!" :>
http://www.informit.com/guides/content.asp?g=security&seqNum=247&f1=rss&rl=1
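The post sketches two pieces of the idea: a hook on a file API such as CreateFileA, and a filter so the tester sees only the calls that belong to their own requests rather than everyone else's traffic. The script below is an added example, not code from the post or from Immunity Debugger; it assumes a hypothetical hook that writes one line per call carrying a per-tester `tag=` marker (the line format and the sample lines are constructed), and it shows the consumer side: pick out one tester's CreateFileA calls and flag any whose normalized path lands outside the intended upload directory, which is exactly the kind of OS-boundary bug the post says this instrumentation surfaces.

```python
import ntpath
import re

# Constructed trace lines, in the shape a hypothetical CreateFileA hook
# could emit: one line per call, tagged with the tester's request marker.
SAMPLE_TRACE = [
    r"tag=tester-7 pid=1234 api=CreateFileA path=C:\inetpub\uploads\avatar.png access=GENERIC_WRITE",
    r"tag=tester-3 pid=1234 api=CreateFileA path=C:\inetpub\uploads\report.pdf access=GENERIC_WRITE",
    r"tag=tester-7 pid=1234 api=CreateFileA path=C:\inetpub\uploads\..\..\windows\win.ini access=GENERIC_READ",
    r"tag=tester-7 pid=1234 api=CreateFileA path=\\?\C:\inetpub\uploads\x.jsp access=GENERIC_WRITE",
    r"tag=tester-7 pid=1234 api=LoadLibraryA path=C:\windows\system32\foo.dll access=-",
]

# key=value pairs; the sample format never puts spaces inside a value.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one hook line into a dict of its key=value fields."""
    return dict(FIELD_RE.findall(line))


def own_calls(lines, tag, api="CreateFileA"):
    """Keep only the calls tagged with this tester's marker and the API of interest."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("tag") == tag and rec.get("api") == api:
            out.append(rec)
    return out


def normalize_win_path(path):
    """Normalize a Win32 path the way the kernel will see it (case-folded, '..' resolved)."""
    # A \\?\ or \\.\ prefix tells Win32 to skip its own normalization, so strip
    # it here and judge the literal target the application handed over.
    for prefix in ("\\\\?\\", "\\\\.\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return ntpath.normcase(ntpath.normpath(path))


def escapes_root(path, root):
    """True if the call would touch a file outside the intended upload directory."""
    norm_root = normalize_win_path(root).rstrip("\\") + "\\"
    return not normalize_win_path(path).startswith(norm_root)


def review(lines, tag, root):
    """Return (raw path, escaped?) for each of this tester's CreateFileA calls."""
    return [(rec["path"], escapes_root(rec["path"], root))
            for rec in own_calls(lines, tag)]


if __name__ == "__main__":
    for path, bad in review(SAMPLE_TRACE, "tester-7", r"C:\inetpub\uploads"):
        print(("ESCAPE " if bad else "ok     ") + path)
```

Filtering on the tag first is what keeps the output usable on a shared box; the path check then turns a raw stream of CreateFileA calls into a yes/no answer about whether the upload handler lets a crafted filename leave its directory, instead of leaving the tester to eyeball every path.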
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave