Re: From blackbox to grey-box during Web App tests

["Thomas Ptacek" <tqbf () matasano com>]

It's nice that they're doing this for JVM, but isn't this exactly what
PaiMei and BinNavi (and, if you want to get snarky, gcov) do for
native binaries?

Can someone help me understand what web app magic this tool adds?

On 10/9/07, Dave Aitel <dave () immunityinc com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> So  Fortify has this out - it's interesting, but I think it's not what
> I want. Has anyone used it?
>
> http://www.fortifysoftware.com/products/tracer/
>
> I dunno why everyone gets so hung up on metrics when they should be
> going for the jugular.
>
> What I want is to use SPIKE Proxy and while I'm testing the web app
> have every CreateProcess and SQL Statement fed to me and then have a
> filter so I can look only at what I care about (and avoid spamming
> their network too much - especially on busy sites).
>
> Theoretically you could then write something that autodetected and
> bypassed filters and automated getting you your SQL injection in the
> first place. And you would have at least one eye in the land of the
> blind SQL Injection.
>
> It's probably more work to write this email than write up the code
> using Immunity Debugger and SPIKE Proxy, so maybe I'll just go off and
> do that.
>
> - -dave
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFHC49wB8JNm+PA+iURAuZzAJ9FOIQ1NC3EABbOomT6DqeHButWLQCg4/jR
> SkYWfY9IHtoli4QpCuEGqUU=
> =TNSd
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave


-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave