Full Disclosure mailing list archives

Re: Vulnerability Disclosure Technics


From: "Mr. John" <johnspood () yahoo com>
Date: Tue, 22 Jun 2004 01:18:38 -0700 (PDT)

You are right, parameter passing or fuzzy input to a
software is good, but there are some problems:

 - Some applications like IE have many, many ways
for input.
 - The sequence of inputs may vary so much that reaching
the bug state needs a very good chance for the tester.
 - More important, for example for buffer overflow
testing, it isn't easy to understand that now a
successful buffer overflow has happened, at all. Or for an
XSS vulnerability, how can an automatic vulnerability
testing application detect XSS in a case of input?
Or suppose finding the vulnerability in MS RPC last
year: how does she detect that at that input sequence, MS
RPC is vulnerable?
 
But I see that some companies have the ability to get the
binary code of a software (like IE) and test it for
vulnerabilities, and they find some
vulnerabilities in it after a short time. I think that
they have some automated machines for this testing,
but I don't have any idea about that.

Regards.
Mr. John
--------------------------------------------------
"Oliver () greyhat de" <Oliver () greyhat de> wrote:

There are several ways to search for vulnerabilities
in applications.
If you have the source code, you can do a code review.
There are many tools (like flawfinder etc.) which will
support you in finding "static" vulnerabilities like
buffer overflows due to incorrect usage of commands
like "strcpy" and family.
If you don't have the source code, you can do reverse
engineering with debuggers, disassemblers and other
tools, to search for common coding mistakes.
You can also do black-box testing, whereby you can
use fuzzy technology to generate random parameters and
requests, sending them to the application.
The last one is the one I often use, because in most
cases you don't have the source code, and reverse
engineering is not that easy :)

bye,

Oliver

Mr. John wrote:

Hi,
A question is in my mind whenever I see a
vulnerability disclosure. I want to know how a person
finds a security vulnerability in a software. Is
there a regular way?
Suppose that I am technical chair of a software group
and we have a software for which security consideration
is important. How can I test our software to
ensure that no security vulnerabilities (like a buffer
overflow vuln) exist in our software product. It is
also a question for me how, for example, eEye finds many
vulnerabilities in software products. Is there a
regular and formal way? Are there some tools,
techniques, methods, ... for this purpose, for finding a
vulnerability in a software?

Thanks
John
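The two oracles Mr. John asks about above (how an automated tester notices that a buffer overflow actually happened, and how it detects reflected XSS in a given input) shown as a small black-box fuzz harness of the kind Oliver describes. This is an added example, not code from this thread; the target it runs against is a constructed stand-in child process, it assumes a POSIX system (negative return codes mean "killed by a signal"), and every name in it is an assumption.

```python
import random
import signal
import subprocess
import sys

# Constructed stand-in for a black-box target (not a real program): it echoes
# stdin into HTML unescaped and aborts on overlong input, much as glibc's stack
# protector aborts the process once a stack buffer has been smashed.
CHILD = ("import os,sys; d=sys.stdin.buffer.read()\n"
         "os.abort() if len(d) > 1000 else "
         "sys.stdout.write('<p>%s</p>' % d.decode('latin-1'))")
TARGET_ARGV = [sys.executable, "-c", CHILD]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation-based input generation: bit flips, byte inserts, overlong fields."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "repeat"))
        if op == "flip" and data:
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "insert":
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        else:                                  # overlong field: the classic overflow trigger
            data += b"A" * rng.randint(100, 4000)
    return bytes(data)

def classify(returncode, timed_out: bool) -> str:
    """Crash oracle: the tester never 'sees' the overflow itself, only that the
    process died from a signal (SIGSEGV, SIGABRT, SIGBUS ...) or stopped responding."""
    if timed_out:
        return "hang"
    if returncode < 0:
        return "crash:" + signal.Signals(-returncode).name
    return "ok" if returncode == 0 else "error"

def run_target(argv, data: bytes, timeout: float = 5.0):
    """Feed one input to the target on stdin; return (verdict, stdout as text)."""
    try:
        p = subprocess.run(argv, input=data, capture_output=True, timeout=timeout)
        return classify(p.returncode, False), p.stdout.decode("latin-1")
    except subprocess.TimeoutExpired:
        return classify(None, True), ""

def xss_reflected(canary: str, body: str) -> bool:
    """XSS oracle: a unique canary wrapped in markup came back unescaped.
    An escaped reflection would read '&lt;canary&gt;' and not match."""
    return "<" + canary + ">" in body

def fuzz(argv, seed: bytes, iterations: int = 30, rng_seed: int = 1):
    """Run the target on mutated inputs; keep only crashes and hangs as findings."""
    rng = random.Random(rng_seed)
    findings = []
    for _ in range(iterations):
        data = mutate(seed, rng)
        verdict, _out = run_target(argv, data)
        if verdict not in ("ok", "error"):
            findings.append((verdict, data))
    return findings
```

Running `fuzz(TARGET_ARGV, b"name=john")` reports each aborting input as `crash:SIGABRT`, and `xss_reflected("fz7Q1x", run_target(TARGET_ARGV, b"<fz7Q1x>")[1])` is true because the stand-in echoes markup unescaped.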

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html