Secure Coding mailing list archives
Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis
From: ken at krvw.com (Kenneth Van Wyk)
Date: Tue, 27 Feb 2007 04:02:37 -0500
On Feb 27, 2007, at 3:33 AM, Steven M. Christey wrote:
Given the complex manipulations that can work in XSS attacks (see RSnake's cheat sheet) as well as directory traversal, combined with the sheer number of potential inputs in web applications, multiplied by all the variations in encodings, I wouldn't be surprised if they were effective in finding those kinds of implementation bugs, even in well-designed software. Although successfully diagnosing some XSS without live verification smells like a hard problem akin to the Ptacek/Newsham "vantage point" issues in IDS. With the track record of non-web fuzzers and PROTOS style test suites, why do you think web app fuzzing is less likely to succeed?
It's not so much that I don't think fuzzing is useful, it's that I don't see "one size fits all" fuzzing _products_ being useful. To me, it gets to an issue of informed vs. uninformed (or "white box" vs. "black box" if you prefer) testing. While they're both useful and should both be exercised, I believe (though I have no hard statistics to validate) that issues of coverage/state are always going to doom uninformed testing to being less effective than informed testing.

For a fuzzer to be really meaningful, I believe that a "smart fuzzing" approach is going to be the best bet, and that makes it hard for a "one size fits all" product solution to be feasible. To do smart fuzzing, a lot of setup time is necessary in establishing an appropriate test harness and cases that fully exercise the files, network interface data, user data, etc., that the software is expecting.

Perhaps I'm totally off base, and I invite any product folks here to chime in and correct my misconceptions.

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com