WebApp Sec mailing list archives

RE: Spi's products worth a try? Or any suggestions for developers' tool?


From: "Peine,Holger" <Holger.Peine () iese fraunhofer de>
Date: Tue, 8 Nov 2005 09:51:17 +0100

-----Original Message-----
From: App Master [mailto:appmasterzero () hotmail com] 
Sent: Montag, 7. November 2005 22:05
To: araheja () techquotes com
Cc: webappsec () securityfocus com
Subject: Re: Spi's products worth a try? Or any suggestions 
for developers' tool?
[...]
You see, a lot of security products are just like machine guns that fire strings at an application and then grep the HTML for another response string. This is the reason that after you run them it takes so long to verify if the results are correct or not, because it's mostly pure signature matching -- stateless -- of raw HTML and server response codes, without any visibility as to what is occurring in the browser (at the application level), or if the application is causally or statefully affected by injected values.

Hailstorm does it differently, using what you might think of as active payloads. It monitors what each injected payload does and then monitors browser memory (it uses a baked-in version of Mozilla) to trap when code or events execute in the application space as a result of its actions. This is a world of difference between other black-box tools.

I'm not really convinced (yet) by this argument. While I 
generally agree that there should be room for improvement
in security analysis by paying more attention to the application
state, I don't see how the above statements support this. 
I see only a weak connection between the general statement 
about observing state and the second statement about observing
browser behavior instead of HTTP traffic, and I don't see which
observations could be derived from browser behavior that could
not equally be derived from the HTTP data (after all, a browser's
behavior is determined by its input data, leaving aside some
vendor-specific idiosyncrasies which are on topic here).
For example, I can decide from parsing the HTML whether a
certain XSS-Javascript would be executed or not; what's
the added value of monitoring the Javascript interpreter
in the browser?

So, while I have a gut feeling that there is an interesting
point hidden in your argument, could you please elaborate a
bit (including an example) to bring out that point?

Regards,
Holger Peine

-- 
Dr. Holger Peine, Security and Safety
Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
Phone +49-631-6800-2134, Fax -1299 (shared)
www.iese.fraunhofer.de/Staff/peine -- PGP key on request or via
http://pgp.mit.edu
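The two approaches the thread contrasts, "grep the HTML for a response string" versus deciding from a parse of the HTML whether a reflected string would reach the script engine, can be put side by side in a few lines. The following is an added illustration, not code from either poster or from any product named in the thread; the marker string, the sample responses and the context names are constructed for the example. It shows why a stateless string match needs so much manual verification (every reflection is a hit, including inert ones), how far an HTML parse gets in separating the executable contexts from the inert ones, and where that parse stops.

```python
"""Stateless signature match vs. context-aware parse of a reflected marker.

Added example for the webappsec thread; all inputs below are constructed.
"""
from html.parser import HTMLParser

# Constructed, inert probe string standing in for whatever a scanner reflects.
MARKER = "probe12345"

# Constructed sample server responses (not captured from any real application).
RESPONSES = {
    "plain_text":     "<p>Search results for: probe12345</p>",
    "entity_encoded": "<p>Hello &lt;script&gt;probe12345&lt;/script&gt;</p>",
    "in_comment":     "<!-- debug: <script>probe12345</script> -->",
    "in_script":      "<script>var q = 'x'; probe12345; </script>",
    "in_handler":     '<img src="x" onerror="probe12345">',
}

# Contexts in which the marker is handed to the JavaScript engine at all.
EXECUTABLE_CONTEXTS = {"script_body", "event_handler"}


def stateless_match(body, marker):
    """The 'machine gun' approach: does the response contain the string?"""
    return marker in body


class ContextFinder(HTMLParser):
    """Records the HTML syntactic context(s) in which the marker appears."""

    def __init__(self, marker):
        super().__init__()          # default convert_charrefs=True: &lt; becomes text, never a tag
        self.marker = marker
        self.contexts = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if value and self.marker in value:
                # on* attributes are script; any other attribute is data
                self.contexts.add("event_handler" if name.lower().startswith("on") else "attribute")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self.marker in data:
            self.contexts.add("script_body" if self._in_script else "text")

    def handle_comment(self, data):
        if self.marker in data:
            self.contexts.add("comment")


def classify(body, marker):
    """Return the set of HTML contexts in which `marker` occurs in `body`."""
    finder = ContextFinder(marker)
    finder.feed(body)
    finder.close()
    return finder.contexts


def reaches_script_engine(body, marker):
    """True when the HTML parse places the marker where the browser would hand it to JavaScript."""
    return bool(classify(body, marker) & EXECUTABLE_CONTEXTS)


def triage(responses, marker):
    """Compare both approaches over a batch: name -> (stateless hit, parse-based hit)."""
    return {name: (stateless_match(body, marker), reaches_script_engine(body, marker))
            for name, body in responses.items()}


if __name__ == "__main__":
    for name, (grep_hit, parse_hit) in triage(RESPONSES, MARKER).items():
        print(f"{name:15} grep={grep_hit!s:5} parse={parse_hit!s:5} contexts={sorted(classify(RESPONSES[name], MARKER))}")
```

The stateless check fires on all five responses; the parse clears the three inert ones (text, entity-encoded text, comment) and keeps the two that reach the script engine. Note where the HTML parse stops: a hit in `script_body` only says the marker is inside a script element, not whether it sits in a string literal or in statement position, and an `event_handler` hit says nothing about whether the element or event ever fires. Answering those questions needs either a second, JavaScript-aware parse of the surrounding code or observation of the interpreter itself, which is the point at which the thread's two positions actually diverge.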