Re: [Dailydave] bugs are bad.
From: Matthew Franz (mdfranz at gmail.com)
Date: Tue Aug 01 2006 - 11:51:07 CDT
>
> Hi Matthew,
> I have to agree with you there. Most folks run the automated scanners
> (Nessus, retina, webinspect, appscan, etc.) and then spend the majority
> of their time trapping requests and manually attempting injects or
> overflows. The problem is that the application scanner doesn't really
> gather and use information that would be useful for *further*
> automation. For example, if you're testing a blind sql injection, it
> isn't enough to send a "+AND+1=1" and see if the page returned is the
> same as the page where the bogus data wasn't sent. It'd be nice to know
> if the application accepts the '+' sign. And, if it doesn't accept the
> '+' sign, is it due to a script running within the browser (like
> RegularExpressionValidator), or a server-side parsing? If the former,
> you can (and should) still attempt to inject via manual POSTs. If the
> latter, then the automated scanner should attempt other encoding options
> to see what permutations of the '+' sign are allowed (and where). And,
> there are hundreds of these cases which could be built and automated.
> If you gather this sort of knowledge, it should mean that the manual
> 'trap and modify' pen-testing gets minimized (or at least lessened).
> And, if I'm paying thousands of bucks for a web application scanner (not
> to be confused with a general network scanner) then this is the sort of
> data that I want. Heck, I'd even like to see a table of code inputs and
> what dangerous chars (and their encoding) were allowed, size
> restrictions, etc. *That* would be freaking useful.
>
The other thing I'd like to see in commercial products is mining information
from server configuration and feeding that into a scanner. For example
on J2EE apps you've got a wealth of info sprinkled across dozens of
XML config files. Struts-based apps also have juicy stuff about forms,
variables, types, and validation mechanisms that could drive specific
tests, much of which will be in the .war
I assume there is comparable stuff on the Microsoft platform...
- mdf
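Both halves of this exchange ask for the same artifact from different directions: the quoted poster wants "a table of code inputs and what dangerous chars were allowed", and Matthew wants that table driven from the framework's own config rather than from blind probing. The script below is an added example, not code from either poster or from any scanner or project; it parses a constructed Struts `validation.xml` (the real Struts Validator format: `form`, `field`, `depends`, `var`/`var-name`/`var-value`), records each field's declared validators, and evaluates each declared `mask` against a fixed set of dangerous characters to report which ones the declared server-side validation still admits. It assumes the mask regexes are simple enough to be valid in both Java and Python `re`, and it only reports what the configuration declares; whether the action actually calls `validate()` is not visible in this file.

```python
"""Mine a Struts validation.xml for form fields and report which dangerous
characters each field's declared validation still lets through (added
example; not from the thread or any real product)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample validation.xml; not taken from any real application.
SAMPLE_VALIDATION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<form-validation>
  <formset>
    <form name="loginForm">
      <field property="username" depends="required,mask">
        <arg key="login.username"/>
        <var><var-name>mask</var-name><var-value>^[A-Za-z0-9_]{1,32}$</var-value></var>
      </field>
      <field property="password" depends="required"/>
    </form>
    <form name="searchForm">
      <field property="query" depends="mask,maxlength">
        <var><var-name>mask</var-name><var-value>^[^+&lt;]{0,64}$</var-value></var>
        <var><var-name>maxlength</var-name><var-value>64</var-value></var>
      </field>
    </form>
  </formset>
</form-validation>
"""

# Characters the thread talks about. Masks run on the already-decoded request
# value, so we test the decoded character; URL/HTML encoding variants are a
# transport-layer question and are deliberately out of scope here.
DANGEROUS = {
    "'": "single quote", '"': "double quote", "<": "less-than",
    "+": "plus", ";": "semicolon", "%": "percent",
}


def parse_forms(xml_text):
    """Return {form_name: {property: {"depends": [...], "vars": {...}}}}."""
    root = ET.fromstring(xml_text)
    forms = {}
    for form in root.iter("form"):
        fields = {}
        for field in form.findall("field"):
            depends = [d.strip() for d in field.get("depends", "").split(",") if d.strip()]
            variables = {v.findtext("var-name"): v.findtext("var-value")
                         for v in field.findall("var")}
            fields[field.get("property")] = {"depends": depends, "vars": variables}
        forms[form.get("name")] = fields
    return forms


def allowed_chars(field):
    """Dangerous characters the field's declared mask does not reject.

    A field with no 'mask' validator (or a 'mask' entry with no pattern) has
    no declared character restriction at all, so everything is reported."""
    mask = field["vars"].get("mask") if "mask" in field["depends"] else None
    if not mask:
        return sorted(DANGEROUS)
    # Assumption: the Java regex in the config is also a valid Python regex.
    # Struts applies the mask with search semantics, hence the ^...$ anchors
    # in the config; embed the character in a harmless value to test it.
    pattern = re.compile(mask)
    return [c for c in sorted(DANGEROUS) if pattern.search("a" + c + "b")]


def audit(xml_text):
    """Return {(form, property): {"depends", "maxlength", "allows"}}."""
    result = {}
    for form_name, fields in parse_forms(xml_text).items():
        for prop, field in fields.items():
            maxlength = field["vars"].get("maxlength")
            result[(form_name, prop)] = {
                "depends": field["depends"],
                "maxlength": int(maxlength) if "maxlength" in field["depends"] and maxlength else None,
                "allows": allowed_chars(field),
            }
    return result


def report(xml_text):
    """Render the audit as the 'table of inputs' the thread asks for."""
    lines = []
    for (form_name, prop), info in sorted(audit(xml_text).items()):
        allowed = " ".join(info["allows"]) or "(none)"
        size = info["maxlength"] if info["maxlength"] is not None else "unbounded"
        lines.append(f"{form_name}.{prop}: validators={','.join(info['depends']) or '-'} "
                     f"maxlength={size} admits={allowed}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_VALIDATION_XML)))
```

Run against a real `.war`, point `audit()` at the `validation.xml` found under `WEB-INF`; fields that show `admits` as the full set and `maxlength=unbounded` are the ones that deserve manual attention first, and fields whose only protection is a JavaScript-generated client check will not appear restricted here at all, because this file only declares the server-side rules.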
Dailydave mailing list: http://lists.immunitysec.com/mailman/listinfo/dailydave