Re: [Dailydave] bugs are bad.

From: John Lampe (jwlampe@nessus.org)
Date: Mon Jul 31 2006 - 13:25:32 CDT


Matthew Franz wrote:

> I don't know about the SPI tool, my limited experience with Appscan
> left a lot to be desired and the Open Source tools aren't much better.
> I think dave may be on to something here. The whole GUI
> spider/proxy/interceptor/manual-request-builder paradigm used by
> paros/webscarab/odysseus & friends leaves a lot to be desired IMO and
> is damn awkward except for demos to management.

Hi Matthew,
I have to agree with you there. Most folks run the automated scanners
(Nessus, retina, webinspect, appscan, etc.) and then spend the majority
of their time trapping requests and manually attempting injects or
overflows. The problem is that the application scanner doesn't really
gather and use information that would be useful for *further*
automation. For example, if you're testing a blind sql injection, it
isn't enough to send a "+AND+1=1" and see if the page returned is the
same as the page where the bogus data wasn't sent. It'd be nice to know
if the application accepts the '+' sign. And, if it doesn't accept the
'+' sign, is it due to a script running within the browser (like
RegularExpressionValidator), or a server-side parsing? If the former,
you can (and should) still attempt to inject via manual POSTs. If the
latter, then the automated scanner should attempt other encoding options
to see what permutations of the '+' sign are allowed (and where). And,
there are hundreds of these cases which could be built and automated. If
you gather this sort of knowledge, it should mean that the manual 'trap
and modify' pen-testing gets minimized (or at least lessened). And, if
I'm paying thousands of bucks for a web application scanner (not to be
confused with a general network scanner) then this is the sort of data
that I want. Heck, I'd even like to see a table of code inputs and what
dangerous chars (and their encoding) were allowed, size restrictions,
etc. *That* would be freaking useful.

There is a large vendor (I won't pitch them here) that is supposed to be
making their scan engine more intelligent. They have a web broadcast on
Aug 10 and I'll be all ears. It'll be interesting to see what comes out
of that.

--
John Lampe
Senior Security Researcher
TENABLE Network Security, Inc.
jwlampe@{nessus.org,tenablesecurity.com}
Tele: (410) 872-0555
www.tenablesecurity.com

Is your network TENABLE?
---------------------------------------