OSEC

From: James Fleming (jamesfleming94588yahoo.com)
Date: Fri Jan 11 2002 - 16:49:05 CST

    Well I guess there are a few ways to do it. I really
    was wanting to learn about source code analysis and
    how you do that from this list for a web application,
    but can't find any historic threads so far. I usually
    do this:

    User-interactive applications must take or allow
    some form of input from the user, so you can spider a
    site and intelligently parse HTML forms... you usually
    can get a really good idea of the expected parameters
    passed as well.

    My normal way is

    Spider site
    Enumerate files (aka whisker type thing)

    then parse all output and build a list of potential
    targets and attacks that could be applied to the
    targets. Then run them. Use fuzzers and stuff for
    parameter manipulation, and create input for SQL
    injection and CSS etc. myself, although I really want
    to automate this.

    As for whether you should test an individual
    application: of course it has its uses, but one
    application could conceivably compromise another
    application, and so I would say not if you don't have to.

    --- Mark Curphey <mcurpheyonebox.com> wrote:
    > As you know we are starting to build the testing
    > framework... we are going to capture the mailing list
    > debate and thoughts, and want your input. We'll then
    > publish it for community review and input.
    >
    > One of the areas that seems really important is what
    > to test? I put some provisional headings down at
    > http://www.owasp.org/projects/testing/
    >
    > Imaginary scenario: you are presented with a site DNS
    > name and asked to review the security of the
    > applications running on it.
    >
    > Where do you start?
    > Do you spider the site looking for any place that
    > sends parameters to an application?
    > How do you find where applications reside?
    > What about web services and WSDL? Do you look at a
    > UDDI?
    > Should you test an application in isolation (i.e. a
    > single CGI) or all applications on that site?
    >
    > These are just a few thoughts, really just a few...
    >
    > So does anyone want to share the way they approach
    > deciding what should be tested with the list?

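The spider-and-parse-forms step described in the reply above, as an added example that is not part of the original post: a small Python inventory that pulls every form's resolved action, method and named parameters, plus same-host links for the next spider hop, out of one fetched page, so the expected inputs of each application can be listed for review. The page URL and HTML below are constructed samples, not a real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormInventory(HTMLParser):
    """Collect each form (resolved action, method, named parameters) and same-host links."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.links, self._form = page_url, [], set(), None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").upper(), "params": []}
        elif tag in ("input", "select", "textarea") and self._form is not None:
            if a.get("name"):  # unnamed controls are never sent to the server
                self._form["params"].append({"name": a["name"],
                    "type": a.get("type") or ("text" if tag == "input" else tag),
                    "value": a.get("value") or ""})
        elif tag == "a" and a.get("href"):
            url = urljoin(self.page_url, a["href"]).split("#")[0]
            if urlparse(url).netloc == urlparse(self.page_url).netloc:  # stay in scope
                self.links.add(url)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def inventory(page_url, html):
    """Return (forms, links) for one page; links are the next spider candidates."""
    p = FormInventory(page_url)
    p.feed(html)
    return p.forms, sorted(p.links)

def targets(forms):
    """One line per form: METHOD action name(type),... (the 'list of potential targets')."""
    return ["%s %s %s" % (f["method"], f["action"],
            ",".join("%s(%s)" % (p["name"], p["type"]) for p in f["params"])) for f in forms]

# Constructed sample page (hypothetical host, not a real site).
PAGE_URL = "http://app.example/index.html"
SAMPLE_HTML = """<form action="/login" method="post"><input name="user">
<input type="password" name="pass"><input type="hidden" name="csrf" value="abc123">
<input type="submit" value="Go"></form><form><input name="q">
<select name="cat"><option>all</option></select></form><a href="/about">About</a>
<a href="/help?topic=1#faq">Help</a><a href="http://other.example/x">External</a>"""

if __name__ == "__main__":
    for line in targets(inventory(PAGE_URL, SAMPLE_HTML)[0]): print(line)
```

A real run would feed the returned links back into the same parser per page and keep the parameter inventory per form so that coverage of every input can be checked during the review.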