Dailydave mailing list archives
bugs are bad.
From: Dave Aitel <dave () immunityinc com>
Date: Mon, 31 Jul 2006 16:17:35 -0400
I was reading a couple of articles lately.

http://www.darkreading.com/document.asp?doc_id=100156&WT.svl=news1_2
"Client side bugs are bad. You can still get owned. Buy a HIPS!"

http://www.zdnet.com.au/news/security/soa/JavaScript_opens_doors_to_browser_based_attacks/0,2000061744,39265130,00.htm
"Javascript inside your browser is bad. You can still get owned! Buy a web scanner!"

Or, as slacey said on http://technocrat.net/d/2006/7/28/6124:

> Is it me, or does this sound like it boils down to the javascript version of:
> for i = 1 to 255: wget http://192.168.1.$i/ post results to tracker site.

Either way, there should be some sort of filter you can apply in Firefox so that people who sell the "solution" to a problem shouldn't be able to comment on it.

Not that bugs in non-MS apps are uninteresting, or Javascript things are lame - as CANVAS moves more and more into web application hacking we find ourselves doing more and more things like that. But if it's new and interesting, the people to quote will be the CTOs and CSOs of companies who are actually worried about such things.

One thing I've been thinking about lately is that the common thing to do with any security technology is turn it into a scanner. Scanners make lots of money. But writing and selling a scanner typically means you solve the boring parts of the problem.

For example, recently I've been doing a lot of web application assessment work. I don't need to scan them for bugs a scanner is likely to be able to find. I need to browse them, and then store and manipulate different data in a lot of different ways. I want to draw a circle around some blocks that represent queries and say "This is the login sequence - go do this a thousand times and tell me what the cookies are like, and while you're at it try every other query in this other group afterwards".
Then I want to draw a circle around the "order a widget" sequence and say "try this in every possible order after logging in and let me know if anything weird happens".

Essentially I think the whole idea of storing a site based on its "pages" is broken. GET /bob.php?method=login is very different from method=logout. Same "page", different code paths. But today's scanners can't help me. And I think this is because they're making tons of money rather than being useful to people who know what they're doing.

-dave
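The "same page, different code paths" point, as an added illustration that is not code from the original post, from CANVAS, or from any scanner it mentions. It keys captured requests by the code path they exercise rather than by URL path; the set of discriminator parameter names, the example.test host and the captured requests are all constructed assumptions for the demo.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumption: parameters whose VALUES select a code path on the server
# (the post's method=login vs method=logout). Other params vary data, not code.
DISCRIMINATORS = {"method", "action", "op"}


def code_path_key(method, url, discriminators=DISCRIMINATORS):
    """Identify a request by the code path it exercises, not by its page.

    Discriminator params keep their values; every other param keeps only its
    name, so bob.php?method=login&user=alice and ...&user=bob collapse to one
    node while method=login and method=logout stay distinct.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sig = [f"{n}={v}" if n in discriminators else f"{n}=*" for n, v in sorted(params)]
    return f"{method.upper()} {parts.path}?{'&'.join(sig)}"


def group_by_code_path(records):
    """Bucket captured (method, url) pairs by code path, in the order first seen."""
    groups = defaultdict(list)
    for method, url in records:
        groups[code_path_key(method, url)].append(url)
    return dict(groups)


def page_count(records):
    """What a page-oriented scanner would store: distinct URL paths only."""
    return len({urlsplit(url).path for _, url in records})


def code_path_count(records):
    """What an assessor actually needs to reason about: distinct code paths."""
    return len(group_by_code_path(records))


# Constructed sample of one captured browsing session (not real traffic).
CAPTURE = [
    ("GET", "http://example.test/bob.php?method=login&user=alice"),
    ("GET", "http://example.test/bob.php?method=login&user=bob"),
    ("GET", "http://example.test/bob.php?method=logout"),
    ("POST", "http://example.test/bob.php?method=order&widget=3"),
    ("POST", "http://example.test/bob.php?method=order&widget=7"),
]

if __name__ == "__main__":
    # One "page" (bob.php) but three code paths: login, logout, order.
    print(page_count(CAPTURE), code_path_count(CAPTURE))
    for key, urls in group_by_code_path(CAPTURE).items():
        print(key, len(urls))
```

Grouping by code path is what makes "draw a circle around the login sequence" expressible at all: the circle is a list of these keys, and a replay is a walk over the captured URLs in each bucket.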