Dailydave mailing list archives

Re: bugs are bad.


From: John Lampe <jwlampe () nessus org>
Date: Mon, 31 Jul 2006 13:25:32 -0500

Matthew Franz wrote:

> I don't know about the SPI tool, my limited experience with Appscan
> left a lot to be desired and the Open Source tools aren't much better.
> I think dave may be on to something here. The whole GUI
> spider/proxy/interceptor/manual-request-builder paradigm used by
> paros/webscarab/odysseus & friends leaves a lot to be desired IMO and
> is damn awkward except for demos to management.


Hi Matthew,
I have to agree with you there.  Most folks run the automated scanners 
(Nessus, retina, webinspect, appscan, etc.) and then spend the majority 
of their time trapping requests and manually attempting injects or 
overflows.  The problem is that the application scanner doesn't really 
gather and use information that would be useful for *further* 
automation.  For example, if you're testing a blind sql injection, it 
isn't enough to send a "+AND+1=1" and see if the page returned is the 
same as the page where the bogus data wasn't sent.  It'd be nice to know 
if the application accepts the '+' sign.  And, if it doesn't accept the 
'+' sign, is it due to a script running within the browser (like 
RegularExpressionValidator), or a server-side parsing?  If the former, 
you can (and should) still attempt to inject via manual POSTs.  If the 
latter, then the automated scanner should attempt other encoding options 
to see what permutations of the '+' sign are allowed (and where).  And, 
there are hundreds of these cases which could be built and automated. If 
you gather this sort of knowledge, it should mean that the manual 'trap 
and modify' pen-testing gets minimized (or at least lessened). And, if 
I'm paying thousands of bucks for a web application scanner (not to be 
confused with a general network scanner) then this is the sort of data 
that I want.  Heck, I'd even like to see a table of code inputs and what 
dangerous chars (and their encoding) were allowed, size restrictions, 
etc.   *That* would be freaking useful.

There is a large vendor (I won't pitch them here) that is supposed to be 
making their scan engine more intelligent.  They have a web broadcast on 
Aug 10 and I'll be all ears.  It'll be interesting to see what comes out 
of that.



-- 
John Lampe
Senior Security Researcher
TENABLE Network Security, Inc.
jwlampe@{nessus.org,tenablesecurity.com}
Tele: (410) 872-0555
www.tenablesecurity.com

Is your network TENABLE?
---------------------------------------
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
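The kind of "gather it once, reuse it for further automation" probe the reply asks for, as an added example written for this page; it is not code from the original post nor from any of the scanners it names. It sends each dangerous character in several encodings to each parameter, records whether the server accepted it and whether it landed verbatim in the response, pulls any browser-side RegularExpressionValidator rule out of the page so a rejection can be attributed to the browser rather than the server, and bisects the size limit. The target (FORM_HTML, fake_app, send), the validator attribute names and the blacklist behaviour are all constructed stand-ins; replace `send` with a real HTTP POST to run it against a live application.

```python
"""Input-acceptance probe: which dangerous characters survive which
encodings, per parameter, and whether a rejection came from the browser's
validator or from the server. FORM_HTML, fake_app and send are a
constructed stand-in for a target, not a real application."""
import re
import urllib.parse
from html import escape, unescape

DANGEROUS = ["'", '"', "+", "<", ">", ";", "--"]

# The same payload spelled four ways; a blacklist that stops one often misses another.
ENCODERS = {
    "raw": lambda s: s,
    "url": lambda s: urllib.parse.quote(s, safe=""),
    "double_url": lambda s: urllib.parse.quote(urllib.parse.quote(s, safe=""), safe=""),
    "html": lambda s: "".join(f"&#{ord(c)};" for c in s),
}

# ---- constructed stand-in for the target (hypothetical form and handler) ----
# The <span> mimics how a classic ASP.NET RegularExpressionValidator renders
# (attribute names assumed); it only ever runs in the browser.
FORM_HTML = (
    '<form method="post" action="/search"><input name="q"><input name="user">'
    '<span id="qVal" controltovalidate="q" '
    'validationexpression="^[A-Za-z0-9 ]{0,40}$"></span></form>'
)

def fake_app(form: dict) -> tuple[int, str]:
    """'q' is guarded only by the client-side regex, so the server takes
    anything up to 64 bytes. 'user' has a server-side blacklist, but it runs
    *before* a second URL-decode, so a double-encoded quote gets through."""
    q, user = form.get("q", ""), form.get("user", "")
    if len(q) > 64 or len(user) > 20:
        return 400, "too long"
    if any(c in user for c in "';\"<>"):
        return 400, "invalid characters"
    user = urllib.parse.unquote(user)  # the late decode that opens the gap
    return 200, f"<p>q={escape(q)} user={escape(user)}</p>"

def send(form: dict) -> tuple[int, str]:
    """Framework layer: a server decodes the form body once before the handler
    sees it. Swap this for a real HTTP POST to run against a live target."""
    return fake_app({k: urllib.parse.unquote_plus(v) for k, v in form.items()})
# ---- end of stand-in ----

VALIDATOR_RE = re.compile(
    r'<span[^>]*controltovalidate="([^"]+)"[^>]*validationexpression="([^"]+)"', re.I)

def client_side_rules(html: str) -> dict:
    """Field -> compiled regex for every browser-side validator found in the page."""
    return {field: re.compile(rx) for field, rx in VALIDATOR_RE.findall(html)}

def max_length(param: str, send, ceiling: int = 4096) -> int:
    """Largest accepted length of a benign filler: double up, then bisect."""
    lo, hi = 0, 1
    while hi <= ceiling and send({param: "a" * hi})[0] == 200:
        lo, hi = hi, hi * 2
    if hi > ceiling:
        return ceiling
    while hi - lo > 1:  # invariant: lo accepted, hi rejected
        mid = (lo + hi) // 2
        lo, hi = (mid, hi) if send({param: "a" * mid})[0] == 200 else (lo, mid)
    return lo

def probe(params, html: str, send) -> dict:
    """For each param and payload: (server accepted?, payload landed verbatim
    in the response?, would the browser-side validator have blocked it?).
    The probe POSTs regardless of the third flag; that is the whole point."""
    rules = client_side_rules(html)
    report = {}
    for p in params:
        rx, rows = rules.get(p), {}
        for payload in DANGEROUS:
            rows[payload] = {}
            for name, enc in ENCODERS.items():
                value = enc(payload)
                client_block = rx is not None and rx.fullmatch(value) is None
                status, body = send({p: value})
                landed = status == 200 and payload in unescape(body)
                rows[payload][name] = (status == 200, landed, client_block)
        report[p] = {"client_regex": rx.pattern if rx else None,
                     "max_len": max_length(p, send), "chars": rows}
    return report

def print_table(report: dict) -> None:
    """The table the post asks for: param, size cap, and per-encoding verdicts."""
    for p, info in report.items():
        print(f"{p}: max_len={info['max_len']} client_regex={info['client_regex']}")
        print("  payload " + "".join(f"{n:>14}" for n in ENCODERS))
        for payload, cols in info["chars"].items():
            cells = [("ok" if acc else "rej") + ("+landed" if landed else "")
                     + ("/js" if cb else "") for acc, landed, cb in cols.values()]
            print(f"  {payload!r:8}" + "".join(f"{c:>14}" for c in cells))

if __name__ == "__main__":
    print_table(probe(["q", "user"], FORM_HTML, send))
```

Two rows in the resulting table carry the lesson from the reply. A raw `+` on `q` is "accepted" but never lands, because form decoding turns it into a space, so only the `%2B` spelling actually delivers a plus sign; and on `user` the quote is rejected raw and URL-encoded, yet `%2527` passes the blacklist and lands as a literal quote, an encoding gap that a scanner can discover mechanically instead of leaving to the tester's proxy. Every rejection on `q` is flagged `/js` with the server answering 200, which is the "client-side only, keep POSTing" case.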

