Dailydave mailing list archives
Re: bugs are bad.
From: John Lampe <jwlampe () nessus org>
Date: Mon, 31 Jul 2006 13:25:32 -0500
Matthew Franz wrote:
I don't know about the SPI tool, my limited experience with Appscan left a lot to be desired and the Open Source tools aren't much better. I think dave may be on to something here. The whole GUI spider/proxy/interceptor/manual-request-builder paradigm used by paros/webscrab/odysseus & friends leaves a lot to be desired IMO and is damn awkward except for demos to management.
Hi Matthew,

I have to agree with you there. Most folks run the automated scanners (Nessus, retina, webinspect, appscan, etc.) and then spend the majority of their time trapping requests and manually attempting injects or overflows.

The problem is that the application scanner doesn't really gather and use information that would be useful for *further* automation. For example, if you're testing a blind sql injection, it isn't enough to send a "+AND+1=1" and see if the page returned is the same as the page where the bogus data wasn't sent. It'd be nice to know if the application accepts the '+' sign. And, if it doesn't accept the '+' sign, is it due to a script running within the browser (like RegularExpressionValidator), or a server-side parsing? If the former, you can (and should) still attempt to inject via manual POSTs. If the latter, then the automated scanner should attempt other encoding options to see what permutations of the '+' sign are allowed (and where). And, there are hundreds of these cases which could be built and automated.

If you gather this sort of knowledge, it should mean that the manual 'trap and modify' pen-testing gets minimized (or at least lessened). And, if I'm paying thousands of bucks for a web application scanner (not to be confused with a general network scanner) then this is the sort of data that I want. Heck, I'd even like to see a table of code inputs and what dangerous chars (and their encoding) were allowed, size restrictions, etc. *That* would be freaking useful.

There is a large vendor (I won't pitch them here) that is supposed to be making their scan engine more intelligent. They have a web broadcast on Aug 10 and I'll be all ears. It'll be interesting to see what comes out of that.

--
John Lampe
Senior Security Researcher
TENABLE Network Security, Inc.
jwlampe@{nessus.org,tenablesecurity.com}
Tele: (410) 872-0555
www.tenablesecurity.com
Is your network TENABLE?
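An added example, not from the list post or any scanner it mentions, of the kind of table John asks for, built against a local server-side check rather than a live application: it tries each dangerous character in a few encodings, asks the validator whether the value is accepted, and records which (character, encoding) pairs would still reach the query. The two validators, the character set, the encoding list and the single-URL-decode assumption are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed set of characters a validator should keep out of a query:
# the '+' from the post plus a few other common ones.
DANGEROUS = ["+", "'", "<", ";"]

def encodings(ch: str) -> dict[str, str]:
    """Encodings of one character an automated check would try."""
    hx = f"{ord(ch):02X}"
    return {"raw": ch, "url": f"%{hx}", "double-url": f"%25{hx}"}

def server_decode(value: str) -> str:
    # Assumption: the server URL-decodes the parameter exactly once.
    return unquote(value)

def blocklist_validator(raw: str) -> bool:
    """Flawed check: inspects the still-encoded value for literal characters,
    so an encoded form of the same character slips past it."""
    return not any(ch in raw for ch in DANGEROUS)

def allowlist_validator(raw: str) -> bool:
    """Sound check: decodes first, then permits only letters, digits, spaces."""
    return all(c.isalnum() or c == " " for c in server_decode(raw))

def coverage_table(validator) -> dict[tuple[str, str], bool]:
    """Map (character, encoding) -> True if the character still reaches the query."""
    table = {}
    for ch in DANGEROUS:
        for name, enc in encodings(ch).items():
            sent = f"abc{enc}"  # constructed parameter value
            accepted = validator(sent)
            table[(ch, name)] = accepted and ch in server_decode(sent)
    return table

def leaks(validator) -> list[tuple[str, str]]:
    """The (character, encoding) pairs the validator lets through, sorted."""
    return sorted(k for k, v in coverage_table(validator).items() if v)

if __name__ == "__main__":
    for name, v in [("blocklist", blocklist_validator), ("allowlist", allowlist_validator)]:
        print(f"{name}: allowed through -> {leaks(v)}")
```

The same loop can be pointed at a real handler by swapping `server_decode` and the validator for the application's own request pipeline; the table then shows where a client-side-only check is the only thing standing between the input and the query.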