Dailydave mailing list archives
Re: bugs are bad.
From: John Lampe <jwlampe () nessus org>
Date: Mon, 31 Jul 2006 13:52:43 -0500
Matthew Franz wrote:
The other I'd like to see in commercial products is mining information from server configuration and feeding that into a scanner. For example on J2EE apps you've got a wealth of info sprinkled across dozens of XML config files. Struts-based apps also have juicy stuff about forms, variables, types, and validation mechanisms that could drive specific tests, much of which will be in the .war. I assume there is comparable stuff on the Microsoft platform...
There is comparable stuff on MS platforms. Parsing the source code, .config files, the registry (if they are doing it right), DISCO, UDDI, etc. etc. yields interesting stuff. And, there are tools which automate some of the local code auditing (FxCop, SSW Code auditor, etc.)... It would seem that a better methodology for app pen-testing would be to do the code audit and pen-test in conjunction. The code audit gives you the attack vectors that *should* work, and the pen-test becomes nothing more than a validation for the code audit. Lots of pen-testers won't like this as it requires skill in actually reading code... That's why you hear them say stuff like "We need to emulate the actual Hacker attack" and similar rubbish. Why use a black-box approach when you can read and analyze the application? Isn't that just common sense?

--
John Lampe
Senior Security Researcher
TENABLE Network Security, Inc.
jwlampe@{nessus.org,tenablesecurity.com}
Tele: (410) 872-0555
www.tenablesecurity.com
Is your network TENABLE?
---------------------------------------

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
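The config-mining idea raised by both posters (Struts form, type and validation metadata driving specific tests, and a code audit handing the pen-test its list of vectors to validate), as an added example that is not part of the thread: this script parses a constructed Struts 1 struts-config.xml and validation.xml pair, joins each action path to the form bean it binds, and reports fields that accept request input with no declared validator (including mappings where validate="false" switches the rules off). The sample XML, bean and action names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (DOCTYPE declarations omitted); not from a real app.
STRUTS_CONFIG = """<struts-config><form-beans>
  <form-bean name="loginForm" type="app.LoginForm">
    <form-property name="username" type="java.lang.String"/>
    <form-property name="password" type="java.lang.String"/>
    <form-property name="redirect" type="java.lang.String"/>
  </form-bean>
</form-beans><action-mappings>
  <action path="/login" name="loginForm" type="app.LoginAction" validate="true"/>
  <action path="/loginNoCheck" name="loginForm" type="app.LoginAction" validate="false"/>
  <action path="/logout" type="app.LogoutAction"/>
</action-mappings></struts-config>"""

VALIDATION_XML = """<form-validation><formset>
  <form name="loginForm">
    <field property="username" depends="required,maxlength"/>
    <field property="password" depends="required"/>
  </form>
</formset></form-validation>"""

def mine_struts(struts_config, validation_xml):
    """Return {action_path: {field: [validators]}} for every form-backed action."""
    cfg, val = ET.fromstring(struts_config), ET.fromstring(validation_xml)
    # form bean name -> declared properties (the request parameters the action binds)
    beans = {b.get("name"): [p.get("name") for p in b.findall("form-property")]
             for b in cfg.findall("form-beans/form-bean")}
    # form name -> {property: [validator names listed in 'depends']}
    rules = {f.get("name"): {x.get("property"): x.get("depends", "").split(",")
                             for x in f.findall("field")}
             for f in val.findall("formset/form")}
    report = {}
    for a in cfg.findall("action-mappings/action"):
        bean = a.get("name")
        if bean is None:  # action binds no form bean: nothing to mine here
            continue
        active = a.get("validate", "true") == "true"  # "false" disables the rules
        report[a.get("path")] = {f: rules.get(bean, {}).get(f, []) if active else []
                                 for f in beans.get(bean, [])}
    return report

def unvalidated_fields(report):
    """(path, field) pairs that bind input with no validator: first review targets."""
    return sorted((p, f) for p, fs in report.items() for f, v in fs.items() if not v)

if __name__ == "__main__":
    for path, field in unvalidated_fields(mine_struts(STRUTS_CONFIG, VALIDATION_XML)):
        print(f"{path} {field}: no declared validator")
```

The output list is the review queue: each entry is a parameter the action will bind without any declared rule, which is where a code-audit-driven test (or a missing validator) should be looked at first.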