Dailydave mailing list archives
Retests
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 21 Sep 2006 14:15:27 -0700
Today I ran a retest on an app that had a couple of cross site scriptings, directory traversals, and one response splitting thing. I did it manually, but here's what I want for next time:

    def login():
        # replay the recorded login sequence; abort the whole retest if it fails
        ret=spkproxy.runLoginSequence(username,password)
        if not ret:
            bail()

    AllSeqs=XSSSeqs+ResponseSplittingSeqs+DirectoryListingSeqs
    for seq in AllSeqs:
        login()                      # fresh session before each replayed sequence
        ret=spkproxy.testXSSsequence(seq)
        if ret.failed():
            report.output("Found a bug that was not fixed %s"%seq.name)
        else:
            report.output("Bug fixed %s"%seq.name)
        # keep the evidence either way
        report.output("Request: %s \n Response %s\n"%(ret.request,ret.response))

Ah, and I notice that Outlook is vulnerable to the VML bug. How cool is that?

One thing we talked about a bit in China at Xcon was the difference between an attack framework and an exploit framework. In my mind, an attack framework brings you from the tactical world to the operational world - you're taking on an organization, finding centers of gravity in the processes of your targets. Essentially, a Customer Relations Management tool + Exploits + process management + some other magic sauce.

I think people focus too much on spamming. Spamming is very much a pre-mobile warfare kind of way to think about information operations. I.e. if a hacker wants to own you, he's likely to think about the organizations and services you use. Your ISP, your bank, your myspace account, your gmail, your lawyer, your accountant, your computer supply store, your apartment building, etc. A true attack framework takes this, wraps it up, and gives you the path of success custom to that target. This may include attacking web applications in a real way, rather than scanning them. This may include spamming people with email, and if so, which people did you spam, and why. If you got caught or discovered, which people in that organization would be informed? Can we build a model of the information my adversary has about my operations?

The other thing we talked about in China at Xcon was:

1. There's no good book like Shellcoders for running real attacks. Hacking is still a mystery beyond "Hacking Exposed" to most people.

2. Drugs are bad opsec. At best they give law enforcement something to key in on and at worst something for someone to blackmail you with and something to dull your edge. Most of the hacker community does a lot of drugs, and people who don't have a slight edge, I think. Of course they're more boring too, so there's that.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
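The retest loop sketched in the post (log in, replay each recorded finding, decide fixed or not fixed, keep the request and response as evidence) written out as a complete, offline-runnable harness. This is an added example, not Dave's code and not SPIKE Proxy's API: it assumes a pluggable `send(request)` transport and stands in a constructed mock application with a `patched` switch so the same sequences can be checked against the pre-fix and post-fix behaviour. Each sequence carries its own "still vulnerable" predicate (marker reflected unencoded, injected header present, content from outside the web root returned), which is what turns a replay into a verdict.

```python
"""Retest harness: replay recorded web findings and report fixed / not fixed.
Added example; transport, mock app, sequence names and markers are all assumed."""
import html
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class Sequence:
    name: str
    request: Request
    still_vulnerable: Callable[[Response], bool]  # verdict logic for this finding


@dataclass
class Result:
    name: str
    fixed: bool
    request: Request
    response: Response


class RetestError(Exception):
    """Raised when the login sequence fails; nothing is retested unauthenticated."""


def login(send: Callable[[Request], Response], username: str, password: str) -> Dict[str, str]:
    resp = send(Request("POST", "/login", {"user": username, "pw": password}))
    cookie = resp.headers.get("Set-Cookie")
    if resp.status != 200 or not cookie:
        raise RetestError("login sequence failed, bailing out of retest")
    return {"Cookie": cookie}


def retest(send, sequences: List[Sequence], username: str, password: str) -> List[Result]:
    results = []
    for seq in sequences:
        session = login(send, username, password)  # fresh session per sequence, as in the post
        req = Request(seq.request.method, seq.request.path, dict(seq.request.params),
                      {**seq.request.headers, **session})
        resp = send(req)
        results.append(Result(seq.name, not seq.still_vulnerable(resp), req, resp))
    return results


def report(results: List[Result]) -> str:
    lines = []
    for r in results:
        lines.append(("Bug fixed " if r.fixed else "Found a bug that was not fixed ") + r.name)
        lines.append(f"  Request: {r.request.method} {r.request.path} {r.request.params}")
        lines.append(f"  Response: {r.response.status} {r.response.headers} {r.response.body!r}")
    return "\n".join(lines)


# Constructed markers: harmless strings whose presence in the reply proves the defect.
XSS_MARKER = "<retest-marker>"
SPLIT_MARKER = "\r\nX-Retest-Injected: 1"
CANARY = "CANARY-OUTSIDE-WEBROOT"

SEQUENCES = [
    Sequence("xss /search q", Request("GET", "/search", {"q": XSS_MARKER}),
             lambda r: XSS_MARKER in r.body),                     # reflected unencoded
    Sequence("response splitting /redirect to", Request("GET", "/redirect", {"to": "/home" + SPLIT_MARKER}),
             lambda r: "X-Retest-Injected" in r.headers),         # CRLF became a header
    Sequence("traversal /download file", Request("GET", "/download", {"file": "../outside.txt"}),
             lambda r: CANARY in r.body),                         # served outside web root
]


def make_app(patched: bool) -> Callable[[Request], Response]:
    """Constructed mock of the application under retest. patched=False reproduces
    the originally reported behaviour, patched=True the developer's fix."""
    def app(req: Request) -> Response:
        if req.path == "/login":
            if req.params.get("user") == "tester" and req.params.get("pw") == "secret":
                return Response(200, {"Set-Cookie": "sid=abc123"}, "ok")
            return Response(401, {}, "bad credentials")
        if req.headers.get("Cookie") != "sid=abc123":
            return Response(401, {}, "login required")
        if req.path == "/search":
            q = req.params.get("q", "")
            return Response(200, {"Content-Type": "text/html"},
                            f"<p>Results for {html.escape(q) if patched else q}</p>")
        if req.path == "/redirect":
            target = req.params.get("to", "")
            if patched:
                target = target.replace("\r", "").replace("\n", "")
            headers = {}
            for line in ("Location: " + target).split("\r\n"):  # unescaped CRLF splits the header
                k, _, v = line.partition(": ")
                headers[k] = v
            return Response(302, headers, "")
        if req.path == "/download":
            name = req.params.get("file", "")
            if ".." in name:
                return Response(400, {}, "invalid file name") if patched else Response(200, {}, CANARY)
            return Response(200, {}, f"contents of {name}")
        return Response(404, {}, "not found")
    return app


if __name__ == "__main__":
    for label, patched in (("before fix", False), ("after fix", True)):
        print(f"== {label} ==")
        print(report(retest(make_app(patched), SEQUENCES, "tester", "secret")))
```

Run as-is it prints every sequence as "not fixed" against the pre-fix mock and "fixed" against the patched one, with the evidence under each verdict; pointing `retest` at a real transport only requires a `send` that speaks HTTP and returns the same `Response` shape. The verdict belongs to the sequence rather than to the harness because "fixed" means something different for each class of finding, and a retest that only checks for a 200 or a 500 would pass a half-applied fix.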
Current thread:
- Retests Dave Aitel (Sep 21)
- Re: Retests Arun Koshy (Sep 21)
- Re: Retests Thor Larholm (Sep 23)