Full Disclosure mailing list archives
Re: Vulnerability Disclosure Technics
From: "Mr. John" <johnspood () yahoo com>
Date: Tue, 22 Jun 2004 01:18:38 -0700 (PDT)
You are right, parameter passing or fuzzy input to a software is good, but there are some problems:

- Some applications like IE have many, many ways for input.
- The sequence of input may be so variable that reaching the bug state needs very good luck for the tester.
- More important: for buffer overflow testing, for example, it isn't easy to know that a successful buffer overflow has happened at all. Or for an XSS vulnerability, how can an automatic vulnerability testing application detect XSS for a given input? Or take the finding of the vulnerability in MS RPC last year: how does she detect that, at that input sequence, MS RPC is vulnerable?

But I see that some companies are able to take the binary code of a software (like IE) and test it for vulnerabilities, and they find some vulnerabilities in it after a short time. I think that they have some automated machines for this testing, but I don't have any idea about that.

Regards.
Mr. John

--------------------------------------------------

"Oliver () greyhat de" <Oliver () greyhat de> wrote:

> There are several ways to search for vulnerabilities in applications.
>
> If you have the source code, you can do a code review. There are many tools (like flawfinder etc.) which will support you in finding "static" vulnerabilities like buffer overflows due to incorrect usage of commands like "strcpy" and family.
>
> If you don't have the source code, you can do reverse engineering with debuggers, disassemblers and other tools, to search for common coding mistakes.
>
> You can also do black-box testing, whereby you can use fuzzy technology to generate random parameters and requests, sending them to the application.
>
> The last one is the one I often use, because in most cases you don't have the source code, and reverse engineering is not that easy :)
>
> bye,
> Oliver
>
> Mr. John wrote:
>
>> Hi
>>
>> A question is in my mind every time I see a vulnerability disclosure. I want to know how a person finds a security vulnerability in a software. Is there a regular way? Suppose that I am technical chair of a software group and we have a software for which security consideration is important for us. How can I test our software to ensure that no security vulnerabilities (like buffer overflow vulnerabilities) exist in our software product? Or it is a question for me how, for example, eEye finds many vulnerabilities in software products. Is there a regular and formal way? Are there some tools, techniques, methods, ... for this purpose, for finding a vulnerability in a software?
>>
>> Thanks
>> John
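Added example, not code from this thread or from any poster: one common way a black-box test harness notices that an input corrupted memory is to run each case in a child process and check whether the child was killed by a signal. The `target` function, its guard word and the input generator are constructed stand-ins for a real program under test.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
#define CANARY 0xC0FFEE42u

/* Constructed target: a 16-byte field followed by a guard word, the way a
   stack canary sits behind a local buffer. The copy never checks buf's size. */
struct frame { char buf[16]; uint32_t canary; };
static void target(const unsigned char *in, size_t len) {
    struct frame f = { {0}, CANARY };
    unsigned char *p = (unsigned char *)&f;
    if (len > sizeof f) len = sizeof f;      /* keep the demo itself in bounds */
    for (size_t i = 0; i < len; i++) p[i] = in[i];  /* bug: runs past buf */
    if (f.canary != CANARY) abort();         /* guard word changed: SIGABRT */
}

/* Run one test case in a child process. Returns the signal that killed the
   child, 0 for a clean exit, -1 if the harness itself failed. */
int run_case(const unsigned char *in, size_t len) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { target(in, len); _exit(0); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Sweep input lengths with pseudo-random lowercase content. Returns how many
   cases crashed and stores the shortest crashing length (-1 if none). */
int fuzz(unsigned seed, int *first_crash_len) {
    unsigned char in[sizeof(struct frame)];
    int crashes = 0;
    *first_crash_len = -1;
    for (size_t len = 0; len <= sizeof in; len++) {
        for (size_t i = 0; i < len; i++) {
            seed = seed * 1103515245u + 12345u;
            in[i] = (unsigned char)('a' + (seed >> 16) % 26);
        }
        /* count the crash; remember the length of the first one only */
        if (run_case(in, len) > 0 && crashes++ == 0) *first_crash_len = (int)len;
    }
    return crashes;
}

int main(void) {
    int first, n = fuzz(1u, &first);
    printf("%d crashing inputs, shortest is %d bytes\n", n, first);
    return 0;
}
```

The same check works for a closed-source binary when the child calls `exec` on it instead of `target`; overflows that corrupt memory without killing the process stay invisible to this oracle.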