[WEB SECURITY] In depth security scanning versus breadth based

Arian J. Evans arian.evans at anachronic.com
Wed Jul 8 01:00:28 EDT 2009


Robert,

The biggest form-sequencing challenge I have experienced with desktop webapp
scanners is dealing with form/workflow sequences that have One-Time Unique
requirements in their submission sequence. Two common scenarios are:

1) Requiring new, unique user input for each workflow sequence (new user
private details for "register new user", etc.)

2) Having some form of a dynamic, volatile token that needs to be submitted
throughout each unique workflow series. Scanners usually do not recognize
these and dynamically update them with each submission series.


Also some thoughts on fuzzing as it relates to webapps, and scanners:


Fuzzing is for dinosaurs. You really don't need to fuzz 99% of the time if
you have some metadata context of the application, users, and roles.

Almost anything and everything that can be found futzing around with
parameters in a webapp can be found faster and more effectively by
comparative analysis across users, roles, and sessions.

role=admin/users/0/1

session=1234/1237

This even covers complex combinations where you have something like 3 or
more name=value pairs like:

mkey=[128-bit-GUID]&skey=[128-bit-GUID]&zkey=[128-bit-GUID]

And different combinations of mkey, skey, and zkey unlock different roles,
privileges, and permissions in the system.

Mathematically you are unlikely to find anything fuzzing in
weeks/months/years of testing those three keys. You are much better off
performing comparative analysis across users and roles on existing valid
tokens to find indications weak/low entropy generation, weak auth, magic
combinations, etc.

Sometimes, rarely, you can find a "magic bit" by fuzzing (e.g. random value:
debug_mode=077 dumps all passwords), which CANNOT be found with the roles
and privileges you have access to, but these are statistically rare, and in
my experience could almost always be found if you have the right roles and
privileges during testing.

I am not sure which if any desktop scanners that can do this, but I know at
least one of them has been trying. There are other BB scanning solutions
that can provide this today.

If we are going to discuss scanner effectiveness, or really any black-box
testing effectiveness, getting away from blind fuzzing as a
dinosaur time-wasting event and focusing on comparative, contextual
analysis is very important I think.

Cheers,

-- 
Arian Evans
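The comparative analysis across sessions and roles described above, together with the volatile-token problem from scenario 2, as an added example that is not part of the original post or of any scanner product. It assumes a constructed in-memory toy app (`ToyApp`, with a two-step export wizard, sessions `1234`/`1237` borrowed from the post's illustration, and a `missing_check_on_run` flag that simulates a missing role check), plus a small "metadata context" map of which roles are meant to reach each step. The harness walks the workflow once per session, re-reading the one-time token at every pass instead of replaying a captured value, and then reports only the steps where a role that should not have access receives the same 200 response the privileged baseline session received.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed session store (session id -> role); the ids echo the post's
# "session=1234/1237" illustration and are not real values.
SESSIONS = {"1234": "admin", "1237": "user"}

# "Metadata context": which roles are meant to reach each workflow step.
EXPECTED_ROLES = {
    "/export/start": {"admin", "user"},  # anyone logged in may open the wizard
    "/export/run":   {"admin"},          # only admins may run the export
}

TOKEN_RE = re.compile(r"token=([0-9a-f]+)")


@dataclass
class ToyApp:
    """Constructed two-step workflow: /export/start issues a one-time token
    that /export/run must present. The flag simulates a missing role check."""
    missing_check_on_run: bool = False
    step_tokens: dict = field(default_factory=dict)

    def handle(self, session, path, params):
        role = SESSIONS.get(session)
        if role is None:
            return 401, "login required"
        if path == "/export/start":
            tok = secrets.token_hex(8)
            self.step_tokens[session] = tok          # rotated on every visit
            return 200, f"export wizard step 1 token={tok}"
        if path == "/export/run":
            # pop() enforces one-time use: a replayed token never matches
            if params.get("token") != self.step_tokens.pop(session, None):
                return 400, "bad or stale token"
            if role != "admin" and not self.missing_check_on_run:
                return 403, "forbidden"
            return 200, "ALL USER RECORDS: name,email,..."
        return 404, "not found"


def normalise(body):
    """Mask volatile tokens so two responses can be compared by content."""
    return TOKEN_RE.sub("token=<volatile>", body)


def walk_workflow(app, session):
    """Replay the sequence for one session, re-reading the volatile token
    from step 1 before submitting step 2 (the part scanners tend to miss)."""
    status1, body1 = app.handle(session, "/export/start", {})
    match = TOKEN_RE.search(body1)
    token = match.group(1) if match else ""
    status2, body2 = app.handle(session, "/export/run", {"token": token})
    return {"/export/start": (status1, normalise(body1)),
            "/export/run": (status2, normalise(body2))}


def compare_roles(app, baseline_session, other_sessions):
    """Comparative analysis: flag steps where a session whose role should
    NOT reach the step gets the same 200 response the baseline session got."""
    baseline = walk_workflow(app, baseline_session)
    findings = []
    for sess in other_sessions:
        role = SESSIONS[sess]
        observed = walk_workflow(app, sess)
        for path, (b_status, b_body) in baseline.items():
            if role in EXPECTED_ROLES[path]:
                continue                             # access is by design
            if b_status == 200 and observed[path] == (200, b_body):
                findings.append((sess, role, path))
    return findings


def replay_without_refresh(app, session):
    """Mimic a scanner that resubmits step 2 with a token captured earlier:
    the app rejects it, which is why each pass must walk the whole sequence."""
    _, body = app.handle(session, "/export/start", {})
    captured = TOKEN_RE.search(body).group(1)
    app.handle(session, "/export/run", {"token": captured})   # consumes it
    status, _ = app.handle(session, "/export/run", {"token": captured})
    return status


if __name__ == "__main__":
    print("correct app:", compare_roles(ToyApp(), "1234", ["1237"]))
    print("missing check:",
          compare_roles(ToyApp(missing_check_on_run=True), "1234", ["1237"]))
    print("stale-token replay status:", replay_without_refresh(ToyApp(), "1234"))
```

The expected-roles map is what turns a raw response diff into a finding: without it, every page both roles may legitimately see would show up as "identical", which is the noise a blind diff produces. Against a real application the same structure applies, with `handle()` replaced by an HTTP client carrying each session's cookie and `normalise()` extended to mask whatever other volatile content (timestamps, nonces) the responses carry.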




On Tue, Jul 7, 2009 at 6:49 PM, Andres Riancho <andres.riancho at gmail.com> wrote:

> Robert,
>
> On Tue, Jul 7, 2009 at 9:14 PM, <robert at webappsec.org> wrote:
> > Hello Everyone,
> >
> > Many automated tools are great at crawling/attacking every url they
> > discover, however fail to properly visit URL sequences
> > in order. For example you must complete a 5 page process to get to the
> > functionality on page 6. Certain commercial products
> > support 'macro's' where you can record those 'url sequences' in order and
> > can later audit them in order. What are the lists
> > experiences with getting blackbox tools to perform this depth of review
> > in a pre/post production environment?
> >
> > If you plan on replying with one of the following replies you will be
> > ignored! :)
> > - Debating the types of attacks/weaknesses tools are good at finding
> > - Debating source code/sca analysis vs blackbox
> > - Pitching your product/service
>
> I think that it's almost impossible to automatically create a 100%
> accurate model to analyze web applications using a black-box approach.
> For simple web applications with no "wizard-like" logic, this might be
> achieved... but when the application starts to get more complex, IMHO
> you've got two ways to go:
>
> - Create a really complex model manually, that your web app scanner
> needs to understand, and knows how to fuzz. Which is a hard task to
> perform, and even if you want to do it... the scanner could limit your
> model in SO MANY WAYS...
>
> - Throw away the scanner, and perform manual testing, which is the
> only real way in which you'll be sure that all the web application
> vulnerabilities are being found. With this, I'm not saying that
> scanners are useless! Damn... I write one in my spare time! What I'm
> saying is that when the web application gets really, really complex...
> the only way to test it properly is by hand.
>
> Which is basically great, because all of us will have lots of work
> testing web applications for at least 5 more years ;)
>
> My two cents,
>
> > Regards,
> > - Robert A.
> > http://www.cgisecurity.com/ Application Security news, and more
> > http://www.webappsec.org/ WASC Co Founder and Moderator of The Web
> > Security Mailing List
> > http://www.qasec.com/ Software Security Testing in QA and Development
> >
> >
> >
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> > Join WASC on LinkedIn
> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >
> >
>
>
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>