[WEB SECURITY] In depth security scanning versus breadth based
Rafal @ IsHackingYou.com
rafal at ishackingyou.com
Thu Jul 9 11:01:10 EDT 2009
List-
Technically speaking I think there are 2 hurdles ... both are able to be
overcome.
The first is how to "guide" the testing tool through the workflow,
appropriately. This requires the tool to be able to understand a success
and failure condition when stepping-through the pages/actions. Importing a
script from a QA tool (take for instance, QTP) isn't rocket science and any
piece of automation worth its price tag should be able to successfully
interact with your QC environment on *some* level... but that's not the
trick. The trick is to have the tool figure out when it's failed at
following the workflow. On the off chance that a card number you're using
to register (as an example) is a duplicate and the system throws an error
and returns you to Page1... how does the tool recognize that it didn't
complete the transaction correctly? Worse yet... if in the middle of
stepping through Page1 --> Page6 you have a condition on Page5 that
actually throws you back into Page3 and then continues to step you
forward... writing the technical looping condition and "flow-control" is
both technically difficult and process-intensive, not to mention
memory-hungry... but it can be done with logic and state-tracking.
The second major hurdle is the issue (as someone has already brought up) of
one-time events such as registering a user, or completing a transaction
(registering a credit card, or activating an account, for example). This
can be overcome by "tagging" the inputs that will change within the workflow
and providing parameter-based variable input (meaning, provide for input
$CCNum = {1234, 1235, 1236, 1237...1300}, as an example). The ability to
identify variable-input fields is already an option on commercial tools
(refraining from naming, respecting the "no pitching your tools" clause) but
those are currently in an "ask for user input" state. This requires the
tester to sit there and put in valid input every time the application runs
into this parameter on a page (into a pop-up box)... which can be quite
annoying and possibly eliminate many of the benefits of automated testing.
The solution to this is to allow for the variable-input parameter option
(via a pre-defined list perhaps... or RegEx?)... this will successfully
mitigate this issue.
I strongly feel that this sort of question continues to prove that "web app
security" is *not* strictly a "security problem" and that the QA teams must
be involved in testing... even if they don't fully understand the nature of
the work. Security teams (traditional security personnel) simply aren't
equipped to handle this in *most* cases.
Cheers.
__
Rafal M. Los
Security & IT Risk Strategist
- Blog: http://preachsecurity.blogspot.com
- LinkedIn: http://www.linkedin.com/in/rmlos
- Twitter: http://twitter.com/RafalLos
--------------------------------------------------
From: <robert at webappsec.org>
Sent: Tuesday, July 07, 2009 7:14 PM
To: <websecurity at webappsec.org>
Subject: [WEB SECURITY] In depth security scanning versus breadth based
Hello Everyone,
Many automated tools are great at crawling/attacking every URL they
discover; however, they fail to properly visit URL sequences
in order. For example you must complete a 5 page process to get to the
functionality on page 6. Certain commercial products
support 'macros' where you can record those 'URL sequences' in order and
can later audit them in order. What are the list's
experiences with getting blackbox tools to perform this depth of review in a
pre/post production environment?
If you plan on replying with one of the following replies you will be
ignored! :)
- Debating the types of attacks/weaknesses tools are good at finding
- Debating source code/sca analysis vs blackbox
- Pitching your product/service
Regards,
- Robert A.
http://www.cgisecurity.com/ Application Security news, and more
http://www.webappsec.org/ WASC Co Founder and Moderator of The Web Security
Mailing List
http://www.qasec.com/ Software Security Testing in QA and Development
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
----------------------------------------------------------------------------
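The two hurdles discussed in the thread, as an added example in Python that is not code from either poster: a small state-tracking workflow driver steps a recorded Page1-to-Page6 macro against a constructed in-process mock of the application. The page names, form fields, the "re-confirm your address" loop-back on Page5 and the card-number pool are all assumptions made for the illustration. A failure condition is recognised as landing on any page other than the one the macro expects; a backwards jump (a duplicate card throws you to Page1, Page5 loops you to Page3) is recorded as a regression and the driver resumes from the page actually served instead of silently carrying on; one-time inputs such as the card number are drawn from a pre-defined pool instead of prompting the tester, with the pool running dry handled as a reported failure rather than a hang.

```python
# Added example, not code from the thread: a state-tracking workflow driver for
# sequenced blackbox scanning, run against a constructed in-process mock app.
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Tuple

PAGE_ORDER = ["page1", "page2", "page3", "page4", "page5", "page6"]  # assumed flow


class MockApp:
    """Constructed 6-page registration flow standing in for a real site."""

    def __init__(self, already_registered):
        self.registered_cards = set(already_registered)
        self.session = {}

    def submit(self, page, form):
        """Handle a form post on `page`; return (page served next, body)."""
        if page == "page1":
            self.session = {}                           # fresh transaction
            return "page2", "enter card"
        if page == "page2":
            if form["card"] in self.registered_cards:   # one-time event collides
                return "page1", "error: card already registered"
            self.registered_cards.add(form["card"])
            return "page3", "enter address"
        if page == "page3":
            self.session["address"] = form["address"]
            return "page4", "review"
        if page == "page4":
            return "page5", "confirm"
        if page == "page5":
            if not self.session.get("confirmed"):
                self.session["confirmed"] = True
                return "page3", "please re-confirm your address"  # loops back
            return "page6", "transaction complete"
        raise ValueError(page)


@dataclass
class Step:
    build_form: Callable[["Driver"], Dict[str, str]]
    expect_next: str                                # where a success lands


@dataclass
class Driver:
    app: MockApp
    steps: Dict[str, Step]                          # keyed by page submitted
    pools: Dict[str, Iterator[str]]                 # tagged variable inputs
    target: str
    max_transitions: int = 25                       # guard against endless loops
    trace: List[Tuple[str, str, str]] = field(default_factory=list)
    regressions: List[Tuple[str, str]] = field(default_factory=list)
    error: str = ""

    def draw(self, name):
        """Next value for a tagged input ($CCNum-style pool, no prompting)."""
        try:
            return next(self.pools[name])
        except StopIteration:
            raise RuntimeError(f"variable-input pool {name!r} exhausted")

    def run(self):
        current = PAGE_ORDER[0]
        for _ in range(self.max_transitions):
            step = self.steps[current]
            try:
                nxt, body = self.app.submit(current, step.build_form(self))
            except RuntimeError as exc:             # pool ran dry: stop, report
                self.error = str(exc)
                return False
            self.trace.append((current, nxt, body))
            if nxt == self.target:
                return True
            if nxt != step.expect_next:
                # Failure condition: not where the recorded macro says we should
                # be. A backwards jump means the app rejected or rerouted us:
                # record it and resume from the page actually served.
                if PAGE_ORDER.index(nxt) >= PAGE_ORDER.index(current):
                    self.error = f"unexpected page {nxt!r} after {current!r}"
                    return False
                self.regressions.append((current, nxt))
            current = nxt
        self.error = "transition limit reached"
        return False


def run_demo(card_numbers=range(1234, 1301)):
    """Drive the mock from page1 to page6 and report what the driver saw."""
    app = MockApp(already_registered={"4111000000001234"})  # forces a duplicate
    steps = {
        "page1": Step(lambda d: {}, "page2"),
        "page2": Step(lambda d: {"card": d.draw("CCNum")}, "page3"),
        "page3": Step(lambda d: {"address": "1 Test St"}, "page4"),
        "page4": Step(lambda d: {}, "page5"),
        "page5": Step(lambda d: {}, "page6"),
    }
    pools = {"CCNum": iter(f"4111{n:012d}" for n in card_numbers)}
    drv = Driver(app, steps, pools, target="page6")
    return {
        "reached": drv.run(),
        "transitions": len(drv.trace),
        "regressions": drv.regressions,
        "cards_tried": sum(1 for page, _, _ in drv.trace if page == "page2"),
        "error": drv.error,
    }
```

Calling `run_demo()` walks the flow in ten transitions, records the two regressions (Page2 back to Page1 on the duplicate card, Page5 back to Page3 on the re-confirm), and reaches Page6 on the second card from the pool; `run_demo(range(1234, 1235))` gives the driver only the pre-registered card, so the retry exhausts the pool and the run ends with an explicit error instead of a pop-up asking the tester for a value.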