[WEB SECURITY] In depth security scanning versus breadth based

NeZa neza0x at gmail.com
Thu Jul 9 21:34:10 EDT 2009


Hey Rafal,

You mentioned one key point which I think is one of the main doubts in this
discussion which is "how to guide the tool through the workflow", you said
it can be done with "logic and state-tracking".

Could you please throw more light on this "state-tracking" process? I mean,
how can it be implemented?

Thanks :-)

On Thu, Jul 9, 2009 at 10:01 AM, Rafal @ IsHackingYou.com <
rafal at ishackingyou.com> wrote:

> List-
>    Technically speaking I think there are 2 hurdles ... both are able to be
> overcome.
>
> The first is how to "guide" the testing tool through the workflow,
> appropriately.  This requires the tool to be able to understand a success
> and failure condition when stepping-through the pages/actions.  Importing a
> script from a QA tool (take for instance, QTP) isn't rocket science and any
> piece of automation worth its price tag should be able to successfully
> interact with your QC environment on *some* level... but that's not the
> trick.  The trick is to have the tool figure out when it's failed at
> following the workflow.  In the odd chance that a card number you're using
> to register (as an example) is a duplicate and the system throws an error
> and returns you to Page1... how does the tool recognize that it didn't
> complete the transaction correctly?  Worse yet... if in the middle of
> stepping through Page1 --> Page 6 you have a condition on page 5 that
> actually throws you back into Page3 and then continues to step you
> forward... writing the technical looping condition and "flow-control" is
> both technically difficult and process-intensive, not to mention
> memory-hungry... but it can be done with logic and state-tracking.
>
> The second major hurdle is the issue (as someone has already brought up) of
> one-time events such as registering a user, or completing a transaction
> (registering a credit card, or activating an account, for example).  This
> can be overcome by "tagging" the inputs that will change within the workflow
> and providing parameter-based variable input (meaning, provide for input
> $CCNum = {1234, 1235, 1236, 1237...1300}, as an example).  The ability to
> identify variable-input fields is already an option on commercial tools
> (refraining from naming, respecting the "no pitching your tools" clause) but
> those are currently in an "ask for user input" state.  This requires the
> tester to sit there and put in valid input every time the application runs
> into this parameter on a page (into a pop-up box)... which can be quite
> annoying and possibly eliminate many of the benefits of automated testing.
> The solution to this is to allow for the variable-input parameter option
> (via a pre-defined list perhaps... or RegEx?)... this will successfully
> mitigate this issue.
>
> I strongly feel that this sort of question continues to prove that "web app
> security" is *not* strictly a "security problem" and that the QA teams must
> be involved in testing... even if they don't fully understand the nature of
> the work.  Security teams (traditional security personnel) simply aren't
> equipped to handle this in *most* cases.
>
> Cheers.
>
> __
> Rafal M. Los
> Security & IT Risk Strategist
>
>  - Blog:                http://preachsecurity.blogspot.com
>  - LinkedIn:    http://www.linkedin.com/in/rmlos
>  - Twitter:     http://twitter.com/RafalLos
>
> --------------------------------------------------
> From: <robert at webappsec.org>
> Sent: Tuesday, July 07, 2009 7:14 PM
> To: <websecurity at webappsec.org>
> Subject: [WEB SECURITY] In depth security scanning versus breadth based
>
> Hello Everyone,
>
> Many automated tools are great at crawling/attacking every url they
> discover, however fail to properly visit URL sequences
> in order. For example you must complete a 5 page process to get to the
> functionality on page 6. Certain commercial products
> support 'macros' where you can record those 'url sequences' in order and
> can later audit them in order. What are the list's
> experiences with getting blackbox tools to perform this depth of review in a
> pre/post production environment?
>
> If you plan on replying with one of the following replies you will be
> ignored! :)
> - Debating the types of attacks/weaknesses tools are good at finding
> - Debating source code/sca analysis vs blackbox
> - Pitching your product/service
>
> Regards,
> - Robert A.
> http://www.cgisecurity.com/ Application Security news, and more
> http://www.webappsec.org/ WASC Co Founder and Moderator of The Web Security
> Mailing List
> http://www.qasec.com/ Software Security Testing in QA and Development
>
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>


-- 
NeZa
Hacker Wanna Be from Nezahualcoyotl
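Since the state-tracking question above is the crux, here is an added sketch of my own (not code from Rafal's tools or any commercial product) of how a workflow runner can track where the application actually landed it, treat anything other than advancing one page as a failure to resume from, and pull a tagged variable input such as $CCNum from a pre-defined list. The application under test is a constructed in-memory stand-in that reproduces the duplicate-card error and the page-5-back-to-page-3 bounce described in the thread; the page numbers and field names are assumptions.

```python
import itertools
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed stand-in for the application under test (not a real site): given
# the page we are on and the submitted form, it returns the page the app lands
# us on. Page 1 registers a card and a duplicate card sends us back to page 1;
# page 5 throws us back to page 3 the first time through, then lets us pass.
def make_fake_app() -> Callable[[int, Dict], int]:
    registered, bounced = set(), []
    def app(page: int, form: Dict) -> int:
        if page == 1:
            if form["ccnum"] in registered:
                return 1                    # duplicate: error, back to page 1
            registered.add(form["ccnum"])
        if page == 5 and not bounced:
            bounced.append(True)
            return 3
        return page + 1
    return app

class WorkflowRunner:
    """Step a recorded macro page by page, tracking where the app actually
    landed us instead of assuming every submit advanced exactly one page."""
    def __init__(self, app, ccnums: Iterator[int], max_steps: int = 30):
        self.app, self.ccnums, self.max_steps = app, ccnums, max_steps
        self.trace: List[str] = []

    def form_for(self, page: int) -> Dict:
        # Tagged variable input: page 1 draws a fresh $CCNum per attempt from
        # the pre-defined list, so a retry never resubmits an already-used value.
        return {"ccnum": next(self.ccnums)} if page == 1 else {"page": page}

    def run(self, target: int = 6) -> bool:
        page, steps = 1, 0
        # max_steps bounds the flow-control loop if the app bounces us forever.
        while page != target and steps < self.max_steps:
            steps += 1
            landed = self.app(page, self.form_for(page))
            # Success condition: we advanced exactly one page. Landing on the
            # same or an earlier page is a failure, and we resume from there.
            status = "ok" if landed == page + 1 else "failed, resuming"
            self.trace.append(f"page {page} -> page {landed}: {status}")
            page = landed
        return page == target

def demo() -> Tuple[bool, List[str]]:
    app = make_fake_app()
    app(1, {"ccnum": 1234})                 # constructed: 1234 already in use
    runner = WorkflowRunner(app, itertools.count(1234))
    return runner.run(), runner.trace
```

Running demo() shows the first attempt failing on the duplicate card, the retry with the next list value succeeding, and the bounce from page 5 to page 3 being detected and replayed until page 6 is reached.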