[WEB SECURITY] In depth security scanning versus breadth based

Rusty Johnson rusty_johnson2 at yahoo.com
Fri Jul 10 09:48:50 EDT 2009


All,

Last night at OWASP DC Dinis Cruz presented Ounce O2 (open source... at least O2 is) and I was fortunate enough to attend. O2 in particular represents a sort of fusion between static analysis and automated scanning into an environment where, if you are lucky enough to receive source code, you can identify a few of the things discussed here. For example, if you are concerned with multi-page data flow you can watch the entire process from start to finish. So for instance, when you identify dangerous input and the method being called that is in fact dangerous... you can identify everywhere the method is referenced within the application. Additionally it is possible to load, compile, and debug in a runtime environment in order to verify the vulnerability or in fact create a virtual patch if you chose to do so. IMHO that is a cool way to provide your customer with a real-world code example for mitigation in your report vice a standardized template containing code examples that may or may not help them in any way, shape or form. I'm not going to touch on everything it can do, but I would encourage checking it out and potentially contributing, being that it is open source. Great idea and a good way to bridge the gap that this thread has discussed.

~cktricky

--- On Thu, 7/9/09, NeZa <neza0x at gmail.com> wrote:

From: NeZa <neza0x at gmail.com>
Subject: Re: [WEB SECURITY] In depth security scanning versus breadth based
To: "Rafal @ IsHackingYou.com" <rafal at ishackingyou.com>
Cc: websecurity at webappsec.org
Date: Thursday, July 9, 2009, 9:34 PM

Hey Rafal,

You mentioned one key point which I think is one of the main doubts in this discussion, which is "how to guide the tool through the workflow"; you said it can be done with "logic and state-tracking".

Could you please throw more light on this "state-tracking" process? I mean, how can it be implemented?

Thanks :-)

On Thu, Jul 9, 2009 at 10:01 AM, Rafal @ IsHackingYou.com <rafal at ishackingyou.com> wrote:

List-

    Technically speaking I think there are 2 hurdles ... both are able to be
overcome.

The first is how to "guide" the testing tool through the workflow,
appropriately.  This requires the tool to be able to understand a success
and failure condition when stepping-through the pages/actions.  Importing a
script from a QA tool (take for instance, QTP) isn't rocket science and any
piece of automation worth its price tag should be able to successfully
interact with your QC environment on *some* level... but that's not the
trick.  The trick is to have the tool figure out when it's failed at
following the workflow.  In the odd chance that a card number you're using
to register (as an example) is a duplicate and the system throws an error
and returns you to Page1... how does the tool recognize that it didn't
complete the transaction correctly?  Worse yet... if in the middle of
stepping through Page1 --> Page 6 you have a condition on page 5 that
actually throws you back into Page3 and then continues to step you
forward... writing the technical looping condition and "flow-control" is
both technically difficult and process-intensive, not to mention
memory-hungry... but it can be done with logic and state-tracking.

The second major hurdle is the issue (as someone has already brought up) of
one-time events such as registering a user, or completing a transaction
(registering a credit card, or activating an account, for example).  This
can be overcome by "tagging" the inputs that will change within the workflow
and providing parameter-based variable input (meaning, provide for input
$CCNum = {1234, 1235, 1236, 1237...1300}, as an example).  The ability to
identify variable-input fields is already an option on commercial tools
(refraining from naming, respecting the "no pitching your tools" clause) but
those are currently in an "ask for user input" state.  This requires the
tester to sit there and put in valid input every time the application runs
into this parameter on a page (into a pop-up box)... which can be quite
annoying and possibly eliminate many of the benefits of automated testing.
The solution to this is to allow for the variable-input parameter option
(via a pre-defined list perhaps... or RegEx?)... this will successfully
mitigate this issue.

I strongly feel that this sort of question continues to prove that "web app
security" is *not* strictly a "security problem" and that the QA teams must
be involved in testing... even if they don't fully understand the nature of
the work.  Security teams (traditional security personnel) simply aren't
equipped to handle this in *most* cases.

Cheers.

__
Rafal M. Los
Security & IT Risk Strategist

 - Blog:                http://preachsecurity.blogspot.com
 - LinkedIn:    http://www.linkedin.com/in/rmlos
 - Twitter:     http://twitter.com/RafalLos

--------------------------------------------------

From: <robert at webappsec.org>
Sent: Tuesday, July 07, 2009 7:14 PM
To: <websecurity at webappsec.org>
Subject: [WEB SECURITY] In depth security scanning versus breadth based

Hello Everyone,

Many automated tools are great at crawling/attacking every url they
discover, however they fail to properly visit URL sequences
in order. For example you must complete a 5 page process to get to the
functionality on page 6. Certain commercial products
support 'macros' where you can record those 'url sequences' in order and
can later audit them in order. What are the list's
experiences with getting blackbox tools to perform this depth of review in a
pre/post production environment?

If you plan on replying with one of the following replies you will be
ignored! :)
- Debating the types of attacks/weaknesses tools are good at finding
- Debating source code/sca analysis vs blackbox
- Pitching your product/service

Regards,
- Robert A.
http://www.cgisecurity.com/ Application Security news, and more
http://www.webappsec.org/ WASC Co Founder and Moderator of The Web Security
Mailing List
http://www.qasec.com/ Software Security Testing in QA and Development



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


-- 
NeZa
Hacker Wanna Be from Nezahualcoyotl
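As an added example (not code from this thread, nor from O2 or any of the scanners alluded to), here is a small Python replayer that implements the "state-tracking" Rafal describes and NeZa asks about, covering both of his hurdles: each recorded step carries the page the application should render on success; when the returned page shows the app bounced the session to an earlier page (the page-5-to-page-3 case), the replayer re-syncs from that step instead of blindly sending the next request; and when it lands back on page 1 after a one-time input was rejected (the duplicate card case), it draws fresh values for the tagged inputs from a pre-defined list, exactly the $CCNum = {…} idea. The target application is a constructed in-memory stub that mimics those two failure modes; the page markers, parameter names, the `$ccnum` tag and the stub's behaviour are all assumptions made for the example.

```python
"""Replay a recorded multi-page workflow while tracking which page the
application actually rendered, so the replayer can detect that it fell off
the workflow, re-sync, and draw fresh values for one-time inputs.

Added example, not code from the thread or from any scanner. The target is
a constructed in-memory stub; page markers and parameter names are assumed.
"""
import re
from dataclasses import dataclass, field

PAGE_RE = re.compile(r"<div id='page(\d+)'>")   # assumed marker on every page


class FakeCheckoutApp:
    """Constructed stand-in for a six-page registration flow.

    Pages 1..5 each accept one form post and render the next page. Two
    behaviours mimic the failure modes discussed in the thread:
      * page 2 rejects a card number that is already registered and
        returns the session to page 1;
      * page 5 bounces the session back to page 3 on its first attempt
        (say, an address re-check) and only accepts the second one.
    """

    def __init__(self, used_cards):
        self.used_cards = set(used_cards)
        self.sessions = {}

    def request(self, sid, page, params):
        s = self.sessions.setdefault(sid, {"page": 1, "bounced": False, "card": None})
        if page != s["page"]:
            # out-of-order request: the app just re-renders where it really is
            return f"<div id='page{s['page']}'>"
        if page == 2:
            if params.get("ccnum") in self.used_cards:
                s["page"] = 1
                return "<p class='error'>card already registered</p><div id='page1'>"
            s["card"] = params["ccnum"]
        if page == 5:
            if not s["bounced"]:
                s["bounced"] = True
                s["page"] = 3
                return "<p class='error'>address re-check required</p><div id='page3'>"
            self.used_cards.add(s["card"])   # one-time event: card is now registered
        s["page"] = page + 1
        return f"<div id='page{page + 1}'>"


@dataclass
class Step:
    page: int            # page whose form this step submits
    params: dict         # values; "$name" tags are pulled from the variable pool
    expect_page: int     # page the app should render when the step succeeds


@dataclass
class Replayer:
    app: FakeCheckoutApp
    steps: list
    variables: dict      # "$name" -> iterator over candidate values
    max_requests: int = 50
    trace: list = field(default_factory=list)

    def _fill(self, params, bound):
        """Resolve tagged inputs, binding a fresh value the first time a tag is seen."""
        out = {}
        for key, value in params.items():
            if isinstance(value, str) and value.startswith("$"):
                if value not in bound:
                    bound[value] = next(self.variables[value])
                out[key] = bound[value]
            else:
                out[key] = value
        return out

    def run(self, sid="s1"):
        by_page = {s.page: i for i, s in enumerate(self.steps)}
        bound, idx, requests = {}, 0, 0
        while idx < len(self.steps):
            if requests >= self.max_requests:
                return {"ok": False, "reason": "request budget exhausted",
                        "requests": requests, "trace": self.trace}
            step = self.steps[idx]
            try:
                params = self._fill(step.params, bound)
            except StopIteration:
                return {"ok": False, "reason": "variable input exhausted",
                        "requests": requests, "trace": self.trace}
            body = self.app.request(sid, step.page, params)
            requests += 1
            m = PAGE_RE.search(body)
            landed = int(m.group(1)) if m else None
            self.trace.append((step.page, landed))
            if landed == step.expect_page:
                idx += 1                      # on track: next recorded step
                continue
            if landed not in by_page:
                return {"ok": False, "reason": f"unrecognised page {landed!r}",
                        "requests": requests, "trace": self.trace}
            if landed == 1:
                bound = {}                    # one-time inputs rejected: draw fresh ones
            idx = by_page[landed]             # app moved us: re-sync from that step
        return {"ok": True, "requests": requests,
                "card": bound.get("$ccnum"), "trace": self.trace}


def record_workflow():
    """The recorded macro: submit pages 1..5, expecting to land on page 6."""
    return [
        Step(1, {"email": "tester@example.invalid"}, 2),
        Step(2, {"ccnum": "$ccnum", "exp": "12/30"}, 3),
        Step(3, {"addr": "1 Main St"}, 4),
        Step(4, {"plan": "basic"}, 5),
        Step(5, {"confirm": "yes"}, 6),
    ]


def demo(candidate_cards=("4111111111111111", "4111111111111112")):
    """Run the recorded workflow against the stub, where the first candidate
    card is already registered (constructed data)."""
    app = FakeCheckoutApp(used_cards={"4111111111111111"})
    replayer = Replayer(app, record_workflow(), {"$ccnum": iter(candidate_cards)})
    return replayer.run()


if __name__ == "__main__":
    result = demo()
    for sent, landed in result["trace"]:
        print(f"submitted page {sent} -> app rendered page {landed}")
    print(result["ok"], result["requests"], result.get("card"))
```

The two design points worth noting: success is judged by what the application rendered, not by whether the request was sent, which is what lets the replayer notice the bounce from page 5 to page 3 and resume at step 3 rather than at step 6; and the request budget is the guard against the looping condition Rafal warns about, since an app that keeps re-rendering the same page would otherwise spin forever. Swapping the pre-defined list for a generator driven by a RegEx or a counter only changes what is handed to `Replayer.variables`.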




      