[WEB SECURITY] In depth security scanning versus breadth based

Rafal @ IsHackingYou.com rafal at ishackingyou.com
Tue Jul 21 14:54:03 EDT 2009


NeZa,
    Sorry it took so long for me to reply; I just found this email thread as I was cleaning out my unread messages!

  The idea that a "tool", meaning an automaton, can make its way through a workflow starts to trend the technology towards what some would refer to as artificial intelligence... but it's not necessarily that drastic.  There are two possible approaches here: one relying on human interaction, the other on machine-based automation.

  Using a human-assisted approach, the human being will "guide" the tool through the paths which will need to be exercised during the test.  This accomplishes the workflow concept quite well in that it defines the testing paths (workflows) from a human, thus leaving the mundane testing work to the automaton and the "intelligence" to the human.

  The second approach is using full automation, which can be a little bit more tricky.  Think about the way links are traversed currently, using some B-tree type of approach to link-following.  Most of the good site "crawlers" out there will be able to follow links and map them in a B-Tree type of structure (logically, anyway).  This can be applied to workflows as well, as follows:

A certain page [A] (a node) is traversed and all the links on that page become child nodes of that node [A].  Then, one by one starting with the first child node [A_x], each node is traversed, and all links are recorded and stored as child nodes of that node [A_x_y...] until an end is reached and no more nodes are left to traverse... then the system moves one node up in the tree [A_x_y_....-1] and descends that tree-structure until an end is reached - and so on and so on until all nodes (links) have been processed.  This can be applied readily to traversal of workflows, much in the same way as combinations of input generally act as the catalyst for a workflow... so by simply storing the combination of input parameters (from the available parameters in the application, and some "other" params meant as attack vectors) and their resultant output (is a new child node discovered?), a map can be made of the workflow and duplicates are simply cast off.

Now, I realize this is much easier explained in text than it is in code, and I won't even pretend to be smart enough to code this... but it's do-able, and in fact has already been done in certain commercially available products (parts of this, anyway).

Hope this helps clarify my position?



__
Rafal M. Los
Security & IT Risk Strategist

 - Blog:  http://preachsecurity.blogspot.com
 - LinkedIn: http://www.linkedin.com/in/rmlos
 - Twitter:     http://twitter.com/RafalLos
  From: NeZa 
  Sent: Thursday, July 09, 2009 8:34 PM
  To: Rafal @ IsHackingYou.com 
  Cc: websecurity at webappsec.org 
  Subject: Re: [WEB SECURITY] In depth security scanning versus breadth based


  Hey Rafal,

  You mentioned one key point which I think is one of the main doubts in this discussion which is "how to guide the tool through the workflow", you said it can be done with "logic and state-tracking".

  Could you please throw more light on this "state-tracking" process? I mean, how can it be implemented?

  Thanks :-)


  On Thu, Jul 9, 2009 at 10:01 AM, Rafal @ IsHackingYou.com <rafal at ishackingyou.com> wrote:

    List-
       Technically speaking I think there are 2 hurdles ... both are able to be
    overcome.

    The first is how to "guide" the testing tool through the workflow,
    appropriately.  This requires the tool to be able to understand a success
    and failure condition when stepping-through the pages/actions.  Importing a
    script from a QA tool (take for instance, QTP) isn't rocket science and any
    piece of automation worth its price tag should be able to successfully
    interact with your QC environment on *some* level... but that's not the
    trick.  The trick is to have the tool figure out when it's failed at
    following the workflow.  In the odd chance that a card number you're using
    to register (as an example) is a duplicate and the system throws an error
    and returns you to Page1... how does the tool recognize that it didn't
    complete the transaction correctly?  Worse yet... if in the middle of
    stepping through Page1 --> Page 6 you have a condition on page 5 that
    actually throws you back into Page3 and then continues to step you
    forward... writing the technical looping condition and "flow-control" is
    both technically difficult and process-intensive, not to mention
    memory-hungry... but it can be done with logic and state-tracking.

    The second major hurdle is the issue (as someone has already brought up) of
    one-time events such as registering a user, or completing a transaction
    (registering a credit card, or activating an account, for example).  This
    can be overcome by "tagging" the inputs that will change within the workflow
    and providing parameter-based variable input (meaning, provide for input
    $CCNum = {1234, 1235, 1236, 1237...1300}, as an example).  The ability to
    identify variable-input fields is already an option on commercial tools
    (refraining from naming, respecting the "no pitching your tools" clause) but
    those are currently in an "ask for user input" state.  This requires the
    tester to sit there and put in valid input every time the application runs
    into this parameter on a page (into a pop-up box)... which can be quite
    annoying and possibly eliminate many of the benefits of automated testing.
    The solution to this is to allow for the variable-input parameter option
    (via a pre-defined list perhaps... or RegEx?)... this will successfully
    mitigate this issue.

    I strongly feel that this sort of question continues to prove that "web app
    security" is *not* strictly a "security problem" and that the QA teams must
    be involved in testing... even if they don't fully understand the nature of
    the work.  Security teams (traditional security personnel) simply aren't
    equipped to handle this in *most* cases.

    Cheers.

    __
    Rafal M. Los
    Security & IT Risk Strategist

     - Blog:                http://preachsecurity.blogspot.com
     - LinkedIn:    http://www.linkedin.com/in/rmlos
     - Twitter:     http://twitter.com/RafalLos

    --------------------------------------------------
    From: <robert at webappsec.org>
    Sent: Tuesday, July 07, 2009 7:14 PM
    To: <websecurity at webappsec.org>
    Subject: [WEB SECURITY] In depth security scanning versus breadth based


    Hello Everyone,

    Many automated tools are great at crawling/attacking every url they
    discover, however fail to properly visit URL sequences
    in order. For example you must complete a 5 page process to get to the
    functionality on page 6. Certain commercial products
    support 'macro's' where you can record those 'url sequences' in order and
    can later audit them in order. What are the list's
    experiences with getting blackbox tools to perform this depth of review in a
    pre/post production environment?

    If you plan on replying with one of the following replies you will be
    ignored! :)
    - Debating the types of attacks/weaknesses tools are good at finding
    - Debating source code/sca analysis vs blackbox
    - Pitching your product/service

    Regards,
    - Robert A.
    http://www.cgisecurity.com/ Application Security news, and more
    http://www.webappsec.org/ WASC Co Founder and Moderator of The Web Security
    Mailing List
    http://www.qasec.com/ Software Security Testing in QA and Development


    ----------------------------------------------------------------------------
    Join us on IRC: irc.freenode.net #webappsec

    Have a question? Search The Web Security Mailing List Archives:
    http://www.webappsec.org/lists/websecurity/archive/

    Subscribe via RSS:
    http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

    Join WASC on LinkedIn
    http://www.linkedin.com/e/gis/83336/4B20E4374DBA






  -- 
  NeZa
  Hacker Wanna Be from Nezahualcoyotl
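The state-tracking and workflow mapping discussed in the thread above, as an added example (not code from the thread, from any poster, or from any product mentioned). The "application" is a constructed in-memory stand-in for a six-page registration flow whose behaviour mirrors the two hurdles Rafal raises: a duplicate card number on page 1 returns the client to page 1, and page 5 throws the client back to page 3 once before letting it through. The crawler keeps explicit state so it can recognise that it was sent backwards, draws the next value from a pre-defined list for inputs tagged as variable ($CCNum-style), and casts off transitions it has already recorded so the workflow map stays finite. `ToyApp`, `WorkflowCrawler`, the `VARIABLE` marker and all page numbers are assumptions of this example.

```python
"""Workflow crawl with explicit state-tracking (added example, not from the thread)."""

VARIABLE = object()  # marker: "this parameter must differ on every attempt"


class ToyApp:
    """Constructed six-page flow standing in for a real application.
    Page 1 registers a card number that must be unique; a duplicate sends
    the client back to page 1.  Page 5 bounces the client to page 3 the
    first time it is reached, then lets it continue to page 6."""

    def __init__(self, already_registered=()):
        self.registered = set(already_registered)
        self.bounced_once = False

    def submit(self, page, params):
        """Return (landing_page, message) for a form submission on 'page'."""
        if page == 1:
            card = params.get("ccnum")
            if card is None or card in self.registered:
                return 1, "error: duplicate card number"
            self.registered.add(card)
            return 2, "ok"
        if page == 5 and not self.bounced_once:
            self.bounced_once = True
            return 3, "please re-confirm your address"
        return page + 1, "ok"


class WorkflowCrawler:
    """Drives an app through a workflow while tracking where it actually is."""

    def __init__(self, app, variable_inputs, max_revisits=3):
        self.app = app
        # pre-defined value lists for one-time inputs, e.g. $CCNum = {1234, ..., 1300}
        self.variable_inputs = {k: iter(v) for k, v in variable_inputs.items()}
        self.max_revisits = max_revisits
        self.edges = []        # unique (from_page, params, to_page, message) transitions
        self.regressions = []  # submissions after which the app sent us backwards
        self.duplicates = 0    # transitions already in the map, cast off
        self.visits = {}       # page -> number of landings (loop guard)

    def _fill(self, template):
        """Replace VARIABLE markers with the next unused value; None if exhausted."""
        params = {}
        for key, value in template.items():
            if value is VARIABLE:
                try:
                    params[key] = next(self.variable_inputs[key])
                except StopIteration:
                    return None
            else:
                params[key] = value
        return params

    def run(self, forms, start=1, goal=6):
        """Step from 'start' until 'goal' is reached.  True on success; False if a
        page is revisited more than max_revisits times or a value list runs dry."""
        seen = set()
        page = start
        while page != goal:
            self.visits[page] = self.visits.get(page, 0) + 1
            if self.visits[page] > self.max_revisits:
                return False  # looping: the value lists cannot break us out
            params = self._fill(forms.get(page, {}))
            if params is None:
                return False  # no more unique values for a variable input
            nxt, msg = self.app.submit(page, params)
            if nxt <= page:  # success/failure condition: did we move forward?
                self.regressions.append((page, nxt, msg))
            sig = (page, frozenset(params.items()), nxt)
            if sig in seen:
                self.duplicates += 1  # same input on same page, same result
            else:
                seen.add(sig)
                self.edges.append((page, params, nxt, msg))
            page = nxt
        return True


def demo():
    """Walk the constructed flow; 1234 is pre-registered so the first try collides."""
    app = ToyApp(already_registered={1234})
    crawler = WorkflowCrawler(app, {"ccnum": range(1234, 1301)})
    forms = {1: {"ccnum": VARIABLE, "name": "test"}}  # only page 1 has a form
    return crawler.run(forms), crawler


if __name__ == "__main__":
    ok, c = demo()
    print("reached goal:", ok)
    for edge in c.edges:
        print(edge)
    print("regressions:", c.regressions)
    print("duplicates cast off:", c.duplicates)
```

Running `demo()` records seven distinct transitions, two regressions (page 1 back to page 1 on the duplicate card, page 5 back to page 3) and two cast-off duplicates (the second pass over 3 to 4 and 4 to 5); the crawler reaches page 6 because the second attempt on page 1 drew 1235 instead of the already-registered 1234. Against a real application the same loop would compare the landing page by URL or a page fingerprint rather than an integer, and the "did we move forward" test would be replaced by a learned success condition, which is the part Rafal calls the trick.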