
| Subject: | RE: webapp dependencies |
|---|---|
| Date: | Tue, 19 Apr 2005 23:21:37 -0400 |
Hi Ory,
I don't think the issue here is about "quality" items such as page load
time, broken links, etc. I think he's talking about having irrelevant
files junking up his webroot to avoid things like all sorts of source
code, config files, stack traces and other such items from being browsed
or picked up in a scan.
This is a really interesting subject to me: I've always recommended
keeping your webroot clean, and I suggest that SAs list the dirs and
check with the Dev group on any unusual files ("Hey Bob, is this
login.bob page really supposed to be there?").
First of all, I don't think crawlers would cut it (or other client-side
products). You'd have to look at the source code to gather the
dependencies, because you can have obvious client-side stuff like hrefs
/ scripts / images, but you can have plenty of server-side dependencies
that won't be visible to the client, like SSIs, class libs, modules,
HTML files read from a filestream (but no href), pages referenced
through a parameter (showpage.jsp?pageid=123), etc. A quick example of
some page1.html being depended on, but not visible to the client:
```asp
<a href="page.asp?pageid=1">Read Report</a><br>
<%
' Server side: page1.html is read from disk and streamed into the response,
' so the browser (and any crawler) only ever sees page.asp in the URL.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Select Case Request.QueryString("pageid")
    Case "1" ' Read a text report imported from a nightly batch transaction
        Set file = fso.OpenTextFile(Server.MapPath("\") & "\page1.html")
        Do Until file.AtEndOfStream
            Response.Write file.ReadLine
        Loop
        file.Close
End Select
%>
```
Unless I did something lame in this sample, I don't see how a crawler
would know where the content is actually coming from page1.html and not
page.asp.
Given the server-side dependencies issue, I see two approaches short of
finding an actual tool for this (which, btw, is more likely to be found
in a Dev group than an AppSec one IMHO):
1. Grep the code for various file patterns and then list those as
"needed." The problem is you'd have to anticipate the patterns
2. List the existing files, then grep for THOSE. If the file exists
but doesn't match a grep, then carefully remove it.
By carefully remove it I mean wait until a config window, take that box
out of service on any load balancers, rename it, test as much of the app
as possible and then finally delete it or move it to a 'deleteme'
folder, or whatever other processes you take to ensure career longevity
when playing with production systems.
This is an area that I think is pretty darned important (having done
really keen stuff against multiple sites based on fluff files). I would
imagine the tool would end up being a development tool (non security
related). There are products that will perform code-to-UML mapping
(vice versa) that may help with this. May.
I'd really be interested in hearing about it if anyone finds a good
tool / technique, but at this point I really don't see how it could be
sufficiently performed from any client-side product such as crawlers,
scanners, accessibility testers, etc.
- Matt @ SPI
http://www.spidynamics.com
WebInspect, DevInspect,
QAInspect, SecureObjects, AMP
Start Secure. Stay Secure.
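Approach 2 above (inventory the webroot, then grep the tree for each file name) as an added example that is not part of Matt's mail: a Python script run from the server, over a constructed sample webroot that mirrors the ASP sample, reporting files nothing else mentions as candidates for the careful-removal process he describes.

```python
import os
import re
import tempfile

# Constructed sample webroot (an assumption for this example, not a real site):
# page.asp reads page1.html server-side as in the ASP sample; login.bob is a stray.
SAMPLE_WEBROOT = {
    "default.htm": '<a href="page.asp?pageid=1">Read Report</a><img src="img/logo.gif">',
    "page.asp": 'Set file = fso.OpenTextFile(Server.MapPath("\\") & "\\page1.html")',
    "page1.html": "<p>Nightly report</p>",
    "img/logo.gif": "GIF89a",
    "login.bob": '<% Response.Write "debug" %>',
}
# Entry points are picked by the web server itself, so nothing links to them.
KNOWN_ENTRY_POINTS = {"default.htm", "default.asp", "index.html"}

def build_webroot(spec, base):
    """Write the sample tree under base so the walk below is realistic."""
    for rel, body in spec.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def unreferenced_files(webroot):
    """List what exists, then grep the whole tree for each name. Returns relative
    paths no other file mentions: review candidates, not a delete list, since a
    path assembled at runtime (looked up by pageid, say) is invisible to grep."""
    files, contents = [], {}
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="ignore") as fh:
                contents[rel] = fh.read()
            files.append(rel)
    candidates = []
    for rel in files:
        base = os.path.basename(rel)
        if base.lower() in KNOWN_ENTRY_POINTS:
            continue
        # Whole-token match, so page1.html is not "referenced" by page1.html.bak
        pattern = re.compile(r"(?<![\w.])" + re.escape(base) + r"(?![\w.])")
        if not any(pattern.search(text) for other, text in contents.items() if other != rel):
            candidates.append(rel)
    return sorted(candidates)

def demo():
    """Build the sample webroot in a temp dir and return its unreferenced files."""
    with tempfile.TemporaryDirectory() as base:
        build_webroot(SAMPLE_WEBROOT, base)
        return unreferenced_files(base)
```

Only login.bob is reported: page1.html is found because page.asp names it in server-side code, which is exactly the reference a crawler would miss.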
-----Original Message-----
From: Ory Segal [mailto:osegal@watchfire.com]
Sent: Thursday, April 14, 2005 4:27 AM
To: Jarmon, Don R; webappsec@securityfocus.com
Subject: RE: webapp dependencies

Hello,

Watchfire ( http://www.watchfire.com ) has a platform for automating scanning, analysis and reporting of online businesses. The platform is called WebXM, and it includes many modules, some of which you mentioned. For example:
1) Scanning for web application security
2) Scanning for site accessibility problems
3) Scanning for web site quality issues (what you have mentioned)
4) Manage web site privacy
And many more.

The platform is installed as a server, with a web interface acting as a reports dashboard, which will also present regression testing.

Thank you,
Ory Segal, Watchfire

-----Original Message-----
From: Jarmon, Don R [mailto:Don.Jarmon@Intergraph.com]
Sent: Thursday, April 14, 2005 2:23 AM
To: webappsec@securityfocus.com
Subject: webapp dependencies

I'm looking for a tool that will analyze content hosted on a web site, identify all the webapp dependencies, and report on any non-essential content. The tool would run from the server. Does such a tool exist?