Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Environment for testing WebApp Security Scanners

from [mikeiscool] Network Security [Permanent Link]
Subject: Re: Environment for testing WebApp Security Scanners
Date: Wed, 9 Aug 2006 09:25:02 +1000
On 8/9/06, Dean H. Saxe <dean@fullfrontalnerdity.com> wrote: 
Just remember, some vendors put in signatures specifically for apps
like this that they know will be tested.

I spoke with some folks at Blackhat last week from one of the tool
vendors that admitted they don't find all the vulnerabilities in
HacmeBank.  Why?  Because bypassing the login form using SQL
injection may require you to throw away the cookies which maintain
the login attempts state information.  For instance, if you try SQL
injection too many times and fail to login with those attempts, a
cookie which controls the remaining number of login attempts will
force all further attempts to fail.  Of course, a human would delete
the login attempt counter cookie and solve the problem quite simply.

I see this as a major weakness of these types of tools.  Developers
store all kinds of crap in cookies, without a good analysis of the
cookies by a human, how do we know when deleting this information
will adversely affect the application's security?  This is not an
edge case where such tools scan.  Its a very commonly revealed
vulnerability in my web app pen testing and code review experience.

(FWIW I work for Foundstone.) 

Surely it'd be trivial to have a cookie specification field of the
scanning tool. The person doing the scanning could review the cookie
and spec it up a bit. Then the tool could be a bit context aware, at
least of cookies, and watch when fields it may be interested in
changes.

I.e. you could draw links between cookie items and pages, or cookie
items and request fields, etc, etc, etc.

The tool could start to learn common cookie forms and use that to help
suggest what various fields might be.


-dhs

Dean H. Saxe, CISSP, CEH
dean@fullfrontalnerdity.com
Here in America everything is bought and sold, you can get anything
for little bits of gold.
We'll rape the earth and ruin the air, cut down every tree from here
to there.
     -- Donna The Buffalo "America"


-- mic

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire was recently named the worldwide market leader in Web application security assessment tools by both Gartner and IDC. Download a free trial of AppScan today and see why more customers choose AppScan then any other solution. Try it today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Environment for testing WebApp Security Scanners, Mark Curphey
Next by Date:  [Full-disclosure] more on browser trust, pdp (architect)
Previous by Thread:  RE: Environment for testing WebApp Security Scanners, Mark Curphey
Next by Thread:  Re: Environment for testing WebApp Security Scanners, Dean H. Saxe
Indexes:  [Date] [Thread] [Top] [All Lists]