OASIS Mailing List Archives (was list)

Subject: Conversation Log for discussion


Curpheyusa007 - Mark Curphey
Gollum256 - Rogan Dawes


curphey007USA: One thing I have been thinking about is possibly a different
approach to dealing with the problem (or maybe the same depending on your
viewpoint)

I think I would be right in saying that today we try to describe a complete
transaction. In a simple case like an XSS that would be the HTTP request
being sent along with any pre and post conditions.

Another approach, or more accurately a powerful extension, may be to extrapolate
the attack in such a way that the scenario could become:

Get a URI, operate on the response. So in the case of an XSS test you could
request a URI, parse the HTTP headers or HTML and then build test requests
with a defined payload.
Gollum256: That was the direction in which I was moving, yes
Gollum256: The "fuzzer" would actually create customized WAS tests for a
particular URI
Gollum256: and submit them for execution
curphey007USA: I think we could then build generic SQL injection (possibly),
XSS, path traversal etc.
Gollum256: you could do anything you like, if this was implemented.
Gollum256: including building up a library of "pre-conditions", such as a
login sequence, etc
curphey007USA: right
curphey007USA: that's my next mail
curphey007USA: the libraries list
Gollum256: That is mostly going to be custom to the app in question, I think
curphey007USA: agree
curphey007USA: the nice thing about that is
curphey007USA: reference libraries can be built
curphey007USA: i.e. special sauce
curphey007USA: so there will be best of both worlds
Gollum256: e.g. getting a JSESSIONID for one app, vs. getting an IIS cookie
for another
curphey007USA: well also you could have a library for SQL injection..one
company may have a better way of doing it
curphey007USA: i.e. more iterations
Gollum256: We would need to make a nice GUI to allow the operator to create
and edit tests.
curphey007USA: better algorithm
Gollum256: My thinking is that that would be engine/test application
specific.
curphey007USA: right
curphey007USA: agree
curphey007USA: WAS would just call, saying
curphey007USA: makeSQLInjectionCases(this);
curphey007USA: then the engine would call its library
Gollum256: e.g. if companyX has a list of SQL injection Strings that they
believe is wonderful, they would use those in building the WAS
curphey007USA: which may be a reference
curphey007USA: or special sauce
curphey007USA: jinx
Gollum256: No, I see it differently
curphey007USA: ha
curphey007USA: that was the same wasn't it
Gollum256: There would not actually be a generic WAS test for SQL injection
curphey007USA: right apart from maybe a reference implementation
curphey007USA: ?
Gollum256: The scanner would identify a URL with parameters that could be
tested for SQL injection
Gollum256: It would then dynamically build up a WAS test for the first
parameter
Gollum256: with their proprietary list of SQL injection strings as a
variable to iterate through
Gollum256: and their own list of error messages to test for
curphey007USA: hmm
Gollum256: This WAS test would quite possibly never exist in an XML form
curphey007USA: yeah
curphey007USA: two approaches
Gollum256: on the disk
curphey007USA: I think mine is to describe the generic case in WAS and pass it
to the engine to build and execute
curphey007USA: I think yours is to use the engine to build WAS cases and execute
curphey007USA: is that right?
Gollum256: yes
Gollum256: To a certain extent, I am trying to separate the engine from the
analyser, if you know what I mean
curphey007USA: agree, I think that's essential to the whole design
curphey007USA: agnostic from the implementation of the engine
Gollum256: the execution of the WAS test can be farmed off to any number of
execution engines
curphey007USA: so under your scheme would the engine build say 100
individual WAS tests and pass them to an execution part
curphey007USA: for, say, XSS
Gollum256: the act of selecting the WAS tests, and the URLs on which to run
them, is the job of the analyser
curphey007USA: or read in one WAS file and build 100 tests
curphey007USA: in its own format
Gollum256: if there were 100 variables, this could happen
curphey007USA: well dude, you are far more knowledgeable about this stuff
than me
Gollum256: I'm inclined to see it as one test per variable per URL
curphey007USA: so I can only defer to you and the others
curphey007USA: maybe some food for thought
curphey007USA: or discussion
Gollum256: want to copy and paste the log into an email?
Gollum256: ;-)
curphey007USA: yeah, I can do that


