[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Conversation Log for discussion
Curpheyusa007 - Mark Curphey
Gollum256 - Rogan Dawes

curphey007USA: One thing I have been thinking about is possibly a different approach to dealing with the problem (or maybe the same, depending on your viewpoint). I think I would be right in saying that today we try to describe a complete transaction. In a simple case like an XSS that would be the HTTP request being sent along with any pre- and post-conditions. Another approach, or more accurately a powerful extension, may be to extrapolate the attack in such a way that the scenario could become: get a URI, operate on the response. So in the case of an XSS test you could request a URI, parse the HTTP headers or HTML and then build test requests with a defined payload.
Gollum256: That was the direction in which I was moving, yes
Gollum256: The "fuzzer" would actually create customized WAS tests for a particular URI
Gollum256: and submit them for execution
curphey007USA: i think we could then build generic sql injection (possibly), XSS, path traversal etc
Gollum256: you could do anything you like, if this was implemented.
Gollum256: including building up a library of "pre-conditions", such as a login sequence, etc
curphey007USA: right
curphey007USA: that's my next mail
curphey007USA: the libraries list
Gollum256: That is mostly going to be custom to the app in question, I think
curphey007USA: agree
curphey007USA: the nice thing about that is
curphey007USA: reference libraries can be built
curphey007USA: ie special sauce
curphey007USA: so there will be best of both worlds
Gollum256: e.g. getting a JSESSIONID for one app, vs. getting an IIS cookie for another
curphey007USA: well also you could have a library for sql injection.. one company may have a better way of doing it
curphey007USA: ie more iterations
Gollum256: We would need to make a nice GUI to allow the operator to create and edit tests.
curphey007USA: better algorithm
Gollum256: My thinking is that that would be engine/test application specific.
curphey007USA: right
curphey007USA: agree
curphey007USA: WAS would just call, saying
curphey007USA: makeSQLInjectionCases(this);
curphey007USA: then the engine would call its library
Gollum256: e.g. if companyX has a list of SQL injection Strings that they believe is wonderful, they would use those in building the WAS
curphey007USA: which may be a reference
curphey007USA: or special sauce
curphey007USA: jinx
Gollum256: No, I see it differently
curphey007USA: ha
curphey007USA: that was the same, wasn't it
Gollum256: There would not actually be a generic WAS test for SQL injection
curphey007USA: right, apart from maybe a reference implementation
curphey007USA: ?
Gollum256: The scanner would identify a URL with parameters that could be tested for SQL injection
Gollum256: It would then dynamically build up a WAS test for the first parameter
Gollum256: with their proprietary list of SQL injection strings as a variable to iterate through
Gollum256: and their own list of error messages to test for
curphey007USA: hmm
Gollum256: This WAS test would quite possibly never exist in an XML form
curphey007USA: yeah
curphey007USA: two approaches
Gollum256: on the disk
curphey007USA: i think mine is to describe the generic case in WAS and pass to the engine to build and execute
curphey007USA: i think yours is to use the engine to build WAS cases and execute
curphey007USA: is that right?
Gollum256: yes
Gollum256: To a certain extent, I am trying to separate the engine from the analyser, if you know what I mean
curphey007USA: agree, I think that's essential to the whole design
curphey007USA: agnostic from implementation of engine
Gollum256: the execution of the WAS test can be farmed off to any number of execution engines
curphey007USA: so under your scheme would the engine build say 100 individual WAS tests and pass to an execution part
curphey007USA: for say xss
Gollum256: the act of selecting the WAS tests, and the URLs on which to run them, is the job of the analyser
curphey007USA: or read in one WAS file and build 100 tests
curphey007USA: in its own format
Gollum256: if there were 100 variables, this could happen
curphey007USA: well dude you are far more knowledgeable about this stuff than me
Gollum256: I'm inclined to see it as one test per variable per URL
curphey007USA: so i can only defer to you and the others
curphey007USA: maybe some food for thought
curphey007USA: or discussion
Gollum256: want to copy and paste the log into an email?
Gollum256: ;-)
curphey007USA: yeah i can do that
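The split Rogan sketches in the log (the analyser picks a URL and its parameters, dynamically builds one test per variable per URL by iterating a payload list, decides hits against an error-message list, and hands execution to any engine) is illustrated below as an added Python example. It is not WAS project code and the log describes no implementation; the names (`TestCase`, `build_tests`, `run_tests`, `findings`), the payload and error lists, and the fake target application are all constructed for this example.

```python
"""Analyser/engine split as discussed in the log. Added illustration only:
not WAS project code. All names and lists below are assumptions."""
import html
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed "special sauce": a company's own payload and error-signature lists.
# A real analyser would load these from a library rather than hard-code them.
SQLI_PAYLOADS = ["'", "' OR '1'='1", "1;--"]
SQLI_ERRORS = ["You have an error in your SQL syntax", "ORA-01756",
               "unclosed quotation mark"]
XSS_PAYLOADS = ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>']

# Any execution engine: takes a URL, returns the response body.
Fetcher = Callable[[str], str]


@dataclass
class TestCase:
    """One dynamically built test: a single URL, one parameter, one payload.
    It never has to exist on disk in XML form; the analyser builds it in memory."""
    url: str
    param: str
    payload: str
    check: Callable[[str], bool]  # decides from the response body whether the test hit


def _inject(url: str, param: str, value: str) -> str:
    """Return url with the given query parameter replaced by the payload."""
    parts = urlsplit(url)
    qs = dict(parse_qsl(parts.query, keep_blank_values=True))
    qs[param] = value
    return urlunsplit(parts._replace(query=urlencode(qs)))


def build_tests(url: str) -> List[TestCase]:
    """Analyser side: one test per variable per URL, once per payload."""
    params = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    tests: List[TestCase] = []
    for p in params:
        for payload in SQLI_PAYLOADS:
            # Hit if the response carries any known database error string.
            tests.append(TestCase(_inject(url, p, payload), p, payload,
                                  lambda body: any(e in body for e in SQLI_ERRORS)))
        for payload in XSS_PAYLOADS:
            # Hit if the payload is reflected verbatim (bound per test via default arg).
            tests.append(TestCase(_inject(url, p, payload), p, payload,
                                  lambda body, pl=payload: pl in body))
    return tests


def run_tests(tests: List[TestCase], fetch: Fetcher) -> List[TestCase]:
    """Engine side: execute each built test and keep those whose check fires.
    The analyser does not care how fetch() is implemented."""
    return [t for t in tests if t.check(fetch(t.url))]


def fake_target(url: str) -> str:
    """Constructed stand-in for a web app (no network): 'id' breaks the SQL on a
    quote, 'q' is reflected unescaped, 'name' is escaped properly."""
    qs = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if "'" in qs.get("id", ""):
        return "You have an error in your SQL syntax; check the manual"
    body = "<p>Results for " + qs.get("q", "") + "</p>"
    body += "<p>Hello " + html.escape(qs.get("name", "")) + "</p>"
    return body


def findings(url: str, fetch: Fetcher = fake_target) -> Dict[str, List[str]]:
    """Run the analyser and engine together; map parameter -> payloads that hit."""
    out: Dict[str, List[str]] = {}
    for t in run_tests(build_tests(url), fetch):
        out.setdefault(t.param, []).append(t.payload)
    return out


if __name__ == "__main__":
    for param, hits in findings("http://example.test/search?id=1&q=test&name=bob").items():
        print(param, hits)
```

Swapping `fake_target` for a function that performs a real HTTP request is the whole of the engine change; `build_tests` is untouched, which is the separation the log argues for. Note that the SQL check here is a pure error-string match, so a target that suppresses database errors would need a different `check` (timing or boolean differencing) supplied by the payload library.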