[Dailydave] Sequences
Dave Aitel
dave at immunityinc.com
Thu Sep 14 17:12:06 EST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A good web application assessment tool requires sequences. People get
so wrapped around pages, but pages are really not what you care about.
What you care about is the application as an application, not a set of
pages. It's about methods, which may or may not reside at URLS that
end in .ASP.
Anyways, today I was doing some testing against bobsdll.dll, which
requires a method that looks insane. Something like this:
http://host/bobsdll.dll/?^loadBLOB^passwordSECRET^myscript=bob(cow)
All I know is that a good web application tool should be able to find
the bugs I found today.
o Remote information retrieval
o Remote portscan random things (default is restricted to localhost,
but that can be useful to detect the OS...)
o Remote overflow in method parsing (somewhat tricky as product is
Java - by default it looks like a null pointer exception, but then it
illegal instructions somewhere in the heap)
- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFCdO2tehAhL0gheoRArdzAJ0Y4mJ8V5FYxWwvqW9YenclSHP5pACdHYU3
gfn1F7/ndWRCUQ5a364pYjk=
=OW+w
-----END PGP SIGNATURE-----
More information about the Dailydave
mailing list