[Dailydave] From blackbox to grey-box during Web App tests

[Andre Gironda]

On 10/9/07, Dave Aitel <dave at immunityinc.com> wrote:
> So  Fortify has this out - it's interesting, but I think it's not what
> I want. Has anyone used it?
> http://www.fortifysoftware.com/products/tracer/

I know one person outside of Foritfy who gave me feedback on Tracer.
Did you see the Iron Chef at BH-US-07?

Ouncelabs has a bounty out to OWASP on a similar tool they call  Blacktop.

> I dunno why everyone gets so hung up on metrics when they should be
> going for the jugular.

You are right.  The problem Tracer is trying to solve is simply
knowledge of code coverage on inputs.  The real problem we ideally
want to see solved is the ability to use this coverage to create a
fuzzer tracker - which would use the coverage results to improve time
between findings by predicting which inputs/outputs can be exploited.

> What I want is to use SPIKE Proxy and while I'm testing the web app
> have every CreateProcess and SQL Statement fed to me and then have a
> filter so I can look only at what I care about (and avoid spamming
> their network too much - especially on busy sites).

It sounds like you want a web file and SQL aware proxy fuzzer.  The
one that comes with taof is suitable, as is the internal DVLabs proxy
fuzzer.

> Theoretically you could then write something that autodetected and
> bypassed filters and automated getting you your SQL injection in the
> first place. And you would have at least one eye in the land of the
> blind SQL Injection.

There are a few open-source tools such as JDBC Spy or possibly FileMon
which contain code or examples useful in this effort.

> It's probably more work to write this email than write up the code
> using Immunity Debugger and SPIKE Proxy, so maybe I'll just go off and
> do that.

beSTORM is also working on something similar that could be complete at
this point.  They wanted it to be a DirBuster type proxy tool in
addition to SQL.

Cheers,
Andre