[Dailydave] From blackbox to grey-box during Web App tests

Thomas Ptacek tqbf at matasano.com
Wed Oct 10 12:28:16 EDT 2007


It's nice that they're doing this for JVM, but isn't this exactly what
PaiMei and BinNavi (and, if you want to get snarky, gcov) do for
native binaries?

Can someone help me understand what web app magic this tool adds?

On 10/9/07, Dave Aitel <dave at immunityinc.com> wrote:
> So Fortify has this out - it's interesting, but I think it's not what
> I want. Has anyone used it?
>
> http://www.fortifysoftware.com/products/tracer/
>
> I dunno why everyone gets so hung up on metrics when they should be
> going for the jugular.
>
> What I want is to use SPIKE Proxy and while I'm testing the web app
> have every CreateProcess and SQL Statement fed to me and then have a
> filter so I can look only at what I care about (and avoid spamming
> their network too much - especially on busy sites).
>
> Theoretically you could then write something that autodetected and
> bypassed filters and automated getting you your SQL injection in the
> first place. And you would have at least one eye in the land of the
> blind SQL Injection.
>
> It's probably more work to write this email than write up the code
> using Immunity Debugger and SPIKE Proxy, so maybe I'll just go off and
> do that.
>
> - -dave
>


-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
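
The filtered SQL-statement feed described in the quoted message, as an added example that is not part of either message and is not code from any of the tools named. `TracedDB`, `MARKER`, the request ids and the in-memory SQLite table are assumptions made for illustration; the wrapper sits in the application's own data layer and separates input that arrived as a bound parameter from input that ended up in the statement text.

```python
import sqlite3

MARKER = "zq7probe"  # constructed canary the tester places in request fields


class TracedDB:
    """Wraps a DB-API connection and records every statement it executes."""

    def __init__(self, conn):
        self.conn = conn
        self.events = []        # (request_id, sql_text, bound_params)
        self.request_id = None  # set by the app for each incoming request

    def execute(self, sql, params=()):
        self.events.append((self.request_id, sql, tuple(params)))
        return self.conn.execute(sql, params)


def classify(sql, params, marker=MARKER):
    """Say how the canary reached the database layer, if at all."""
    if marker in sql:
        return "in-sql-text"      # input was concatenated into the statement
    if any(marker in str(p) for p in params):
        return "bound-parameter"  # input was passed as data only
    return None


def filtered_feed(db, marker=MARKER):
    """Keep only statements that carry the canary; drop all other traffic."""
    feed = []
    for rid, sql, params in db.events:
        verdict = classify(sql, params, marker)
        if verdict:
            feed.append((rid, verdict, sql))
    return feed


def demo():
    db = TracedDB(sqlite3.connect(":memory:"))
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", "a@example.test"))
    db.request_id = "req-1"  # hypothetical handler using a parameterized lookup
    db.execute("SELECT email FROM users WHERE name = ?", (MARKER,))
    db.request_id = "req-2"  # hypothetical handler building the query by string
    db.execute("SELECT email FROM users WHERE name = '%s'" % MARKER)
    db.request_id = "req-3"  # unrelated traffic the filter should drop
    db.execute("SELECT count(*) FROM users")
    return filtered_feed(db)
```

`demo()` returns two entries: `req-1` tagged `bound-parameter` and `req-2` tagged `in-sql-text`; the setup statements and `req-3` never appear in the feed.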

