RE: [WEB SECURITY] Looking for Addressing some Questions
- From: "Billy Hoffman" <Billy.Hoffman@xxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Looking for Addressing some Questions
- Date: Mon, 25 Sep 2006 13:08:42 -0400
Adding JavaScript parsing to something like Nikto is not as simple as
slapping SpiderMonkey into the code.
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845
-----Original Message-----
From: Ory Segal [mailto:osegal@xxxxxxxxxxxxx]
Sent: Monday, September 25, 2006 11:56 AM
To: Billy Hoffman; Randal L. Schwartz; mohammad zoroufi
Cc: websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Looking for Addressing some Questions
Hi,
How did this turn into a discussion about HTTP methods? :-)
I think Matt Fisher's point was very important - the ability to execute
client side code and discover additional links that are generated
dynamically is very important and is missing from freeware/open source
tools.
-Ory Segal,
Watchfire
-----Original Message-----
From: Billy Hoffman [mailto:Billy.Hoffman@xxxxxxxxxxxxxxx]
Sent: Monday, September 25, 2006 6:32 PM
To: Randal L. Schwartz; mohammad zoroufi
Cc: websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Looking for Addressing some Questions
Randal,
While each HTTP verb was created to mean a very specific thing, that's
not what most people use them for anymore. Most people use POST because
they think it protects them against XSS or it makes their URLs look
prettier, not because they want to inform someone's user agent that a
FORM submission changes the state of the web server.
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845
-----Original Message-----
From: Randal L. Schwartz [mailto:merlyn@xxxxxxxxxxxxxx]
Sent: Saturday, September 23, 2006 9:34 AM
To: mohammad zoroufi
Cc: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Looking for Addressing some Questions
>>>>> "mohammad" == mohammad zoroufi <m_zoroufi@xxxxxxxxxxxxxxx> writes:
mohammad> 1) Are there any differences in functionality of spiders and crawlers?
You *really* don't want to do that. A crawler that submits "POST" links
as well as "GET" links will very likely change the state of the server,
which is no longer a benign act. Semantically, "GET" should be
idempotent (repeatable because it doesn't change the server state), and
is safe, which is how crawlers can keep from damaging things. (Stories
have been told about badly-designed interfaces like wikis that deleted
content on a GET... oops!)
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@xxxxxxxxxxxxxx> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl
training!
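The distinction Randal draws above (follow GET navigation, never submit POST forms) can be made a hard rule in the crawler's link planner. The following is an added example, not code from the thread or any tool named in it: it extracts anchors and forms from a page, queues GET links and GET forms as plain fetches, and records POST forms without ever submitting them. The sample page, the host name example.test and the function names are constructed for the example.

```python
# Added example (not from the thread): a crawl-policy filter that follows only
# "safe" GET navigation and records, but never submits, state-changing POST forms.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlencode

class LinkAndFormExtractor(HTMLParser):
    """Collect <a href> targets and <form> actions (with their named inputs)."""
    def __init__(self, base_url):
        super().__init__()
        self.base, self.links, self.forms, self._form = base_url, [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":  # a form with no method attribute defaults to GET
            self._form = {"method": (a.get("method") or "GET").upper(),
                          "action": urljoin(self.base, a.get("action") or self.base),
                          "fields": {}}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["fields"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def plan_crawl(base_url, html):
    """Return (urls_to_fetch, skipped_post_forms): GET links and GET forms are
    queued as plain fetches; anything non-GET is reported but never submitted."""
    p = LinkAndFormExtractor(base_url)
    p.feed(html)
    to_fetch = list(p.links)
    skipped = []
    for f in p.forms:
        if f["method"] == "GET":  # safe, idempotent: submitting is just a fetch
            q = urlencode(f["fields"])
            to_fetch.append(f["action"] + ("?" + q if q else ""))
        else:  # POST (or anything else) may change server state: log, do not send
            skipped.append(f)
    return to_fetch, skipped

# Constructed sample page: one link, a GET search form, and a POST delete form.
SAMPLE = """<a href="/wiki/Main">Main</a>
<form action="/search"><input name="q" value="crawler"></form>
<form method="post" action="/page/delete"><input type="hidden" name="id" value="42"></form>"""

if __name__ == "__main__":
    urls, skipped = plan_crawl("http://example.test/", SAMPLE)
    print(urls, [f["action"] for f in skipped])
```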
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org