
Re: [WEB SECURITY] Need a little feedback for a vulnerability scanner I'm developing



Yes it helps a lot, cheers Arian.
Makes perfect sense now.

I'll probably add that functionality at some point,
otherwise it'll be like a tune stuck in my head.


On 21/07/10 07:50, Arian J. Evans wrote:
@Long-term-suspend scenario: sure.

Scanning production website:

1. Monitoring folks detect anomalous performance in the application.

2. Monitoring folks check logs, see strange stuff from source IP of
scanner. x10 panic if external IP.

3. Monitoring folks contact IT Security, and Business owners

4. Business owners freak out, blame security first. x10 if external
security provider.

5. Business owners contact security, have stern conversation with
them, demand all scanning halted indefinitely until problem diagnosed.
(Or immediately diagnose problem as scanner...)

6. At the end of the day, or a few days later - it turns out the
scanner is not the culprit (assuming it is not the scanner - most
scanners are fairly dangerous on production websites). IT Security
gets approval to continue scanning.

IT security wants to resume existing scan since the site is large and
takes 48 hours to scan, instead of start over from scratch.
Additionally, the business may have imposed new, restrictive scan
limitations on IT Security, so they want to get everything they can
out of the existing scan.

Additionally if you do not decouple state, paused scans will fail to
refresh tokens that are bound into non-cookie parts of the request
object, and fail to complete scanning successfully on those parts of
the application.

Hope this helps.

Cheerio,

---
Arian Evans
Software Security Scanner Sycophant


On Tue, Jul 20, 2010 at 5:51 PM, Tasos Laskos <tasos.laskos@xxxxxxxxx> wrote:
On 21/07/10 02:09, Arian J. Evans wrote:

@Hibernate - I don't think this is critical for most of the users that will use your tool.

Pause, resume, and "hibernate" style functionality is most important
when you are scanning sites, day in and day out, looking for changes,
new code, new vulns, etc.

I just committed the latest revision to add pause/resume functionality.

When the user hits ctrl+c, or sends the interrupt to the system some other way, the system waits for all working threads to finish and pauses, providing the user with a choice between resuming or exiting.

Since you are always a culprit at the scene of the crime, if something happens someone needs to be able to pause activity, sometimes for hours, sometimes for days or weeks.

Really? I had no idea that people do that. That's very interesting, can you give me a scenario where a scanner would need to be paused for so long?

Usually, though, if more than a few weeks have passed I recommend dumping the scan and restarting, to ensure you pick up all new and changed links and such. Obviously, state needs to be fully decoupled for this to work.

I'll take a rain-check on that and enjoy my finally finished system, hehehe...

---
Arian Evans
Professional Software Security Scanner Referee
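Added example, not code from this thread and not Arachni's own code: a small Ruby model (Ruby being the language Arachni is written in) of the point Arian makes above about decoupling scan state from session-bound tokens, in the hibernate/restore setting discussed in this thread. `FakeSite`, `ScanState`, `Scanner`, `run_scenario` and the token rules are all constructed for illustration and are not Arachni's API. The constructed site honours only the most recently issued form token for a session; the scan is crawled, dumped to JSON the way a hibernate would write it to disk, and resumed in a fresh session after the site has expired its tokens. With the token persisted inside the scan state (coupled) the resumed submission is rejected; with only the form's action persisted (decoupled) the page is re-fetched on resume and the submission goes through.

```ruby
require 'json'

# Constructed stand-in for a target site (no network). A form token is only
# accepted while it is the latest one issued to that session; a session timeout
# during a long pause invalidates it, as per-request anti-CSRF tokens do.
class FakeSite
  def initialize
    @latest = {} # session id => most recently issued token
    @n = 0
  end

  def fetch(session, path)
    case path
    when '/' then { 'links' => ['/comment'], 'forms' => [] }
    when '/comment'
      @latest[session] = "tok-#{@n += 1}"
      { 'links' => [], 'forms' => [{ 'action' => '/comment', 'fields' => ['text'],
                                     'token' => @latest[session] }] }
    else raise ArgumentError, "unknown path #{path}"
    end
  end

  def submit(session, token)
    @latest[session] == token ? 'accepted' : 'rejected'
  end

  def expire_all! # server-side expiry while the scan is suspended
    @latest.clear
  end
end

# Durable scan state: paths and form actions still to be processed, plus
# results. Whether a token is stored here is the design choice under discussion;
# the session cookie never is, so a resumed scan always starts a fresh session.
class ScanState
  attr_reader :todo, :done, :pending, :results
  def initialize(todo: ['/'], done: [], pending: [], results: {})
    @todo, @done, @pending, @results = todo, done, pending, results
  end

  def dump
    JSON.generate('todo' => todo, 'done' => done, 'pending' => pending, 'results' => results)
  end

  def self.load(json)
    h = JSON.parse(json)
    new(todo: h['todo'], done: h['done'], pending: h['pending'], results: h['results'])
  end
end

class Scanner
  attr_reader :state
  def initialize(site, state, decouple_state:)
    @site, @state, @decouple = site, state, decouple_state
    @session = "sess-#{rand(1 << 32)}" # cookie-side material, never persisted
  end

  # Crawl: follow links and queue every form as pending work.
  def crawl
    until @state.todo.empty?
      path = @state.todo.shift
      next if @state.done.include?(path)
      page = @site.fetch(@session, path)
      @state.done << path
      page['links'].each { |l| @state.todo << l unless @state.done.include?(l) }
      page['forms'].each do |f|
        entry = { 'action' => f['action'], 'fields' => f['fields'] }
        entry['token'] = f['token'] unless @decouple # coupled design persists the token
        @state.pending << entry
      end
    end
  end

  # Audit: submit each pending form. The decoupled design re-fetches the page
  # first, so the token it sends belongs to the session that is active now.
  def audit
    until @state.pending.empty?
      entry = @state.pending.shift
      token = entry['token']
      if @decouple
        form = @site.fetch(@session, entry['action'])['forms'].find { |f| f['action'] == entry['action'] }
        token = form['token']
      end
      @state.results[entry['action']] = @site.submit(@session, token)
    end
  end
end

# Crawl, hibernate by serialising the state, let the site expire its tokens,
# then resume in a fresh process (new session) and audit. Returns the verdict.
def run_scenario(decouple:)
  site = FakeSite.new
  first = Scanner.new(site, ScanState.new, decouple_state: decouple)
  first.crawl
  snapshot = first.state.dump # what hibernate writes to disk
  site.expire_all!            # hours or days pass
  resumed = Scanner.new(site, ScanState.load(snapshot), decouple_state: decouple)
  resumed.audit
  resumed.state.results['/comment']
end

puts "coupled: #{run_scenario(decouple: false)}, decoupled: #{run_scenario(decouple: true)}"
```

The durable state holds only what the site looks like (paths, form actions, field names); anything the server binds to a session is re-acquired after the restore. A real scanner would also wait for its worker threads to drain before calling `dump`, so that no half-finished request is recorded as done.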


On Tue, Jul 20, 2010 at 3:25 PM, Tasos Laskos <tasos.laskos@xxxxxxxxx> wrote:

Cheers Arian,

I have some good news guys.

The framework is almost ready... all the features I had in mind have been implemented.
The technical details can be found here:
http://sourceforge.net/apps/trac/arachni/wiki/TechnicalDetails

The reporting system, which was the last thing to do, has been completed as of a couple of hours ago.

Keep in mind that I'm talking about the framework, not about its modules nor reports.
Although I've got some cool stuff in mind about these also.

However there's one feature I'd like to add but I'm unsure about, so I'd like to ask you guys.

You see, I'm trying to follow this document as closely as I can afford right now:

http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria

as suggested by Matt.

Pause/resume functionality is described in it, which is relatively easy to implement.
However, do you guys think that there should be like a hibernate/restore kind of functionality?

Like exiting Arachni during a running scan and being able to continue from where it left off the next time it runs.

Because that could be very tricky; yes, it's easy to serialize and restore nowadays, but still...

So I'm asking you guys, do you think that it's important?





On 19/07/10 22:32, Arian J. Evans wrote:

*some automated scanners are not effective on new technologies

This list has a bad habit of forgetting about the BAZILLION existing
websites using legacy and current technology, which won't get
rewritten, may not even get patched, but a fair percentage of which
will need some form of security baseline and a risk-management
strategy.

Most of us on this list are early-adopters or cutting edge, but we
represent the minority of overall need right now, and for the
foreseeable immediate future.

/shrug

Anyway, this thread was about Tasos's project. Cheers to him, and back to him,

---
Arian Evans



On Mon, Jul 19, 2010 at 11:34 AM, Rafal Los <rafal@xxxxxxxxxxxxxxxx> wrote:

Chris, Steve, Chris, Ory, and everyone else ...

I don't think we're in the dark ages, as you suggest Chris, but I do agree there is room for improvement. I'm more in Ory's line of thinking - the problem I see with so much development is that we end up with great ideas that end up in half-baked tools that "work on a specific task" well, but then suck at the rest of the problem. I am not saying that this new tool (yes, I see that it is primarily an academic exercise) won't contribute something great to web app security overall ... I would just love to see some of that energy brought into maturing existing products/tools.

I see "scanning" as a quickly dying task. As I've been saying lately it's only a matter of time before "automated scanners" are so ineffective it doesn't make sense to build/purchase/use them anymore. As the complexity of web application development skyrockets up that hockey-stick type curve what's needed is less "scanning" and more "assessing" technologies. But before I go off on a rant on that topic, I'll stop myself and just say that I'm not putting anyone down for trying something new. This is how the light bulb and hamburger were invented, after all, only saying that it makes sense to continue to invest in existing ideas and tools to mature them...

There will always be niche tools to perform task-specific duties, and we certainly welcome those as they contribute to the overall community "security" in some way. What I meant by "reinventing the wheel" is that there is so much development that starts up a project to do task X and gets "tunnel-vision" without first investigating whether that code exists (even in a non-perfect form) elsewhere. Writing code to accomplish a task better, faster, cleaner is a noble cause ...but ask yourself if you'd be better off contributing to an existing project to make it that much better, rather than starting from byte zero and building a foundation-up project.


Make sense?

Rafal "Raf" Los
InfoSec Specialist & Blogger
Twitter: @RafalLos
Blog: http://preachsecurity.blogspot.com




----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

To unsubscribe email websecurity-unsubscribe@xxxxxxxxxxxxx and reply to
the confirmation email

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates





