Inside a penetration testing shop
It's one thing to build Nessus on your Linux box, turn every test on, enter a target IP, click go, and watch the progress bar grow. After hundreds of thousands of Ethernet TX/RX LED flickers, Nessus presents you with a nicely formatted report of every vulnerability it discovered, including an inevitable rash of false positives. It is an entirely different thing to get a well-trained and well-equipped team of white-hat hackers to try to break into your critical web-based systems. Do not get me wrong: Nessus is a spectacular information security tool, but just as people are better than computers at playing the game of go, people are better than automated tools at uncovering system vulnerabilities. This is especially true in the realm of web application vulnerabilities, an area where the available tools have not reached the level of sophistication that Nessus and its commercial counterparts have for general remote host audits.
Jeremiah Grossman has a column on BetaNews that gives an inside look at his web application security outfit, WhiteHat Security. Here is an excerpt.
"With the necessary paperwork signed and account credentials generated, we were ready to go. The URL and username/password were revealed to the racers and the symbolic green flag dropped. The next several seconds we heard nothing but mouse clicks and keyboard tapping.
From past experience we've learned that the fastest way to victory is to target the search boxes first and try for a speedy XSS win. Search boxes are notorious for such insecurities. It's a cheap trick, but it works. Next, it's best to look for input parameters and determine if any of them echo URL query data, indicating another potential spot for XSS.
The first 60 seconds of the race flew by. Nervousness set in because we knew that at any moment someone was going to claim speed-hack victory. Bill Pennington (WhiteHat's VP of Services), in what is becoming a trend, identified the first vulnerability (XSS) in about 1 minute 30 seconds. In classic style, we cried foul because he could arguably only exploit himself with XSS and represented no further risk."
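To make the excerpt's point concrete, here is a search handler that echoes the query parameter straight into its HTML next to one that HTML-encodes it first, plus the check a reviewer can run to confirm the echoed value no longer lands in the page as markup. This is an added example, not code from the post or from WhiteHat; the URL, handlers and probe string are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample request: a search page that echoes the "q" parameter
# back into the page, the pattern the excerpt singles out as the quickest
# reflected-XSS find.
SAMPLE_URL = "https://example.test/search?q=<b>books</b>"


def search_term(url: str) -> str:
    """Pull the "q" parameter out of the request URL (empty if absent)."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def search_page_vulnerable(url: str) -> str:
    """Echo the search term into the HTML with no encoding (the defect)."""
    return f"<h1>Results for: {search_term(url)}</h1>"


def search_page_hardened(url: str) -> str:
    """Echo the search term after HTML-encoding it, so angle brackets and
    quotes in the query render as text instead of being parsed as markup."""
    return f"<h1>Results for: {html.escape(search_term(url), quote=True)}</h1>"


def reflects_markup_unencoded(page: str, submitted: str) -> bool:
    """Reviewer's check: does a submitted value that contains markup
    characters appear in the response byte-for-byte? If so, the page
    reflects user input as markup and output encoding is missing."""
    has_markup = any(ch in submitted for ch in "<>\"'")
    return has_markup and submitted in page
```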
About Me
- thrashor
- Edmonton, Alberta, Canada
- Returned to working as a Management Consultant, specializing in risk, security, and regulatory compliance, with Fujitsu Canada after running the IT shop in the largest library in the South Pacific.