
Re: [Full-Disclosure] Vulnerability Disclosure Technics



You are right, parameter passing or fuzzy input to a piece of software is good, but there are some problems:

 - Some applications like IE have many, many ways for input.
 - The sequence of inputs may vary so much that reaching the bug state needs a very good chance for the tester.
 - More importantly, for buffer overflow testing, for example, it isn't easy to understand that a successful buffer overflow has happened at all. Or for an XSS vulnerability, how can an automatic vulnerability testing application detect XSS for a given input? Or suppose finding the vulnerability in MS RPC last year: how does it detect that at that input sequence MS RPC is vulnerable?

But I see that some companies have the ability to get the binary code of a piece of software (like IE) and test it for vulnerabilities, and they will find some vulnerabilities in it after a short time. I think that they have some automated machines for this testing, but I don't have any idea about that.

Regards.
Mr. John
 
--------------------------------------------------
"Oliver@xxxxxxxxxx" <Oliver@xxxxxxxxxx> wrote:

There are several ways to search for vulnerabilities in applications.

If you have the source code, you can do a code review. There are many tools (like flawfinder etc.) which will support you in finding "static" vulnerabilities like buffer overflows due to incorrect usage of commands like "strcpy" and family.

If you don't have the source code, you can do reverse engineering with debuggers, disassemblers and other tools, to search for common coding mistakes.

You also can do black-box testing, whereby you can use fuzzy technology to generate random parameters and requests, sending them to the application.

The last one is the one I often use, because in most cases you don't have the source code, and reverse engineering is not that easy :)

bye,

Oliver

Mr. John wrote:

>Hi
>A question is in my mind every time I see a vulnerability disclosure. I want to know how a person
>finds a security vulnerability in a piece of software. Is there a regular way?
>Suppose that I am technical chair of a software group and we have a software product for which
>security is an important consideration. How can I test our software to ensure that no security
>vulnerabilities (like buffer overflow vulns) exist in our software product? It is also a question
>for me how, for example, eEye finds many vulnerabilities in software products. Is there a regular
>and formal way? Are there some tools, techniques, methods, ... for this purpose, for finding a
>vulnerability in a piece of software?
>
>Thanks
>John
>
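Oliver mentions flawfinder-style review for "strcpy and family", and John asks how a tool knows a problem is present at all. The following added example (not code from either poster, and not flawfinder's own ruleset) shows the core of such a static check: it scans C source for unbounded string and format calls while ignoring mentions inside comments and string literals, which is where naive grep-based checks produce noise. The RISKY_CALLS table and the sample C fragment are constructed for this illustration.

```python
import re

# Calls a flawfinder-style review looks for, with the usual safer replacement.
# This table is an illustration of the "strcpy and family" point, not flawfinder's ruleset.
RISKY_CALLS = {
    "strcpy": "strncpy/strlcpy with an explicit destination size",
    "strcat": "strncat/strlcat with an explicit destination size",
    "sprintf": "snprintf with an explicit buffer size",
    "gets": "fgets with an explicit buffer size",
    "scanf": "a width-limited conversion such as %31s",
}

_CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")
# Comments and string/char literals, so a 'strcpy' mentioned in them is not reported.
_NOISE_RE = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)


def strip_comments_and_strings(src):
    """Blank out comments and literals with spaces, keeping newlines so line numbers match."""
    return _NOISE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def find_risky_calls(src):
    """Return (line, function, advice) for every risky call in a C source string."""
    findings = []
    for lineno, line in enumerate(strip_comments_and_strings(src).split("\n"), 1):
        for m in _CALL_RE.finditer(line):
            findings.append((lineno, m.group(1), RISKY_CALLS[m.group(1)]))
    return findings


# Constructed sample input: two real problems and two decoys that must not be reported.
SAMPLE_C = r'''
#include <string.h>
#include <stdio.h>
/* strcpy(dst, src) in a comment must not be reported */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);            // real finding: unbounded copy
    printf("strcat(a, b) in a string is not a call\n");
    sprintf(buf, "%s!", name);    // real finding: unbounded format
    my_strcpy_wrapper(buf, name); // different identifier, not matched
}
'''

if __name__ == "__main__":
    for lineno, name, advice in find_risky_calls(SAMPLE_C):
        print(f"line {lineno}: {name}() -> consider {advice}")
```

A hit from this check is a place to review by hand, not a confirmed overflow; it says nothing about whether the destination is actually large enough, which is exactly the gap John points at.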


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html