[Owasp-dotnet] Some comments on the current version of Beretta

Wed Aug 3 14:49:54 EDT 2005

I had a quick look at Berreta and here is a brain dump about it (note 
that I am now in a position where I need a tool like this for one of my 
projects, and having tested some of the available commercial scanners I 
really want this tool to work)

ok, so:

1) the first thing that we need to do is to add an AJAX interface to 
this (Asynchronous JavaScript) there are already some toolkits for this 
out there for .NET so we should use them.
    * The web interface is the way to go, but having to reload every 
page after every click will drive everybody nuts (besides being a very 
un-optimized way to do things)
    * The idea is that all GUI functions are implemented in AJAX and 
there are only a few pages loaded (the main one and maybe some pop-ups)
    * I am not sure what the is current relationship between the current 
AJAX .Net engines and web Services, but ideally the final version should 
be compatible/equivalent

2) we need to have a fully functional testing suite so that we can work 
on the full test sequence: Scan, Analyze, Inject, Analyze, etc... (Hacme 
bank and WebGoat) should be the initial targets. I also have a big need 
for a brute-force http request engine (where I am able to define some 
parts of the http get request to be 'brute forced')

3) I'm a bit bias on this one, but I think that creating an SQL 
Injection module will make this tool already usable by thousands of 
users. We need to write the plug-in for this that (based on an SQL 
Injection) displays all information available (from databases to tables 
to columns to data (a bit like what DataThief and absInThe do, although 
ironically none gets the data from the error messages. DataThief needs 
an supporting SQL Server and AbsInThe works via 'Blind Sql Injection')). 
I have some scripts which allows the enumeration via error messages 
which I want to convert to this

4) The AJAX server interface (in a similar way to Web Services) should 
expose the following 'services' to the AJAX client apps (running for now 
in IE/Firefox (and maybe in a .Net Browser Component):
    * Session /Project Management
    * Exploit Management
    * Create Payloads: Input = 'ArrayList with request params'
                                  Output = 'ArrayList with Payloads'
    * Execute Payloads (all | Next | payload_ID)
    * Analyze Results: Input = 'ArrayList with HttpResponses'
                                      Output = 'ArrayList with DataItems'

    The presentation of this would be done by the client (this way we 
could support multiple types of clients)

5) Another reason why we should move to an AJAX world is that it would 
allow components like T-Browser (which I think is a 'have-to-have' 
component) and WebScarab to be integrated with the solution. WebScarab 
for example already has a huge amount of very cool functionality which 
we should leverage

6) we need to integrate this with the new testing guide, and make sure 
the terminology is compatible with it

7) we need to have a good spider engine and 'blind brute force security 
audit'. There are already some good Open Source Engines out there, and 
there is no need to reinvent the wheel. See for example SensePost Witko 
tool (which is based on Nikto). While we're at it, a Goggle Hacking plug 
it would also be very useful.

Just some thoughts

Dinis Cruz
.Net Security Consultant
Owasp .Net Project Leader