[Owasp-dotnet] Some comments on the current version of Beretta
dinis at ddplus.net
Wed Aug 3 14:49:54 EDT 2005
I had a quick look at Beretta and here is a brain dump about it (note
that I am now in a position where I need a tool like this for one of my
projects, and having tested some of the available commercial scanners I
really want this tool to work)
1) the first thing that we need to do is to add an AJAX interface to
out there for .NET so we should use them.
* The web interface is the way to go, but having to reload every
page after every click will drive everybody nuts (besides being a very
un-optimized way to do things)
* The idea is that all GUI functions are implemented in AJAX and
there are only a few pages loaded (the main one and maybe some pop-ups)
* I am not sure what the current relationship is between the current
AJAX .Net engines and web Services, but ideally the final version should
2) we need to have a fully functional testing suite so that we can work
on the full test sequence: Scan, Analyze, Inject, Analyze, etc... (Hacme
bank and WebGoat) should be the initial targets. I also have a big need
for a brute-force http request engine (where I am able to define some
parts of the http get request to be 'brute forced')
3) I'm a bit biased on this one, but I think that creating an SQL
Injection module will make this tool already usable by thousands of
users. We need to write the plug-in for this that (based on an SQL
Injection) displays all information available (from databases to tables
to columns to data (a bit like what DataThief and AbsInThe do, although
ironically none gets the data from the error messages. DataThief needs
a supporting SQL Server and AbsInThe works via 'Blind Sql Injection')).
I have some scripts which allow the enumeration via error messages
which I want to convert to this.
4) The AJAX server interface (in a similar way to Web Services) should
expose the following 'services' to the AJAX client apps (running for now
in IE/Firefox (and maybe in a .Net Browser Component)):
* Session/Project Management
* Exploit Management
* Create Payloads: Input = 'ArrayList with request params'
Output = 'ArrayList with Payloads'
* Execute Payloads (all | Next | payload_ID)
* Analyze Results: Input = 'ArrayList with HttpResponses'
Output = 'ArrayList with DataItems'
The presentation of this would be done by the client (this way we
could support multiple types of clients)
5) Another reason why we should move to an AJAX world is that it would
allow components like T-Browser (which I think is a 'have-to-have'
component) and WebScarab to be integrated with the solution. WebScarab
for example already has a huge amount of very cool functionality which
we should leverage
6) we need to integrate this with the new testing guide, and make sure
the terminology is compatible with it
7) we need to have a good spider engine and 'blind brute force security
audit'. There are already some good Open Source Engines out there, and
there is no need to reinvent the wheel. See for example SensePost Wikto
tool (which is based on Nikto). While we're at it, a Google Hacking
plug-in would also be very useful.
Just some thoughts
.Net Security Consultant
Owasp .Net Project Leader