[Owasp-pantera] Ideas for scan engine
symgryph at gmail.com
Thu Jan 4 09:43:08 EST 2007
One of the features of the automated scan that would be very useful: 1. ajax
testing. Nothing to date does this. A 'learn' mode that would allow me to
interact with the application, and then a 'fuzz' mode that would
automatically attack paramaters that the machine 'learns' during learn
mode. The 'fuzz' mode could check for things like buffer overflows,
unhandled conditions, random characters, etc.
For static applications, the 'automated' discovery could follow a set of
'paths' that I set by browsing the sites. I don't always want to test the
ENTIRE website, but just the part that has changed. So following my 'path'
it could autotest links ONLY on the pages I specify.
Complete automated testing, of course should be standard.
Finally a sql injection banger for looking at logins, and things that look
for stupid things like not encrypting password fields before they are sent
to server e.g. either base64 encoding, or application specific java scripts
that allow logins from forms.
Reporting wise, either export to .odf would be great, since from there I can
go to html, pdf, or etc. Something management friendly with 'high, medium,
low' assessments, which are of course, customizable by me! We can use a
'scoring' system to decide if an application 'passes' or 'fails' by a point
system. Helps to make things more quantifiable.
I will help as much as I can in testing, I LOVE pantera!
Thomas J. Munn
Two Wheels Good, Four Wheels Bad
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-pantera