[OWASP-Washington] Good article on stopping automated web app attack tools
Chuck
chuck.lists at gmail.com
Wed Apr 27 16:45:44 EDT 2005
Hi all,
I saw this today and it is pretty interesting. If people start
implementing these techniques it will certainly make pen-testing web
apps harder.
http://www.nextgenss.com/papers/StoppingAutomatedAttackTools.pdf
I am especially interested in how to overcome apps that invalidate
session ids. If there is a form a few levels deep in a web app that I
want to fuzz, are there any tools out there that will automate that
process, starting a new session for each request? This seems to be a
problem when looking at things like HacmeBank that use .NET VIEWSTATE.
I'd like to know if maybe something like that would be possible using
WebScarab's scripting.
Have a good day.
Chuck