[Owasp-leaders] Bring balance: force verification in scanning tools

Kevin W. Wall kevin.w.wall at gmail.com
Sun May 22 04:56:28 UTC 2016


On Sat, May 21, 2016 at 10:51 PM, johanna curiel curiel
<johanna.curiel at owasp.org> wrote:
> Bev made a question which triggered an idea
>
>>>Why couldn't we think about implementing some types of OWASP forensic
>>> features into all of our code projects so that we could at least have some
>>> way to investigate if / when they are misused?
>
> Now, when she said that I though why ZAP does not implement a feature that
> already exists is SaaS products which REQUIRES that you set a file in the
> hosting application before in order to be able to pen test it? If the file
> is not found in the URL domain server hosting the application, you cannot
> attack it.
>
> I don't want to advertise which commercial vendors do that but this is the
> way they avoid that a hackers go and misuse their services.
>
> Building a module into ZAP that requires this file first to verify you own
> the web app and then attack will make it harder for hackers to just download
> and use ZAP for evil purpose
>
> I know the project is open source and a hacker can go and modify the module
> but that will be more work for him and will refrain the lazy hackers or the
> ones without Java knowledge and resources, they will have better to move to
> another tool without this feature.

I think you've put your finger on it...open source and hacker modifications.
(Frankly, that's even fairly easier to do with assembler code and closed
source.) But given that it IS open source, a hacker would simply fork it
on GitHub or BitBucket or wherever and just point fellow black hats at
the modified source at some other URL.

> This way we are helping the white hats and not the black ones. Is not the
> final solution but I think in this way OWASP builds breakers attempting to
> also help Applications security.

I think that the only reason to even consider this is if LE starts giving
OWASP flack for making "attack tools". Then it might be advisable to
do that for the sake of appearance if nothing else.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.


More information about the OWASP-Leaders mailing list