Ok, you asked for it ;)

0) I'd like the attack surface stored in a table for quick reference (form
fields, hidden values, GET parameters, etc.)

1) sql injection via HTTP headers.  fields which might be stored in a db
(referer, user-agent, etc.) get tested for sql injection

2) where there is browser-side parsing, I'd like to see a check if the
server is parsing on the same value

3) which parameters allow which encoding schemes (can I unicode and get
valid response, double unicode, char(0x27), etc.).  Also, I want to know
what the backend allows as valid bytes for each parameter.  And, once you
know which bytes are accepted and how you can encode them, you can start
testing lengths and permutations (poor man's regex discoverer) :-)

4) if there is regex in the client-side parsing, I'd either like to test it
or at least get an alert like "Hey, there is crappy regex like ^[A-Z].*
"...or, maybe just a table of where regex exists and what it is....maybe
this could be a passive module?

5) automated fuzzing of form values (like the functionality that was in
SPIKEproxy...but better)

6) cookie analysis (randomness, parameters passed, expiration, etc.)

7) brute force directory and file discovery

8) sql injection (standard and blind)

9) try default credentials for known applications and then brute force

10) cross-pollination with other sites.  Can we use google to analyze html
(or javascript, or whatever) source and then compare it with what is in the
public domain or indexable via search engines?  I just want to know if the
site that I'm scanning has borrowed code.  More ideas on this at
http://blogs.securiteam.com/index.php/archives/719 and

11) I'd like to look for confidential data on web servers.  Are there SSN
numbers, .xls spreadsheets, does it process credit card info over a non-SSL
link.  These might work as passive checks????

Can I help?  What are your architecture plans for the engine?  Will it be a
modular approach where users can contribute code which plugs into the
scanner?  I'd like to help out if possible; but my work will be sporadic and
I'll need to be able to work independently of what is occurring within the
base engine...

Oh, and ask that Dinis Cruz guy for his ideas too...he has a lot more than
me ;-)