[Owasp-pantera] Pantera 2007 roadmap!

list at roseslabs.com
Fri Jan 5 04:09:53 EST 2007


Hi Dmitry,

Thanks for all your input!!

I'm taking notes on all your suggestions.

Yes, the idea for the scan engine will be a modular approach (plugins) and
all the attack patterns, detection signatures and documentation will be
stored in XML files. So it will be very easy to add new stuff.

btw, PPA checks now work in the same fashion using XML files.

Sincerely,

Simon Roses Femerling

> Ok, you asked for it ;)
>
> 0) I'd like the attack surface stored in a table for quick reference (form
> fields, hidden values, GET parameters, etc.)
>
> 1) sql injection via HTTP headers.  fields which might be stored in a db
> (referer, user-agent, etc.) get tested for sql injection
>
> 2) where there is browser-side parsing, I'd like to see a check if the
> server is parsing on the same value
>
> 3) which parameters allow which encoding schemes (can I unicode and get
> valid response, double unicode, char(0x27), etc.).  Also, I want to know
> what the backend allows as valid bytes for each parameter.  And, once you
> know which bytes are accepted and how you can encode them, you can start
> testing lengths and permutations (poor man's regex discoverer) :-)
>
> 4) if there is regex in the client-side parsing, I'd either like to test it
> or at least get an alert like "Hey, there is crappy regex like ^[A-Z].*
> "...or, maybe just a table of where regex exists and what it is....maybe
> this could be a passive module?
>
> 5) automated fuzzing of form values (like the functionality that was in
> SPIKEproxy...but better)
>
> 6) cookie analysis (randomness, parameters passed, expiration, etc.)
>
> 7) brute force directory and file discovery
>
> 8) sql injection (standard and blind)
>
> 9) try default credentials for known applications and then brute force
> authentication
>
> 10) cross-pollination with other sites.  Can we use google to analyze html
> (or javascript, or whatever) source and then compare it with what is in the
> public domain or indexable via search engines?  I just want to know if the
> site that I'm scanning has borrowed code.  More ideas on this at
> http://blogs.securiteam.com/index.php/archives/719 and
> http://blogs.securiteam.com/index.php/archives/509
>
> 11) I'd like to look for confidential data on web servers.  Are there SSN
> numbers, .xls spreadsheets, does it process credit card info over a non-SSL
> link.  These might work as passive checks????
>
>
> Can I help?  What are your architecture plans for the engine?  Will it be a
> modular approach where users can contribute code which plugs into the
> scanner?  I'd like to help out if possible; but my work will be sporadic and
> I'll need to be able to work independent of what is occurring within the
> base engine...
>
> Oh, and ask that Dinis Cruz guy for his ideas too...he has a lot more than
> me ;-)
>
> Thanks,
>
> --
> !Dmitry
> http://blogs.securiteam.com/index.php/archives/author/dmitryc/
>
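Simon's reply describes a plugin-based engine whose attack patterns, detection signatures and documentation live in XML, and Dmitry's list asks for passive checks such as cookie analysis (item 6) and confidential-data discovery (item 11). The following is an added example, not Pantera's own code, of how such XML-defined passive checks can be loaded and run over an HTTP response. The XML schema (`check`, `pattern`, `doc`, the `target`/`mode` attributes), the check names and the sample response are all constructed for this illustration and are not taken from the project.

```python
"""
Added example: a small XML-driven passive check engine. Each check declares
where to look (a response header or the body), a regex, and whether a finding
is raised when the regex matches ("match") or when it is absent ("missing").
Adding a new check only means adding an XML element, no Python changes.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Constructed check definitions (hypothetical schema, not Pantera's format).
CHECKS_XML = r"""<checks>
  <check id="cookie-missing-secure" target="header:set-cookie" mode="missing" severity="medium">
    <pattern>;\s*Secure\b</pattern>
    <doc>Cookie is set without the Secure attribute and may travel over plain HTTP.</doc>
  </check>
  <check id="cookie-missing-httponly" target="header:set-cookie" mode="missing" severity="low">
    <pattern>;\s*HttpOnly\b</pattern>
    <doc>Cookie is readable from script because HttpOnly is not set.</doc>
  </check>
  <check id="server-version-banner" target="header:server" mode="match" severity="info">
    <pattern>^[A-Za-z-]+/\d+(\.\d+)*</pattern>
    <doc>Server header discloses a product version.</doc>
  </check>
  <check id="ssn-in-body" target="body" mode="match" severity="high">
    <pattern>\b\d{3}-\d{2}-\d{4}\b</pattern>
    <doc>Response body contains an SSN-shaped value.</doc>
  </check>
</checks>"""

# Constructed sample response: header names are lower-cased, values are lists
# because headers such as Set-Cookie may repeat.
SAMPLE_RESPONSE = {
    "headers": {
        "server": ["Apache/1.3.37 (Unix)"],
        "set-cookie": [
            "SESSIONID=abc123; Path=/",
            "pref=en; Path=/; Secure; HttpOnly",
        ],
        "content-type": ["text/html"],
    },
    "body": "<html><body>Account holder SSN: 123-45-6789</body></html>",
}


@dataclass
class Check:
    id: str
    target: str          # "body" or "header:<name>"
    mode: str            # "match" or "missing"
    severity: str
    pattern: re.Pattern
    doc: str


def load_checks(xml_text: str) -> List[Check]:
    """Parse the XML check definitions into Check objects, validating the mode."""
    root = ET.fromstring(xml_text)
    checks = []
    for el in root.findall("check"):
        mode = el.get("mode", "match")
        if mode not in ("match", "missing"):
            raise ValueError(f"check {el.get('id')}: unknown mode {mode!r}")
        checks.append(Check(
            id=el.get("id"),
            target=el.get("target", "body"),
            mode=mode,
            severity=el.get("severity", "info"),
            pattern=re.compile(el.findtext("pattern").strip(), re.IGNORECASE),
            doc=(el.findtext("doc") or "").strip(),
        ))
    return checks


def _values(response: Dict, target: str) -> List[str]:
    """Return the strings a check inspects; a missing header yields nothing."""
    if target == "body":
        return [response["body"]]
    kind, _, name = target.partition(":")
    if kind != "header" or not name:
        raise ValueError(f"unsupported target {target!r}")
    return response["headers"].get(name.lower(), [])


def run_checks(checks: List[Check], response: Dict) -> List[Dict]:
    """Apply every check to the response and return one finding per hit."""
    findings = []
    for c in checks:
        for value in _values(response, c.target):
            hit = c.pattern.search(value) is not None
            # "match" fires when the pattern is present, "missing" when absent.
            if hit == (c.mode == "match"):
                findings.append({"id": c.id, "severity": c.severity,
                                 "evidence": value[:80], "doc": c.doc})
    return findings


if __name__ == "__main__":
    for f in run_checks(load_checks(CHECKS_XML), SAMPLE_RESPONSE):
        print(f"[{f['severity']}] {f['id']}: {f['doc']} ({f['evidence']})")
```

Because "missing" checks only run over values that exist, a response with no Set-Cookie header produces no cookie findings, which is the behaviour you want from a passive module; a check that should fire when a header is absent altogether would need a third mode.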