[OWASP-Security101] Scanning Production Services?

NightShade avghacker at gmail.com
Fri Apr 13 13:27:02 UTC 2012


Usually there are two ways you can approach a scanning process.  The 
first would be similar to what you have described, where the scanner is 
just a point-and-shoot at the production site to see what issues it can 
find and exploit.  As you already pointed out, there can be issues 
with flooding the DB with "junk", and also performance issues if it is not 
set up properly.  The other approach is to attack this problem 
from the DEV/QA side.  You can set up scanners to point and shoot at the 
QA environment, where "junk" being pushed into the DB doesn't matter 
because it isn't public-facing data.  This can also lead to more secure 
development by showing DEVs early on where the vulnerabilities exist.  
Obviously the biggest challenge here is when QA doesn't exist or doesn't match 
the large production environment.

On 4/13/2012 8:54 AM, Patrick Laverty wrote:
> By "destructive" I mean that if there is a SQLi vulnerability that
> gets exploited, the database gets filled with garbage data which then
> also makes the site garbage.
> I work in an environment with hundreds of sites, so to just point and
> shoot at our entire environment would be pretty hard to really scan.
> Thanks.
> On Fri, Apr 13, 2012 at 8:12 AM, us1903<sharu89 at gmail.com>  wrote:
>> Hi Patrick,
>> When you say scanners are destructive to a site, do you mean the
>> performance issue when the scans are running? As for the destruction it can
>> cause in the database, you can scan the application in the production
>> environment by making a blacklist. This blacklist will contain all the
>> URLs/requests that can modify content in the database. Exclude all such
>> requests from the scanner for the production environment. Although, making
>> the blacklist is time-consuming and you will have to hand-pick the
>> URLs/requests.
>> Yes, of course the blacklisted URLs/requests will have to
>> be assessed manually or by other approaches that are safe.
>> --
>> Sharath Unni
>> On Fri, Apr 13, 2012 at 5:30 PM,<security101-request at lists.owasp.org>wrote:
>>> Date: Thu, 12 Apr 2012 12:56:05 -0400
>>> From: Patrick Laverty<patrick_laverty at brown.edu>
>>> To: security101 at lists.owasp.org
>>> Subject: [OWASP-Security101] Scanning Production Services?
>>> What do you do with regard to scanning your production web
>>> applications? It seems that at least some scanners can be pretty
>>> destructive to a site and database if they do find vulnerabilities.
>>> So do you only scan your pre-production environment and then make sure
>>> there are no more code changes from the time of the pre-prod scan and
>>> when the code goes live on a production server?
>>> Thanks.
>>> Patrick
>>> _______________________________________________
>>> Security101 mailing list
>>> Security101 at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/security101
>>> End of Security101 Digest, Vol 3, Issue 8
>> --
>> Sharath
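A worked illustration of the "blacklist the state-changing requests" idea from Sharath's reply, added here as an example; it is not code from anyone in the thread or from OWASP. The request log, the host app.example.com and the "mutating path" patterns are constructed and hypothetical; a real list has to be built from the application's own routes.

```python
"""Build a production scan exclusion list from crawled requests.

Added example, not from the thread. The request log, the hostname
app.example.com and the "mutating path" patterns are constructed and
hypothetical; a real list is built from the site's own routes.
"""
import re
from dataclasses import dataclass

# Methods that are idempotent by contract and normally safe for a scanner
# to fuzz against production without writing "junk" into the database.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Hypothetical patterns for GET endpoints that nevertheless change state.
# Sites that mutate on GET (delete links, admin actions, ?action=) are
# exactly the ones where a scanner fills the database with garbage.
MUTATING_PATH_PATTERNS = [
    re.compile(r"/(delete|remove|edit|update|create|publish)(/|$|\?)", re.I),
    re.compile(r"/admin/", re.I),
    re.compile(r"[?&](action|do|op)=", re.I),
]

# Constructed sample of "METHOD URL" lines, e.g. from a crawler or proxy.
SAMPLE_LOG = """\
GET https://app.example.com/
GET https://app.example.com/news?id=3
POST https://app.example.com/comments
GET https://app.example.com/news/3/delete
GET https://app.example.com/admin/users
GET https://app.example.com/search?q=test
HEAD https://app.example.com/status
GET https://app.example.com/item?action=vote&id=7
"""


@dataclass(frozen=True)
class Request:
    method: str
    url: str


def parse_log(text):
    """Parse 'METHOD URL' lines; blank and malformed lines are skipped."""
    requests = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            requests.append(Request(parts[0].upper(), parts[1]))
    return requests


def is_state_changing(req):
    """True if the request must be kept away from a production scanner."""
    if req.method not in SAFE_METHODS:
        return True
    return any(p.search(req.url) for p in MUTATING_PATH_PATTERNS)


def classify(requests):
    """Split requests into (safe_to_scan, excluded), preserving order."""
    safe, excluded = [], []
    for req in requests:
        (excluded if is_state_changing(req) else safe).append(req)
    return safe, excluded


def exclusion_regexes(excluded):
    """Collapse excluded URLs to path-level regexes for a scanner's
    out-of-scope / exclude-from-scan setting. The query string is dropped
    so every variant of a mutating endpoint is excluded, not one URL."""
    paths = sorted({re.sub(r"\?.*$", "", r.url) for r in excluded})
    return ["^" + re.escape(p) + r"(\?.*)?$" for p in paths]


def is_excluded(url, regexes):
    """Check a URL against the generated exclusion list."""
    return any(re.match(rx, url) for rx in regexes)


if __name__ == "__main__":
    safe, excluded = classify(parse_log(SAMPLE_LOG))
    print("safe to scan:")
    for r in safe:
        print("  ", r.method, r.url)
    print("exclude from production scan:")
    for rx in exclusion_regexes(excluded):
        print("  ", rx)
```

The regexes go into the scanner's exclude-from-scan setting; the excluded endpoints are the ones that still need manual testing or a scan against QA. The weak spot is the pattern list: any GET that writes to the database but does not match a pattern lands on the "safe" side, which is why the patterns must come from the application's routes rather than from guesswork, and why the safe list should be reviewed by a developer before the first production run.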
