« GOP version of CyberSecurity Bill introduced | Main | Effective Application Security Testing: The Evil Streak »



Feed You can follow this conversation by subscribing to the comment feed for this post.


"The tester must then imagine what the server topology looks like and ask him/herself a few questions:"
Shouldn't all of this be answered through a through reconnaissance?

Joe Basirico

You are correct that some of this information will be discovered during reconnaissance, and certainly we will be using all of this information to create a mental model that will give us a clearer picture of how the system is built and designed. However, there are always certain things that we aren't able to discover through reconnoissance. For example, we may know _that a list of integers is sorted, but we may not know the algorithm used. Depending on the algorithm used there may be disk, memory or processor denial of service opportunities.

A good example of this kind of implementation attack is the HashDoS issue released at CCC a few months ago. This attacked an implementation detail on how the hash table was created, different hashing algorithms would respond differently and would be exploited differently. For more information see their slides, which are a good read (warning: PDF): http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf

I don't mean to imply that an imagination will help you discover DoS issues only, but those are two easy examples. We can discover how validators work (bypassing validators may allow for code injection vulnerabilities, improper error handling, and more) and more.

I hope this helps, if you have any other questions feel free to post another followup comment.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name and email address are required. Email address will not be displayed with the comment.)

Sign Up for Alerts

Follow Us

Our Newsletter

Subscribe to our quarterly newsletter, The Application Security Report..

Other Featured Blogs

Dinis Cruz Blog, by Dinis Cruz

WhoIsJoe, by Joe Basirico