SirGod Posted November 11, 2016

A quality article, as the guys at PortSwigger have gotten us used to. I also recommend the rest of the articles on their blog.

Backslash Powered Scanning: Hunting Unknown Vulnerability Classes
James Kettle - james.kettle@portswigger.net - @albinowax

Abstract

Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures - almost like an anti-virus. In this document, I'll share the conception and development of an alternative approach, capable of finding and confirming both known and unknown classes of injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering. True to its heritage, this approach also manages to harness some pitfalls that will be all too familiar to experienced manual testers. I'll share some of the more entertaining findings and lessons learned from unleashing this prototype on a few thousand sites, and release a purpose-built stealthy-scanning toolkit. Finally, I'll show how it can be taken far beyond injection hunting, leaving you with numerous leads for future research.

Outline

Introduction
Three Failures of Scanners
    Rare Technology
    Variants and Filters
    Buried Vulnerabilities
Alternative Approach to Scanning
    Suspicious Input Transformations
    Probe-pair Fuzzing
        Core Logic
        Types of Mutation
        Recognising Response Differences
Hunting Findings
    Scanning Distributed Systems
    Sample Results
    Lessons Learned
Further Research
    Enumerable Input Detection
    Cold-start Bruteforce Attacks
Conclusion

Full article: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html