Re: Sanctum AppScan 4 misses potential vulnerabilities in wrapped links

Valdis.Kletnieks_at_vt.edu
Date: 09/26/03

Next message: Stan Bubrouski: "Re: LanSuite 2003 - Multiple Vulnerabilities"

Previous message: Matt Zimmerman: "[SECURITY] [DSA-390-1] New marbles packages fix buffer overflow"
In reply to: Dawes, Rogan (ZA - Johannesburg): "RE: Sanctum AppScan 4 misses potential vulnerabilities in wrapped links"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
Date: Fri, 26 Sep 2003 11:49:53 -0400

On Fri, 26 Sep 2003 09:35:46 +0200, "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za> said:
> I am inclined to agree with Sanctum's position here. Without actually
> executing the javascript, and triggering all the possible events, and
>
> would be overlooked by this technique. I'm still of the opinion that *no*
> automated tool can provide complete coverage of an arbitrary web
> application, simply because of the potential complexity. It's like solving
> the halting problem, to my mind.

That's because it *is* the Turing Halting Problem, more or less.

Fortunately, we can mostly work around the problem by applying some constraints
to the problem space - for instance, we can simulate the Javascript and see if
what pops out is "legal" or "illegal". We then finesse the Turing issues by
simply declaring that any Javascript that takes over X amount of resources
(CPU, memory, network accesses, whatever) is tossed in the "illegal" pile.
This is demonstrably free of both Turing issues (since every test is guaranteed
to produce a result in X or less) and fulfills the Principle of Least Surprise
("I'd not have asked to visit that webpage if I knew it would take 2 hours to
do so").

The biggest remaining issue is the totally b0rked Javascript security model -
it isn't clear that it's possible to write an accurate simulator that does it
correctly. The proof of this statement is the obvious fact that if it WERE
possible to write such a beast, vendors would be shipping it as their
Javascript interpreter. ;)

application/pgp-signature attachment: stored

Next message: Stan Bubrouski: "Re: LanSuite 2003 - Multiple Vulnerabilities"

Previous message: Matt Zimmerman: "[SECURITY] [DSA-390-1] New marbles packages fix buffer overflow"
In reply to: Dawes, Rogan (ZA - Johannesburg): "RE: Sanctum AppScan 4 misses potential vulnerabilities in wrapped links"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Avoiding an Infinite Loop in Arbitrary eval(user_code)
... Short of writing a javascript-in-javascript interpreter, ... an algorithm to be written for a universal solution of the Halting Problem. ... I could, for example, solve this problem by writing a javascript ... Whether or not they have considered it as an attack vector is ...
(comp.lang.javascript)
Re: Determining the last statement exercise
... Neither Rice's theorem nor the halting problem applies here. ... If they did, no compiler could throw a compile error, and in particular no ... algorithm holds ... Prototype.js was written by people who don't know javascript for people ...
(comp.lang.javascript)
Re: Avoiding an Infinite Loop in Arbitrary eval(user_code)
... interpreter in javascript, then executing the user's code in my ... threads or a solution to the halting problem. ... I wrote a BASIC compiler and VM in Javascript once. ... was a big pain would be an understatement and performance ... ...
(comp.lang.javascript)