Re: Techniques for Vulnerability discovery

From: GomoR (GomoR@gomor.org)
Date: 04/09/02


Date: Tue, 9 Apr 2002 16:03:28 +0200
From: GomoR <GomoR@gomor.org>
To: security-basics@securityfocus.com

On Fri, 5 Apr 2002 09:04:33 +0800
"kaipower" <kaipower@subdimension.com> wrote:

> Hi,
>
> After reading the mailing list for quite a while, there is a burning
> question which I kept asking myself:
>
> How do experts discover vulnerabilities in a system/software?
>
> Some categories of vulnerabilities that I am aware of:
> 1) Buffer overflow (Stack or Heap)
> 2) Mal access control and Trust management
> 3) Cross site scripting
> 4) Unexpected input - e.g. SQL injection?
> 5) Race conditions
> 6) password authentication
>
> Do people just run scripts to brute force to find vulnerabilities? (as in
> the case of Buffer overflows)
> Or do they do a reverse engineer of the software?
>
> How relevant is reverse engineering in this context?
>
> Anybody out there care to give a methodology/strategy in finding
> vulnerabilities?
>
> Mike
>

A new article has just been published that covers this point.
I've read it, and I think it could help you a little.

  http://www.computer.org/computer/sp/articles/arc/index.htm

______________________________________________________________________
       __ __
      / || \ FreeBSD Network - http://www.GomoR.org/
     | __ |___/ Security Engineer Junior
     | || \
      \__|| \ >root is the only God I believe in<


