[31826] in bugtraq


Re: Sanctum AppScan 4 misses potential vulnerabilities in wrapped links

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Sep 26 12:45:47 2003

Message-Id: <200309261549.h8QFnr9s009648@turing-police.cc.vt.edu>
To: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
Cc: "'RAFAEL SAN MIGUEL CARRASCO'" <rsmc@tid.es>, bugtraq@securityfocus.com
In-Reply-To: Your message of "Fri, 26 Sep 2003 09:35:46 +0200." <AA8E3CBBF6E2E7489931D9F30A7BDBD81B2A34@zajnbnt006.za.deloitte.com>
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_1092252802P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Fri, 26 Sep 2003 11:49:53 -0400


On Fri, 26 Sep 2003 09:35:46 +0200, "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za> said:
> I am inclined to agree with Sanctum's position here. Without actually
> executing the javascript, and triggering all the possible events, and
>
> would be overlooked by this technique. I'm still of the opinion that *no*
> automated tool can provide complete coverage of an arbitrary web
> application, simply because of the potential complexity. It's like solving
> the halting problem, to my mind.

That's because it *is* the Turing Halting Problem, more or less.

Fortunately, we can mostly work around the problem by applying some constraints
to the problem space - for instance, we can simulate the Javascript and see if
what pops out is "legal" or "illegal".  We then finesse the Turing issues by
simply declaring that any Javascript that takes over X amount of resources
(CPU, memory, network accesses, whatever) is tossed in the "illegal" pile.
This is demonstrably free of both Turing issues (since every test is guaranteed
to produce a result in X or less) and fulfills the Principle of Least Surprise
("I'd not have asked to visit that webpage if I knew it would take 2 hours to
do so").

The biggest remaining issue is the totally b0rked Javascript security model -
it isn't clear that it's possible to write an accurate simulator that does it
correctly.  The proof of this statement is the obvious fact that if it WERE
possible to write such a beast, vendors would be shipping it as their
Javascript interpreter. ;)


