  • by Richard (6330) on 2005.10.13 6:34 (#43867)
    >I've done white box security audits of code, but
    >never something like this. Am I completely
    >missing something?

    Actually yes. The difference between site audit and code audit.

    >Do you even need to know Perl if you're not
    >allowed to look at the code?

    Yes - if the site is written in perl/mod_perl
    you are expected to know the "common weaknesses"
    and try the site for them.

    If you will need (and as professional you will)
    to go in deeper, you will have to ask for certain
    information, which you probably will get.

    >How the heck can you "audit" something you're
    >not allowed to see?

    You are allowed to see the site.

    >The only thing I can think of is to spider
    >the site and start throwing malformed input
    >at everything and see what breaks.

    If this is not done with wild trial/error
    but after deliberation and analysis (because
    of your perl knowledge and experience), that's
    exactly what was requested.

    >That's hardly an audit and would likely miss
    >many problems.

    Customer: "We need you to paint this car black."
    You: "But why? If I paint it red, it's much more
    secure, because black cars are known to get
    overseen and accidents can happen and... ... ... ...
    That's that. Hello Customer? Hello?"

    >I know that penetration tests aren't
    >uncommon, but asking for an audit of code
    >you're not allowed to see is a different
    >beast altogether.

    Read the original text again. site audit !=
    code audit. Audit of a site that is written
    in perl does not mean to audit the perl code.
    Audit the phenotype of the site with general
    background knowledge about the genotype.

    That's that.