Thursday, 2 February 2012

Solving a problem...

When you're working on a project/tool with pentesters, most of them (including me) have the same issue: Solving 100% of a problem.

It's a mindset created by the job, in my opinion. As a pentester, you need to think of all the ways around something. So every time you create something, you will try to think of all the ways around it and find all its limitations.

It's good to think about limitations; however, most of the time it creates a reason to drop the project (and go back to procrastination: reddit, twitter, facebook).

For example, if you want to write a web scanner, it's easy to quickly write something with a lot of limitations:
  • No HPP (HTTP Parameter Pollution)
  • Won't support Flash applications
  • Won't support Java Servlets
  • Won't support NTLM
  • No web-based authentication support (without some extra work)
  • ...
And you start thinking, maybe I should write a proxy instead of a scanner...

The problem is that this tool, even if it has a lot of limitations, will probably work on 60% of websites and save 50% of your time. So it's probably worth writing it ;)

The same goes for a basic host review tool: you want it to know the default value of each parameter for each version of each piece of software, in case the parameter is not set in the configuration file. So you end up killing the project because it takes days to do that. On the other hand, you can just write a basic host review tool using grep. It won't be perfect and it won't work on all systems, but it will save you hours of work on most systems.
