Blindman's bluff and security audits

Ovid on 2003-03-31T17:19:41

On the Perl Jobs mailing list, a job for a security audit of a mod_perl site was listed (the job is no longer in the database, though). While that seems straightforward, the following information was supplied:

Audit the nlp.petamem.com pages which are written in perl (using mod_perl2) for security problems and other faults. You cannot have direct access to the site code, but we will provide you with all technical information you need for auditing.

I've done white box security audits of code, but never something like this. Am I completely missing something? Do you even need to know Perl if you're not allowed to look at the code? How the heck can you "audit" something you're not allowed to see? The only thing I can think of is to spider the site and start throwing malformed input at everything and see what breaks. That's hardly an audit and would likely miss many problems. Are requests like this common in the security world? I know that penetration tests aren't uncommon, but asking for an audit of code you're not allowed to see is a different beast altogether.


blackbox audits

Richard on 2005-10-13T11:34:18

>I've done white box security audits of code, but
>never something like this. Am I completely
>missing something?

Actually yes. The difference between a site audit and a code audit.

>Do you even need to know Perl if you're not
>allowed to look at the code?

Yes - if the site is written in perl/mod_perl
you are expected to know the "common weaknesses"
and try the site for them.

If you will need (and as a professional you will)
to go in deeper, you will have to ask for certain
information, which you probably will get.

>How the heck can you "audit" something you're
>not allowed to see?

You are allowed to see the site.

>The only thing I can think of is to spider
>the site and start throwing malformed input
>at everything and see what breaks.

If this is not done with wild trial/error
but after deliberation and analysis (because
of your perl knowledge and experience), that's
exactly what was requested.

>That's hardly an audit and would likely miss
>many problems.

Customer: "We need you to paint this car black."
You: "But why? If I paint it red, it's much more
secure, because black cars are known to get
overseen and accidents can happen and... ... ... ...
That's that. Hello Customer? Hello?"

>I know that penetration tests aren't
>uncommon, but asking for an audit of code
>you're not allowed to see is a different
>beast altogether.

Read the original text again. site audit !=
code audit. Audit of a site that is written
in perl does not mean to audit the perl code.
Audit the phenotype of the site with general
background knowledge about the genotype.

That's that.

Richard