[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Fw: Info about attack trees
From: "Jerry dePriest" <jerryde () mc ! net>
Date: 2012-05-28 18:37:19
Message-ID: C4AEC7DDA65C46F583B14991084F46DF () snoopy
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
haven't you ever watched the wizard of oz? attack trees...
----- Original Message -----
From: Peter Dawson
To: full-disclosure@lists.grok.org.uk
Sent: Monday, May 28, 2012 9:20 AM
Subject: Re: [Full-disclosure] Info about attack trees
==> "there are no such thing as an attack tree."
Eh ?? Seems that Schneier was blowing smoke up in the air with his thoughts on attack trees \
!!
Anyhoot, here's another good old linky Military Operations Research V10, N2, 2005, \
http://www.innovativedecisions.com/documents/Buckshaw-Parnelletal.pdf
/pd
On Fri, May 25, 2012 at 9:46 AM, Daniel Hadfield <dan@pingsweep.co.uk> wrote:
You can create an XSS with a SQLi
If you can output on the page, you can inject HTML/JS with that variable
On 25/05/2012 09:58, Federico De Meo wrote:
> Hello everybody, I'm new to this maling-list and to security in general.
> I'm here to learn and I'm starting with a question :)
>
> I'm looking for some informations about attack trees usage in web application analysis.
>
> For my master thesis I decided to study the usage of this formalism in order to reppresent \
attacks to a web applications. > I need a lot of use cases from which to start learning common \
attacks which can help building a proper tree. >
> >From where can I start?
>
> I've already read the OWASP top 10 vulnerabilities an I'm familiar with XSS, SQLi, ecc. \
however I've no clue on how to combine them together in order to perform the steps needed to \
attack a system. I'm looking for some examples and maybe to some famous attacks from which I \
can understand which steps are performed and how commons vulnerabilities can being combined \
together. Any help is really appreciated. >
>
> -------------------
> Federico.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--------------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Attachment #5 (text/html)]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19222">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2 face=Arial>haven't you ever watched the wizard of oz? attack
trees...</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV style="FONT: 10pt arial">----- Original Message -----
<DIV style="BACKGROUND: #e4e4e4; font-color: black"><B>From:</B> <A
title=slash.pd@gmail.com href="mailto:slash.pd@gmail.com">Peter Dawson</A>
</DIV>
<DIV><B>To:</B> <A title=full-disclosure@lists.grok.org.uk
href="mailto:full-disclosure@lists.grok.org.uk">full-disclosure@lists.grok.org.uk</A>
</DIV>
<DIV><B>Sent:</B> Monday, May 28, 2012 9:20 AM</DIV>
<DIV><B>Subject:</B> Re: [Full-disclosure] Info about attack trees</DIV></DIV>
<DIV><BR></DIV>
<DIV>==> "there are no such thing as an attack tree."</DIV>
<DIV> </DIV>
<DIV>Eh ?? Seems that Schneier was blowing smoke up in the air with
his thoughts on attack trees !!</DIV>
<DIV> </DIV>
<DIV>Anyhoot, here's another good old linky Military Operations Research V10,
N2, 2005, <A class="external autonumber"
href="http://www.innovativedecisions.com/documents/Buckshaw-Parnelletal.pdf"
rel=nofollow></A><A
href="http://www.innovativedecisions.com/documents/Buckshaw-Parnelletal.pdf">http://www.innovativedecisions.com/documents/Buckshaw-Parnelletal.pdf</A><BR></DIV>
<DIV> </DIV>
<DIV>/pd<BR></DIV>
<DIV class=gmail_quote>On Fri, May 25, 2012 at 9:46 AM, Daniel Hadfield <SPAN
dir=ltr><<A href="mailto:dan@pingsweep.co.uk"
target=_blank>dan@pingsweep.co.uk</A>></SPAN> wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>You can create an XSS with a SQLi<BR><BR>If you can output
on the page, you can inject HTML/JS with that variable<BR>
<DIV class=HOEnZb>
<DIV class=h5><BR><BR>On 25/05/2012 09:58, Federico De Meo wrote:<BR>>
Hello everybody, I'm new to this maling-list and to security in
general.<BR>> I'm here to learn and I'm starting with a question
:)<BR>><BR>> I'm looking for some informations about attack trees usage
in web application analysis.<BR>><BR>> For my master thesis I decided to
study the usage of this formalism in order to reppresent attacks to a web
applications.<BR>> I need a lot of use cases from which to start learning
common attacks which can help building a proper tree.<BR>><BR>> >From
where can I start?<BR>><BR>> I've already read the OWASP top 10
vulnerabilities an I'm familiar with XSS, SQLi, ecc. however I've no clue on
how to combine them together in order to perform the steps needed to attack a
system. I'm looking for some examples and maybe to some famous attacks from
which I can understand which steps are performed and how commons
vulnerabilities can being combined together. Any help is really
appreciated.<BR>><BR>><BR>> -------------------<BR>>
Federico.<BR>> _______________________________________________<BR>>
Full-Disclosure - We believe in it.<BR>> Charter: <A
href="http://lists.grok.org.uk/full-disclosure-charter.html"
target=_blank>http://lists.grok.org.uk/full-disclosure-charter.html</A><BR>>
Hosted and sponsored by Secunia - <A href="http://secunia.com/"
target=_blank>http://secunia.com/</A><BR><BR>_______________________________________________<BR>Full-Disclosure \
- We believe in it.<BR>Charter: <A
href="http://lists.grok.org.uk/full-disclosure-charter.html"
target=_blank>http://lists.grok.org.uk/full-disclosure-charter.html</A><BR>Hosted
and sponsored by Secunia - <A href="http://secunia.com/"
target=_blank>http://secunia.com/</A><BR></DIV></DIV></BLOCKQUOTE></DIV><BR><BR
clear=all>
<P>
<HR>
<P></P>_______________________________________________<BR>Full-Disclosure - We
believe in it.<BR>Charter:
http://lists.grok.org.uk/full-disclosure-charter.html<BR>Hosted and sponsored by
Secunia - http://secunia.com/</BODY></HTML>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic