Information disclosure has always been a boon to hackers.
The Crown Jewel of information disclosure, source code disclosure, is arguably the most significant information an attacker can obtain, and can be used to expose potential code-level vulnerabilities, logic, and hard coded information.
Since vulnerabilities that disclose source code are not always available, we were lead to believe that the concept of security by obscurity can provide some level of protection, as fragile as it may be… but not anymore.
Divination Attacks, a new breed of information gathering attacks, provide the means to identify the memory structure and source code of application components, using black box techniques with unparalleled accuracy.
What is that useful for?
Consider the methods that are required to detect the following complex exposures:
SQL Injection attacks that affects different pages in the application via database values or session attributes, and require the vulnerable page to be accessed through abnormal combinations of authentication, deliberate exceptions, and missing information.
Sounds confusing?
Talented or lucky testers might be able to detect these complex exposures in a limited scope, but have you ever heard of an automated vulnerability scanner, a passive security scanner, or any other black-box tool that can detect these "indirect" attacks with minimal user interference?
"Diviner" - a new OWASP ZAP extension, can be used to locate leads for direct and indirect attacks scenarios on a consistent basis, and can also enable testers to fingerprint server-side source code fragments and visualize the structure of the server memory and inter-page processes, thus, enhancing the tester's decision making process and enabling him to properly invest his time and efforts.
