Open sashank opened 8 years ago
Thank you, Shashank, for reaching out to me. Great to hear from you, and great to know you had a look at Lamma.
Lamma is just a small beginning. Lots of development is happening, and we will be making major updates in a couple of weeks. Your suggestions and contributions will help the community get more value out of it.
Thank you and please keep in touch. Ajit
ajit@securitymonx.com +91-9850-82-8882
On 7 Sep 2016 20:08, "Sashank" notifications@github.com wrote:
A few more use cases that would be nice to have:
- Search for hard-coded passwords in the code (not sure if it is supported).
- This guide might help https://cryptocoding.net/index.php/Coding_rules in detecting some more coding errors in crypto implementations.
- A curated list of CVEs in authentication and cryptographic implementations could be checked against the code (some implementations exploiting those CVEs might be found on GitHub etc.).
Cool, those are good pointers for me to make progress.
Thanks a lot Shashank. ~Ajit
On 8 Sep 2016 19:34, "Sashank" notifications@github.com wrote:
- A few ways to check for hard-coded passwords: look for method calls to PBKDF2, scrypt, or any such password-based methods of popular libraries like OpenSSL, Bouncy Castle, etc.; these methods are used to generate cryptographic keys from user-driven passwords.
- Also, database driver calls/scripts usually have embedded passwords. It might be tricky to blanket-cover all of these methods, but we can at least try popular database drivers.
- Also, you could search for popular simple passwords in the code. For example, search for these strings http://www.passwordrandom.com/most-popular-passwords (and their hashes) in the source code.
- Searching for popular crypto and authentication vulnerabilities could be tricky. I would attempt it this way: take a CWE ID (310, 287, for example) and search for all the CVEs with a CVSS score between, let's say, 8 and 10. Here is a sample search query https://www.cvedetails.com/vulnerability-search.php?f=1&vendor=&product=&cveid=&cweid=310&cvssscoremin=8&cvssscoremax=10&psy=&psm=&pey=&pem=&usy=&usm=&uey=&uem= ; you would get the most notorious ones like Heartbleed etc. You could find some scripts on GitHub done as PoCs for these vulnerabilities; you could start with them.
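One way to implement the hard-coded-password checks Sashank lists above (key-derivation calls, embedded database credentials, and popular passwords or their hashes), as an added example in Python that is not LAMMA's own code. The sample source lines and the short password list are constructed for this example; the regular expressions are assumptions about how such calls and connection strings usually look in source, and a real scanner would load the full popular-password list from a file.

```python
import hashlib
import re

# Constructed sample input (not from any real project): one line for each
# pattern the thread describes, plus a last line that must not fire.
SAMPLE_SOURCE = """\
key = hashlib.pbkdf2_hmac('sha256', b'password', salt, 100000)
conn = psycopg2.connect(host='db', user='app', password='hunter2')
url = 'mysql://root:123456@localhost/prod'
stored = '5f4dcc3b5aa765d61d8327deb882cf99'
secret = os.environ['DB_PASSWORD']
"""

# Assumption: a small subset of the popular-password list linked in the thread.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123"]

# Calls to password-based KDFs: the password handed to them is often a literal.
KDF_CALL = re.compile(r"\b(pbkdf2\w*|scrypt\w*|bcrypt\w*|argon2\w*)\s*\(",
                      re.IGNORECASE)
# password=... / passwd=... keyword arguments with a quoted literal value,
# the shape most database driver connect() calls take.
PASSWORD_KWARG = re.compile(
    r"""\b(?:password|passwd|pwd)\s*[=:]\s*['"]([^'"]+)['"]""", re.IGNORECASE)
# scheme://user:password@host connection URLs; group 1 is the password.
URL_CREDENTIAL = re.compile(
    r"""\b[a-z][a-z0-9+.-]*://[^:/\s'"@]+:([^@/\s'"]+)@""", re.IGNORECASE)
# Any quoted literal, looked up against the popular-password lexicon.
STRING_LITERAL = re.compile(r"""['"]([^'"]+)['"]""")
# MD5 / SHA-1 / SHA-256 hex digest lengths.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def build_lexicon(passwords):
    """Map each popular password and its MD5/SHA-1/SHA-256 hex digests back to
    the password, so a stored hash is caught as well as the plaintext."""
    lexicon = {}
    for pw in passwords:
        lexicon[pw.lower()] = pw
        for algo in ("md5", "sha1", "sha256"):
            lexicon[hashlib.new(algo, pw.encode()).hexdigest()] = pw
    return lexicon


def scan(source, lexicon=None):
    """Return (line_number, kind, detail) findings for one file's text."""
    if lexicon is None:
        lexicon = build_lexicon(COMMON_PASSWORDS)
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = KDF_CALL.search(line)
        if m:
            findings.append((lineno, "kdf-call", m.group(1)))
        m = PASSWORD_KWARG.search(line)
        if m:
            findings.append((lineno, "password-kwarg", m.group(1)))
        m = URL_CREDENTIAL.search(line)
        if m:
            findings.append((lineno, "url-credential", m.group(1)))
        for literal in STRING_LITERAL.findall(line):
            hit = lexicon.get(literal.lower())
            if hit is None:
                continue
            kind = ("common-password-hash" if HEX_DIGEST.match(literal.lower())
                    else "common-password")
            findings.append((lineno, kind, hit))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {detail}")
```

The KDF check is deliberately a lead rather than a verdict: a `pbkdf2_hmac(...)` call is only a problem when the password argument is a literal, which is why the literal lookup on the same line is reported separately. Reading `os.environ[...]` on the last line produces no finding, which is the behaviour you want from a scanner that is meant to be run in CI.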
Let's catch up some time; I can give more of a brain dump etc.