[Owasp-dotnet] RE: Owasp-dotnet digest, Vol 1 #221 - 6 msgs
Eoin Keary
eoinkeary at hotmail.com
Tue Sep 13 05:35:49 EDT 2005
Regarding Dan's comment on 200 responses: an app I am testing does this.
HTTP 200 for everything.
I used WebInspect and every test was positive.
If an application has dynamic URLs (each time a link is selected a new
event ID is generated, which is unique and part of the GET request), then
after the crawling phase, when WebInspect does the test, all the URLs are
invalid as they have invalid web event IDs. No tool can get around this
problem.
Eoin
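Added example, not from the thread: a small Python check, run against a constructed stand-in app rather than any real site, that detects the "200 for everything" behaviour Eoin and Daniel describe by probing random nonexistent paths and then judging later responses by body similarity to that baseline instead of by status code. The `catch_all_app` and `strict_app` stand-ins, the path-masking step and the 0.9 threshold are my assumptions; the per-click event-ID problem Eoin raises is not addressed here, since it needs a stateful crawl rather than a response check.

```python
import difflib
import secrets
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Response:
    status: int
    body: str


# fetch(path) -> Response; in real use this wraps an HTTP client.
Fetch = Callable[[str], Response]

# --- constructed sample applications (not real sites) ---------------------------------
REAL_PAGES = {
    "/default.aspx": "<html><body><h1>Portal</h1><form action='/login.aspx'>"
                     "user/pass</form></body></html>",
    "/login.aspx": "<html><body><h1>Sign in</h1><form method='post'>"
                   "<input name='user'></form></body></html>",
}
# Error page that echoes the requested path, as many "friendly" error pages do.
ERROR_TEMPLATE = ("<html><body><h1>Oops</h1><p>The page {path} does not exist.</p>"
                  "<p>Try the sitemap.</p></body></html>")


def catch_all_app(path: str) -> Response:
    """Constructed app of the kind Eoin and Daniel describe: HTTP 200 for everything."""
    if path in REAL_PAGES:
        return Response(200, REAL_PAGES[path])
    return Response(200, ERROR_TEMPLATE.format(path=path))


def strict_app(path: str) -> Response:
    """Constructed app that answers unknown paths with a real 404."""
    if path in REAL_PAGES:
        return Response(200, REAL_PAGES[path])
    return Response(404, ERROR_TEMPLATE.format(path=path))


# --- detection logic ------------------------------------------------------------------
def normalise(body: str, path: str) -> str:
    """Mask the requested path so error pages that echo it still compare equal."""
    return body.replace(path, "{PATH}")


def similarity(a: str, b: str) -> float:
    """0.0 (nothing in common) .. 1.0 (identical), via difflib's ratio."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def probe_baselines(fetch: Fetch, n: int = 2) -> List[Tuple[int, str]]:
    """Request n random paths that cannot exist and record what comes back."""
    out = []
    for _ in range(n):
        path = "/" + secrets.token_hex(8) + ".aspx"  # assumed to be absent on the target
        r = fetch(path)
        out.append((r.status, normalise(r.body, path)))
    return out


def is_catch_all(fetch: Fetch) -> bool:
    """True when nonexistent paths come back as 200: the status code is useless here."""
    return all(status == 200 for status, _ in probe_baselines(fetch))


def classify(fetch: Fetch, path: str, baselines: List[Tuple[int, str]],
             threshold: float = 0.9) -> str:
    """'not_found' for a real 404 or a 200 whose body matches the missing-page baseline."""
    r = fetch(path)
    if r.status == 404:
        return "not_found"
    body = normalise(r.body, path)
    for status, base_body in baselines:
        if status == 200 and similarity(body, base_body) >= threshold:
            return "not_found"  # soft 404: same template as a path that cannot exist
    return "found"


if __name__ == "__main__":
    for name, app in (("catch-all", catch_all_app), ("strict", strict_app)):
        base = probe_baselines(app)
        print(name, "catch-all:", is_catch_all(app),
              "/admin/backup.zip ->", classify(app, "/admin/backup.zip", base),
              "/login.aspx ->", classify(app, "/login.aspx", base))
```

A scanner that trusts the status code alone reports every probed path as present on the catch-all app; the body-similarity step is what separates a genuine page from the error template.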
>From: owasp-dotnet-request at lists.sourceforge.net
>Reply-To: owasp-dotnet at lists.sourceforge.net
>To: owasp-dotnet at lists.sourceforge.net
>Subject: Owasp-dotnet digest, Vol 1 #221 - 6 msgs
>Date: Mon, 12 Sep 2005 14:06:26 -0700
>
>
>Today's Topics:
>
> 1. About The ViewState Decoder Plugin For Fiddler
>(kerem.kusmezer at owasp.org)
> 2. Re: About The ViewState Decoder Plugin For Fiddler (Phillip Haydon)
> 3. Re: [Dailydave] Re: Hacking: As American as Apple Cider (Gadi
>Evron)
> 4. [Fwd: SPI Dynamics Wins Secure Enterprise Testers Choice] (Dinis
>Cruz)
> 5. DeveloperDeveloperDeveloper Day 2 (Dinis Cruz)
> 6. Re: [Fwd: SPI Dynamics Wins Secure Enterprise Testers Choice]
>(Daniel Cuthbert)
>
>--__--__--
>
>Message: 1
>Date: Mon, 12 Sep 2005 02:05:56 -0400 (EDT)
>From: kerem.kusmezer at owasp.org
>To: owasp-dotnet at lists.sourceforge.net
>Subject: [Owasp-dotnet] About The ViewState Decoder Plugin For Fiddler
>
>I have developed a custom plugin for Fiddler, which enables you to decode
>the ViewState on the fly.
>You can download the latest version with the source code from
>http://www.yazilimguvenligi.com/ViewStateplug.zip.
>Any comments and improvement ideas are welcome.
>
>P.S.: I have also developed a COM-compatible version of this, which
>enables you to call the decoder from any COM-compatible platform with
>.NET 1.1 installed.
>Also I have developed a JNDI interface for this which enables you to call
>it directly from Java, just passing the ViewState text into it.
>I am now uploading the COM-compatible version to the server.
>
>Sincerely Yours
>Izzet Kerem Kusmezer
>
>
>--__--__--
>
>Message: 2
>To: Owasp-dotnet at lists.sourceforge.net
>Subject: Re: [Owasp-dotnet] About The ViewState Decoder Plugin For Fiddler
>Date: Mon, 12 Sep 2005 19:24:33 +1200
>From: "Phillip Haydon" <naturalcause at orcon.net.nz>
>
>No offence, but why re-invent the wheel? There are already plenty of good
>ViewState decoders for each .NET framework...
>
>Phill
>
>
>--__--__--
>
>Message: 3
>Date: Mon, 12 Sep 2005 07:01:20 +0200
>From: Gadi Evron <ge at linuxbox.org>
>To: Dinis Cruz <dinis at ddplus.net>
>CC: dailydave at lists.immunitysec.com, owasp-dotnet at lists.sourceforge.net,
> owasp-leaders at lists.sourceforge.net, "Marcus J. Ranum"
><mjr at ranum.com>,
> Kyle.Quest at networkengines.com
>Subject: [Owasp-dotnet] Re: [Dailydave] Re: Hacking: As American as Apple
>Cider
>
> > 4) "Hacking is Cool"
> >
> > This section is the only one that I don't really agree with Marcus, and
> > I think the reason is because I have a different definition of Hacking.
> >
> > For me Hacking is a combination of: learning, research, solving puzzles,
> > perseverance, doing what is perceived to be impossible, advancing the
> > understanding of a particular problem, pushing the boundaries, thinking
> > outside of the box, being creative, reverse engineering a system, etc....
> >
> > ... in a single word Hacking = Creating (as in Inventing).
> >
> > Hacking for me is also what most Artists, Scientists and Engineers do.
> > This (I believe) is the original definition of hacking before it got
> > hijacked by the Media who define Hacking as criminal activity.
>
>Has anyone ever hacked real life?
>
>You know what I'm talking about and it is not social engineering nor
>reversing. Someone should collect some of these cool funny stories or
>"pranks" that always seem to be around us, put them in a book, and release.
>
> Gadi.
>
>--
>Available for consulting:
>+972-50-5428610 / ge at linuxbox.org.
>
>
>--__--__--
>
>Message: 4
>Date: Mon, 12 Sep 2005 21:44:49 +0100
>From: Dinis Cruz <dinis at ddplus.net>
>To: owasp-dotnet at lists.sourceforge.net
>Subject: [Owasp-dotnet] [Fwd: SPI Dynamics Wins Secure Enterprise Testers
>Choice]
>
>
>Any comments?
>
>Date: Mon, 12 Sep 2005 15:30:48 -0400 (EDT)
>From: SPI Dynamics <news at spidynamics.com>
>Subject: SPI Dynamics Wins Secure Enterprise Testers Choice
>Secure Enterprise Magazine chose SPI Dynamics WebInspect 5.5 as the Testers
>Choice product in a recent Web Application vulnerability scanner product
>review. Read the entire Secure Enterprise review at:
>http://www.spidynamics.com/assets/documents/SecureEnterprise_WI5.5_review.pdf
>
>To test your Web Application, download our complimentary 15-day product
>trial that delivers a comprehensive vulnerability report.
>
>
>
>WebInspect Enterprise Edition 5.5. delivers a complete enterprise solution
>for addressing security throughout the application lifecycle.
>
>--__--__--
>
>Message: 5
>Date: Mon, 12 Sep 2005 21:55:33 +0100
>From: Dinis Cruz <dinis at ddplus.net>
>To: owasp-dotnet at lists.sourceforge.net,
> owasp-london at lists.sourceforge.net
>Subject: [Owasp-dotnet] DeveloperDeveloperDeveloper Day 2
>
>
>I'm doing the following presentation on the next DDD conference
>(http://www.developerday.co.uk/ddd/default.asp) in Reading (UK)
>
>*"Attacking Web and Windows Applications*
>In this session multiple attack vectors will be shown covering a wide
>variety of vulnerabilities and exploits: Sql Injection (basic and
>advanced), XSS (session hijacking and remote command execution),
>Elevation of Privilege, Web Services exploitation, AJAX exploitation,
>Rootkits (user and kernel level), attacking fat-clients by hooking into
>windows functions (and patching applications in real time), dynamically
>manipulating .Net client applications, exploiting buffer overflows,
>exploiting IE vulnerabilities, exploiting Full Trust Asp.Net, attacking
>IIS, and, using MetaSploit to automate attacks (and exploit generation)."
>
>If you are going to attend, you can vote for the ones you want to see
>here: http://www.developerday.co.uk/ddd/votesessions.asp
>
>Thanks
>
>Dinis
>
>
>--__--__--
>
>Message: 6
>From: Daniel Cuthbert <daniel.cuthbert at owasp.org>
>Subject: Re: [Owasp-dotnet] [Fwd: SPI Dynamics Wins Secure Enterprise
>Testers Choice]
>Date: Mon, 12 Sep 2005 22:03:24 +0100
>To: owasp-dotnet at lists.sourceforge.net
>
>
>Loads.
>
>The reason it works is that it has loads of shiny buttons and the
>marketing department claims it to be the best.
>They only let you test it on their vulnerable web site, but anyone
>with a small sense can guess it's been designed to "find" all those holes.
>
>Easy tip for anyone wanting to totally stuff the automated scanners:
>make Apache/IIS return 200 OKs for EVERY request. This will make it
>light up like a Christmas tree for vulnerabilities found.
>
>
>--__--__--
>
>_______________________________________________
>Owasp-dotnet mailing list
>Owasp-dotnet at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/owasp-dotnet
>
>
>End of Owasp-dotnet Digest