[OWASP-BLR] FW: Application Security

jatinder pal singh jatin_libra at hotmail.com
Fri Aug 11 06:09:41 EDT 2006

Hi Cherian,
Thanks for sharing that article. It was an interesting one no doubt.
My 2 cents on this topic.
Ok, agreed that WebScarab has some impressive functions and Burp is really 
helpful as a proxy to intercept data. That article also talks of tools 
like AppScan which have hardly ever pushed any of the apps I've pen-tested.
AppScan in particular just throws up false positives upon false positives.
I work as a pen-tester for a bank and we've tried various tools to automate 
our pen-test process, and I've realised at the end of the day you need an 
experienced pen-tester.


>From: "Cherian Thomas" <cherian.in at gmail.com>
>Reply-To: "OWASP, Bangalore Chapter" 
><owasp-bangalore at lists.sourceforge.net>
>To: "OWASP, Bangalore Chapter" <owasp-bangalore at lists.sourceforge.net>
>Subject: Re: [OWASP-BLR] FW: Application Security
>Date: Fri, 11 Aug 2006 12:59:08 +0530
> > There are of course tools available for automated SQL and XSS testing, 
> > but my exp with these tools has been far from satisfactory.
> > Anyways you can contact me on jatin.libra at gmail.com if you want links to 
> > tools but I would suggest you to hire any of the professional 
> > out here to get your apps tested manually.
> > There are no shortcuts to Pen-Testing.
>If you are looking for tools I'd suggest you take a look at this
>    (this was posted on SecurityFocus)
>With regards
>Cherian Thomas,
>Mobile: 9886123849
