[Owasp-delhi] Tools for Web Server V A

Parthajit Panda Parthajit.Panda at gmrgroup.in
Thu Feb 18 22:00:43 EST 2010


Nessus is a network or host vulnerability scanner. For application security scanning you will need a Web Application Security Vulnerability Scanner (WASVS) such as IBM Rational AppScan or HP Webinspect.

Regards
Parthajit

From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Gautam Kapoor
Sent: Thursday, February 18, 2010 8:26 PM
To: suresh tiwary
Cc: shekhar.aryan at me.com; owasp-delhi at lists.owasp.org; vinodh.kiran at teaqtech.com
Subject: Re: [Owasp-delhi] Tools for Web Server V A

A good starting point would be

http://cirt.net/nikto2
Windows-based version
http://www.sensepost.com/research/wikto/

for IIS checklist you can start here.

http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=98

Regards
Gautam
On 18 February 2010 17:39, suresh tiwary <sureshtiwary at rediffmail.com> wrote:
Dear OWASP Delhi,

Thank you all for the good information, but I am still confused whether "NESSUS" is a web server vulnerability assessment tool or a Network Assessment tool.

Please suggest.

The situation is: I have to perform the V.A of IIS using a tool. So how do I start: use Nessus and proceed, or use any commercial tool? If a commercial tool, then which is the widely accepted commercial tool? An organization can't have multiple commercial tools, so suggest a few commercial tools that can perform web server V.A.

Also any checklist for IIS V.A ?

Thanks & regards,
Suresh

Note: Forwarded message attached

-- Original Message --

From: "Vinodh Kiran S" <vinodh.kiran at teaqtech.com>
To: sureshtiwary at rediffmail.com
Cc: neelu.tripathy at tcs.com, ra.shrivastava08 at gmail.com
Subject: FW: [Owasp-delhi] Tools for Web Server V A



Dear Suresh,

In continuation of the below recommendations from Rahul and Neelu, I just wanted to let you know that we represent Core Security (Providers of Core Impact), here in India.  The attached datasheet will give you a quick overview. I would like to know your thoughts on this. Please do contact me for any further assistance.

Good Day!

Regards,

Vinodh Kiran S |Sr. Manager - ECM | Cell: +91 (0) 9900247424


Teaq Technologies Pvt. Ltd.
#320, 6c Cross, OMBR Layout | Bangalore 560 043, INDIA |Telefax: +91 (80) 4161 2610



From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Neelu Tripathy
Sent: Wednesday, February 17, 2010 4:11 PM
To: suresh tiwary
Cc: owasp-delhi at lists.owasp.org; owasp-delhi-bounces at lists.owasp.org
Subject: Re: [Owasp-delhi] Tools for Web Server V A


Hi Suresh,

Apart from what Rahul suggested, you can also go for GFI Languard or Core Impact (both proprietary). For a better hands-on and/or manual assessment, try using Metasploit (open source), though that might be more on the PT side.


Regards,
Neelu Tripathy
Security Analyst,  TEG
Tata Consultancy Services
Mailto: neelu.tripathy at tcs.com

From: "suresh tiwary" <sureshtiwary at rediffmail.com>
To: <owasp-delhi at lists.owasp.org>
Date: 02/17/2010 11:46 AM
Subject: [Owasp-delhi] Tools for Web Server V A
Sent by: owasp-delhi-bounces at lists.owasp.org

________________________________



Issue: Tools for web server V A for IIS, Apache etc ?

Dear OWASP Delhi,

Can anyone provide complete and comprehensive information, sites of web server vulnerability assessment by manual method and by automated tools.

1. What are the free tools / open source tools actually and
practically used for web server V A ?

2. What are the commercial tools used for automated web server V A ?

3. How is a manual web server V A conducted ? Any checklist and the
practical process.

4. People can share their web server v a experience.

Thanks & regards,
Suresh


_______________________________________________
Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi
