[OWASP-TESTING] Peer Review!

Dan Cuthbert dan at idsec.com
Fri Dec 6 07:27:18 EST 2002


Actually, I was meaning to mail everyone asking what's happened to
Achilles. It is included on my list, but as Tom said, its website is now a
gibberish site.




On Thu, 2002-12-05 at 21:00, Tom Gallagher wrote:
> Achilles isn't made by @Stake.  I downloaded it from http://www.digizen-security.com, but that web site seems to display gibberish now.  
> 
> There are also other tools I can think of that aren't designed for security testing but are really useful.  For example, have you tried using SQL Profiler to find SQL injection bugs?  It is really helpful.
> 
> Not sure if you want to include these types of tools or not.
> 
> Tom
> 
> ---
> Tom Gallagher <tomgal at microsoft.com>
> Office QnS Security Team
> 
> 
> -----Original Message-----
> From: Mads Rasmussen [mailto:mads at opencs.com.br] 
> Sent: Thursday, December 05, 2002 11:44 AM
> To: David Endler
> Cc: owasp-testing at lists.sourceforge.net
> 
> 
> Hi David,
> 
> Here is a text for a description of our toolbag for testing web
> applications; it still needs improvement.
> 
> I will send it again included in the OpenOffice document as an appendix; I
> have some figures for the methodology as well, maybe tomorrow :)
> 
> Mads
> 
> --
> Appendix II - Toolbag
> 
> 1 - Test Tools
> The following items are part of the toolbag for tests of web
> applications. New tools can be added depending on needs, according to the
> toolbag updating methodology.
> The items are divided into references, company, tool and whether the license
> is commercial.
> 1.1. Assessment tools
> These tools are used to map the architecture of the application to be
> tested as well as its environment, scanning the hierarchy of available
> resources at the web server, examining the contents, and returning and
> reporting where problems might be.
> Virtual users could be used to simulate use of the site.
> Some tools listed will suggest solutions to encountered vulnerabilities.
> 1.1.1.  AtStake                WAP Assessment Tool
> 1.1.2.  AtStake                WebProxy
> 1.1.3.  ISECOM                 AssTool
> 1.1.4.  OSSTM                  Metis
> 1.1.5.  eEye                   Retina (commercial)
> 1.1.6.  ParaSoft               WebKing Box Testing (commercial)
> 1.2. Fuzzing
> These tools are used to carry out attacks based on variations in requests
> (random data).
> 1.2.1.  AtStake                Fuzzer
> 1.2.2.  AtStake                Fuzzer Server
> 1.3. Authentication
> Dictionary attacks (plus variations) and brute force against logins and
> passwords.
> 1.3.1.  OpenSource             Brutus
> 1.3.2.  Immunity Security      SPIKE
> 1.4. Cookie and HTTP Manipulation
> Man-in-the-middle attacks modifying the messages sent between the client
> and the server.
> 1.4.1.  Paessler               IE Booster (commercial)
> 1.4.2.  AtStake                Achilles
> 1.5. CGI Tests
> 1.5.1.  OpenSource             Nessus (CGI module)
> 1.5.2.  OpenSource             Whisker
> 1.6. Stress Tests
> Discover pages that load slowly and where high-traffic problems are
> encountered.
> 1.6.1.  Paessler               WebStress (commercial)
> 1.6.2.  ParaSoft               WebKing Load Testing
> 
> 1.7. Code Analysis
> These tools are used to identify bad programming techniques in various
> languages (such as Java, C/C++, Perl, PHP, Python etc.) in the case of white
> box testing.
> In the case of black/gray box testing, the functionality of the application
> is tested based on random inputs, pre- and post-conditions, and verification
> of time-limited values: the format of input, buffer overflows, TOCTOU
> (Time of Check, Time of Use), race conditions etc.
> 1.7.1.  AtStake                Feszer
> 1.7.2.  David Wheeler          FlawFinder
> 1.7.3.  Reliable Software      ITS4
> 1.7.4.  ISECOM                 Rats
> 1.7.5.  University of Virginia Splint
> 1.7.6.  Parasoft               JTest/C++Test
> 1.7.7.  Gerald Combs           Ethereal
> 1.7.8.  DeCafe Software        DeCafe
> 1.8. Session Auditing
> 1.8.1.  iDefense               Session Auditor
> 1.8.2.                         SPIKE
> 1.9. J2EE
> 1.9.1.  AdventNet              QEngine
> 1.10. Tools for Training
> These tools are used for training the skills needed to attack web
> applications as well as to test new tools.
> 
> 1.10.1. OWASP                  WebGoat
> 1.10.2. OWASP                  WebMaven Buggy Bank
> 
> --
> 
> Mads Rasmussen
> Open Communications Security
> +55(11)3345-2525
> 
> 
> > -----Original Message-----
> > From: David Endler [mailto:DEndler at iDefense.com]
> > Sent: Tuesday, 3 December 2002 15:52
> > To: 'owasp-testing at lists.sourceforge.net'
> > Subject: [OWASP-TESTING] Peer Review!
> > 
> > OK folks, here it is, the latest and greatest version of the OWASP Testing
> > Methodology: http://www.owasp.org/testing/TestingPeerReview0.6.sxw .
> > 
> > Please take some time to rip into it and get me your document copy with
> > edits by Monday December 9th.  No section is out of bounds, please feel
> > free to add, delete, or modify content, structure, graphics, and
> > style/grammar.
> > 
> > To edit this document, download OpenOffice from
> > http://www.openoffice.org/dev_docs/source/download.html
> > Make sure you enter your name in the installation for editing purposes.
> > After you open the document, please click on
> > 
> > Edit->Changes->Record and
> > Edit->Changes->Show
> > 
> > and edit away! Thanks again for your efforts and contributions so far to
> > this project.  There are many people in industry anxiously awaiting our
> > first cut at this, believe it or not, and a small buzz has developed
> > surrounding this project.  This document is also going to be well
> > integrated with the webgoat project so that real live examples of testing
> > techniques can be illustrated.  Please make the effort to provide
> > meaningful feedback and edits by Monday, thanks.  Please email me with any
> > questions or technical difficulties.
> > 
> > -dave
> > 
> > 
> > 
> > -------------------------------------------------------
> > This SF.net email is sponsored by: Microsoft Visual Studio.NET
> > comprehensive development tool, built to increase your
> > productivity. Try a free online hosted session at:
> > http://ads.sourceforge.net/cgi-bin/redirect.pl?micr0003en
> > _______________________________________________
> > owasp-testing mailing list
> > owasp-testing at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/owasp-testing
> 
> 
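Tom's remark above about finding SQL injection with SQL Profiler (watch the statements as the database actually executes them, rather than guessing from the HTTP side) is worth a worked illustration. What follows is an added example and not code from any message in this thread or from the OWASP project: it uses Python's sqlite3 statement trace callback as a stand-in for SQL Profiler, sends a probe string through two hypothetical login implementations (one that concatenates input into SQL, one that binds parameters) and reports any executed statement in which the probe appears verbatim. The schema, the sample users, the two login functions and the probe string are all constructed for the example.

```python
import sqlite3

# Constructed sample schema and data for this example (not from the thread).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users (username, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2');
"""

# Probe string. It is chosen so that, if it is pasted into SQL text, the
# resulting statement is still syntactically valid (so it reaches execution,
# and therefore the trace) while changing the query's logic.
MARKER = "zz' OR 'x'='x"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_concat(conn, username, password):
    """Hypothetical, deliberately vulnerable login: input is formatted into SQL."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """Hardened counterpart: bound parameters, so input never becomes SQL text."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def trace_queries(login, username, password):
    """Run `login` under a statement trace and return (result, executed_sql).

    sqlite3.Connection.set_trace_callback plays the role SQL Profiler plays
    for SQL Server: it hands us every statement as the engine starts executing
    it. A probe that breaks the SQL raises before execution, so the error is
    kept as the result; that is itself evidence of string building.
    """
    conn = open_db()
    executed = []
    conn.set_trace_callback(executed.append)
    try:
        result = login(conn, username, password)
    except sqlite3.Error as exc:
        result = exc
    finally:
        conn.set_trace_callback(None)
        conn.close()
    return result, executed


def find_injection(login, marker=MARKER):
    """Return the executed statements that contain the probe verbatim.

    A non-empty list means the input was spliced into SQL text: a finding.
    With a bound parameter the trace shows either a '?' placeholder or
    (Python 3.11+) the escaped literal with its quotes doubled; neither
    matches the probe.
    """
    _, executed = trace_queries(login, marker, marker)
    return [stmt for stmt in executed if marker in stmt]


if __name__ == "__main__":
    for name, login in (("login_concat", login_concat), ("login_param", login_param)):
        hits = find_injection(login)
        print(f"{name}: {'INJECTABLE' if hits else 'clean'}")
        for stmt in hits:
            print("   executed:", stmt)
```

The probe is deliberately valid SQL when spliced in, because a syntax error would abort at prepare time and never reach the trace; on a real engine the Profiler trace would show the failed statement, but the logic above treats the raised error as a finding as well. The same workflow transfers directly to SQL Profiler: submit a distinctive probe through the web application and search the captured batch text for it.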




