[OWASP-TESTING] Testing Project: Phase II

Daniel Daniel at deeper.co.za
Wed Jan 19 11:40:30 EST 2005


This has got me thinking now about other guides we should include.
How many people here use SPIKE (the fuzzer, not the proxy) when performing
app tests?

Also, maybe we should include a section on using proxies?



>
>> there was a fair amount of talk about adding tools such as
>> nikto/nmap and nessus to this document previously, but I'm
>> happy to open it up again
>> nikto does have some good points and with ver 2 in
>> development, yeah I can see it needing to be in there.
>
>
> I am less familiar with Nikto, but we use Nessus extensively and we have
> found that it has a good deal of overlap (for web application deployment
> configuration management) with some of the expensive and proprietary
> tools like Kavado in that it does checks for some versioning and
> configuration issues for web servers (default apps, IIS .dlls available,
> etc)
>
> For the purposes of the OWASP testing guide I would imagine that ports
> 80 and 443 would be the dividing line between the output we "care" about
> from tools like Nessus, Nikto and nmap.  I suppose there are
> recommendations that go beyond that (don't run mail from the same server
> that you run web from, etc) but that would put the guide on a slippery
> slope that will probably outpace the community's ability to develop and
> maintain relevant content.  Also, in-depth host-level security
> recommendations should be readily available from other sources.
>
>
>> For a list which has over 70 people subscribed, it's pretty
>> silent in here?
>
>
> That's a fair estimation.  This is my first post and I've been lurking
> for a while...
>
> So in the interest of putting my money (time) where my mouth is I will
> volunteer to write a "Using Nessus for Application Security Testing"
> section for the Part II Testing Guide.  My caveat is that my schedule is
> a complete disaster until mid February, so I probably won't have it
> finished until late/end of February.  As long as that works for everyone
> I will put this in my calendar.
>
> Thanks,
>
>
> Dan
>
>