[OWASP-TESTING] Testing Project: Phase II

Ferruh Mavituna ferruh at mavituna.com
Wed Jan 19 14:43:40 EST 2005


Hi (here is another lurker),


> This has got me thinking now about other guides we should include.
> How many people here use SPIKE (the fuzzer, not the proxy) when performing
> app tests?

I was using WebProxy (@stake); it includes a fuzzer and some other useful
tools.


> Also, maybe we should include a section on using proxies?
I think it's a good idea to write about the general proxy concept for
penetration testers. Also, there is another nice tool for simple penetration
testing: "Mini Browser".

Currently it's an application integrated with Website Watcher
(http://www.aignes.com/ ), a small browser which uses IE, and you can modify
requests/cookies etc. on the fly. Maybe we should explain the basic types of
tools (proxies, fuzzers, browsers, browser-based extensions like Firefox
LiveHeaders, etc.) with some samples.

If readers can understand these tool categories, there is no need to tell
them about usage; most of them are really easy to use.


Best Regards,
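The "modify requests/cookies on the fly" behaviour the message attributes to Mini Browser, and the general intercepting-proxy concept it proposes documenting, as an added example written for this page (not code from the original post, from WebProxy, Mini Browser or any other tool named in the thread). It parses a raw HTTP/1.1 request, applies tester-chosen rewrite rules (cookie, query parameter, header), re-serializes it, and, when run directly, listens on 127.0.0.1:8080 and forwards the rewritten request to the Host header's server. The bind address, the cookie name "session", the parameter "debug" and the header "X-Intercepted" are assumptions chosen for illustration; the sample request in the comments is constructed.

```python
"""Minimal intercepting-proxy core (added example; not from the original post).

parse_request / serialize handle the wire format; rewrite() holds the rules a
tester edits. serve() wires it to sockets for a browser configured to use
127.0.0.1:8080 as its HTTP proxy (assumed address, plain HTTP only)."""
from __future__ import annotations
import socket
import threading
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


@dataclass
class Request:
    method: str
    target: str          # origin-form (/path?q) or absolute-form (http://h/path) as sent by a proxy client
    version: str
    headers: list[tuple[str, str]] = field(default_factory=list)  # order preserved on output
    body: bytes = b""

    def get(self, name: str) -> str | None:
        for k, v in self.headers:
            if k.lower() == name.lower():
                return v
        return None

    def set(self, name: str, value: str) -> None:
        # Header names are case-insensitive: replace in place, else append.
        for i, (k, _) in enumerate(self.headers):
            if k.lower() == name.lower():
                self.headers[i] = (k, value)
                return
        self.headers.append((name, value))


def parse_request(raw: bytes) -> Request:
    """Split request line, header lines and body of one raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return Request(method, target, version, headers, body)


def serialize(req: Request) -> bytes:
    """Re-emit the request; Content-Length is recomputed so body edits stay consistent."""
    if req.body:
        req.set("Content-Length", str(len(req.body)))
    lines = [f"{req.method} {req.target} {req.version}"]
    lines += [f"{k}: {v}" for k, v in req.headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + req.body


def set_cookie(req: Request, name: str, value: str) -> Request:
    """Replace or add one cookie in the Cookie header, keeping the others."""
    jar: dict[str, str] = {}
    for part in (req.get("Cookie") or "").split(";"):
        if "=" in part:
            k, _, v = part.strip().partition("=")
            jar[k] = v
    jar[name] = value
    req.set("Cookie", "; ".join(f"{k}={v}" for k, v in jar.items()))
    return req


def set_query_param(req: Request, name: str, value: str) -> Request:
    """Replace or add one query-string parameter in the request target."""
    parts = urlsplit(req.target)
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    q[name] = value
    req.target = urlunsplit(parts._replace(query=urlencode(q)))
    return req


def rewrite(req: Request) -> Request:
    """The tester's rules. Names below are constructed for this example:
    e.g. GET /login?user=bob with 'Cookie: lang=en; session=abc' becomes
    GET /login?user=bob&debug=1 with 'Cookie: lang=en; session=attacker-chosen'."""
    set_cookie(req, "session", "attacker-chosen")
    set_query_param(req, "debug", "1")
    req.set("X-Intercepted", "yes")
    return req


def handle(client: socket.socket) -> None:
    """Read one request, rewrite it, forward it to the Host header's server, relay the reply.
    Demo simplification: assumes one request per connection that fits in a single recv."""
    raw = client.recv(65536)
    if not raw:
        client.close()
        return
    req = rewrite(parse_request(raw))
    hostname, _, port = (req.get("Host") or "").partition(":")
    with socket.create_connection((hostname, int(port or 80))) as upstream:
        upstream.sendall(serialize(req))   # origin servers must accept absolute-form targets too
        while chunk := upstream.recv(65536):
            client.sendall(chunk)
    client.close()


def serve(bind: tuple[str, int] = ("127.0.0.1", 8080)) -> None:
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen()
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The parse/serialize split is the whole point of the tool category: once a request is a mutable object between the browser and the server, any test (swapping a session cookie, adding a hidden debug parameter, tampering with a POST body) is an edit to `rewrite()` rather than a new tool. A real proxy would additionally handle HTTPS via CONNECT, keep-alive and chunked bodies, which this example omits.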

> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net [mailto:owasp-testing-
> admin at lists.sourceforge.net] On Behalf Of Daniel
> Sent: Wednesday, January 19, 2005 6:41 PM
> To: owasp-testing at lists.sourceforge.net
> Subject: RE: [OWASP-TESTING] Testing Project: Phase II
> 
> This has got me thinking now about other guides we should include.
> How many people here use SPIKE (the fuzzer, not the proxy) when performing
> app tests?
> 
> Also, maybe we should include a section on using proxies?
> 
> 
> 
> >
> >> There was a fair amount of talk about adding tools such as
> >> nikto/nmap and nessus to this document previously, but I'm
> >> happy to open it up again.
> >> nikto does have some good points and with ver 2 in
> >> development, yeah I can see it needing to be in there.
> >
> >
> > I am less familiar with Nikto, but we use Nessus extensively and we have
> > found that it has a good deal of overlap (for web application deployment
> > configuration management) with some of the expensive and proprietary
> > tools like Kavado in that it does checks for some versioning and
> > configuration issues for web servers (default apps, IIS .dlls available,
> > etc.)
> >
> > For the purposes of the OWASP testing guide I would imagine that ports
> > 80 and 443 would be the dividing line between the output we "care" about
> > from tools like Nessus, Nikto and nmap.  I suppose there are
> > recommendations that go beyond that (don't run mail from the same server
> > that you run web from, etc.) but that would put the guide on a slippery
> > slope that will probably outpace the community's ability to develop and
> > maintain relevant content.  Also, in-depth host-level security
> > recommendations should be readily available from other sources.
> >
> >
> >> For a list which has over 70 people subscribed, its pretty
> >> silent in here?
> >
> >
> > That's a fair estimation.  This is my first post and I've been lurking
> > for a while...
> >
> > So in the interest of putting my money (time) where my mouth is I will
> > volunteer to write a "Using Nessus for Application Security Testing"
> > section for the Part II Testing Guide.  My caveat is that my schedule is
> > a complete disaster until mid February, so I probably won't have it
> > finished until late/end of February.  As long as that works for everyone
> > I will put this in my calendar.
> >
> > Thanks,
> >
> >
> > Dan
> >
> >
> _______________________________________________
> > owasp-testing mailing list
> > owasp-testing at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/owasp-testing
> >
