[Owasp-testing] Maltego

christian.heinrich at cmlh.id.au christian.heinrich at cmlh.id.au
Mon Jul 14 19:40:35 EDT 2008


Pavol,

The context of "Information Gathering" is different when you apply it to Web
Application Security Testing compared to the Reconnaissance Phase of a
(Network and Host) Penetration Test of which Maltego applies to the latter.

Specifically, in the context of Web Application Security Testing the process
is focused on the /robots.txt and the associated robots <meta> tags and the
Crawler/Robot/Spider adhering to these controls.

I agree that Maltego should be documented somewhere but I disagree that the
OWASP Testing Guide is the appropriate document.


Regards,
Christian Heinrich
OWASP Individual Member
http://www.linkedin.com/in/ChristianHeinrich

-----Original Message-----
From: Pavol Luptak [mailto:pavol.luptak at nethemba.com] 
Sent: Tuesday, 1 July 2008 12:55 AM
To: owasp-testing at lists.owasp.org
Cc: christian.heinrich at cmlh.id.au
Subject: Re: [Owasp-testing] v3 - 1st Draft of "Search Engine Discovery"

Hi,
during "Information Gathering" phase I use sophisticated search/mining and
correlation system Maltego http://www.paterva.com/maltego/ 
(I have no relation with that company!) 
But this tool significantly helps me in "completely passive" discovery 
(reveals a lot of mobile numbers, addresses, contacts, real owners of
audited 
web site etc.)

I think this kind of tools should be mentioned in "Information Gathering"
phase of the testing guide, because they are really helpful.

And for all, do you know any opensource alternative of this tool
(ok, there is a community version of Maltego 
http://www.paterva.com/maltego/community-edition/, but quite limited)

Thanks and regards,

Pavol

On Tue, Jul 01, 2008 at 12:04:22AM +1000, christian.heinrich at cmlh.id.au
wrote:
> Matteo,
> 
> I have completed the draft transfer of the content relevant to Google from
> the "Spidering and googling" section of v2.
> 
> The draft can be viewed at
> https://www.owasp.org/index.php/Testing:_Search_engine_discovery and I
have
> incorporated reference to other Search Engines, such as Live Search, etc.
> 
> 
> Regards,
> Christian Heinrich
> OWASP Individual Member
> http://www.linkedin.com/in/ChristianHeinrich
>  
> 
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing





More information about the Owasp-testing mailing list