Security Basics mailing list archives

RE: Web Application Testing


From: "Darren Webb" <spyder007 () charter net>
Date: Wed, 9 May 2007 22:10:30 -0500

All,

I learned a lot on this site. http://www.hackthissite.org/ 

If you wish to contain your testing to your local network, then I would
suggest
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/hacmecasino.htm
or this http://www.quakenbush.com/node/6 or this
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project .

When I started really doing app security these sites helped me immensely not
only in learning/testing the suites but in learning some of the concepts
behind the suite and app security in general.

(Note: I tested all of the suites you are looking at and I found that
Hailstorm was the best for us. No, I don't work for them but they are great
people to work with.)

Darren


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of M. Groen
Sent: Wednesday, May 09, 2007 1:43 AM
To: Fabio Cerullo
Cc: Chris Barber; security-basics () securityfocus com
Subject: Re: Web Application Testing


Thanks for the clear explanation.

One other question, does anyone happen to know if there are sites on which
you can try "pen testing" products, like WebInspect, or Hailstorm? I mean a
"playground" on which it is allowed to do pen-testing (and make mistakes)?

Mathijs


Thank you very much for the feedback. It is really much appreciated.

I will go after Chris' suggestion (SpyDynamics) if budget allows it.

Mesut, have you tried Acunetix Vulnerability Scanner?

Thanks again,

Fabio

On 5/8/07, Chris Barber <cmbarber () gmail com> wrote:
SpyDynamics has a package that does just what you described.  I have
used it in the past and it works great.  In fact, I used it on a COTS
package that my company was thinking about using and we found a huge
flaw in the way it handled userids and passwords.  We notified the
publisher and they were non-believers until we demoed the flaw to
them in person.  They fixed the problem immediately, and we eventually
did buy the package, after a retest with SpyDynamics' tool.

Chris.

On 5/8/07, Fabio Cerullo <fcerullo () gmail com> wrote:
Hello all,

is there any guide/tool which could help someone to do a web 
application security assessment?

I mean... an automated tool that you could fire against the app. 
and will give you a report or some kind of checklist to go through 
in order to reinforce security.

I remember from the old days having used Webtrends but I don't know if
there is something new in the market.

Any help will be really appreciated.

Thank you very much.

Fabio
