Security Basics mailing list archives
RE: Web Application Testing
From: "Darren Webb" <spyder007 () charter net>
Date: Wed, 9 May 2007 22:10:30 -0500
All,

I learned a lot on this site. http://www.hackthissite.org/

If you wish to contain your testing to your local network, then I would suggest
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/hacmecasino.htm
or this http://www.quakenbush.com/node/6
or this http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project .

When I started really doing app security these sites helped me immensely, not only in learning/testing the suites but in learning some of the concepts behind the suite and app security in general.

(Note: I tested all of the suites you are looking at and I found that Hailstorm was the best for us. No, I don't work for them, but they are great people to work with.)

Darren

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of M. Groen
Sent: Wednesday, May 09, 2007 1:43 AM
To: Fabio Cerullo
Cc: Chris Barber; security-basics () securityfocus com
Subject: Re: Web Application Testing

Thanks for the clear explanation.

One other question: does anyone happen to know if there are sites on which you can try "pen testing" products, like WebInspect or Hailstorm? I mean a "playground" on which it is allowed to do pen-testing (and make mistakes)?

Mathijs
Thank you very much for the feedback. It is really much appreciated. I will go after Chris's suggestion (SpyDynamics) if budget allows it.

Mesut, have you tried Acunetix Vulnerability Scanner?

Thanks again,
Fabio

On 5/8/07, Chris Barber <cmbarber () gmail com> wrote:

SpyDynamics has a package that does just what you described. I have used it in the past and it works great. In fact, I used it on a COTS package that my company was thinking about using and we found a huge flaw in the way it handled userids/passwords. We notified the publisher and they were non-believers until we demoed the flaw to them in person. They fixed the problem immediately, and we eventually did buy the package, after a retest with SpyDynamics' tool.

Chris.

On 5/8/07, Fabio Cerullo <fcerullo () gmail com> wrote:

Hello all,

Is there any guide/tool which could help someone to do a web application security assessment? I mean... an automated tool that you could fire against the app. and will give you a report or some kind of checklist to go through in order to reinforce security. I remember from the old days having used Webtrends, but I don't know if there is something new in the market.

Any help will be really appreciated. Thank you very much.

Fabio
Current thread:
- Web Application Testing Fabio Cerullo (May 08)
- Re: Web Application Testing phillip () cryptolife org (May 08)
- Re: Web Application Testing Chris Barber (May 08)
- Re: Web Application Testing Fabio Cerullo (May 08)
- Re: Web Application Testing M. Groen (May 09)
- RE: Web Application Testing Darren Webb (May 09)
- Re: Web Application Testing Fabio Cerullo (May 08)
- <Possible follow-ups>
- FW: Web Application Testing winsoc (May 10)