PaulDotCom mailing list archives

Steps taken During a Web App Pentest


From: j2mccluggage at adelphia.net (Jody & Jennifer McCluggage)
Date: Tue, 9 Jun 2009 22:53:00 -0400

I second that.  I have found it helpful to propagate via group policy
self-signed certs that are used for internal apps only.  That avoids the
issue of teaching your users that it is ok to walk through cert errors.  I
have also found that helpful in dealing with 3rd-party applications that use
a self-signed cert (where it is not possible to replace with a 3rd party
cert).  That way if I am getting a cert error when accessing them, I know
that something is wrong.

 

Jody

 

  _____  

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Jason Wood
Sent: Monday, June 08, 2009 4:37 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Steps taken During a Web App Pentest

 

Just to add another option to the SSL cert...

If you need to do a self-signed cert and are using Active Directory, you can
also add the CA cert to the trusted CA repository in the domain then
replicate it to all your users using group policy.  It is then a trusted
cert and the users don't get a pop-up telling them it is a bad cert.
That only works for IE though and not FF.  FF still needs to have the CA
cert added to its own trusted CA repository.  Kind of a bummer.

Jason
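Added example, not from any poster in this thread: the approach Jason and Jody describe works because the clients trust one private CA cert (pushed by group policy or imported into Firefox's own store) rather than each individual self-signed leaf. The script below uses openssl to build such a private CA, sign a server cert for the Apache host the original poster wants to put behind SSL, and then checks both that CA-signed cert and a bare self-signed cert against the CA alone, so the difference the thread is talking about is visible. It assumes openssl 1.1.1 or newer is on PATH; the host name, CA name and ./pki directory are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + CA-signed server cert vs.
# a bare self-signed cert, verified against the CA cert only.
# Assumes openssl >= 1.1.1 on PATH. Names below are placeholders.
set -eu

WORK="${WORK:-./pki}"
HOST="${HOST:-training.example.edu}"

make_pki() {
    mkdir -p "$WORK"
    # 1. Private CA. This is the only cert that needs to reach the clients
    #    (trusted root store via GPO, or Firefox's own CA store).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example University Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # 2. Server key and CSR for the Apache host.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    # 3. Server cert signed by the CA, with a SAN so browsers that ignore
    #    the CN still match the host name.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" \
        > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 825 -extfile "$WORK/ext.cnf" -out "$WORK/server.crt" 2>/dev/null
    # 4. For contrast: a plain self-signed leaf, the kind that trains users
    #    to click through warnings because nothing the clients trust signed it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 -subj "/CN=$HOST" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null
}

# verify_with_ca CERT: prints "ok" if CERT chains to ca.crt, else "fail".
# This mirrors what a client that trusts only ca.crt will decide.
verify_with_ca() {
    if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_pki
echo "CA-signed server cert: $(verify_with_ca "$WORK/server.crt")"      # ok
echo "Bare self-signed cert:  $(verify_with_ca "$WORK/selfsigned.crt")"  # fail
```

ca.crt is what gets distributed; server.key and server.crt go into the Apache SSLCertificateKeyFile / SSLCertificateFile settings, and ca.key stays offline. Because only the CA is trusted, a cert error on an internal app afterwards really does mean something is wrong, which is Jody's point above.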



On Mon, Jun 8, 2009 at 1:19 PM, Michael McGrew <mmcgrew1 at mail.csuchico.edu>
wrote:

Why not get a proper cert for around $40 instead of teaching your users that
it's OK to accept self-signed certs, leaving them more prone to a phishing
or MITM attack?

 

On Mon, Jun 8, 2009 at 7:30 AM, <infolookup at gmail.com> wrote:

Thanks for the feedback so far. Anyone else want to state what testing
framework or tools they are using, preferably open source?

Once I finish the initial testing my next steps will be to lock it down and
configure some sort of self-signed cert for Apache to use SSL instead of the
native HTTP for starters.

Sent from my Verizon Wireless BlackBerry

  _____  

From: Johan Peder M?ller 
Date: Mon, 8 Jun 2009 15:53:49 +0200
To: <infolookup at gmail.com>; PaulDotCom Security Weekly Mailing
List<pauldotcom at mail.pauldotcom.com>
Subject: Re: [Pauldotcom] Steps taken During a Web App Pentest

Hi

Given your "no budget" constraint, I'd go with something like OWASP Live CD
(http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project).

If you have a basic understanding of how web apps work, and how to attack
them, this should give you a starting point. As for the completeness of the
scanning I can't say. I myself am in the process of evaluating.

rgds
Johan M?ller



On Sat, Jun 6, 2009 at 8:55 PM, <infolookup at gmail.com> wrote:

Hello All:

I am tasked with doing a basic web app pentest of a server that we are about
to give external users access to.

Background:

I work for a university: no security department, no budget to hire an auditor.

We are about to put one of our training servers on our DMZ so that faculty
and staff members can access it from home for Microsoft and other
application video tutorials.


Since my boss is aware that I am interested in infosec I was given the green
light to test the app/server and report back anything that can aid in
locking it down.

Question:

Since there are so many tools and ways to go about this, I would like to know
how others go about a web app pentest; you don't have to give away any trade
secrets  :)-.

I am just looking for an efficient way to go about this!


Specs:

OS: Windows 2003 running in VMware ESX 3.5.

Application:  Training package, with a bundled Windows version of a LAMP
setup.

Access Method: HTTP.

Thanks in advance.
Sent from my Verizon Wireless BlackBerry
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
