Penetration Testing mailing list archives
Re: Manday for Web Pentest
From: "Andre Gironda" <andreg () gmail com>
Date: Wed, 4 Jun 2008 05:10:13 -0700
On Tue, Jun 3, 2008 at 4:55 AM, Pete Herzog <lists () isecom org> wrote:
> Anyone interested in working with us to create a tool that will do the SCARE method for use on web apps, let me know. I think it would make for an interesting crawler that gives the attack surface as a result.

Pete,

First of all, you should question:
1) How much coverage is necessary
2) How to appropriately address coverage issues
3) Other scoping issues

My suggestion is to use FireEye: http://csrc.nist.gov/groups/SNS/acts/download/

Also - can I nominate people for your webapp SCARE crawler project?
1st choice: Alexander Sotirov, i.e. http://recon.cx/2008/speakers.html#xss
2nd choice: Andrew Petukhov and Dmitry Kozlov, i.e. http://www.owasp.org/images/3/3e/OWASP-AppSecEU08-Petukhov.pdf
3rd choice: Matias Madou, i.e. http://www.owasp.org/images/d/d3/AppSecEU08_Dynamic_Taint_Propagation_OWASP.ppt

Another question to add into the mix here (for web applications): how do you determine whether you want to do a code review (and to what degree of automation) or an automated black-box scan (and to what degree this should be manual)? Let's say 3 MLOC or 300 websites. Which method is faster? Which tools even scale to meet these requirements?

Cheers,
Andre
Current thread:
- Re: Manday for Web Pentest Joseph McCray (Jun 02)
- <Possible follow-ups>
- Re: Manday for Web Pentest Pete Herzog (Jun 03)
- Re: Manday for Web Pentest Andre Gironda (Jun 04)