Penetration Testing mailing list archives

Re: OWASP Top 10 penetration testing software?


From: psiinon <psiinon () gmail com>
Date: Mon, 5 Mar 2012 11:17:27 +0000

Hi Zaki,

In this case I was referring to automated scanners, which won't detect
everything :)

Yes, penetration testing can find things like insecure cryptographic storage.
However to be sure you really need to have access to the servers (esp
databases) and the source code.

Cheers,

Simon

(Resent without formatting;)


On Mon, Mar 5, 2012 at 11:00 AM, Zaki Akhmad <zakiakhmad () gmail com> wrote:

On Wed, Feb 29, 2012 at 3:44 AM, psiinon <psiinon () gmail com> wrote:

Hi,

You should be careful with scanners that claim to test "the OWASP Top Ten".
For example, "Insecure Cryptographic Storage" is one of the OWASP Top
Ten but this is typically only detectable server side, so no web app
scanner will find it :)

So Simon, a penetration test won't cover all?

The simplest test case for this insecure cryptographic storage is by
requesting a forgot password. If the web application sends your
password in clear text, then you found the issue.

--
Zaki Akhmad
OWASP Indonesia

--
OWASP ZAP: Toolsmith Tool of the Year 2011
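The point made above, that insecure cryptographic storage is only confirmed server side, comes down to looking at how the users table actually stores credentials once you have database access. The script below is an added example, not code from either poster or from OWASP ZAP; it assumes the rows were pulled from a users table with a `password` column (the sample rows are constructed) and classifies each value by shape: stored as typed, an unsalted fast hex digest (MD5/SHA-1/SHA-256), or a purpose-built password hash in modular-crypt/PHC format (bcrypt, scrypt, argon2, PBKDF2). Only the last group passes.

```python
"""Server-side audit of how a users table stores passwords (added example).

Given rows from the application's own database, label each stored credential
by its shape and report every user whose password is not protected by a
salted, slow, purpose-built password hash.
"""
import hashlib
import re

# Modular-crypt / PHC prefixes that identify a password-hashing function.
STRONG_PREFIXES = {
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$argon2i$": "argon2", "$argon2d$": "argon2", "$argon2id$": "argon2",
    "$scrypt$": "scrypt", "$7$": "scrypt",
    "$pbkdf2-sha256$": "pbkdf2", "$pbkdf2-sha512$": "pbkdf2", "$pbkdf2$": "pbkdf2",
}

# Hex digest lengths of the fast, unsalted hashes commonly misused for passwords.
FAST_HEX_DIGESTS = {32: "unsalted-md5", 40: "unsalted-sha1", 64: "unsalted-sha256"}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_storage(value: str) -> str:
    """Return a label describing how one stored password value was produced."""
    for prefix, name in STRONG_PREFIXES.items():
        if value.startswith(prefix):
            return name
    if HEX_RE.match(value) and len(value) in FAST_HEX_DIGESTS:
        return FAST_HEX_DIGESTS[len(value)]
    # Anything else is most likely the password itself, or an encoding the
    # auditor still has to inspect by hand; either way it is a finding.
    return "plaintext-or-unknown"


def is_acceptable(label: str) -> bool:
    """Only salted, slow, purpose-built password hashes pass the audit."""
    return label in {"bcrypt", "argon2", "scrypt", "pbkdf2"}


def audit_user_table(rows):
    """Return (findings, summary).

    findings: list of (username, label) for every unacceptable stored value.
    summary:  count of rows per label, for the report.
    """
    findings = []
    summary = {}
    for row in rows:
        label = classify_storage(row["password"])
        summary[label] = summary.get(label, 0) + 1
        if not is_acceptable(label):
            findings.append((row["username"], label))
    return findings, summary


# Constructed sample rows (not real data) standing in for a SELECT on a users table.
SAMPLE_USERS = [
    {"username": "alice", "password": "Summer2012!"},                          # stored as typed
    {"username": "bob",   "password": hashlib.md5(b"password").hexdigest()},    # unsalted MD5
    {"username": "carol", "password": hashlib.sha1(b"letmein").hexdigest()},    # unsalted SHA-1
    {"username": "dave",  "password": "$2b$12$" + "x" * 53},                    # bcrypt-shaped
    {"username": "erin",  "password": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA"},
]

if __name__ == "__main__":
    findings, summary = audit_user_table(SAMPLE_USERS)
    for username, label in findings:
        print(f"FINDING: {username}: {label}")
    print("summary:", summary)
```

Shape-based classification is deliberately conservative: a value that matches no known format is reported rather than assumed safe, because an auditor with source access should then confirm in the code which function wrote that column. The forgot-password check from the thread remains a useful black-box signal, but it only tells you the password was recoverable, not which of the storage defects above caused it.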
