Security Basics mailing list archives
Re: apache-tomcat
From: Alcides <alcides.hercules () gmail com>
Date: Fri, 25 Aug 2006 11:43:14 +0530
Hi List,

I have conducted a web vulnerability scan using Acunetix 4. It's showing me some alerts in RED/ORANGE and BLUE.

RED:
1. "Script sourcecode disclosure", and on expanding, points to some subdirectory on the webserver.
2. "sql injection", and on expanding, points to some subdirectory on the webserver.
3. "cross site scripting", and on expanding, points to some files in some subdirectories on the webserver that have the .jsp extension.

ORANGE:
1. "cookie manipulation", and again on expanding, points to some files in some subdirectories on the webserver that have the .jsp extension.

BLUE:
~I have fixed these.

NOW my question to the whole list is: How can I go for a pen-test with respect to the above alerts? How can I carry out XSS and SQL injection attacks in this scenario?

All suggestions are appreciated.

Warm regards and thanks in advance.

On 8/16/06, Luis E. Alvarado Day <lalvarado () frro utn edu ar> wrote:
Acunetix Web Vulnerability Scanner 3 has a good directory check list. If you try it, please let me know which of Acunetix or Nessus has better dir discovery performance.

Luis Alvarado Day
www.leadsi.com.ar
Rosario | Argentina

-----Original Message-----
From: Alcides [mailto:alcides.hercules () gmail com]
Sent: Wednesday, 16 August 2006 05:21 a.m.
To: security-basics () securityfocus com
Subject: apache-tomcat

Hi list,

I wish to test how secure my tomcat server (http://xxx.yyy.zzz.qqq:8080) is. I have a tomcat server, Apache-Coyote/1.1, with a default install. I tried basic things like default usernames/passwords. I tried a nessus scan. I tried a nikto scan also. It revealed some of the directories present on the server side, but not all.

Now,
1. Can anyone tell me about a tool to discover all the accessible directories on the server/webserver?
2. What more can be tried to test the security of the above server?

Thanks in advance.
Current thread:
- apache-tomcat Alcides (Aug 16)
- RE: apache-tomcat Luis E. Alvarado Day (Aug 17)
- Message not available
- Re: apache-tomcat Alcides (Aug 17)
- Message not available
- Re: apache-tomcat Alcides (Aug 25)