Steps taken During a Web App Pentest

[johan at johans.dk (Johan Peder Møller)]

Hi

Given your "no buget" constraint, I'd go with something like OWASP Live CD (
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project).

If you have a basic understanding of how web appls work, and how to attack
them this should give you a starting point. As for the completeness of
scannings I can't say. I myself is in the process of evaluating.

rgds
Johan M?ller


On Sat, Jun 6, 2009 at 8:55 PM, <infolookup at gmail.com> wrote:

> Hello All:
>
> I am task with doing a basic web app pentest of a server that we are about
> to given external users access too.
>
> Background:
>
> I work for a university no security department, no budget to hire a
> auditor.
>
> We are about to put one of our training servers on our DMZ this way Faculty
> and Staff members can access it from home for  Microsoft and other
> application video tutorials.
>
>
> Since my boss is aware that I am interested in infosec I was given the
> green light to test the app/server and report back anything that can aid in
> locking it down.
>
> Question:
>
> Since there are so much tools and ways to go about this I would like to
> know how do others go about a web app pentest, don't have to give away any
> trade secrets  :)-.
>
> I am just looking for an efficient way to go about this!
>
>
> Specs:
>
> OS: Windows 2003 running in a VMware, ESX 3.5.
>
> Application:  Training package, with a bundled windows version of a LAMP
> setup.
>
> Acess Method: http.
>
> Thanks in advance.
> Sent from my Verizon Wireless BlackBerry
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090608/b8eecf4f/attachment.htm